A Technology Guru and A Policy Expert Walk into a Bar…

May 10, 2017
Mission Assurance and Cyber Policy: Post by Peter Sheingold

A technology guru and a policy expert walk into a bar.

For decades, no matchmaker would've given them a chance of getting along. But these days, technology and policy folks are increasingly realizing that while they may not have much in common, they absolutely depend upon one another when it comes to cybersecurity.

Let’s think about why. The technology guru and the policy expert each know many important things.

The technology guru is more likely to understand and consider how rapidly evolving technologies work and what they can and cannot do. The policy expert is more likely to understand and consider the social costs, benefits, and consequences associated with technological change. Both have gaps in their knowledge that, if filled, would inform the art of the possible.

Our technology guru may be more sensitive to technical constraints about what is feasible, which our policy expert may not understand, such as the technical difficulty of changing the design of widely-deployed technology. And the technology guru may not fully appreciate the equally important issues our policy expert cares about, such as legal constraints and the need to build coalitions and manage competing interests.

Are these two doomed to never get along?

We say no. Because both recognize the stakes involving cybersecurity are just too high. At MITRE, we seek to help bring clarity to the dilemma our nation's technology and policy experts each face—and help bridge the gaps between technology and policy.

Over the past decades, the internet has changed the way we live, communicate, buy and sell goods, develop new products, exchange ideas, manage critical infrastructures, and engage in conflict. At the same time, vulnerabilities in networked technology have been exploited to cause harm. Privacy has been compromised, trade secrets and intellectual property have been stolen, physical infrastructure has been damaged, and human safety has been put at risk.

Consider the following two challenges our policy wonk and technology expert should discuss over their appletinis.

One, there's increasing recognition that cyber attacks can put human safety at risk. In recent months, we've heard a lot about potential federal investments in infrastructure modernization. This has a direct connection to cybersecurity. Today, many of the critical infrastructures (e.g. power, water, transportation, manufacturing, healthcare) that we rely on are increasingly dependent on networked technologies that are vulnerable to cyber attack and disruption. How should infrastructure modernization policy promote efforts to manage the vulnerability of these systems?

Two, individual organizations increasingly use networked technology to help deliver their missions—and that means cyber attacks can result in "mission breaches" that damage public trust and national and economic security. For example, ransomware attacks holding hospital systems hostage impact delivery of care to patients. This means that leaders across organizations, not just Chief Information Officers and Chief Information Security Officers, must work together to address mission and cybersecurity strategies and priorities.

In practical terms, this means our friends at the bar must work together at a new level. Cybersecurity teams need to learn about the mission and its associated policy imperatives. At the same time, mission owners need to become more educated consumers about the relationship between mission goals and the security tradeoffs that come with the use of different technologies. Moving forward, we should also encourage the professional development of more "techno-policy" experts, who understand and apply both technology and policy perspectives. Some techno-policy experts already exist. We would be thrilled if, in the future, when a technology guru and a policy expert walked into a bar, it was more likely to be the same person.

MITRE brings more than 40 years of expertise helping our sponsors navigate cybersecurity-related policy and technology tradeoffs. Whether at the national or organizational level, we hope to offer perspectives and insights, or raise questions, which can help bring the policy and technology community together.

We don't claim to have all the answers, but believe that MITRE's objectivity and the nature of our work afford us unique insights that need to be shared. Equally important, we want to hear from you. We look forward to learning from you along the way.