8. Cyber Policy

Janice M. Hamby and Thomas C. Wingfield

The effective use of the informational instrument of national power in all domains, and the use of all the instruments of national power in the cyber domain, will be a serious and growing challenge for the United States. The next U.S. President must have a clear understanding of the relationship of technology, law, and policy in formulating options. Centralized but not procrustean leadership at the highest level, providing a clear and rational delineation of authorities, will be needed to coordinate and effectively employ U.S. cyber and information capabilities. Internationally, engaging with allies and partners will be vital to our defense; engaging with adversaries will require a new understanding of deterrence and counter-espionage in cyberspace. Domestically, new approaches to public-private partnerships will be key to addressing threats, preserving civil liberties, and unleashing our potential for improved governance and expanded commerce.

By any measure, the United States leads the world as a cyber power in terms of its cyberspace-related leadership and capabilities, research and development, innovation, and commercialization of leading-edge hardware and software, as well as more specialized products for military and scientific applications. This is also true for the world of information. Without any whole-of-government coordination, the United States produces and exports the lion’s share of globally consumed television, film, music, and games, as well as data, information, and knowledge systems. Its advances in mobile communications and social media have revolutionized the way the global community communicates, learns, and even thinks. With this largely unplanned success has come a series of challenges, many of which require a more deliberate approach and a national-level strategic effort, with Presidential leadership, to resolve. This chapter provides summary views of many of these challenges and offers recommendations by which the administration could gain traction over even the most daunting issues in the information and cyberspace domain.

From the perspective of the Department of Defense (DOD), the term cyberspace is defined as a global domain within the information environment consisting of interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.[1] Protecting this domain is a national priority. It underpins U.S. and global commerce, governmental and private discourse, innovation, and creativity. It has evolved into an essential enabler of governance, business, and personal transactions. It has elevated the impact of information in all its forms and provides both opportunities for and limitations to the way we conduct our national security strategy.

The actors with whom the United States must engage and sometimes counter include capable nation-states, criminals, and nonstate actors. Many of these are not bound by the same norms and restraints that the United States observes. The complex motives and methods, combined with a low barrier to entry, heighten the potential for damaging effects caused by competitor and adversary actions. The need to ensure that we both leverage the potential of cyberspace for U.S. national and global advantage and protect our systems and information to ensure our prosperity and security as a nation demands a comprehensive, integrated strategy that provides coherence of action and synchronizes Federal, state, and local initiatives in cooperation with our partners in industry as well as with foreign governments.

[Figure 1. Framing Cyberspace: Technology (Possible), Law (Permissible), Policy (Preferable)]

Framing Cyberspace: The Possible, Permissible, and Preferable

Because cyberspace is a domain of near-infinite complexity, we need models to allow us to build common theoretical frameworks to help us synchronize our academic research, operational
planning, and high-level policymaking. Nowhere is such a common operating picture more important than in explaining the relational positions of technology, law, and policy.

In figure 1, the outermost box represents technology—the range of the possible. As the largest box, it consists of everything that technologists have delivered, or can deliver, without violating the laws of physics. Some of these options are lawful, some are not; others make good policy sense, while others do not. To extend the metaphor, the top and sides of the box can be extended with more time, more money, or smarter scientists and engineers. The bottom, however, cannot be extended—it represents those laws of physics and other barriers beyond our control that limit our expansion to the other three directions.

The intermediate box represents the law—the limits of what is permissible. Outside this box are options that are technically feasible but legally impermissible; inside the box is the full range of lawful options for policymakers to consider. Just as with technology, the top and sides of this box can be expanded—domestically by an executive order, statute, or court ruling. Internationally, we can expand or contract this box with treaties or, more often, by concerted changes to state practice with opinio juris (the stated position that international law requires or permits a certain action), resulting in a reinforcement of or change to customary international law. But just as with technology, there are virtually unchangeable aspects of the law. Domestically, the best examples are fundamental constitutional norms—freedom of speech or freedom from unreasonable search and seizure—that are unlikely to be altered even through another constitutional amendment. Internationally, we refer to these near-unchangeable laws as jus cogens norms—prohibitions accepted by so many states for such a great length of time that only other jus cogens norms could displace them. Examples include the universal bans on piracy, slavery,
grave war crimes, and genocide. This is not to say that these crimes do not exist, but rather that their historical severity has rendered them unlikely to ever be legalized. Their most important aspect is their universal applicability, even in the face of a dissenting state. For international lawyers, jus cogens norms are the equivalent of the laws of physics.

