Diplomat: Security, Openness Can Co-Exist
Why Government-Centric Approach to Cybersecurity Won't Work
The United States government is working with other nations to beef up their cyberdefenses, says Christopher Painter, the State Department's top cyberdiplomat.
"It's important for countries to have strong cybercrime laws, strong capacities to actually fight cybercrime, and then the ability to coordinate," Painter says in an interview with Information Security Media Group (transcript below).
To address cybercrime, the U.S. works with other countries on information sharing and to help them enact stronger laws, Painter says. One initiative is the 24-by-7 High Tech Crime Network, which consists of more than 60 countries that participate in sharing threat information.
"Because digital evidence could disappear so quickly, this is to help actually track criminals down," he says.
"As we look to the future, one of the things we want other countries to do is really step up on cybercrime in terms of their laws and their policies, and to work with each other," Painter says.
In the second of a two-part interview, Painter:
- Identifies the five "buckets" his office pursues with foreign governments: human rights and Internet freedom, governance, cybercrime, cybersecurity and international security;
- Discusses the differences and commonalities of international cybersecurity and cybercrime;
- Addresses how nations can cooperate to assure individuals' privacy despite different interpretations of the definition of privacy.
In part 1, Painter discusses how the United States and China should collaborate to battle common cyberthreats, although both governments blame the other for cybermischief (see Battling a Common Cyber-Enemy).
In 2009, Painter served as acting White House cybersecurity coordinator. When Howard Schmidt became cybersecurity coordinator in early 2010, Painter became his principal adviser, serving in that role until he was named the State Department cyber-issues coordinator in 2011. Earlier in his career, Painter served as deputy assistant director of the FBI cyberdivision; as principal deputy chief at the Justice Department's computer crime and intellectual property division; and as an assistant U.S. attorney, prosecuting hacker Kevin Mitnick in the mid-1990s.
Differing Privacy Views
ERIC CHABROW: How are America's and Europe's differing views of privacy having an impact on taking advantage of the Internet to promote international commerce?
CHRIS PAINTER: ... There was a white paper that was issued by the White House a while ago, and there's been legislative efforts in the EU on data privacy issues. The most important thing is that we don't need to have the completely same systems, but we need to have interoperable systems. We need to make sure that our privacy protection systems and, frankly, even our cybersecurity approaches, are interoperable so that companies and governments who operate internationally, which they all do, are not subject to a whole bunch of different conflicting approaches, but instead have something that works together. That's really been our big push. We've had these discussions with Europe on data privacy and law enforcement privacy issues.
CHABROW: What's the vehicle to assure that there's this interoperability?
CHABROW: How big is your office?
PAINTER: We started with a small number. We've grown to about 10 now, but it's more than just the office. The way we work, we're in the secretary's office at the State Department, and we work with folks across the department who work with us. For instance, we work with an office within the economic bureau, and a lot of the economic issues and some of the governance issues we work with our international relations bureau. We work with our democracy and human rights bureau on a lot of those issues. We work with the people who do law enforcement issues and security issues. We work with every regional bureau as well. We have a coordination group that meets once a month, and we pull in people from all those bureaus to discuss these issues and make sure we're synched up. Then, we have an interagency team that we work with. There are certain things we leave in; there are certain things that others leave. But the idea is really to bring this all together. I'm happy that we've grown. I'm sure we can continue to grow and we'll need to. I hope this gets to be more and more of a priority, but I think we've been pretty effective at pulling people together.
CHABROW: You mentioned cybercrime. Is that one of the biggest areas you deal with?
PAINTER: That's one of the areas. As I think about it, there are five buckets and then two kinds of threats we've been working on. The two threats I mentioned were intrusion threats and right now the DDoS attacks and the malicious code threat. The five policy areas are the human rights area, which includes Internet freedom, working with our DRL colleagues and others here at the department on Internet governance issues, cybercrime, cybersecurity and then international security. Cybercrime is one of those five major buckets, and it's a key one here.
One of my deputies here comes from a cybercrime background, a prosecutor. I also was at the Department of Justice for many years prosecuting and then working on cybercrime policy. We think that's an important thing around the world for countries to have strong cybercrime laws, strong capacities to actually fight cybercrime, and then the ability to coordinate. In that regard, we've been promoting what's called the Budapest Cybercrime Convention around the world, and more countries are now signing up, and the U.S. is a member of that convention.
We've been working with countries to do capacity building, to put better laws in place. There's something called the 24-7 High Tech Crime Network, which [now includes] over 60 countries around the world. Because digital evidence could disappear so quickly, this is to help actually track criminals down. There's been a lot of advancements on this since I started doing cybercrime prosecution back in 1991. Cybercrime in many ways predated the kind of emphasis on cybersecurity. People understood and were thinking about cybercrime even back then, and it's still a really important issue right now. As we look to the future, one of the things we want other countries to do is really step up on cybercrime in terms of their laws and their policies and to work with each other.
CHABROW: You talk about having their laws improved to address cybercrime. How much of your work is toward trying to limit cybercrime itself?
