Cybersecurity is one of those terms which is widely used yet often misunderstood. It was coined by a journalist in 1989, the same year cyberporn landed in the dictionary. These days, cybersecurity - and its maligned sibling cyber-interference - have become broad topics for academic study, business, and political discourse, encompassing crime, surveillance, public and corporate behavior, media, international espionage, and much more.
Put simply, it’s the practice of defending computers, devices, systems, and people from malicious attacks.
Why should it matter? Adequate cybersecurity is critical for citizens who are increasingly relying on digital identities to fully and fearlessly engage with the modern age. And in the accelerating world of digital identity, the concept of cybersecurity remains a remarkably important lever for attracting the attention of politicians with regards to digital identification systems, whether it sounds outmoded or not.
Last year, research firm FleishmanHillard conducted a series of interviews with privacy and security experts in government and business about the concept of Good ID in institutional ID programs and online data trails.
They discovered that when government stakeholders think about the potential approaches for identity management, data breaches and cyber attacks are "top of mind" (see page 11 of the framework). In fact, building stronger defenses against cyber attacks sits alongside fostering economic growth as a key motivator for engaging with the Good ID approach.
Digital identity is an enormous and expanding issue, touching every aspect of modern life - yet the arguably more niche topic of cybersecurity frequently gets a bigger billing at global, high level gatherings, and top university curricula.
At the UN general assembly in September 2019, much of the limited airspace dedicated to digital matters was taken up by notions of cyber warfare; how to prepare for it, how to mitigate its consequences.
One woman, Avril Haines, has more insight than most when it comes to matters of national security and how the digital age has affected the machinery of government. Haines is the former deputy director of the CIA, and served as the principal deputy national security advisor to President Barack Obama.
She is a Deputy Director of Columbia World Projects at Columbia University, and also lectures there in the law school. Columbia World Projects (CWP) is an academic problem-solving program tackling some of the most basic and fundamental global challenges.
CWP has embarked on the development of a five-year digital identity initiative alongside projects on access to energy, election security, maternal health, disaster relief, decarbonization, and inequality.
In her experience, the conversation about cybersecurity has chiefly revolved around three things: the fear of a massive cyber attack that brings down critical infrastructure, cybertheft, and election interference. Topics that receive less attention but are also critically important are vulnerabilities that undermine privacy and information challenges that are increasingly dividing our society and undermining our democracy.
"There are a range of issues that have made it difficult to effectively mitigate the risk of all of these challenges,” Haines says. “But whether we are talking about massive cyberattacks or privacy, it’s less about developing the right technical solutions and more about deriving the right organizational, behavioral, institutional, and public policy solutions.”
One example of this relates to the need for developing international norms, and a strategy for deterring state actors from engaging in malicious behavior in cyberspace. The conversation too often focuses entirely on cyber-war and what constitutes an armed attack in cyberspace.
"I'm not suggesting that we shouldn't be talking about that, but that's not from my perspective the most useful conversation we could be having," she explains. "Malicious cyber activity that occurs in peacetime, which may include cybercrime, attacks on our financial infrastructure, election interference, privacy intrusions, and disinformation campaigns, is far more prevalent and problematic at this point than the use of cyber in the context of an existing conflict and is where cyber norms would be most useful."
A unique challenge
According to Haines, there are numerous organizational challenges which stand in the way of high-level conversations on these issues.
Organizing within government is a major obstacle for a start. Haines maintains there are phenomenal difficulties in coordinating people around government on these issues. "Cybersecurity is an issue for every agency and department, requires a level of public-private partnership that is unique, has no borders, is technically complex, and is developing at a pace the government generally doesn't move at, which presents a host of challenges."
"Organizing ourselves within the US government was challenging. For example, the Department of Defense is responsible for defending the United States from attack, including attacks that occur in cyberspace.
"The Department of Homeland Security is responsible for building the national capacity to defend against cyberattacks to safeguard the .gov networks that support the essential operations of partner departments and agencies.
"The FBI also views its role as defending the United States against cyber threats, though it takes the lead for investigating cyber attacks by criminals, overseas adversaries, and terrorists."
"You can see how challenging it might be to clarify the different roles and responsibilities with such clearly overlapping interests, and how the fact that the digital domain knows no borders, can complicate the situation," she continues.
Then you have the challenge of organizing internationally, on top of those domestic challenges. And while this may seem like a Sisyphean task, Haines maintains that international coordination can and does happen, although it takes time. When it comes to digital cooperation, does she think we're going fast enough?
"It depends on the metric you're approaching it with. We're definitely not going fast enough when you think about the threats we're facing today."
"The opportunities presented by the Internet are extraordinary, giving us greater access to knowledge, civic engagement, markets, entertainment, ideas, and so many other resources – but it also creates enormous vulnerabilities. Unless we figure out how to better protect ourselves, we are at risk of not only losing the advantages afforded but also undermining our privacy and civil liberties, as well as our national security."
"Developing international cooperation - and the norms that are the backbone of that cooperation - takes a very long time," she says.
"For example, think how long it took to establish the legal and normative frameworks in the maritime domain. The sea is another domain that we had to map out, figure out, and develop a body of customs and agreements to maintain order, productivity, and peaceful relations.
"How should we manage this space? How can we influence behavior so as to maximize our ability to prosper, promote free trade, manage national security concerns, and encourage dispute resolution mechanisms that do not result in the use of military force? We developed rules for how to act in peacetime and understandings that would help us to promote our collective interests, along with our allies and partners but it has taken arguably since the 1600s to do so and we are still fine tuning the frameworks even now. I hope it won’t take as long for cyber, but it isn’t going to happen overnight."