The innermost and smallest box is policy—the realm of the preferable. These are the policy options that make the most strategic sense, aligning desired ends with available means most effectively. They make the most political sense, whether in response to public opinion, media coverage, or interest-group or thought-leader positions. They might be the path of least resistance within a bureaucracy, the least common denominator position adopted by a coalition of allies, a workable compromise within a legislature, or an executive’s daring vision. In any case, they are the product of the political forces operating at the time and should be derived from the largest possible menu of lawful options. As with the other two boxes, we can imagine three sides that can be moved with time, money, and political capital, just as we can imagine a fourth side that cannot be—policy options that are considered so politically toxic or strategically unfeasible as to be impossible.

[Figure 2. Cyberspace Issues and Federal Boundaries]

Governance Framework and Policy

Multiple partitions abound in the Federal Government’s design, reflecting the economic and political priorities of the Industrial Age. One effect is the pile-up of “cross-cutting” issues—particularly those generated by the disruptive information/digital age—that fail to fit neatly within outdated Federal agency/department boundaries. Figure 2 shows examples of cyberspace issues that run across, over, under, and around these boundaries.

This leads to costly dysfunctionality. Issues of cyberspace become too fractured and segregated to fit within the logic of existing department/agency mission areas. This limits responses to departmental or agency-specific responsibilities, which rarely consider or incorporate all the other parts of a cross-cutting issue. The results are solutions with a higher risk of failure—for example, the persistent failure to share electronic health records between DOD and the Veteran’s Administration. Departments and agencies waste resources and duplicate efforts. Bureaucratic barriers bound Federal work and employees within department and agency
authority structures, which lose synergistic value. Moreover, these arrangements cause unnecessary contestation for resources and arguments over leadership, spending, and control at the expense of shared best practice solutions.

Four reform strategies have been attempted thus far: grabbing agency components to create an Industrial Age–style Department of Homeland Security; designating lead agencies; appointing “supervisory czars” over groups of agencies (for example, Director and Office of National Intelligence); and building lower-level, issue-specific fusion centers for cross-agency information-sharing and coordination. Collectively, these strategies have generated modest improvements in shared situational awareness on the cross-cutting issues of cyberspace. They have been handicapped by a narrow focus, inappropriate appropriations classifications, and misaligned authorities and responsibilities, leading to continued duplication of effort, poor exploration of unintended consequences of policy actions, and constant work to address undiscovered feasibility, affordability, and utility issues.

We offer the following recommendations:

• Map Federal Government relationships within cyberspace writ large to generate shared situational awareness as the basis for effectively integrating the executive branch. This map should offer a dashboard-style, real-time presentation of connections, crossovers, databases, and knowledge sets of the Federal Government and expand to include commercial, nongovernmental, and international networks.
• As a first step to fitting the Federal Government for the digital age, create an empowered and resourced leadership structure in the executive office with a cyberspace remit, rather than one focused on e-government or cybersecurity.
• Task this new structure and leadership to launch a “hackathon”-style initiative to acquire and explore new options for executive branch network structures that are not dependent on current Federal Government agency and department boundaries, budgets,
and authorities.
• Design a collaborative follow-on strategy with congressional Members and staffs for identifying legal frameworks for authorizing, appropriating, and overseeing such networked and adaptive structures.

Reviewing Cyber Authorities

The U.S. Government has not clearly laid out the roles, responsibilities, and authorities (RRA) of its components for cyberspace operations. As a result, U.S. actions in cyberspace are neither coordinated nor synchronized, and resources are not coordinated to reduce inefficiency and unintended redundancy. As identified in the 2016 Cybersecurity National Action Plan (CNAP), the Barack Obama administration’s cyber policy has been based on three strategic pillars: raising the level of cybersecurity in American public, private, and consumer sectors; taking steps to deter, disrupt, and interfere with malicious cyber activity aimed at the United States or its allies; and responding effectively to and recovering from cyber incidents.[2] In addition to the CNAP, areas previously addressed include information-sharing (Executive Order 13691[3]), improving government information technology and information security, increasing public cyber awareness and education, and increasing the size and quality of the military and civilian cyber workforce. These initiatives are helping to address the tactical and operational weaknesses of the United States.

Unfortunately, what is missing is a comprehensive framework that clearly articulates the RRA for Federal, state, and local governments. There are several key documents that address aspects of this problem, the most important of which are Presidential Policy Directive (PPD)-20, PPD-21, and PPD-41.[4] All address important shortfalls, but greater synchronization and clearer authorities and responsibilities are needed.

We offer the following recommendations:

• Replace the patchwork of executive branch policies that describe cyber roles, responsibilities, and, on occasion, authorities with a single overarching document.
• Ensure specificity and clarity when assigning RRA in cyberspace for Federal organizations. There are debates about responsibility whenever agencies have to interpret RRA, which delays collaboration and hinders the sharing of information. Require rotational assignments for senior executives to ensure a more complete understanding of the roles and responsibilities of other Federal agencies.
• Ensure this new document expands upon the framework initially outlined in PPD-20. Unlike PPD-41, which focuses solely on event response, the policy must look holistically at cyberspace, to include planning for the building of the cyberspace terrain and how we operate in that terrain, both offensively and defensively.
• Continue the concept of using lines of effort as introduced in PPD-41. This format is an easy structure to understand, clearly identifies the supported and supporting organizations, and will enhance collaboration among agencies across the range of cyber activities.
• Make the document unclassified. A major issue with PPD-20 is that it is a top secret document, and the vast majority of the workforce has no idea of its contents—or even its existence. This made it challenging for the Federal workforce to understand how its organization fit into the cyberspace architecture. In addition, the private sector and American people lacked knowledge of U.S. defenses and cyberspace capabilities.
• Consider creating a Department of Cyber to unify capabilities and provide leadership. Following the U.S. Coast Guard precedent of having one of the Armed Forces report to an agency other than DOD, consider aligning U.S. Cyber Command under this new department.

Engaging the International Community on Internet Governance

The United States must engage the international community regarding Internet governance to ensure that information in cyberspace remains free and accessible to U.S. citizens and the global community. Framing this complex challenge requires understanding the roles that cyber
strategy, policy, regulation, and security play in Internet governance. It is also important to assess whether our efforts to secure the Internet and protect information and privacy rights are consistent with overarching “governing” objectives (that is, information freedom and net neutrality) and to ensure that our security efforts do not threaten the very liberties they are intended to protect. This is not to suggest that U.S. engagement can wait. The pace and scope of the Internet’s growth and the infinite ways it is evolving, with economic, political, and social implications, necessitate a deliberate and decisive engagement.

While the Internet has ushered in great societal benefits, it has also introduced new risks, such as crime, terrorism, and warfare, that threaten the critical infrastructure and services on which societies depend. The risk borne by individuals and societies continues to expand as complex and tightly coupled systems[5] such as electrical power grids, services such as health care, and the emerging “Internet of things” are increasingly interconnected, moving us from the information age to a “network society.”[6] As with any technology, there are intended and unintended uses and users. There are some who desire to leverage the Internet to bring local, national, and global services and benefits.[7] There are others with nefarious intentions, introducing crime, exploitation, and terrorism into cyberspace.

We offer the following recommendations:

• Map infrastructural Internet components to identify gaps and redundancies in governance.
• Incorporate cyberspace policies and standards into future bilateral and multilateral trade agreements to establish and reinforce needed international cyber norms.
• Forge new ties with a variety of nonstate actors, including industry, nongovernmental organizations, and international organizations (for example, the International Telecommunications Union, Internet Corporation for Assigned Names and Numbers, and so forth), to build a
coalition of governing actors that share democratic values as they relate to information and cyberspace.
• Engage the public in this policy formation process, as its understanding of the benefits and risks associated with the Internet is key to its future security and resiliency. This can be accomplished through different forms of public forums.

Measuring Performance in Cyberspace

Performance management has been required of Federal agencies since passage of the Government Performance and Results Act of 1993. However, the integration of performance information into agency decisionmaking is not well advanced.[8] Despite efforts by the George W. Bush and Obama administrations, the Government Accountability Office noted that reported use of performance information for high-level objectives did not improve between 2007 and 2013.[9]

Since cyber is a relatively new field, cyber performance management is still a fairly undefined term. During this developmental stage, the cyber world must embrace performance measures that link organizational strategic goals and objectives with strategic initiatives in order to assist government agency–level leaders or executives with organizational decisionmaking. Traditional information technology (IT) services, those commonly found under the domain of Federal chief information officers (CIOs), do have performance metrics. These existing metrics (for example, network availability, number of trouble tickets resolved) do not address cyber performance management. As a result, organizational cultures inappropriately place responsibility for gains from cyberspace on technicians alone.

Table. Differences Between Nuclear and Cyber Weapons

| | Target of Deterrence | Development Effort | Effects of Use | Proliferation | Deterrence |
|---|---|---|---|---|---|
| Nuclear Weapons | State | State-level resources | Immediate, overt destruction | Low | Well understood |
| Cyber Weapons | State, Nonstate, Individuals | Individuals to state, but also self-creating | Widely variable breadth, depth, and time | High | Debatable |

We offer
the following recommendations:

• Include a performance management framework for cyber in the next National Security Strategy (NSS).
• Mandate agency strategies include performance measures that directly align with the performance management framework in the NSS.
• Develop performance measures that reflect cyberspace’s impact on national strategy goals such as national security, civil liberties, and economic growth.

Deterrence and Offensive Cyber Operations

Cyber deterrence is a critical component of overall strategic deterrence, but it is far less developed conceptually. Some see a parallel between nuclear weapons and cyber weapons and posit that nuclear deterrence models could therefore be usefully applied to cyberspace. One critical difference is the scalability of cyber weapons, which allows for cyber deterrence at the operational and tactical levels. The table highlights some of the differences between nuclear and cyber weapons. These differences illuminate the need to develop a new model that incorporates the unique aspects of cyber deterrence.

