The Raymond and Beverly Sackler U.S.-U.K. Scientific Forum “Cybersecurity Dilemmas: Technology, Policy, and Incentives” was held on December 8 and 9, 2014, at the Washington, D.C., headquarters of the National Academies of Sciences, Engineering, and Medicine. With support from the Computer Science and Telecommunications Board (CSTB) of the Academies, the forum was organized by a steering committee of distinguished researchers from the United States and the United Kingdom.
The forum brought together approximately 60 participants from academia, government, industry, philanthropy, and nongovernmental organizations. Participants included former senior government officials from the United States and the United Kingdom as well as individuals from both countries who have been critical of the policies of their respective governments. The forum was held under the Chatham House Rule, which specifies that the ideas expressed at a meeting may not be attributed to any particular individual or institution and that the list of attendees may not be circulated beyond those who participated. The intention was to create a setting where participants could speak frankly as individuals, even about issues that affect their own organizations or countries. The two-day meeting included presentations and discussions on such topics as cybersecurity and international relations, privacy, rational cybersecurity, and accelerating progress in cybersecurity.
This summary of the forum is drawn from the comments made by participants at the meeting but does not reflect a consensus of those present or of the sponsoring organizations. However, the observations and proposed actions in this document provide an overview of key issues in cybersecurity from a group of people working at the forefront of the field.
Cybersecurity can be seen as demanding a trade-off between functionality and security: users demand flexibility and complexity in the systems they use, but this demand significantly increases the difficulty of ensuring the security of the system. Although perfect cybersecurity is not possible, there are many opportunities to improve systems and better protect their users.
A major concern for individuals is how they can protect their privacy in a world where data about them are increasingly collected, stored, and used for a variety of purposes. Different stakeholders have conflicting interests in the balance between privacy and data collection. Although some service providers are primarily interested in collecting as much data as possible, even if it is not immediately useful, individual customers value their privacy and autonomy. Customers’ stored data may be anonymized, but such data can be stitched back together to create a detailed profile of an individual with relative ease. If data collection and storage are not carefully controlled, they can introduce new opportunities for criminals to gain access to the data for malicious purposes.
In our interconnected world, cyberspace is a key topic that transcends borders and should influence (as well as be influenced by) international relations. As such, both national and international laws will need careful evaluation to help ensure the conviction of cybercriminals, support companies that work internationally, and protect national security. To meet the growing demand for protecting national security, international law and norms could be strengthened to reduce the risk of international cyberattacks. In addition, there is a growing need for future leaders in both the private and public sectors to understand and articulate the implications of cybersecurity risks for their own organizations and for the wider economic and social system.