Privacy and Cybersecurity Research Briefing

Cybersecurity has evolved into a pressing issue that sits at the top of government policy and boardroom agendas as the prevalence and severity of incidents continue to increase. As we search for solutions, public and private sector actors must balance the numerous tensions inherent in securing products and services, keeping users safe, and maintaining a vibrant and innovative ecosystem that supports the continued development of new products. This research briefing aims to translate findings from ongoing Berkman Klein Center privacy and cybersecurity research and activities into practical considerations and takeaways for key stakeholders and decision-makers. It offers a snapshot of the cybersecurity ecosystem and the forces shaping it, gives a high-level overview of several current approaches aimed at addressing cybersecurity challenges, and identifies opportunities for collaborative approaches that will help prepare decision-makers to address the next generation of pressing cybersecurity issues.

"From buying products to running businesses to finding directions to communicating with the people we love, an online world has fundamentally reshaped our daily lives.But just as the continually evolving digital age presents boundless opportunities for our economy, our businesses, and our people, it also presents a new generation of threats that we must adapt to meet.Criminals, terrorists, and countries who wish to do us harm have all realized that attacking us online is often easier than attacking us in person.As more and more sensitive data is stored online, the consequences of those attacks grow more significant each year. . . .[W]ith each new story of a high-profile company hacked or a neighbor defrauded, more . . .wonder whether technology's benefits could risk being outpaced by its costs." 1

Overview
The Berkman Klein Center for Internet & Society at Harvard University ("BKCIS") has prepared this research briefing on privacy and cybersecurity for use by decision-makers in the private and public sectors who must balance the numerous tensions inherent in securing products and services, keeping users safe, and maintaining a vibrant and innovative ecosystem that supports the continued development of new products. In this briefing, the BKCIS team builds on a series of bilateral and multilateral consultations 2 and seeks to summarize and translate selected findings from privacy and cybersecurity research into practical considerations and takeaways that might be helpful to non-academic stakeholders. This document and much of the underlying research is enabled by generous support by the Ford Foundation.
Part I of this briefing is an ecosystem map, i.e., a high-level survey of the following features of the cybersecurity ecosystem:
• Tectonic shifts - the fundamental forces in technology, business, and markets that have a significant impact on cybersecurity threats and policy.
• Landscape Snapshot - a survey of the cybersecurity environment and the challenges affecting stakeholders.
• Tensions - the considerations and competing values that make it difficult for decision-makers to effectively craft cybersecurity policies.
Part II of this briefing is an action map, which offers a high-level overview of several current approaches aimed at addressing cybersecurity challenges. It highlights how these approaches operate, provides some examples of these approaches in action, identifies the underlying values that these approaches represent, and raises guiding questions.
Part III of this briefing is a navigation tool that looks ahead to emerging cybersecurity challenges in order to guide decision-makers. It identifies opportunities for collaborative approaches that will help prepare decision-makers for addressing the next generation of pressing cybersecurity issues concerning companies, legislatures, and law enforcement agencies worldwide.

Internet of Things.
Everyday consumer products, public infrastructure, and industrial processes are increasingly controlled by computers and networked together. Fifteen years ago, Internet-connected toothbrushes, streetlights, power plants, and vehicles may have seemed an unnecessary luxury; today, this is a financially and technologically feasible proposition that lays a foundation for unpredictable utility and innovation. Powerful sensors can be embedded into small form-factors, augmenting devices to be more controllable, autonomous, cyberphysical, and environmentally aware. For example, a number of major companies have developed vehicles that can operate autonomously and more accurately than a human driver. Networked thermostats use an array of onboard sensors and data from the Internet to optimize heating and cooling cycles for power consumption and comfort. This movement has been referred to as the "Internet of Things" (IoT), and it is projected to be a major area of growth in the coming years. Some estimates predict 21 billion new "things" will be connected and in use by 2020. 6

Snapshot of Today's Cybersecurity and Privacy Landscape
Over the last two decades, cybersecurity has evolved into a pressing issue. It sits near the top of government policy and boardroom agendas as the prevalence and severity of incidents continue to increase.
Cybersecurity incidents of all stripes have become the norm. Thousands of data breaches are reported each year in the private sector, affecting nearly every industry sector and exposing the information of millions of individuals. 7 More are believed to occur but go unreported or unnoticed by the victims. Consumers unwittingly fall prey to individually-targeted schemes that compromise their online accounts, privacy, and personal computers. 8 Repressive governments are known to exploit software to target and surveil political dissidents. 9 Numerous corporations have had their intellectual assets stolen and networks dismantled in high profile incidents, including some believed to be the work of sophisticated government-sponsored hackers, cyber vigilantes, or hacktivists. Organizations, too, have reported serious breaches of the most sensitive employee information. 11 The motivations behind these incidents are varied, spanning espionage, surveillance, law enforcement, warfare and armed conflict, civil disobedience, geopolitics, and fraud. 12

