Cybersecurity: A Worldwide PolicyInt'l Cooperation Seen Yielding Improved Global Infosec
"We're going to work internationally to promote open, interoperable, secure and reliable information and communications infrastructures," State Department Cyber Issues Coordinator Chris Painter says in an interview [transcript below].
Painter says making sure the United States is preventing intrusions and protecting networks is the first priority for the office. Working with other countries to build discussion and reach agreements on common Internet practices is another important goal.
Issues the office will tackle include governance, cybercrimes and protecting military networks, to name a few. "This basket of issues is a new foreign policy priority," Painter says. "Too often in the past, this has been seen as a collection of ... niche issues, and it really has transformed itself and elevated itself to a major policy issue on the international stage."
Working with other countries will aid in preventing future attacks on critical infrastructure. Painter uses cybercrime as an example of cybersecurity as a foreign policy. "If we build a stronger cooperation with respect to cybercrime, when people try to intrude and attack these systems, there will be accountability," he says.
Different countries supporting and holding each other accountable will reduce the number of attacks and make sure these cyber issues are addressed.
In the interview with GovInfoSecurity.com's Eric Chabrow, Painter discusses:
- Integrating cybersecurity policy into America's overall diplomatic initiatives.
- Building global trust in a global environment where people believe many cyberattacks originate from China and Russia and that the United States was behind the Stuxnet worm that disabled Iranian nuclear centrifuges.
- Safeguarding the global supply chain to assure purchased technology manufactured abroad does not contain vulnerabilities.
Painter served as acting White House cybersecurity coordinator in the months preceding the naming of Howard Schmidt to that post [See Acting Cybersecurity "Czar" Speaks Out]. When Schmidt ascended to the cybersecurity post, Painter served as a top lieutenant and principal adviser in the cybersecurity coordinator's White House office.
Before joining the White House national security team in early 2009 - he became acting coordinator that summer - Painter served as deputy assistant director of the FBI cyber division; principal deputy chief at the Justice Department's computer crime and intellectual property division; and as an assistant U.S. attorney. "I've been involved with cybersecurity for 20 years" - he prosecuted hacker Kevin Mitnick in the mid-1990s - "and I have never seen in my career so many people coming together with such a common purpose," Painter said in remarks at a December 2009 CIO Council IT security conference.
Painter holds a law degree from Stanford University Law School and bachelor of arts degrees in political science, English and biology from Cornell University.
Broad, Strategic FrameworkERIC CHABROW: The International Strategy for Cyberspace is a broad document identifying seven principles that include economic engagement, law enforcement, military cooperation, international development, Internet freedom, multi-stakeholder Internet governance and protecting networks. In a moment, I'd like to focus our discussion on one of those principles, network protection. But first, with four cabinet secretaries and three other senior executives making the announcement, the International Cyberspace Strategy must be very important to American diplomacy and cybersecurity. Why so?
CHRIS PAINTER: What makes this document remarkable is that it's the first time that the United States, or really any country, has taken this full sweep of cyber issues, ranging from Internet issues to governance issues, economic issues, cybercrime, fighting cybercrime, cybersecurity, protecting military networks and ideas around norms of behavior and how you deal with data on state situations. No one has put all of that together under a broad strategic framework, and I think it's critically important that this happens because, although there's been a lot of good work done in all of those areas before, they aren't necessarily interrelated. We are much stronger as a country in terms of our international policy to recognize interdependency and how they relate and have a coherent strategy going forward in respect to all of those things.
CHABROW: What are the mechanics behind your office? Who do you report to and who do you work with?
PAINTER: I report to the secretary. It's a new office that was created in what's called the QDDR, the Quadrennial Diplomacy and Development Review. It came out back at the end of last year. The idea of the office was to address a longstanding need that the secretary and the deputy secretary, Jim Steinberg, recognized. The secretary said this in her remarks that this is a new foreign policy imperative. This basket of issues really is a new foreign policy priority. And I think too often in the past, this has been seen as a collection of either niche issues or technical issues, and it really has transformed itself and elevated itself to a major policy issue on the international stage.
