Interview with Cybersecurity Expert Paul Rosenzweig: The Federal Role
On December 12th of 2019, New Center Policy Analyst Laurin Schwab interviewed Dr. Paul Rosenzweig of the R Street Institute on federal regulation in cybersecurity. On top of serving as a Senior Fellow with the R Street Institute, Dr. Rosenzweig manages his own cybersecurity company, Red Bridge Consulting, and teaches cybersecurity at the George Washington School of Law. Dr. Rosenzweig has also authored Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World on top of numerous cyber-related online courses.
LS: You have such a unique vantage point having worked for the Department of Homeland Security in the public sector as well as managing your own cybersecurity company in the private sector. What kind of cybersecurity issues did you work on at DHS?
PR: The most significant was the development of the very first set of cybersecurity policies and initiatives for the U.S. government. In 2005 or 2006, I think it’s fair to say the government was relatively unaware of the nature of the cyber threats. And then we got some very bad tests done that showed pervasive vulnerabilities in the industrial control systems of the electric grid, and that started a government-wide project that eventually resulted in something known as the Comprehensive National Cybersecurity Initiative, the CNCI. It was initially classified top secret, but President Obama subsequently declassified major portions of it, and that was the first effort by the U.S. government to define what cyberspace is and why it’s important, and what the government’s role in it should be. So that was a major part of my initial effort.
LS: You’ve been around, then, since the inception to watch government policy on cybersecurity come into existence and then develop since 2005. Since then, what would you say are the biggest changes in government regulations or shifts in policy?
PR: That’s a very big question. I would say that the initial phase of deep concern and panic over infrastructure protection has given way to a moderately effective steady state of review that has seen the government figure out that in this domain, directive regulatory results are not so good, and it has decided to lean into the idea of standard-setting and suggestions, best practices sort of thing, which have proven to be relatively effective. So the biggest change is that the government has been humbled a bit, and has realized it doesn’t have all the answers, and that the private sector has more answers than it does itself, generally.
LS: I can see how it would simmer down as people understand the scope of the problem. I’m curious about your ideas surrounding what the role of the Department of Homeland Security should be in cybersecurity policy. What should it be able to do, and what should it not be able to do?
PR: Where I think government does best is where it has a unique capability. Some of those are simple things like enabling information-sharing and convening experts for standards setting. The government’s most important value here is cyber on the international stage, trying to find levers that might not be cyber levers for modifying Chinese behavior in stealing intellectual property, or modifying Russian behavior in interfering with our elections. Those are not issues that a private sector company can resolve. That is clearly the highest, best value for government: international norms and behavior-setting. By contrast, selling the newest security widget is something the private market does pretty well. We don’t need government to set the best widget. We need government to figure out how to rate widgets so you can decide which one is best. Measuring cybersecurity is something government might have a better role in.
LS: With respect to cybersecurity standards, should the DHS play a role in compelling companies to follow them?
PR: I don’t think the government is nimble enough to pick the right standards. A friend of mine in the industry once told me, “The attackers are a year ahead of the defenders, the defenders are two years ahead of the legislators, and the legislators are two years ahead of the regulators.” That’s just the way it works. Our government is a slow-moving, hierarchical system. The cyber domain is a distributed, fast-moving system. Another friend of mine once said, “The government is a Ford Edsel, and cybersecurity is a Tesla.” And I actually think that understates the difference.
LS: That makes sense in such a rapidly evolving field. If the government can’t pick the right standards, do you think there’s an opportunity in the private sector for a private organization to develop standards and encourage companies to adhere to them?
PR: Yes, that’s evidently plausible. I don’t know that the government has to be the standard-setter. It has advantages in being the standard-setter mainly because it doesn’t have a parochial interest, whereas if industry gets together, there’s a fight going on between you and me; my standard helps my product, your standard helps your product.
LS: So there’s the federal government, the private sector, and then there are state and local governments. Do you think that the federal government should coordinate with the states to create standards?