Case Example: Sony Pictures
In 2014, Sony Pictures was the victim of a devastating security incident, which took offline more than half of Sony's global network and erased the data stored on thousands of workstations and servers. Over a period of several weeks, confidential information, unfinished movie scripts, unreleased films, email spools with candid correspondence between senior executives and celebrities, employee social security numbers, salary information, and more were dumped onto public websites by the hackers for the world to see. 13 The attack is believed to have been carried out on behalf of the North Korean government, which was upset over The Interview, a comedy film being produced by Sony Pictures that depicted an assassination attempt on a North Korean dictator. 14 In the aftermath, stories emerged about how the company's lax information security practices may have contributed to the incident. 15
Despite government and private sector efforts in the past decade to promote trustworthy and secure computing, many cybersecurity issues only seem to get worse. 16 Vulnerabilities - design and implementation defects - plague software, and adversaries can exploit them to gain access to computers and networks to exfiltrate data, gain control of critical systems, and disrupt services. Software developers and vendors try to combat such threats by building in and bolting on security countermeasures and releasing "patches," which mitigate and eliminate some threats through software updates. However, many vendors and distributors do not issue updates expediently, if at all, and many users do not apply updates when they are issued. Some vendors and service providers have offered greater security by encrypting user data stored on devices and in transit across their networks; however, enabling encryption by default has proven to be somewhat controversial. 17
Beyond the prevalence of vulnerabilities, other key aspects of the problem can be traced to human error, a lack of standards, and weak adherence to the standards that do exist. Many security risks are well known and could be avoided by following basic "cyber hygiene," but organizations and individuals often fail to take these steps. 18 For example, mistakes introduced by human error - e.g., misconfigurations of security settings - can inadvertently introduce vulnerabilities and weaknesses. Social engineering attacks in which adversaries deceive users into divulging account credentials also play a significant role in security incidents. 19 These types of attack are both highly effective and especially difficult to guard against.
Software and human vulnerabilities are not new security challenges, but they are exacerbated by the tectonic shifts in the landscape. For example, as more connected devices and services are coming online, such as IoT products, the "attack surface" - the vectors through which adversaries can exploit systems - is increasing at a similar rate (or greater). An exploitable vulnerability in one system can be a vulnerability in all systems networked with it. Moreover, as software and systems become more complex, it also becomes commensurately more difficult to anticipate security and privacy risks.
Meanwhile, adversaries are growing more sophisticated and the targets more attractive. Gray and black markets make it easy to acquire hacking tools, software vulnerabilities, and exploits. With more tools available, cyber criminals have evolved from individual actors into a highly-networked system of criminal enterprises around the globe. 20 We have also seen the emergence of the so-called "advanced persistent threats" - well-resourced and highly-skilled groups of adversaries believed to be backed by governments, which penetrate private and public sector organizations. The targets of these threats are evolving too. A handful of large companies in particular are becoming stewards of large amounts of data as they increasingly become centralized platforms on which many other services and Internet-connected products rely, making them tempting targets for malicious actors. And, the proliferation of cloud-based services and the sensors and networked components of the IoT, such as microphones, cameras, and industrial control systems, to name but a few, presents new opportunities for surveillance and privacy incursions on an unprecedented scale. 21

Case Example: Targeting Political Dissidents
A number of reports have emerged in recent years documenting attempts to identify and monitor political dissidents, journalists, activists, and others in sophisticated hacking and social engineering operations. In some cases, attacks on dissidents intend to cause physical damage to computer systems or data, and manipulate the availability or integrity of content published online. 22 Such incidents take place around the world, and are often thought to be led by governmental and state-sponsored organizations.
Stakeholders disagree about the best solutions to solve the many problems. For example, some have advocated for creating new government regulations and liability, while others think the private sector is better suited to create solutions free of regulations. Although this debate has yet to be resolved, stakeholders are not standing still. Both domestic government and private sector organizations have pursued new initiatives. For example, legislation was introduced in 2016 in the U.S. to facilitate threat information sharing between stakeholders, and the U.S. National Institute of Standards and Technology (NIST) has collaborated with the private sector to develop new standards frameworks. 24 Unilateral efforts are insufficient as the issues are increasingly international in nature: the victims as well as the adversaries responsible for attacks are located around the world. Policy debates reflect this trend, particularly around contentious issues such as encryption, international law enforcement requests for data, and data localization efforts. Fragmentation across national and supranational boundaries also continues to be a challenge for multinational companies as they navigate a diverse set of standards, laws, and policies worldwide, while trying to ensure the preservation and security of users' data.