PAINTER: It's one of our major priorities. We address that in a couple of different ways. One is we work closely with our Department of Justice colleagues and our FBI and Secret Service colleagues. We try to enhance the kind of operational coordination that's out there, and obviously they're involved in the trenches and doing the operational coordination. We've been chairing a G8 High-Tech Crime group for many years that brings the G8 countries and the EU together to talk about how we combat cybercrime on the policy level, but also think about specific projects. The 24-7 Network is part of that, was born out of that G8 group, and we are very involved in managing that. ...
Part of the capacity building we do around the world is focused on cybercrime and cybersecurity because I view them as two sides of the same coin. Cybersecurity is how do you really prevent these things from happening; but if they do happen, how do you make sure that people are accountable? How do you go after the criminals that are attacking or intruding into systems? That's been pretty important in terms of our overall work. I also say that countries around the world, as they think about their own cyber strategies - I think there are about 20 national cyberstrategies now around the world, some on version 2.0 or 3.0 - cybercrime usually is featured pretty prominently there as well.
CHABROW: You spoke this spring at the Purdue University's Center for Education and Research in Information Assurance and Security, the group headed by Gene Spafford. Among the points you raised was how Internet governance is accomplished. Can you discuss that?
PAINTER: That's another docket that I mentioned. As I said, we work closely with other folks here at the State Department. With everything, we work closely with the White House and also, in this case, with our Commerce Department colleagues. The most important thing, the bedrock principle for Internet governance, is this idea of a multi-stakeholder approach, of having not just the governments calling the shots, but having governments, private sector, civil society and the technicians and Internet wise guys, if you will, all participate. That was evidenced when we did these OECD Internet policy-making principles, now a couple of years ago, which said you need to have this open system; you need to have this multi-stakeholder system. That's how the Internet has grown up.
As you know, the Internet, although it was sponsored initially by government, the way it has developed, the way that it's become so popular, the way it's become such an incredible engine of economic and social growth, is not because governments have run it; it's because you've had this multi-stakeholder approach. That's something that we feel very, very strongly about. We resist governments who want to have a much more top-down government-centered approach or a government that says, "We want to have sovereignty over our cyberspace," which essentially creates these digital bubbles, which undermines the interoperability and interconnectedness of the Internet. This is one of the big challenges going forward, making sure people understand why this is multi-stakeholder, why it should remain that way and making sure that, as people think about the future of the Internet, they don't abandon this core principle.
CHABROW: How much does that threaten cybersecurity? You have nations now that are putting restrictions on what can be aired on their Internet.
PAINTER: I think that it does threaten cybersecurity because, on the one hand, I think some of the best approaches you've had to securing systems are not top-down government approaches, but are solutions that have come out of this multi-stakeholder process. The threat is that governments in the name of security want to monitor content, and this goes to the Internet Freedom Agenda as well. But it really is an area where governance, freedom and security all come in. Security should not be used as a proxy to censor citizens to try to clamp down on dissonance. That's not appropriate. We said in our international strategy you can have both security and openness at the same time, and multi-stakeholder governance is important to both. As we go into these various forums and these things are debated, this is a point that we continually make.
CHABROW: The countries that are clamping down, is it really for security? Is it for just protecting their own governments?
PAINTER: That's where they define security that way and we do not. I think there are governments who are more worried about regime stability than they are about cyberstability, or regime security rather than cybersecurity. The thing that's being missed - and I know there's some work being done in different places around the world - is the importance of not just the Internet to the economy in countries and the social development of countries, but the importance and hope of the Internet to economic development, and particularly for the developing world. That's an important concept. Having an open Internet is really what's going to drive economic development and innovation of those countries. That really ends up leading to greater stability. That's one of the arguments that we're constantly advancing as we go around the world.
Quite frankly, there are some countries that are entrenched on the side of wanting to do more government control, control of content, who look at this as information security and not cybersecurity. There's a large group of countries who believe the Internet should be open, and there's a number of countries in the developing world and other places who are on the fence, who are trying to figure out what's the best approach. Those are the countries we need to reach and we need to talk about how you do cybersecurity in an effective way, how you maintain openness and why that's going to lead to a benefit for those countries.
Importance of Language
CHABROW: How important is language? We just discussed a bit about how security means different things to different governments. Privacy could mean something different to Europeans than it does to us in America.
PAINTER: It's important in the sense that if the term actually is meant to mean something else, you need to know what that means. In other words, when people use the term information security, sometimes it may be a benign meaning. But often what it means is security and information, which is a proxy for censorship, and that's not acceptable. We have to be careful about language and how we use language. The same is true when you talk about cyber-intrusions versus cyber-attacks. They're different concepts, but people tend to conflate them together. I think precision in language is important as we have these international discussions because we can't be talking past each other.
CHABROW: Do you have any final thoughts?
PAINTER: When we first talked after I took this job, I certainly was very optimistic. I thought this was a great opportunity to really move this forward, and I have to say I feel the same today. Even as an ex-prosecutor, I have a very hopeful view of the future. I think that there's a lot we've been able to do in just the last couple of years. I think this has obviously been a huge priority for the president, for the secretary and for other senior people throughout the government. If anything, I just see this becoming a more important issue as we go forward. There are challenges out there, and they're significant ones, but I also think there are some real opportunities for us to make progress. I'm optimistic, I think that there's a lot more we need to do and I look forward to doing it.