We're a small office that spans those different disciplines. I'm the coordinator for cyber issues. I've only been into it about two months now, but I have someone who's worked in the economic bureau here in State who has worked a lot on standards and economics issues. I have someone from DRL, which is Democracy and Human Rights. I have someone who has had long-term experience in cybersecurity, norms, state behavior and working in those issues. That whole breadth of issues is represented here. We're going to be about six people, initially, but we're going to be magnified or leveraged to all the different work that is going to happen to the State Department. One of the things we're doing is every regional and functional bureau of the State Department has someone who's dedicated to working with us as part of a coordination group, and that pulls in all of the different things the State Department is doing. As you might know, the State Department is in many ways a microcosm for the rest of the federal government. We work on standards issues, we work on security issues and we work on Internet freedom issues. We're also leveraging our embassies. One of the great assets of the State Department is the posts all over the world and the people in those posts. Just like this is a crosscutting issue here, it's a crosscutting issue in the embassies, which involve the economic people there, the policy people, political people and others to build expertise in this area. And then we work, of course, with our entire agency partners. The agencies I worked with when I was at the White House are the same ones I'm working with here. I'm working with them very closely, and of course working with the White House as well.
The short answer is we're working with all those people, and the reason for all that is we're working very closely with foreign governments and international institutions. That really is what diplomacy is about; building a consensus about the vision that was articulated in the strategy.
Integrating Cyber Into DiplomacyCHABROW: Is this a new way of looking at how diplomacy is carried out, or even how government is carried out, in a sense that cyber is being integrated into all aspects of governing?
PAINTER: Yeah, I think it is. That's why I said this is a new foreign policy. The secretary said this was a new foreign policy imperative. The U.S. and the secretary have been leaders in looking at this issue and recognizing it at the foreign policy perspective, and certainly the president's strategy is a leadership document that shows that. But other countries are beginning to treat it that way too. Even since my post was created and announced, there are other countries - the U.K., Germany, and some others - that are looking or have created similar posts in their government. It's a recognition that this is something that transcends a whole lot of different issues. This technology has been so transformative for the economic, social and free flow of information and the free flow of ideas across the board that it's elevated to something that is important to make sure that that continues into the future and the vision that we want for this technology prevails.
CHABROW: Onto network protection. Among the priorities under network protection is to reduce intrusions into and disruptions of U.S. networks. As you know, many experts believe the attacks on American government and business networks have come from China, Russia and other nations, and if not by those nations' governments, at least with a wink of an eye from them. Plus, whether or not, many people believe that the U.S. was behind the Stuxnet virus that crippled centrifuges at Iranian nuclear facilities. Now, I'm not going to ask you about your views on those cyber attacks. But with these cyber incidents in mind, how would you assess the level of trust among nations to pursue common goals of safeguarding national networks, and what does your office need to do to achieve that trust?
PAINTER: First, to put this in the context of the overall goal articulated in the strategy, we're going to work internationally to promote open, interoperable, secure and reliable information and communications infrastructures. Part of the way to achieve that, and it's also laid down in the strategy, is we're going to build and sustain an environment in which norms of responsible behavior guide state's actions. I should note that the strategy is not starting from a ground stop. We've been doing a lot of work in this area. Not just us, but other agencies throughout the government too - and this is a whole of government strategy - to try to do things like prevent intrusions and to protect our networks. That's been an ongoing effort.
One of the ways we do that is we engage with other countries. We engage with countries who agree with us. We engage with countries who don't agree with us. We try to build a consensus around these norms of behavior, these norms of state-to-state action, which builds more confidence around this area. We try to come up with confidence building measures. That's one of the areas we've been working on with respect to the U.N. group of government experts for the upcoming conference that foreign minister Hague in the U.K. is going to be having in the fall. There are a number of efforts that are designed to build discussion between countries, to reach out and actually both discuss and reach some agreements on this.