Tensions, Tradeoffs, and Other Considerations
Beneath the surface are numerous tensions and tradeoffs that compound cybersecurity and privacy issues. They help answer the question of how we arrived at this point. They also punctuate the complexity of the issues and explain why satisfactory solutions are elusive. In this section, we explore a selection of these tensions and tradeoffs in rapid succession, highlighting those most emblematic of the status quo and the stakeholder groups they affect.

Consumers (including individual users and organizations)
• Loss of Control. Consumers have become reliant on vendors to provide security and privacy. Many vendors can be more effective at securing systems than the average consumer. However, consumers are ill-equipped to verify the claims of vendors. Moreover, a lack of secure alternatives and high switching costs limit the viability of substitutes.
• Demand for Security and Privacy. Recent polls on privacy and security suggest an increasing number of consumers care deeply about privacy and security issues, 25 however this does not seem to be reflected in purchasing habits and security practices. One explanation is that other factors, like price and convenience, are more determinative; another is that consumers lack the knowledge and information to adequately make decisions based on security and privacy.
• Convenience, Usability, and Autonomy. Software products and services that are more secure are often more difficult to engineer and use. A product that is difficult to use may not be viable in the marketplace. Similarly, onerous security policies can push end users to circumvent security controls for the sake of convenience.
• Security and Privacy as Premium Products. While some companies offer products with security features enabled by default, many do not. Those that do are typically higher-cost, premium products and services, such as Apple's iPhone. In contrast, low cost devices tend to have more security vulnerabilities that are less frequently patched by vendors. This creates the risk of a segregated society that offers additional security and privacy only to those who can afford it. 27

Producers (including software developers, vendors, and service providers)
• Competition and Market Forces. To keep pace with the competitive global marketplace for software goods and services, many producers have shifted toward rapid software development lifecycles, often trading security for speedy development. For example, it is common for new products and services to ship with known vulnerabilities or without undergoing a thorough security review.
• Allocation of Resources and Knowledge Within Organizations. Money, time, and personnel are finite resources for producers that must be justified as they are invested and allocated. Security is costly, and is often viewed as an expense rather than an investment - on a balance sheet, security does not add revenue even when it is effective. 28 The lack of liability has also minimized the costs of security incidents, which can make it difficult to justify allocations for preventative security and support for older products. Security knowledge, expertise, and talent are frequently cited as lacking across organizations. The emerging cyber insurance industry has also struggled to quantify risks and encourage producers to adhere to a common set of best practices.
• Silos and Information Sharing. Concerns about leaks, antitrust violations, and regulatory scrutiny have constrained information flows between the public and private sectors. As a result, information silos within governments and companies make it difficult to share information about vulnerabilities and security threats.
research, chilling further research. 29 Instead of disclosing vulnerabilities to vendors, security researchers can be lured by lucrative black and gray markets in which buyers - including military, intelligence, law enforcement, and hackers - pay top dollar.
• Regulatory and Legal Systems. Software developers, vendors, and service providers are generally not held liable for damages that stem from latent and known vulnerabilities in products and services. The exceptions lie within regulated industrial and critical infrastructure sectors, such as transportation, energy, finance, and healthcare. Even so, it is rare for consumers to recover the full costs of harms from cybersecurity incidents, making it less likely for companies to take into account the societal costs.

Government Organizations (including policy-makers, regulators, law enforcement, and military)
• Public-Private Trust Deficits. Since the Snowden revelations in 2013, trust between the US government and private sectors has been especially low. 30 Many multinational technology companies have taken steps to distance themselves from the government.
• Government Roles and Regulatory Policy. The legal and regulatory system is slowly and cautiously evolving in response to the tectonic shifts. The U.S. government, for instance, has opted to eschew regulating and mandating software security standards, due to lack of expertise and to avoid impeding economic growth. Instead, the U.S. government often operates as a facilitator and convener of bottom-up efforts, by rallying producers around standards and self-regulation, and educating consumers about best practices.
• Civil Liberties, National Security, and Foreign Policy. Security and privacy protecting technologies, such as encryption, can be useful tools for countering many of the cybersecurity threats we face. At the same time, these same tools can be used by malicious actors to hinder law enforcement surveillance and prosecution. This raises difficult questions about how such conflicts should be reconciled with other priorities like national security and the promotion of democratic values through foreign policy.
• Government Exploitation of Vulnerabilities in Commercial Software. Military, intelligence, and law enforcement agencies discover, acquire, exploit, and stockpile software vulnerabilities in commercial, off-the-shelf software for use in offensive operations and investigations. Some commentators have warned that such practices could potentially endanger the public should an adversary exploit vulnerabilities in commercial software undisclosed by the government. This raises difficult questions about the degree to which the public's interests would be better served by policies that prioritize disclosure over stockpiling.