PR: I think everybody who is a stakeholder is appropriately included in the discussion, and so that includes state and local. They bring a unique perspective and are probably closer to the people, so that makes some sense that they would participate. I don’t think the Department of Homeland Security should have any role in compelling the states any more than I think that they should have one in compelling the private sector. I don’t see them as having that successful expertise.
LS: I can see how it’d be difficult to coordinate cybersecurity while also protecting states from forced compliance, which could stifle innovation and limit the laboratories of democracy in the U.S. What are your thoughts on that?
PR: I’m not anti-regulation generally, I just think that regulations work best in systems that are slow to change. We can do environmental regulation readily because what’s good for the environment doesn’t change that much over time. Maybe the new science tomorrow tells us we should reduce the benzene levels 10%, but fundamentally, science is science; with respect to the environment, there are no great new discoveries. Whereas I don’t see that being the case in the cyber realm.
LS: I’m also curious about your thoughts on cyber information-sharing. There was a bill passed in 2015 called the Cybersecurity Information Sharing Act for companies to share information with the government. I’m wondering what your thoughts were on whether this was a positive or negative development, and what its effects were in the cyberspace policy community.
PR: It’s a good thing but not a great thing. It didn’t really change too much. It didn’t hurt.
LS: Some groups were concerned about the security and privacy of individual users’ information, and how companies could share personal information with the government. There was a letter written by a few companies to Paul Ryan in 2015 about how they wanted to establish the DHS as the only portal for information-sharing and make sure that no other national security agency in law enforcement, like the FBI or the NSA, could automatically have the information shared by the DHS. What are your thoughts on that concern?
PR: I thought that was a tempest in a teapot, it didn’t matter too much one way or another.
LS: I’m curious about any promising developments in private or public sector cybersecurity that are game-changers for protecting critical infrastructure or cyber infrastructure in the U.S. today. Is there anything you’re excited about right now?
PR: First off, there are no game-changers. Everybody’s looking for silver bullets, but there are no silver bullets; it just is what it is, that’s all of it and there’s nothing more to it than that. So that’s number one. Number two, to the extent that I’m excited about anything at all, it is really the growing trend of cybersecurity to stop being an art and start being a science. Right now, everything in cybersecurity is qualitative, and I think that the most important changes that are happening in the near term are that they’re becoming quantitative, that we’re beginning to measure cybersecurity effectively. And if we do that, we’ll be in good shape, if we can actually turn it into a science. That would be effective, I think.
LS: What do you think is missing in what we’re focusing on right now in cybersecurity? Do you look at developments in the public and private sector and think, “Wow, we should really be focusing more on this”?
PR: I mentioned one, the idea of metrics, the idea of numbers—that deserves more focus. We’ve talked about another, which is the weakness in state and local governments, and the necessity of doing that. I think right now, the DHS is pretty distracted by environmental and immigration matters, and I think as a result we haven’t been putting as much effort into cybersecurity as we have the last few years. That’s the nature of a president being a president; he gets to choose.
LS: Another issue in the cybersecurity space is personnel—that there are so few people working in the government space. Do you think that’s significant?
PR: Personnel is a biggie, but that’s a perennial. I don’t know that the government can do too much about it unless it quadruples the salary of everyone who works for the government. That’s going to be a much harder nut to crack.
LS: Looking forward, do you think cybersecurity will be even more of an issue than it is right now?
PR: Right now is the calm before the storm. We are likely to see bad things happening soon, but at the same time, it is the case that so far they haven’t been that bad. More people have died from squirrels the past year than cybersecurity problems.
LS: It does seem to suffer from that issue—the potential is so great, but it’s so hard to talk about it without metrics.
PR: Right; I can’t measure it, so I can’t tell you if we’re better or worse today. I have a sense that we’re better off but haven’t done enough, but maybe I’m wrong.
LS: Thanks so much for your time today; I appreciate it!
This transcript was loosely edited for clarity.