Building Global CooperationCHABROW: The Internet truly has shown how interconnected the world is, and the International Strategy for Cyberspace states that the interconnected global environment, weak security and one-nation system compounds the risk to others. Another priority of the strategy is to ensure robust incident management, resiliency and recovery capabilities for information infrastructure. How would that work and how would that be achieved?
PAINTER: Obviously, part of that is a domestic undertaking to make sure that you secure your own house and do all that you can. But quite frankly, part of that is working with other countries to build cooperation. When we're talking about incident response, for instance, the Department of Homeland Security and other agencies have been working very hard to build cooperation with other countries in terms of incident response. The DOJ has been working very hard to build law enforcement networks and law enforcement response. We've been working to support both of those efforts. Part of it also is having a good legal structure in place. When we talked about norms, which I did a moment ago, some of those norms involve laws to deal with cybercrime. The Budapest Convention, as we call it, done by the Council of Europe, with many states now joining, is one of the tools where you make yourself safer by making sure that criminals and criminal conduct is being thwarted. That's all part of that diplomatic effort.
CHABROW: Another priority of the strategy is to improve security in the high-tech supply chain in consultation with industry. Simply, how can we be assured that the technology made abroad doesn't have viruses or other vulnerabilities built into them? What can be done internationally to secure the IT supply chain?
PAINTER: That's another area, and as the strategy lays out that's one of our priorities. We laid out a set of priorities that are clear, not just to us domestically but to all of our partners around the world. I think you really hit on it. One of the key aspects of this is having a very strong dialogue with industry, which often understands these issues, sees these issues come up and owns most of the infrastructure. Part of the international strategy and part of what our office is doing working with the rest of the governments is reaching out to industry and engaging with them on those issues. Also, prioritizing that is one of our goals when we discuss these topics with other nations.
Determining Cyber NormsCHABROW: Talking about priorities, there are a lot of goals stated in this agenda. Is there a priority list? Are there certain things you're working on specifically now?
PAINTER: One of the key things we're working on is we're making sure we're having a robust discussion about what the norms are in cyberspace. We had a very good meeting with the U.N. group of government experts. We talked about this issue. We've been making progress. There has been agreement that this is an important area. We've been carrying that forward in groups like the OSC, the Organization for Security and Cooperation in Europe. There are other forums where we'll be carrying this forward. We've been discussing issues like this in the G8 and the Organization for Economic Cooperation and Development. There's going to be a meeting in June that deals with Internet policymaking principles.
We are engaging in all these different international fora to do that. Another priority is to do what the secretary described in her speech on Monday, which is the real core of diplomacy: to build persistent, patient and creative diplomacy. That is what will get us to the end goal here. One of the other things we're doing is reaching out and making sure that we find partnerships, not just among our traditional allies, but also with the rest of the world that is facing the same issues as we are, particularly with the developing world. And we're trying to that through outreach, diplomacy and capacity building. So that's important.
Another issue is using our embassies around the world that can both see things on the ground and what's coming and also be very effective in going to foreign governments and trying to enlist them to support this vision. This vision is not a uniquely U.S. vision. This is really a vision that is international. This is a world vision. It may be that this is the president's strategy, but it's trying to reflect not a set of prescriptions but a vision for the future of the Internet that is going to support societies in economy and innovation worldwide. So those are some of the priorities as we're starting up the office. We are also working closely with our other government partners who have expertise, for instance, in cybercrime, military or standards work, like the Department of Commerce and the State Department. The DOC works very closely on those issues and Internet governance issues. We're trying to make sure that the multistakeholder governance model for the Internet continues.
I've been involved in this area now for a long time, about 20 years. I think that the decisions we're going to make over the next couple of years are going to determine what this technology and cyberspace are going to look like over the next 10, 20 or 30 years - whether it's going to be the same open platform that's going to support commerce and free expression, or whether it will be balkanized, lawless and not support the ultimate goals, the economic and free expression goals. Security is not an end in itself, as you know, but it's a way to make sure that the things we want to achieve are achieved. And that's an important part of this.
