On Monday March 7, New York University (NYU) hosted a public symposium to mark the opening of its new Center for Cyber Security, a joint venture between the school’s engineering and law schools that aspires to explore the intersection of security technology and public policy.
Before a full house at NYU’s Dibner auditorium, a group of the university's professors and researchers engaged in a series of dialogues with industry thought leaders from Facebook, venture capital firm Kleiner Perkins Caufield & Byers, and cybersecurity firm IronNet Cybersecurity.
The evolving conflict between Apple and the U.S. Federal Bureau of Investigation (FBI) over access to the San Bernardino shooter’s iPhone provided a timely backdrop for the event, often serving as Exhibit A in a discussion of the complex interplay between technological and legal perspectives on cybersecurity.
Facebook’s Chief Security Officer Alex Stamos—whose employer has publicly backed Apple in its face-off with the FBI—warned of a "slippery slope" when governments force companies to introduce intentional vulnerabilities into their products.
"When you think of security, you have to look at the big picture," Stamos said, arguing that hasty judicial decisions could have lasting economic consequences for companies whose long-term competitive advantage rests on building trust with their customers. "This kind of decision should not be decided in a courthouse. It should be weighed through a legislative process."
Other participants agreed on the need for government to take a measured approach to cybersecurity. IronNet Security president and former NSA General Counsel Matt Olsen argued government should play an active role, but cautioned against the urge to overreact. "We need to get policymakers to pause, listen to multiple sides, and truly try to understand the situation before deciding whether we need legislation. Washington tends to be very knee-jerk."
This growing interplay between legal, policy, and technological concerns reflects the complexity and rising stakes of a rapidly shifting security landscape. Kleiner Perkins general partner Ted Schlein drew a sharp contrast between the 1980s era of hobbyist hackers "who just wanted to mess with you a little bit," and the "catastrophic hacking" of today, in which entire nation-states deploy teams of hackers to infiltrate major corporations, or large-scale criminal organizations set their sights on multiple firms in the same industry, and the CEO of a large public company like Target can lose his job over a high-profile security breach.
Schlein cautioned against the temptations of starting a new cyber arms race. "Getting the balance right is very important for the country," he said. "It’s going to take law, engineering and other perspectives to help us sort through these issues."
From a purely technological perspective, most participants agreed the growing sophistication of security threats demands that security teams shift focus from preventing attacks—which are all but unavoidable—to detecting them as quickly as possible.
"We’ve come to the realization that for the most part, the bad guys are probably going to get in," said Schlein, "so we need to find out as quickly as possible, contain it, and remediate." That means relying on big data analytics and other forms of signal detection to react quickly to attacks rather than trying to prevent them altogether.
In a similar vein, Olsen talked about moving from a focus on securing the perimeter to taking a data-driven approach to detecting intruders. "How do we take advantage of the huge advances in high-performance computing and big data analytics to understand the behavior of devices on a network to determine a threat?"
Olsen felt real gains will come only when companies develop the ability to share data on inbound threats without compromising their proprietary data. "When we get to the point where we can share cybersecurity information in near real-time, that’s when we’ll see companies enabling each other to be in the best position to identify a breach."
To get there, companies will have to explore methods for anonymizing their data and building reliable bonds of trust between companies—and to create legal frameworks that will allow them to do so. By way of example, Olsen pointed to the mutual defense agreements that many countries enter into, "where you realize the greater good comes from working together."
Stamos also endorsed the need for better information sharing between companies, pointing to open source efforts at Facebook like its osquery tool for infrastructure monitoring, and Threat Exchange (a machine-to-machine security sharing system with built-in privacy controls). He cautioned that information-sharing is no "magic bullet," advocating for a multi-pronged approach involving technology, the law, and ongoing awareness efforts to educate the general public about security threats.
"It’s not like building a bridge," said NYU Senior Fellow Judith Germano. "It’s more like a never-ending game of chess."
Alex Wright is a writer and researcher based in Brooklyn, NY.