Case Example: Encryption, "Going Dark," and Apple v. FBI
For the last several years, officials from the Federal Bureau of Investigation in the U.S. and other law enforcement entities abroad have raised alarms over what they see as a concerning trend: communications are "going dark." That is, major technology companies - including Apple, Google, and WhatsApp - are implementing security features, such as end-to-end encryption and disk encryption schemes, in their communications products and services in a way that puts user data beyond the investigative reach of the government, even in circumstances when the law would otherwise permit government access. Many within governments fear this will make it far more difficult to conduct investigations, prevent terrorist attacks, and enforce national security interests. One manifestation of the debate transpired during a legal fight in early 2016 in which the FBI asked a federal court to compel Apple to unlock an iPhone used by a perpetrator in the San Bernardino mass shooting. On the other hand, the companies implementing these features believe these stronger measures are needed to mitigate the growing number of security threats and to protect the privacy interests of individuals. And, as noted in a February 2016 Berkman Center report, Don't Panic: Making Progress on the 'Going Dark' Debate, questions remain about the degree of "darkness" in the future landscape given the emergence of the Internet of Things, a desire to monetize user data, and other forces that will influence the trajectory.

II. Action Map
In addressing the range of challenges described above, a wide range of governance mechanisms have been identified, discussed, and implemented as solutions. To give but a few examples:
• The implementation of open, well-documented standards could substantially boost the security of certain products or services.
• New regulations could require that vendors adhere to a particular standard of design, or that they practice a degree of openness around their security and privacy practices.
• Safe harbor laws could enable public and private sector entities to share with each other information about threats, incidents, and vulnerabilities without fear of repercussions.
• Bolstering the quality of cyber insurance offerings may help companies more accurately allocate costs in proportion to risk.
Such interventions could be implemented in a number of ways and in various combinations, which makes it difficult to describe all the possibilities on the Pareto frontier. For instance, in some cases, government actors or industry leaders are best positioned to push these interventions from the top down. In other cases, a diverse collaboration of actors from industry, civil society, and academia is best positioned to build support for change from the bottom up. Interventions can also vary in scope, with some targeting a specific ill, others addressing the whole of the ecosystem directly, and others indirectly reaching objectives through first and second order effects.
The action map that follows provides a high-level sampling of different possibilities for governance mechanisms, including current representative uses and proposals, organized by modality: technology, market, norms-based, law, and blended governance approaches. This is not to say any of these are the best, the most effective, or the only choices - the pathways forward are uncertain and rife with tradeoffs, and many unlisted ideas deserve more study.
State Breach Notice Laws: 48 states have enacted laws that require holders of personal information to notify consumers when their personal information has been compromised in a security incident.
Cyber Independent Testing Laboratory: A new, non-profit company funded by DARPA that will test and issue consumer reports about the security of off-the-shelf commercial software to educate consumers about risky software and incentivize companies to avoid common security mistakes as they develop products.

Sample Questions
What tools and guidance are needed to improve the overall state of security in software and hardware that preserve the open, generative nature of the internet? How can the market forces be supplemented to encourage organizations and individuals to ensure a vibrant marketplace of products that offer strong security for those that use them? What interventions at the individual level are effective in promoting a robust cyber workforce and consumer populations that take measures to mitigate risks? What changes should be made to the law in response to the new security and privacy challenges we are likely to face in the future? Can multiple approaches be used to address the issues from different angles?