The target of deterrence needs to believe the deterring state has the capability to impose an unacceptable cost for an attack, coupled with the will to use that capability, or the capability to defend against or immediately recover from an attack, rendering it ineffective. The highly secretive nature of our offensive cyber capabilities, and the many restrictions placed on their use, limit their deterrent effect. Additionally, cyber attacks are often difficult to trace. This lack of attribution means attackers need not fear retribution. Finally, leaders who feel vulnerable to retaliation or find an attack to be pointless due to resilience may also hesitate to act or to escalate.

Cyber weapons are part of a larger arsenal of national power that the United States could bring to bear to deter or, should deterrence fail, to defeat our enemies. While cyber weapons may be the most appropriate means to achieve a specified effect,
other sources of national power are also clearly relevant to both cyber deterrence and cyber operations in conflict scenarios.

We offer the following recommendations:

• Support a sufficiently capable cyber force to ensure a deterrent effect and, should deterrence fail, to prevail in conflict scenarios.
• Emphasize the essential nature of cyber resilience as a matter of broad national policy to promote necessary investments in backup and restoration capabilities, and invest in technologies that make defensive cyber operations faster and less manpower-intensive, such as artificial intelligence and big data analytics.
• Direct research on the integration of cyber capabilities into deterrence theory frameworks.

Advancing Public-Private Partnerships

The loss of critical infrastructure “would have a debilitating impact on security, national economic security, national public health or safety.”[10] The majority (about 85 percent) of critical infrastructure is privately owned and operated, requiring a public-private partnership to provide its security.[11] Operating alone, the private sector is incentivized by profit and is averse to liability. This puts the resiliency of national critical infrastructure at risk. The current strategy of promoting and facilitating best practices and information-sharing with the government is necessary but insufficient to addressing sophisticated threats of organized crime, terrorists, and nation-states. National interests traditionally handled through law enforcement or national defense are not aligned with the financial and reputational interests of the private sector. As the United Kingdom Cyber Security Strategy states, “Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space.”[12]

We offer the following recommendations:

• Propose legislation to accelerate and expand the provisions of the U.S. Cybersecurity Act of 2015.
• Promote incentives, venues, and opportunities that encourage private-sector participation in solution development.

Privacy and Identity

The laws, regulations, and standards that govern the protection of personal information and the release, mandatory or otherwise, of data collected or maintained by the U.S. Government are undergoing a period of review. The triple challenges of IT advances, the globalized flow of data for trade and other purposes, and the value, both legal and illegal, of individually identifiable information have caused this relook. Advances in IT have included an exponential increase in collection, storage, and processing capabilities, including the development of machine learning algorithms that greatly surpass human ability in pattern matching and discovery. The globalized flow of data is fueled by electronic commerce, off-shoring, and transnational workforces, enabling 24/7 operations that flow from time zone to time zone. Finally, the value of individually identifiable information enables both good and bad things: it can not only assist law enforcement and intelligence activities and enable better service, but it also fuels identity theft, fraud, and blackmail. This situation is exacerbated by the reality that different cultures approach the definition and protection of privacy very differently. This difference has complicated global commerce and international legal structures, but solutions such as the European Union–U.S. Privacy Shield have been developed to bridge such divides.

Challenges remain. Existing controls are structured for legacy structures and technologies. Emerging technologies present new challenges. This new and evolving state of affairs requires careful consideration to ensure that government activities are consistent with social values, international trade agreements, and reality.

Several important initiatives are emerging to create a foundation for a solid path forward. The creation of the Federal Privacy Council is critical to
these efforts and signals the importance with which the problems associated with privacy and technology are considered. Similarly, the National Institute of Standards and Technology (NIST) has begun twin efforts in developing guidance and standards for privacy and de-identification processes. Emerging research from academia and industry in topics such as privacy labeling and management, database privacy, and differential privacy is critical to the development of tools and practices for privacy problems. There is an emerging community of practice of privacy officers, mathematicians, computer scientists, and civil libertarians that provides fora for the discussion and presentation of research. Building on these initiatives provides a way forward to address privacy and data release concerns.

We offer these recommendations:

• Leverage the Privacy Council and NIST efforts to provide intellectual support to the community of practice and create feedback mechanisms to U.S. Government efforts.
• Prioritize funding the National Science Foundation and other government research to support existing privacy enhancing functional research, such as differential privacy.
• Fund research into the future of privacy, such as the issues associated with big data analysis that derives private information from contextual data, a lack of published information, or from cross-referencing information from multiple sources. All these approaches have been used to expose private information and present significant challenges for both individuals who wish to keep aspects of their lives secret and for governments that need to keep aspects of operations, such as research and development and counterintelligence efforts, secret.
• Sponsor research into cascading effects from privacy violations that subvert national goals in order to reveal currently unimagined policy and scientific needs.

