I had the opportunity to participate in a panel at a recent Cybersecurity Workshop hosted by the Organization of American States (OAS) and the Inter-American Development Bank (IDB). The panel topic was "Relevant actors in cybersecurity: who are they and how to involve them?" Since I did not use a presentation, I thought I'd share some of my comments in a post.
In my opening statement, I explained that I would limit my comments to combatting cybercrime, as cybersecurity is so all-encompassing that it would be difficult to get to ground zero in the time allotted. I listed as relevant actors the usual suspects I engage with daily, and mentioned major private sector actors, security NGOs, CERTs/CSIRTs/CIRTs and FIRST, standout universities like UAB and USCD, and monitoring and threat intelligence organizations, and I explained that the private sector bears the brunt of activities to combat cybercrime.
When the session moderator asked, "How do we involve them?", I suggested that this question was formulated incorrectly.
It's not a matter of how to involve relevant actors, but how governments can get more involved. The relevant actors have been involved for decades and governments must cooperate and engage with relevant actors more closely than ever if we have any hope to mitigate cybercrime.
I then challenged the audience to consider several ways to engage relevant actors effectively.
- Grow and Foster Trust. Encourage your digital infrastructure operators – ccTLD registry operators, ISPs, messaging infrastructure operators – to participate in organizations like APWG or MAAWG. Governments must grow to appreciate that trust is bottom up: individuals trust individuals with whom they've had positive outcomes first, and later, by extension, this trust extends to organizations or governments through the individual or webs of trust.
- Invite the relevant actors to help you build capacity. NGOs like ICANN do this. Private sector actors will help build capacity, too. It’s an investment with a potentially large ROI for multinationals. Each country whose digital infrastructure is hardened against attacks is one less localized presence that is likely to be exploited, defaced, or disrupted.
- Leverage and invest in your future digital citizenry. Create programs to take advantage of local university graduates: internships, research, development, jobs. Employ this youthful talent before they become disillusioned with job hunting in struggling economies and choose a criminal lifestyle. Seek out multinationals who believe they can benefit from (or grow markets by) nurturing your country's talented youth.
- Fund open source, especially open source projects that you deploy and rely on. If your country struggles with unlicensed software issues and is looking for a more secure yet financially viable alternative, look at open source. And if you look, invest.
- Develop security awareness programs for your citizens, your ICT users, and your ICT administrators. Leverage what exists by helping to internationalize programs such as Stop.Think.Connect.
Last but perhaps most importantly,
- Sustain interest beyond the evangelical and bully pulpit stage. I shamelessly borrowed from several earlier speakers who asked "why are we still talking about implementing cybersecurity?" but took a more direct (OK... blunt) approach:
Talk is cheap and the topic of cybersecurity is becoming tired. All success stems from a combination of willingness to pay and will to execute. Issue the marching orders and get this done.