III. Navigation Aid (Identification of Key Opportunities)
As we look beyond the current challenges and interventions, we recognize that this complex ecosystem will continue to evolve. It is important for decision-makers to anticipate and prepare for the next generation of cybersecurity and privacy challenges.
Given the numerous complexities and tensions in play, the emerging challenges and interventions are not obvious. However, what is clear is that stakeholders, including government, private sector, civil society, and academia, must work collaboratively to address the emerging challenges and find solutions that overcome many of the current obstacles to successfully mitigating cybersecurity risk. With this in mind, we identify four broad categories of opportunities for collaborative approaches:
1. Information sharing and horizon scanning - opportunities for identifying and responding to upcoming technological and policy shifts;
2. Impact assessments - opportunities for assessing the impact of regulation and other interventions;
3. Transparency and education - opportunities for improving communications with consumers about cybersecurity issues; and
4. Accountability and liability - opportunities to change how the costs of cybersecurity failures are internalized and improve how the public and private sectors allocate cybersecurity risks.
Below are some examples of opportunities within each category; they are by no means the only ones.
• Information Sharing and Horizon Scanning: decision-makers could engage in collaborative, multistakeholder horizon scanning exercises to better anticipate how technological and policy developments are shaping this quickly evolving ecosystem.
» Decision-makers could convene stakeholders to engage in information sharing and discuss emerging threats and approaches in cybersecurity, and exchange actionable information. These conversations should aim to break down private-to-private and public-private information silos, leveraging a diversity of perspectives to help highlight trends as they emerge to ensure that decision-makers fully understand the current cybersecurity landscape and its trajectory in the future. Such convenings could also serve as early-warning mechanisms to help stakeholders identify potentially divergent interests.
» Decision-makers could develop exchange programs in which employees from one organization spend time at another as a means of sharing information and expertise and experiencing the challenges from another perspective. For example, government employees of one agency could be temporarily assigned to another government agency. Likewise, a private sector employee or member of academia could temporarily work for a government agency in an advisory role, which has worked well in the past for organizations like the U.S. Federal Trade Commission. 37
37 See, e.g., U.S. Federal Trade Commission, "FTC Names Edward W. Felten as Agency's Chief Technologist; Eileen Harrington as Executive Director," November 4, 2010, https://www.ftc.gov/news-events/press-releases/2010/11/ftc-names-edward-w-felten-agencys-chief-technologist-eileen.
• Impact Assessments: decision-makers could benefit from a more accurate understanding of the tensions in the ecosystem as well as the likely effectiveness and the tradeoffs of potential solutions, including new regulations, industry-led efforts, and other interventions.
» Decision-makers could convene stakeholders from industry and government to discuss and catalog potential interventions, like regulation or a tort regime for software development, while debating and sharing the potential impacts that might affect various stakeholders.
» Decision-makers could support additional research on the economic impact of interventions by examining other, historically comparable and analogous regulated industries in order to develop testable hypotheses for measuring the impact of various interventions in the cybersecurity ecosystem.
• Transparency and Education: decision-makers could foster a series of educational reforms and transparency initiatives to help consumers understand the impact of cybersecurity and take steps to better protect themselves. But for such interventions to be effective, additional research may be required. For example, what are the most impactful methods for communicating to consumers about the cybersecurity of products and services? How would disclosures likely impact consumer purchasing decisions? How can decision-makers ensure that private entities provide fair, truthful, and actionable information to consumers? What is the optimal balance of regulatory disclosure requirements, spanning a spectrum from simply encouraging voluntary disclosures, to mandated self-reporting (e.g., nutrition label-like approaches), to third-party disclosures (e.g., government or independent testing laboratories conducting tests and providing the disclosures)?
» Decision-makers could work with stakeholders from across industry and government to discuss potential methods and approaches for measuring and communicating about cybersecurity practices.
» Decision-makers could support the development of prototype disclosures and test them with small samples of consumers. After testing and iterating on draft disclosures, decision-makers should publish the draft standard in order to further advance the debate about transparency.
» Decision-makers could also collaborate with cybersecurity testing laboratories to support their efforts to measure and improve the effectiveness of their transparency efforts.
• Allocation of Risks and Decision-making: decision-makers could develop a collective understanding of the private and societal costs of allocating risk and the necessity of responsible decision-making, particularly around the proliferation of insecure software and poor cyber hygiene. These efforts could help identify the practices that undermine our broad interests in maintaining a secure and trustworthy software ecosystem as well as those that would strengthen them.
» Decision-makers could work with other stakeholders to understand how their interests affect decision-making, with an eye towards developing firm-level decisions that critically affect the ecosystem as a whole. This could inform the creation of voluntary best practices to aid software developers and vendors as they make business decisions that implicate privacy and cybersecurity interests.
» Decision-makers could work with key stakeholders, including software developers and vendors, and insurance companies, to discuss new governance mechanisms that would help all parties best internalize the costs of cybersecurity risks.
• Preservation of the open and generative Internet; protection of individual privacy
• Promotion of the autonomy of market actors; inclusion and promotion of diversity in solution space
• Promotion of consumer agency and autonomy through the fostering of a more well-informed user base
• Preservation of public and individual safety through laws and regulations; promotion of transparency and accountability
• Inclusion of multi-stakeholder models; promotion of diversity in perspectives and approaches