A Human to Know: Megan Stifel

When you think about cybersecurity solutions, you’re probably not thinking about recycling, using renewable energy, or constructing LEED buildings. Megan Stifel, former Director of International Cyber Policy on President Obama’s National Security Council and current Cybersecurity Policy Director at Public Knowledge, recently wrote a paper explaining what cybersecurity policymakers and practitioners have to learn from the sustainability movement.

“Where two decades ago recycling was not yet mainstream and companies were not competing on how much energy their new products save, today, in many parts of the world, recycling has become second nature, and institutions win awards for their environmental stewardship,” she says. “Few understand the science and processes behind these developments, but they give consumers and corporations a positive sense of control over and contribution to a greater societal good. I believe we can apply many elements of this approach to make meaningful progress in cybersecurity.”

Cybersecurity and sustainability management both address risks to shared resources, whether those resources encompass the natural environment or information and communications technologies (ICT). They are also both forward-looking, seeking to not just mitigate existing problems but to build long-term strategies for the future.

Last week, I spoke with Megan about sustainable cybersecurity and what it means for the world’s democracies. An edited version of the interview is below.

How did you become interested in sustainable cybersecurity in the first place?

From my experience in the government and now working with startups and a consumer advocacy organization, it became increasingly clear that to improve cybersecurity, we need progress across stakeholders—particularly with corporations and consumers. For corporations, we need them to expand their aperture from “how secure is my network” to “how secure is my product” (whether it be a physical good or a service). For consumers, we need them to understand the benefits of more secure products and better “hygiene” in their use.

At the moment, however, the market does not facilitate meaningful information exchange on these issues. I began to examine other areas where progress has been made through corporate and consumer action. Climate change and the sustainability movement that has taken off in the past two decades quickly drew my attention.

In the context of sustainability, you mention a comparison between data and oil. Could you explain this analogy?

There are no perfect analogies for our cybersecurity challenges. But, as I noted in the paper, several publications and cybersecurity experts have highlighted this one. First, like oil, data itself is a resource to the organization that collects it. Once collected, it can be further analyzed by the collecting organization, or shared with another organization that may further “refine” the data for its own use. Second, if that collection and future transfer and processing are not carefully considered from the outset, the resource can be lost through (among other things) a “spill.” Of course, the consequences of an oil spill and a data breach are quite different, but both are quite preventable through appropriate resource allocation. Failure to properly anticipate and plan for one, however, risks the longevity of the respective ecosystem.

The report also mentions the idea of trust. What's the relationship between cybersecurity and trust, and what, if anything, are current cybersecurity shortcomings doing to trust itself?

Cybersecurity is a cornerstone of trust in ICTs. Poor cybersecurity—for example, what led to last year’s Equifax breach, or the other near-daily headlines of data breaches exposing sensitive personal information—has contributed to decreasing consumer trust in online activities. The 2018 RSA Privacy and Security report found that 78 percent of respondents limit the amount of personal information they put online or share with companies. A 2015 Pew Research Center study presaged one reason for this practice: in addition to concerns about economic sectors that Americans associate with data collection and monitoring, “Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.” And in 2016, the National Telecommunications Information Administration reported that lack of trust in internet privacy and security deters consumers from engaging in certain electronic transactions and other e-commerce activities. If we want to continue to reap the economic and societal benefits that interconnection has enabled, we have to improve user trust in ICTs, and strong cybersecurity is a critical element in that effort.

How should democratic countries start down the path of sustainable cybersecurity?

Cybersecurity is a team sport (said one of my former government colleagues). Policymakers may be one of the captains, but like any team sport, the players—including the captains—need to be able to play a number of different positions to succeed, even if they excel at offense or defense.

The sports analogy (recall not one is perfect!) is useful because for consumers, we need to start cybersecurity awareness at a young age; we need to practice it daily; and we need to update our equipment and brush up our skills regularly, often times with the help of experts. Similarly for enterprise network operators, they need a deep bench and a series of playbooks. Fortunately, while sports teams may not share their inside knowledge on the competition, in combating malicious actors, we need all stakeholders to share as much information as we can and put it to meaningful use.

Is this an effort that relies on policymakers alone?

Policymakers can help to convene opportunities to share information, identify gaps, highlight policy priorities, and propose and pass enabling legislation where appropriate. But we need private and public institutions to step up and put cybersecurity first or near the very top of their priority business operations. Just about everywhere one looks, cybersecurity plays a critical role in ensuring what is expected and intended to happen does happen, and preventing what should not happen from happening.

While adherence to the rule of law is critical to effective cybersecurity, government does not and should not have all the answers. In addition to substantive and procedural laws that criminalize misuse of ICTs (like those discussed at the Budapest Convention), we need to address cybersecurity through engagement with a range of stakeholders, including industry, civil society, academia, and the government. This will lead to more effective solutions than those conceived by government alone.

And what does the future look like for you? What research and policy issues do you see yourself working on?

I’m eager to collaborate with organizations interested in supporting the transition to a sustainability-framed approach to cybersecurity. In the near term, that includes looking at labeling approaches to convey security capabilities to interested consumers and increase demand for more secure products. I would also welcome the opportunity to engage sustainability management leaders at institutions to learn from their experiences and further refine relevant elements of the white paper.