Foreseeing the Future of Identity

Concepts of identity are evolving in ways that are difficult to predict. In the
past, identity elements were defined through elements of personhood: name, eye color, job title, responsibilities, profession (lawyer, doctor), relationship (family or network member), interests, hobbies, habits, culture, values and belief systems, heritage, citizenship, and political structures. Layering on those established identity elements are new cyber-enabled identities, which may or may not relate closely, or at all, to physical reality. Cyber identities may be expressed through a variety of means, including avatars in artificial worlds, software bots that execute behaviors such as troll armies, affiliation with ad hoc communities such as Anonymous, or as social media characters. Besides being new ways to create or express identity, these cyber-enabled identity elements can be difficult to relate to real people and thus cause challenges in realms as diverse as national security and mental health. As cyber-innovation continues at its breakneck pace, cyber-enabled identities and identity elements will continue to evolve and mutate in ways that are difficult to predict, including allowing people to “live” or express themselves through multiple different identities or even many cloned identities.

There are important implications for this emerging fluidity in identity. One is in governance: when one person can have multiple identities, that person can opt in to multiple governance structures ranging from political to practice to commercial. Another is in security: identities can be used to disguise or hide subversive activities but may also be used effectively to discover and understand alternative ways of thinking and acting. There is benefit and worry; the balance between the two requires significant understanding and structural philosophical approaches.

We offer the following recommendations:

• Appoint an interagency working group with representatives from the Justice, State, Defense, Transportation, and Homeland Security departments to formulate, lead, and coordinate legal approaches
domestically and internationally, because cyber-enabled identities can easily engage in behavior that crosses jurisdictional boundaries.
• Create an office in the Department of Homeland Security to engage in dialogue with communities formed in the virtual world by cyber-enabled identities for communication and intelligence.
• Fund research into the implications (for example, psychological effects or national security considerations) of single individuals engaging in the virtual world through multiple cyber identities.

Technology for Governance

Explosive growth of unstructured data demands solutions to the challenge of information management. As the use of mobile devices and sensors grows and evolves, experts expect data volume to grow to over 4,300 percent of 2009 levels by the year 2020. The Federal Government faces a need to shift from collecting data to gaining new insights, identifying unexpected patterns and trends, and using data analytics to find new solutions to complex problems—an analysis best conducted using data visualization techniques. Unfortunately, correctly interpreting trends and patterns hidden in the data requires special skills in information and computing technologies that are lacking in the current cyber workforce. Additionally, appropriate investment in the underlying technologies themselves lags well behind need. Ultimately, information processing and visualization must be improved for national leadership to make sense of the proliferation of data in order to inform policy and decisionmaking.

Visual analytics is an especially compelling technology because of its potential to facilitate leadership’s ability to understand a situation quickly and clearly and to make better decisions. However, a major challenge, in addition to a very small talent pool, is the level of funding required for high-end visualization resources and machine learning capability. Google researchers note that machine learning can solve problems that no other methods
can, but that the cost of the technology and maintenance of the algorithms is significant and may be out of reach for individual organizations.[13] A collective approach to develop capabilities that could then be further customized for individual organizational use is warranted to make these technologies affordable.

We offer the following recommendations:

• Tap private sector and academic research to inform development of objectives and policy regarding data visualization capabilities.
• Direct NIST to move more aggressively to instantiate a collaborative model to catalyze development of data visualization capabilities for the purpose of government sense-making and decisionmaking.

Decoding Encryption: Aligning Technology, Law, and Policy

The Nation faces the risk that our adversaries’ use of encryption technologies to “go dark” will cause the loss of the ability to surveil their actions in cyberspace.[14] Terrorists are using the Dark Web and strong encryption technologies to plan and execute their operations, protected from government surveillance.[15] National security and law enforcement entities desire a backdoor or master key built into the encryption algorithms, or legislation compelling companies to engineer their software allowing for searches, to surveil terrorists and investigate criminals.

The cryptographic, scientific, and technologic communities are united in saying strong encryption is an all-or-nothing position and that weaker encryption jeopardizes the global infrastructure of trust. Encryption is founded in mathematical principles and is considered strong only when it is subjected to rigorous public scrutiny. A weakness—whether accidental or legislative—is a globally exploitable feature.

Strong encryption is important to national security. Critical infrastructure, banking, commerce, and communications all rely on strong encryption for security. Encryption protects and enables national defense, commercial activities, and freedom of speech. Public and private
entities use strong encryption to fulfill their obligations to protect personal information under legislation, for example, the Health Insurance Portability and Accountability Act and the Privacy Act of 1974.