I'm very optimistic about this too because there are a lot of other countries that are seeing this. I think you've seen it too because you've covered this issue for such a long time. It's become increasingly important at the highest levels of government here, but that's being mirrored around the world.
CHABROW: Let's switch gears just a bit and take a look at the international cyberstrategy from the perspective of a government agency, corporate chief information security officer or others charged with protecting IT systems. What does this mean to them?
Diplomacy's Meaning to the CISOPAINTER: If you're a CISO, your job is to make sure your networks are secure. You're trying to harden your targets. You're trying to build as much protection into your systems as possible so they don't get victimized by attacks. And if they do, if there are intrusions into your systems or if there are vulnerabilities in your systems, you want to have the ability to bounce back. You want resiliency and, ultimately, you want those threats to be addressed so they'll be reduced.
To give you a couple of examples, one way this is important is if we build these understandings with other countries; let's take cybercrime, for instance. If we build a stronger cooperation with respect to cybercrime, when people try to intrude and attack these systems, there will be accountability. There will be consequences for them, and that will reduce the number of those attacks and make sure that those are addressed. And there's also a feedback loop because you might discover new vulnerabilities, new attack vectors and intrusion vectors that you can feed back to that community. If you build international CERTs (Computer Emergency Readiness Teams) around the world, as DHS has been working to do, and have a cooperative relationship with them, you are able to get more of the vulnerability information and threat information exchanged that can be very useful to a CISO. In the long term, if we build an understanding between countries in terms of what the rules of the road are, what the norms are in cyberspace, that ends up reducing the number of attacks or intrusions because what you're doing is saying, "This is acceptable. This is not acceptable. This is the way that cyberspace should function." And that will help.
I also would say that for the CISOs, who have the mission of protecting their own system, it's important that they engage too, that they find ways to plug into the work we try to do because they're part of the private sector. I'm not someone who thinks the private sector is a monolithic group. There are many different parts of the private sector. They're going to see imperatives and see things that need to be addressed that we may not normally see, and it would be good for them to bring them to our attention. I think it'll help them not just in the long term, but in the short term.
Determining SuccessCHABROW: Is there a way to determine whether the establishment of this office and this policy will be working?
PAINTER: We've already seen some successes just in the short time we've been here. We've been able to bring different parties together on issues who normally don't really communicate. That's been with respect to some of the issues that have been this bucket of issues where it then helps us have a much more holistic position.
CHABROW: Can you give an example of bringing people together who haven't communicated?
PAINTER: I'm not going to get into the actual forum, but there was a particular forum that came up which looked like it was addressing just one part of this issue, the Internet freedom part. But it turned out that it was really addressing a whole suite of issues, including governance and other end security issues. Before, we would not have been as well prepared to deal with all those issues and to understand how this went together to be effective in that forum. We're going to measure our success, quite frankly, on how well we engage other partners around the world, how well we build this consensus and this community of interest. That's going to be the real telling part if we're going to be successful in winning allies and friends and making partners in this area. And it's not just us. We're going to work closely, as we have before, with Justice, with Commerce, DHS, DOD and the White House. I think our success will be measured in how much we see other countries coming and adopting this vision which is an international vision, not just a U.S. vision. We're already seeing that. We're already seeing far more discussion, than I personally have seen over the last 20 years, in just the last year with other countries who now understand how important this issue is.
CHABROW: Any final thoughts?
PAINTER: Personally, I'm very excited to be here in the State Department. My very first federal job back in 1984 for six weeks, between law school and a clerkship, was with the State Department, so I feel like I've come home. There's a lot of excitement here, a lot of buy-in here. I really welcome creating the structure here. I really think this is a moment. As I said, this is an inflection point for what the future of cyberspace will look like, and this is a major policy priority. I'm pleased to be able to contribute to carrying forth those visions. I'm excited. I'm optimistic. I think that the strategy gives us an incredibly great platform to build on. It really says to the rest of the world and to our domestic audience what America stands for and why it's vital to us to find partners and to build consensus with our partners around the world.