Urs Gasser, Harvard Law School professor and executive director of the Berkman Center for Internet & Society, delivered a presentation last month on “The Future of Cybersecurity” at the Asian Leadership Conference, an annual event bringing together leaders across the globe to discuss and provide solutions to Asia’s most pressing challenges.
Professor Gasser joined Jean Paul Laborde, assistant secretary-general and executive director of the United Nations Counter-Terrorism Committee Executive Directorate; Eugene Kaspersky, CEO of Kaspersky Lab; and Danil Kerimi, director of Digital Economy and Global Technology Policy at the World Economic Forum, in a panel moderated by Lee Jaeyoung, member of the National Assembly of the Republic of Korea.
The proliferation of connectivity has contributed to the emergence of cybersecurity as one of the most salient issues of our time, leaving private sector, academic, government, and civil society stakeholders grappling with the implications of this shift. Through his work at the Berkman Center, Professor Gasser has spearheaded various efforts to help develop frameworks providing a comprehensive approach to cybersecurity. A white paper prepared by the Berkman Center in collaboration with the World Economic Forum’s Global Agenda Council on Cybersecurity speaks to the systemic security issues that arise as a result of the hyperconnected world and proposes best practices that cut across sectors to address these nascent challenges.
In his panel contribution to the Asian Leadership Conference, Professor Gasser shared insights gleaned from this collaboration and argued that cybersecurity ought to be seen as a shared responsibility, much like governance of the internet itself is a shared responsibility. A shared governance in mitigating cyber risk necessitates collaboration between the public and the private sector, encompassing governments, enterprises, academics, the technical community, and civil society at large.
“A collaboration of this scale is inherently complicated due to systemic factors that include a lack of trust between governments and companies, particularly in the era of post-Snowden revelations,” he said. “This is further complicated by incentive problems between companies, where fierce competition around time-to-market prevents extensive security testing, and concerns around liability inhibit the sharing of vulnerability information.”
Professor Gasser emphasized that, despite these systemic challenges there is much that both private and public sector stakeholders can do, building upon a foundation in which each stakeholder embraces its responsibility. In the case of companies, he argued, scholarship suggests that all companies should deploy basic cyber hygiene strategies, while technology companies in particular should move towards security-by-design approaches that include more extensive beta testing and product lifecycle management. Gasser stressed that governments also have to play their role, balancing on two ends of a spectrum. On one hand, he said, governments should do no harm by resisting policies that actually weaken the cybersecurity ecosystem, such as mandating backdoors or golden keys. On the other hand, Gasser noted that governments must enact baseline legislation and regulation that establish consumer protection and facilitate Internet of Things safety standards. Most importantly, governments should use the full spectrum of tools at their disposal, including the use of procurement power, capacity building, and educational strategies.
Moving forward, the investment into building distributed governance platforms, networks, and participation mechanisms (including education) will be critical, said Professor Gasser, as it addresses the complexity of stakeholder coordination head-on. Existing platforms and networks that are flexible and fast enough can be built upon, in the image of extant private–public platforms such as the World Economic Forum, or multi-stakeholder convenings such as the Internet Governance Forum. These approaches will not solve all the challenges, he said, but will at least create the necessary spaces for knowledge-sharing and ad hoc interventions, which are often informal.
The Berkman Center is working to address the systemically important issue of cybersecurity through its collaboration with the World Economic Forum with a current focus on IoT safety and security, as well as the Berklett Cybersecurity project, which convenes a diverse group of security and policy experts from academia, civil society, and the U.S. intelligence community to explore and evaluate the roles and responsibilities of the U.S. government in promoting cybersecurity, and the Berkman Assembly, a new and innovative pilot program that is experimenting with different modes of education, collaboration, and development to work towards solving some of the tough problems at the intersections of code and policy.