Recent attacks in the United States, France, Belgium, and Turkey, aided by secret communications using strong encryption, provide a case to limit it. This, however, would not be effective. Encryption technologies used by criminals and terrorists are not controlled solely by U.S. companies or interests and cannot be effectively curtailed through U.S. legislation. Additionally, methods to surveil and apprehend criminal and terrorist actors who use encrypted technologies do exist. These methods exploit how the actors build and use encryption technologies and the infrastructures of the Dark Web. Additional research is needed, as many methods and techniques were exposed and rendered ineffective by the Edward Snowden leaks of 2013, but others can be developed.

We offer the following recommendations:

• Support use of strong encryption, acknowledging its utility for protecting citizen data.
• Require use of strong encryption technologies in the Nation’s critical infrastructure.
• Invest in advanced tools to identify and surveil criminal and terrorist actors.

Developing a Coherent Artificial Intelligence Agenda

Between May and July 2016, the U.S. Office of Science and Technology Policy (OSTP) completed four public workshops on artificial intelligence (AI) to “identify challenges and opportunities related to this emerging technology.”16 Focus areas included legal and governance, use for public good, safety and control, and social and economic implications. Additionally, OSTP created a new National Science and Technology Council (NSTC) Subcommittee on Machine Learning and Artificial Intelligence to coordinate Federal Government activities in these areas. These two initiatives demonstrate that AI is gaining attention, but they do not constitute a strategy for assessing the associated benefits and risks in a
comprehensive manner. With the imminent arrival of self-driving vehicles and precision autonomous weapons systems, it is imperative that the United States advance a coherent AI agenda addressing the technological, legal, and policy implications of this technological revolution. Failure to do so threatens to leave the Nation incapable of benefiting from AI use for the government or influencing responsible AI use in the private sector.

We offer the following recommendations:

• Charge the newly formed NSTC Subcommittee on Machine Learning and Artificial Intelligence to maintain currency on AI capabilities and trends, regularly convene diverse experts in the field, offer expanded participation in the subcommittee, and produce actionable, timely AI goals.
• Complete a formal review of White House expectations to influence private AI use and implementation of AI in government.
• Conduct outreach to address public fears that AI may cause loss of jobs or that autonomous machines may threaten public safety.

Modernizing Government Cyber Infrastructure

The White House and Congress must continue to reform IT acquisition practices in order to meet modernization goals and objectives. Numerous studies and congressional testimonies have highlighted the need for a synchronized and cohesive strategy to plan, program, budget, and execute modernization of IT. A May 2016 report by the Government Accountability Office (GAO) found that Federal agencies are spending almost 75 percent of the $88 billion IT budget to maintain legacy systems.17 The report specifically identified that 5,233 of approximately 7,000 Federal IT systems are spending all of their funds on operations and maintenance costs. By comparison, development, modernization, and enhancement spending for the same programs represents less than 25 percent of spending and has declined $7.3 billion since 2010. The study also highlighted that numerous systems were developed decades ago with parts and programming languages that
are now obsolete and pose significant risk. Some of the programs, such as the DOD program that coordinates the operational functions of the Nation’s nuclear forces, were developed over 50 years ago and use 8-inch floppy disks that have long ceased being produced. In other cases, agencies rely on outdated operating systems, such as those from Microsoft in the 1980s and 1990s, that ceased vendor support long ago. As a result, the GAO study found that agencies spend significantly more to hire and maintain programmers who hold specific skill sets as well as expose increased security risks. This comes at a time when more than $3 billion worth of Federal IT investments will reach end-of-life in the next 3 years.

In response to these issues, the Office of Management and Budget (OMB) developed the IT Modernization Fund (ITMF).18 The fund, as part of the White House’s Cybersecurity National Action Plan, follows up on the gains made from the Federal IT Acquisition Reform Act in 2014.19 The ITMF is in line with the recommendations from the May 2016 GAO report and supports other modernization initiatives such as the General Services Administration (GSA) 18F program.20 Success of the ITMF is at risk unless several major weaknesses are addressed.

We offer the following recommendations:

• Establish a centralized board of experts to identify and prioritize the most pressing legacy IT systems to be targeted for replacement with a smaller number of common platforms.
• Provide an initial $3.1 billion in seed funding. Based on calculations provided by OMB, the funding will address at least $12 billion in modernization projects and generate the momentum needed to establish a repayment process to ensure the ITMF is self-sustaining.
• Establish, under the oversight of the GSA, a centralized fund supporting agency modernization plans, competitively distributed based on plan quality.
• Leverage GSA experts in IT acquisition and development to support agencies in implementing their modernization
plans.

