6 June 2017

CYBER OFFICIALS NEED HELP, BUT ARE EXPERTS UP TO THE TASK?

BRENT ROWE AND ELI SUGARMAN

For special access to experts and other members of the national security community, check out the new War on the Rocks membership.

The Trump administration is confronting a series of cybersecurity crises ranging from a global ransomware epidemic to a new wave of Russian cyber-attacks against NATO allies. It’s doing its best to respond to the myriad threats facing the United States, but vacancies in key cybersecurity slots are impacting its ability to do so.

After several months of delay, on May 11, President Donald Trump signed a long-expected executive order on cybersecurity. It commissions a variety of reports on key cyber policy priorities, including cyber deterrence, international cooperation, and workforce development. The order wisely requires those reports to gather input from a broad array of executive branch actors, ranging from the Intelligence Community to the Department of Commerce.

Unfortunately, the order largely ignores one supremely important pool of cyber policy expertise — civil society. While there is one exception for organizations deemed to be part of the U.S. critical infrastructure, which includes certain public and private sector entities — — many of the world’s top cybersecurity experts, who have university, think tank, and/or industry affiliations are simply left out.

This is, to put it mildly, unwise. But blame, in this case, is a two-way street. The U.S. government may need to do better to include the expertise resident in civil society, but civil society also needs to step up to the plate.

A new report by RTI International funded by the Hewlett Foundation (the two organizations where the authors work) tries to tackle this important problem from both ends. Drawing on nearly 50 interviews with key government cyber policy officials, it highlights how state and federal government can more effectively harness outside cybersecurity expertise. It also addresses the supply of cyber policy ideas from outside of government. By drawing on the recommendations in this report, think tanks, advocacy organizations, and academic centers can unlock the tools to better address the needs and priorities of government policymakers, thereby contributing to more informed policymaking.

Supply is Not Meeting Demand

Cyber decision-makers say they are not getting what they need from the broader cyber policy community, and this challenge is not unique to cyber. The gap between academic research and government officials has been well-documented in other fields, notably foreign policy, at least as far back as 1993, in Alex George’s Bridging the Gap: Theory and Practice in Foreign Policy. Since then, many others have studied this issue, and for more than a decade, the Carnegie Corporation of New York has funded a series of new university efforts aimed at narrowing that gap.

This gap exists for a variety of reasons on both the supply and demand side. Government officials often do not provide enough funding to academics and others outside government, and they fail to provide sufficient guidance on the information and resources they need. In some cases, this is because of security clearance issues, but government officials also struggle to make the time to ask for what they need or communicate with sufficient clarity.

Without this information, researchers and policy experts often focus on issues that seem to be of broad interest to the public, often based on media reports. Academics and other outside experts also have different motivations beyond utility to government policymakers, and these motivations often conflict with sharing relevant information with them. Academics, for example, need to publish to advance in their careers, but the slow pace of peer review often significantly reduces the value of their findings to government officials looking to take action on a pressing issue.

In cyber policy, the academic-government gap seems particularly wide. The highly technical and rapidly evolving nature of cyber issues – coupled with the sometimes classified nature of key government programs and information — makes it difficult to identify a starting point for many policy discussions, and cyber terminology has not been standardized. One official we spoke to pointed out that, “even the laws related to cyber topics are highly complex — they touch on a wide array of regulatory, statutory, and constitutional issues.” The number and breadth of stakeholders are also incredibly large, and critically, the roles and responsibilities of public and private organizations and individuals have not been clearly established.

Today, Industry Offers Greatest Value to Government

Given all of these barriers, it’s not surprising that industry plays an outsized role in providing inputs to cyber policy decision-making. Government officials indicated that industry reaches out to them frequently for meetings. Another official estimated that for every 100 requests to meet from industry, there would be 10 requests from advocacy groups or think tanks and only one from academia.

And industry experts listen to what they hear from government officials in those meetings. They often come back with information and recommendations that specifically address the priorities and requests expressed by government officials. The difference in approach was highlighted by one interviewee: “Industry experts will tell us, ‘We hear that you are currently facing problem X; we suggest you deal with it by doing Y, for reasons Z.’ No other stakeholders do this, even when we ask them to directly.”

Officials know the information they receive from industry is biased, but they find it highly valuable nonetheless. Industry shares analysis results based on real world data that government cannot otherwise obtain. They provide timely, specific estimates of the impact of a proposed policy or regulation on jobs and other economic impact metrics. And they offer targeted, actionable recommendations (that, of course, often serve their commercial interests).

In contrast, academics were often described as mainly working on theoretical issues, focusing on topics that were not government priorities, and not providing information, recommendations, or other resources that could be easily used or adopted. Still, officials trust academics’ motivations above any other group, and many academics were mentioned as key sources.

Several think tanks were also mentioned as being particularly helpful. The most often mentioned nongovernment source was Jim Lewis at the Center for Strategic and International Studies (CSIS).

Government Looks to Trusted Sources, But Doesn’t Advertise Needs

We also asked government officials who they call when they needed input or feedback on a specific cyber policy issue. Most said that they look to individuals and organizations that they know and trust; when they didn’t know who to call, they looked to organizations with strong brands. Among those mentioned most often were think tanks such as CSIS, the Brookings Institution, and New America as well as academic institutions such as Harvard, Stanford, and Carnegie Melon. This method for filtering information — relying on personal connections and “name brand” institutions — suggests that much of the information developed by members of the cyber policy community who work outside this handful of organizations never reaches cyber officials.

The problem is only made worse by the fact that government officials rarely communicate their agency priorities and their needs publicly with enough specificity for other members of the cyber policy community to address them. They share these details with their trusted sources and with those, such as industry, who reach out to them frequently. Others are left in the dark.

Academics: Time to Listen and Customize Communication

The good news is that officials know they need help generating new policy ideas and went so far as to identify specific ways that the gap can be filled. Almost all of the officials interviewed said that they were very open to meeting with more academics, think tanks, and others working on cyber policy issues. They offered to share their priorities and needs, as much as possible given the real security and other legal barriers that exist, to meet with cyber policy researchers to provide feedback on their ideas, and to discuss their findings in person or by phone. Several officials said repeatedly that more researchers should pick up the phone and contact them directly.

Officials also suggested that they would be much more willing and able to make the time to review new research findings and policy recommendations if they were short briefs — “one or two pages at the most,” according to one official. And they asked that in these briefs and during in-person or phone conversations, researchers should focus on only data, results, tools, and recommendations that the government official has asked for or could easily use based on their current needs and priories. To do that, researchers need to meet with officials earlier in the process of a project, or government officials need to do a better job of communicating their needs publicly and widely.

One official also suggested that more government fellowship programs could help improve communication, noting that “if more academics and other members of civil society could spend time inside government, they would gain a better understanding of how government works and develop trusted relationships they could utilize after they return to academia.”

Money Talks

Government funding and grants from foundations can play a big role in readjusting the incentives for cyber policy researchers. Based on comments from officials, many recognize that additional government funding may be needed in order for more cyber policy topics to be studied. Further, funders could encourage or require researchers they fund to have a specific plan for communicating with government officials before, during, and after their research.

With focused effort, the policy gap could be narrowed significantly. In the meantime, incremental progress can be made by individual researchers taking small steps: recognizing the relevance of their work to policymakers, presenting their findings in ways policymakers can easily understand and use, and most importantly, contacting government officials to start a conversation about what both sides need.

No comments: