Catherine Lotrionte has been the power broker behind Washington D.C.’s International Conference on Cyber Engagement for seven years now and she’s getting ready to host it again this April with The Atlantic Council. Formerly serving as Counsel to the President’s Foreign Intelligence Advisory Board and former Assistant General Counsel at the Central Intelligence Agency and in the Department of Justice, Lotrionte first launched the conference with an eye toward information sharing among larger, more advanced countries, and those with fewer resources, but often with more at risk in cyberspace.
The Cipher Brief talked with Lotrionte about what she believes the top international cyber issues will be in 2019.
Lotrionte: We’re still going to have a continuing conversation with respect to norms, or acceptable behavior, particularly for state actors, in cyber space. This has been an ongoing conversation through a number of different venues and we now have some competing forums for which states are seeking to get this on the agenda. One being the United Nations, which has approved another group of government experts to look at ICT. This group has ranged from 15 to 25 nation states, with five permanent members of the security council. And the U.S. is one of the leaders in that group, along with Russia and China. I think we are going to see a lot of continued discussion on that and hopefully we’ll see progress made on the norms that have already been agreed to.
I think we are also going to see in 2019, more of a focus on the technologies that can be leveraged for cyber security that are also being used for other purposes. Things like artificial intelligence, which has gotten more attention. China and the U.S. are the major leaders in developing artificial intelligence. I think China has some advantages in this space and may surpass the U.S. in terms of its capability and how the government in China is leveraging their ability to fund private sector start-ups in the AI field. I think we are going to see AI as well as quantum computing and encryption as important discussions for advancement in technology.
The Cipher Brief: Which countries do you think are most progressive on implementing effective cyber policies so far?
Lotrionte: For a long time, there were very few countries that had written and published a cyber strategy. Today, we have about 80 or more countries that have their own cyber strategies. Many of the strategies share similar principles, usually including a statement about the need for a strong public-private partnership.
What really matters is what you are doing in terms of carrying it out. How is it actually working within your own government system? And typically, you’ll see R&D and research as part of cyber strategies, and the international outreach is always there.
I think the countries that have been the best at implementing policies tend to be those that have more of the advanced economies. So, they recognized probably long ago, that the economy of the country depends on the security of their cyber infrastructure.
The Cipher Brief: Which countries do you think are leading the way in terms of successfully engaging with the private sector?
Lotrionte: When we say, “engaging with the private sector“, what I’ve seen is that countries do that in a couple of different ways. The U.S. and the UK, as well as Israel, has been very forward-leaning in how they are interacting. Typically, that starts with sharing information and I usually think of the private sector in this field. There are two groups of people, when we think of cyber security, there are cyber security firms, those who have the technical expertise to actually build defensive protections, but also have the expertise to build offensive cyber weapons. And then there are the critical infrastructure private sector groups, if you will, opened and operated by the private sector. Both are important.
Now different governments have worked differently based upon their own culture and the way they do business. So, for instance, in the U.S., the U.S. government has been forward-leaning in information sharing by building organizational structures like the ISACs, with DHS in the lead, trying to make sure that government shares as much of the threat information as possible with the private sector. But when you consider the U.S., as a nation, the government tends to take a hands-off approach to any private sector issues. The Israelis and China, and in fact, Russia don’t have the same approach when it comes to really letting the companies do it on their own, if you will. So, the U.S. government wants to make sure that private companies are securing themselves, and at some point, of course, the government is there to defend the country.
The Israelis have really been out front where they have come up with unique and innovative ways of thinking about how they can leverage the ingenuity of their engineers and computer scientists working mostly in the private sector, to help the government and the country at large. The government has physically brought together both government research institutions and private companies. And what they have done with the companies is, they haven’t just encouraged them to focus on cyber security, they are actually subsidizing the work of private companies. So, for instance, if there is a technology company – it doesn’t have to be Israeli – if they come to Israel and they hire young Israeli engineers or computer scientists, the Israeli government will pay the salaries of those people. They’ll also help pay taxes, so the government is actively involved in energizing this innovation and making sure that the cyber security field has the amount of research and expertise that it needs.
China is doing this in an interesting way, particularly with artificial intelligence. China is not just waiting to see what companies like Google will produce in terms of future AI capability. The government of China is actively investing in this development. They are investing large sums of money not only to start-ups, but to individual engineers who will likely leave a larger company and create their own start-up focusing on AI. The Chinese government is also subsidizing an entire city, a new infrastructure, built on AI. So, they are creating a city from scratch, really, where it’ll be completely run on artificial intelligence.
Russia’s interaction with the private sector is another example of a different way to do it. Not one that the U.S. would necessarily take. Russia has been notorious for using organized crime. So, these are also private entities, private individuals; where the government looks the other way if this entity is conducting cyber crime, as long as it is not impacting any Russian entities inside the state. But the government will also hire these individuals while benefiting from the money that the organized crime members make. But they’ll also hire expertise out of this private sector field.
So, the U.S. will not, of course, alter its way in terms of approaching its relationship with the private sector in the same way that Russia does. But there may be some things to learn in terms of watching, particularly with artificial intelligence, the direction that China is moving in that we may want to think about. Australia is doing great things in terms of traditional information sharing and working with the private sector. But there are countries like Israel and China who are really taking it to a new level and doing things that the U.S. may never do or hasn’t done as a nation when we think about our relationship between the government and the private sector.
The Cipher Brief: You’ve been the force behind the International Conference on Cyber Engagement in Washington D.C. for seven years now, and you’re getting ready for the eighth installment hosted by the Atlantic Council. What are some of the lessons learned from past events when it comes to international cooperation and participation?
Lotrionte: We are convening people based on the different challenges they are facing and combining both the government perspective and private sector, as well as researchers and academics. I’ve seen over the years that more government and private sector companies have seen value in talking about issues and challenges that they deal with every day in an environment where you are not stuck in your normal protocols. The dialogue is free-flowing and it really encourages people to get to the heart of the issue.
I would like to get more countries in the Middle East involved. I’ve had a number of countries like Jordan that have participated, Israel has been involved, but I’m asking others to join us as well. I would like to see more African countries represented. I’ve had a few over the years, but a lot of times it’s the cost of the travel to the U.S. that has prevented some of the countries from coming and being represented. But, the issue of capacity building and other issues will be important for those countries. Europe hasn’t been a challenge at all. Singapore, China, South Korea, Japan, have all been represented.
See also, The System is Blinking Red Once Again…