Improving the Cybersecurity Workforce

U.S. national security, the protection of critical infrastructure, and the effective functioning of the Federal Government require reliable and secure cyber-based government assets supported by a professional cybersecurity workforce that protects these assets from all types of threats, including cyber attacks. Recent breaches, including those resulting in significant data losses at the Office of Personnel Management (OPM) and Internal Revenue Service, revealed that the cybersecurity workforce is significantly challenged in protecting the government’s cyber-based assets against attacks. Efforts to generate the numbers of personnel with the requisite competencies have been unsuccessful. The government lacks a coherent and comprehensive approach to improve the cybersecurity workforce.

OPM has a responsibility to develop a holistic and proactive approach to improve the cybersecurity workforce. This approach must include, but not be limited to, recruiting, hiring, developing, and retaining.

We offer the following recommendations:

• Establish a cybersecurity executive council composed of senior executives from each department and agency to establish the executive governance for cybersecurity workforce policies, initiatives, and strategies.
• Develop and publish an updated job specialty standard specific to cybersecurity positions to establish a single authoritative source for cybersecurity positions.
• Establish common higher-level cybersecurity educational criteria to create a baseline for cybersecurity educational requirements.
• Offer tuition assistance reimbursement and scholarships to enhance retention of government cybersecurity workforce members and attract new employees from the private sector.
• Index compensation for specific cybersecurity workforce positions to comparable private sector positions in order to retain top performers.
• Require quarterly progress reports until these actions are fully implemented.

Sensing and Responding for Agile Government

Information technologies now feed a swelling appetite for real-time information. Citizens demand and rely on data from their mobile devices to make decisions, such as travel routes or which consumer product to buy, that can immediately disrupt markets or drive new behaviors. Private industry recognizes this as part of doing business in the 21st century. Governments have not realized this and have failed to find ways to use it to drive innovations.

Failure to adopt a strategy to serve citizen needs for information that leverages the opportunities of technology while avoiding the inherent challenges (privacy concerns, information overload, and so forth) places the government at risk of losing relevance, confidence, and trust in the eyes of its citizenry. Citizens will find information elsewhere and construct their own stories about particular experiences with government entities based on their perceptions of the value realized from the interaction. Worse yet, citizens may find governance of no value or fill any vacuum with information from untrustworthy or biased sources to construct their perception of events and motivations. These alternate sources have demonstrated their ability to seize opportunities to sense public mood and provide the storylines that will advance their cause by taking advantage of gaps in public information and any signs of insecurity or fear. They feel no obligation to be truthful or unbiased.

The same dynamic has reduced the time allowed from the emergence of a public policy issue through the development and implementation of policy to address it, such that the failure to immediately address a problem is viewed as unresponsiveness. Civil movements rely on cost-effective, instantly deployed social media platforms to engage advocates and escalate favorable public opinion. These same platforms can be used to cultivate public friction and hateful or counterproductive civic positions that present obstacles to
positive government initiatives.

In this context, government has also failed to seize the opportunity to employ the same information technologies to develop a better sense of how citizens perceive public good and how they find value in government service delivery models. There is a need for the administration to establish a sensing framework to develop insights regarding if it is serving or failing to serve those to whom it is accountable. This applies whether dealing with cyberspace or traditional governmental obligations in establishing trust and engagement by the technology-enabled citizen.

A positive outcome of such an initiative would be the repackaging of government data and information to proactively explain internal decision factors, competing agendas, and crowdsourced data gaps to external consumers. This could illuminate the complexity of governance activities and decrease the need to seek substitute data sources. Effectively, it offers content for civic education and distributes responsibility for governance to a community of interested people. This new vision embeds contemporary consumer sense-making in the practices of good governance.

We offer the following recommendations:

• Charge the Federal CIO with rapidly crafting a strategy to synchronize and elevate e-government initiatives into effective citizen engagement capabilities, addressing needs for information dissemination, service provision, and gauging citizen valuation of government policy, services, and transparency.
• Link agency IT funding to successful implementation of the Federal CIO strategy referenced above to engage citizenry, using required metrics on citizen-perceived utility of systems, trustworthiness of governance messaging, transparency of governance processes and decisionmaking, and government responsiveness to citizen needs.
• Develop a Web-based performance dashboard to present customizable views of internal policy administration data metrics, provide a more accessible
window into government institutional activity and value creation, and promote accurate perceptions of government activity.

Conclusion

In a short time, cyber has emerged as both a warfighting domain fully as significant as the land, sea, air, and space domains and an omnipresent public-private operating universe. The potential opportunities found within the domain of information and cyberspace are seemingly limitless. The risks of this reliance are clear, as demonstrated by recent highly publicized network breaches. It is important that these risks be deliberately accounted for and addressed in the process of making decisions about the use of cyberspace.

Cyber competence must be part of the skill set for all senior leaders in the national security enterprise. Most senior leaders received their professional educations at the beginning of the cyber age, and their understanding of and sensitivity to the opportunities and vulnerabilities described above may be limited. Nevertheless, mastery of the cyber domain has now assumed critical importance because of our dependence on cyberspace. Agency heads must be held accountable for their organization’s employment of information technologies—abrogation of responsibility to CIOs and other “cyber experts” is unacceptable.

Addressing the critical challenges of cyberspace must be approached with an understanding of limitations and risks inherent in the use of the technologies that underpin the domain’s potential. The authors here have highlighted promising opportunities and areas of concern. Specific recommendations are offered to contribute to a Presidency ready to embrace both the risks and the opportunities facing the Nation in cyberspace.

The authors would like to thank the following contributors to their chapter: William S. Boddie, James Churbuck, Cathryn Downes, Carl J. Horn, Michael D. Love, Jenny Hall Mandula, Kenneth D. Rogers, John L. O’Brien, Julie J.C.H. Ryan, Paul Shapiro, George Trawick, and Veronica J. Wendt.

Notes

1. Joint
Publication 3-13, Information Operations (Washington, DC: The Joint Staff, 2014), available at www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.
2. White House Fact Sheet, “Cybersecurity National Action Plan,” February 9, 2016, available at www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
3. Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” February 13, 2015, available at www.federalregister.gov/articles/2015/02/20/2015-03714/promoting-private-sector-cybersecurity-information-sharing.
4. Presidential Policy Directive (PPD) 20, “U.S. Cyber Operations Policy” (2012), is a classified document that provides a framework for the roles and responsibilities of the executive branch’s agencies in cyberspace as well as a framework for U.S. cybersecurity. PPD-21, “Critical Infrastructure Security and Resilience” (2013), provides a top-down risk management architecture and directed the creation of the national critical infrastructure centers for enhanced information-sharing and collaboration. Supporting PPD-21 is Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which focuses on the cyberspace security aspect of PPD-21. PPD-41, “United States Cyber Incident Coordination” (2016), articulates how the Federal Government coordinates its incident response activities to significant cyber incidents.
5. Charles Perrow, Normal Accidents: Living with High-Risk Technologies (New York: Basic Books, 1984).
6. Manuel Castells, “Informationalism, Networks, and the Network Society: A Theoretical Blueprint,” in The Network Society: A Cross-Cultural Perspective, ed. Manuel Castells (New York: Edward Elgar Publishers, 2004).
7. Laura DeNardis, Internet Points of Control as Global Governance, Internet Governance Paper No. 2 (Ontario, Canada: Centre for International Governance Innovation, 2013).
8. John Kamensky, “Why Isn’t Performance Information Being Used?” Government Executive, October 14, 2014, available at www.govexec.com/excellence/promising-practices/2014/10/why-isnt-performance-information-being-used/96347.
9. U.S. Government Accountability Office (GAO), Managing for Results: Agencies’ Trends in the Use of Performance Information to Make Decisions, GAO 14-747 (Washington, DC: GAO, 2014).
10. PPD-21.
11. Nathan E. Busch and Austin D. Givens, “Public-Private Partnerships in Homeland Security: Opportunities and Challenges,” Homeland Security Affairs 8, no. 18 (October 2012), available at www.hsaj.org/articles/233.
12. “Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space,” 2009, available at www.gov.uk/government/uploads/system/uploads/attachment_data/file/228841/7642.pdf.
13. Zachary Chase Lipton, “The High Costs of Maintaining Machine Learning Systems,” KDNuggets News, 2015, available at www.kdnuggets.com/2015/01/high-cost-machinelearning-technical-debt.html.
14. Senate Hearing on Worldwide Threats, 2016.
15. The Dark Web is commonly defined as a sub-portion of the Internet that consists of Web sites, portals, and social media similar to the open Internet but that is accessible only through specially designed Web browsers and using technologies that easily anonymize the user and encrypt all of his traffic, data, and activities.
16. Ed Felton, “Preparing for the Future of Artificial Intelligence,” WhiteHouse.gov, May 3, 2016, available at www.whitehouse.gov/blog/2016/05/03/preparing-future-artificial-intelligence.
17. “Federal Agencies Need to Address Aging Legacy Systems,” GAO.gov, May 25, 2016, available at www.gao.gov/products/GAO-16-696T.
18. “Federal Agencies Reliance on Outdated and Unsupported Information Technology: A Ticking Time Bomb,” hearings before the Committee on Oversight and Government Reform, House of Representatives, 114th Cong., testimony of the Honorable Tony Scott, available at https://oversight.house.gov/wp-content/uploads/2016/05/2016-05-25-ScottTestimony-OMB.pdf.
19. White House Fact Sheet, “Cybersecurity National Action Plan.”
20. GAO, Building the 21st Century Digital Government, available at https://18f.gsa.gov.