This op-ed was originally published in Morning Consult.
By Adam Golodner
On Aug. 25, President Joe Biden met with the CEOs of leading technology and critical infrastructure companies to discuss the importance of strengthening the country’s cybersecurity posture. Leadership from the top is critical — and Biden, the new cyber team at the White House, and the technology CEOs announcing supply chain actions, have all taken another crucial step down the road to reducing unacceptable global cyber risk. All are to be commended.
While progress is being made, these positive steps are not enough to ensure the core trust we need to advance and sustain our digital progress. Industry and governments globally have worked to answer parts of this — the secure development lifecycle for software development, the National Institute of Standards and Technology Framework for enterprise security, supply chain security, the Common Criteria for product integrity and transparency reporting about government requests for data.
All of these are good, but they are not sufficient for answering the simple question: Can and should I trust this product, service, company or government? Should I use it, trust it in my infrastructure, trust it to keep my personal financial or health data private or have confidence that my child can be safe using this device, app or service?
We need a new approach to trust — one that sets out a future-focused Trust Framework laying out key indicia of security and privacy and allows a technology producer or service provider to understand the holistic criteria they could meet that would enable someone to trust their product or service — and, if they’d like, state or certify that they exhibit those indicia of trust. Such indicia include secure software and hardware development, product security teams, product incident response teams, Common Criteria product certification, enterprise security, privacy by design, clear data collection and transfer policies, explanation of any monetization of data, methods used to ensure the security and privacy of the hardware and software ecosystem, engagement in public-private partnerships, approach to responses to government requests for data, patching and vulnerability disclosure policies, and how the product or service integrates into a systems architecture approach to security and privacy in the enterprise or consumer network. All these factors are indicators of trust, and a new Trust Framework can help us gauge what level of trust should be assigned to a device, service or company. We should start developing this Trust Framework today.
Governments should be included in this Trust Framework. Indicia of trust include whether they adhere to the developing “rules of the road” of acceptable behavior in cyberspace, what demands they make of companies in their country, whether they foster innovation in security and privacy, whether they allow companies to compete on security and privacy, and whether their legal environments can be trusted. Indicia would include factors like: Do they condone attacks on critical infrastructure, harbor criminal actors, force security risks into the design or development of products, undermine reasonable expectations of privacy, or countenance legal systems that favor domestic entities or abide corruption? These factors, too, should be incorporated into the Trust Framework.
Finally, over the past 20 years, cybersecurity and privacy have become increasingly central to the economic and national security of countries, companies, and consumers globally. The sphere of cyber legal and policy concerns has expanded and pushed up against other existing legal and policy concerns like antitrust, corporate governance, and social responsibility. That means a broader set of disciplines now needs to consider and understand the cybersecurity and privacy impacts of decision making in these once separate spheres. For example, antitrust legislation, policy, or enforcement remedies that would undermine the security of a device or service should be understood, and avoided, particularly where there are other alternatives that do not adversely affect global cybersecurity, privacy, or, at base, national security. The new Trust Framework can guide policy and enforcement decisions and help avoid adverse unintended consequences that would predictably undermine national and economic security.
If we want to ensure a more trusted future, now is the time to develop a comprehensive Trust Framework. It could be one of the more enduring and impactful solutions to advance goals in the wake of the White House meeting. It is cliché to say we are at an inflection point, but as the recent spate of nontrivial cyber incidents and activities attests, we really are. We need to comprehensively advance a more Trusted Future.
Adam Golodner is a former senior official in the Department of Justice’s antitrust division and ran global cyber security policy for Cisco Systems, Inc.; he is the founder and CEO of Vortex Strategic Consulting.