Haines points to other examples of international cooperation - private international law agreements around the abduction of children, or law enforcement agreements in the context of extradition and prisoner transfers.
"With cybersecurity and digital identity, you need ways to collaborate across borders. A good example of collaboration is in relation to abducted children. Countries who are a party to the Hague Abduction Convention are required to have a central authority. Generally, countries choose an office within an existing agency or department of their government but it serves as the point of contact, in a sense, so that everybody knows where to go when a child is abducted across borders. Everyone knows who to call for assistance."
"Simple things like that make all the difference in your collaboration, in a timely situation. Behind this, the national government has to organize themselves and decide who the central authority is. That takes time to develop."
She goes on to talk about the importance of shared values being at the center of certain types of cooperation, while in other cases it is critical just to make progress where you can do so, as in the case of cyber issues between the United States and China.
"I know there are individuals working in governments thinking about the right frameworks and trying to identify models for cooperation and collaboration that are in our mutual interests, including models that they hope to use to protect the values we hold dear."
"But there's just no question that - globally - our interests are different from some other countries and we thus cannot expect to have a broad, widely ratified, multilateral treaty on cyber in the very near future. It will be a challenge to get the major powers interested in [digital identity and cybersecurity] to be on the same page."
"When I was in the US government, we looked to our partners first, in Europe and elsewhere, where we shared certain values related to the internet and the open exchange of information. President Obama signed an executive order on cyber that reflects some of the first norms that emerged out of those conversations and that we continued to pursue."
"Among the issues addressed in that executive order that identified sanctions that could be imposed in the event an individual or entity engaged in certain malicious cyber activity, was cyber-enabled activity that had the purpose or effect of harming computers that support critical infrastructure. In that context, you can begin to see the bones of what are initial steps in developing norms, as were statements made by the leaders of the G20 States in 2015 on cyber. The United Nations has been trying to facilitate further work, as has NATO, but it is slow going. It's not nearly enough, but it's a very, very tentative first step."
"Over time, these small steps can put more pressure on other countries that disagree with you like China. [Each entity] starts to formulate its own views, and we see where there's overlap and where there's not."
"Our ability to at least agree with China that neither country will conduct or knowingly support cyber-enabled theft of intellectual property with the intent of providing competitive advantages to companies or commercial sectors was an important step, even if it was insufficient to address the range of challenges we have with China that are related to cybersecurity. Over time, however, as we find common ground with our allies and partners in these areas, we may have further success with China."
So in the context of digital cooperation, is Haines optimistic these issues can be worked through?
"I'm naturally optimistic, but I would not say I feel confident we're going to work through these issues on the timeline that is really needed. It's more that I recognize how long it does take, and see that as a challenge," she explains.
Under- or over-identified?
In her work at Columbia University, Haines is involved in developing a five-year pilot project that would involve deploying a digital identity system in Africa that prioritizes, among other things, privacy and security. How did that come about?
"There were two projects that came out of the cybersecurity forum that we held at Columbia World Projects. One was on election security, and the other was digital identity," she says.
The project is bringing together multidisciplinary perspectives from society, including scientists, advocacy organizations, and governments. There are those who recognize the need for systems to prioritize privacy and security of information, while at the same time promoting digital identity for the roughly one billion people who don't have it. And there are those who approach it from a very different perspective, a different entry point on the 'sliders' Caribou Digital's Jonathan Donner refers to when we frame the conversion about digital identity.
"What we recognized in the forum was how critically important it is to develop digital identity systems that are usable, useful, universal, secure, decentralized and privacy enhancing, and affordable – whether for low- and middle-income countries, or for advanced economies, including in the United States. The fact is, we need better options across our societies."
"In the United States, for example, from a privacy perspective, it's astonishing that we still base so much on our Social Security number, making us extraordinarily vulnerable to identify theft and that we use identification cards like driver's licenses, that provide far more information than is necessary for most transactions for which an ID is needed." She believes the US could do far better with its systems to protect the public.
Obama's ID proposal
Haines recalls the Obama administration's efforts to come up with a national ID proposal. "It was not a politically popular idea. There was a significant negative reaction to any national identification [program], and concern about digital ID, even though it would have been far more protective of people’s privacy."
At CWP, where academics and practitioners come together to discuss ways of effecting social change, colleagues started to discuss whether they could develop a digital identification system. "We were thinking: could we develop something that hit all the major issues that all of us think are important? It has to be usable. It has to be universal, secure, privacy-enhancing, affordable, decentralized."
"The concept that emerged was to do a pilot, both to see if we could satisfy the conditions from a technical perspective but also whether we could work on the regulatory and policy framework that would surround its use to promote the kind of digital identity system that would fulfil the criteria we discussed."
This led CWP to the digital identity project: working with encryption specialists, computer scientists, lawyers, professors, and others to produce a GDPR-compliant system, which is now being worked on. But where are these systems designed for?
"[In the pilot], we want to see if we could both be helpful in areas where you have populations that don't have access to national identification systems, but also advanced economies like the United States where we recognize that there's a better way of doing things. We are looking at what use cases we might try this with in Africa."
Given Haines' unique experience in government, and her focus on the over and under identified in this project, the outputs of the initiative will no doubt be fascinating to see.
And clearly since this interview, the pandemic has thrown all manner of digital identification issues into mainstream view, whether it's contact tracing, the acceleration of national identity systems, or immunity passports. Speaking from lockdown in New York City, she reflects on how the pandemic affects her work in this arena:
"I think it is too early to tell, but with the extraordinary increase in activity online for all manner of human development, it is clear that the pandemic has only increased the importance of cybersecurity and digital identities."