By Josephine Wolff
I’m a professor of cybersecurity policy, so I spend a lot of time teaching and writing and thinking about policy efforts related to online security and all the ways in which they could be crafted to be better or more effective or more meaningfully enforced. What I don’t spend nearly enough time doing is actually trying to make policy and understand all the reasons why, in practice, it’s often incredibly challenging to shift the policy landscape in the ways that I might imagine.
So, when I had a sabbatical leave in the spring semester of 2023, I jumped at the chance to spend some time at NTIA through the Intergovernmental Personnel Act (IPA), which allows academics (and others) to take on temporary assignments in the government. I last formally worked for the federal government more than a decade ago—a long time in the relatively short lifecycle of the Internet!—so I was curious to see how much Internet and cybersecurity policy had changed in that time from the inside. As someone who studies the aftermath of major cybersecurity breaches and what lessons we draw from them, I was also interested in how the priorities of the federal government might have been shaped by incidents like the 2015 compromise of the Office of Personnel Management, the 2021 ransomware attack on Colonial Pipeline, the 2021 SolarWinds incident, and the 2021 discovery of the Log4j vulnerability.
Early 2023 was a great time to join NTIA to work on issues related to cybersecurity because the administration released its National Cybersecurity Strategy (NCS) in March, touting a vision for cybersecurity in which the government plays a much more active role in civilian network and data protection efforts, particularly through mechanisms that I study closely: those focused on shaping market forces to drive security.
The implementation of that new strategy, led by the Office of the National Cyber Director (ONCD), was one of the processes I was most interested in observing and participating in during my time at NTIA. As I prepare to head back to campus for the fall, that process is still in its very early stages, but already it has yielded a lot of insights into how this administration thinks about the economics of information security, how the many different government offices and agencies involved in cybersecurity work coordinate their efforts, and how the recent creation of the ONCD has changed the dynamics of cybersecurity policy-making within the federal government.
For NTIA, one of the primary focuses for cybersecurity work is maintaining the openness of the Internet and its potential for innovation and further technological development. Those priorities can apply to cybersecurity policy efforts in a variety of different ways.
For instance, one of the pieces of the NCS that interests me most is the call for a new approach to software liability, or who we hold accountable when software vulnerabilities enable significant cybersecurity breaches. One of the things I study in looking at past cybersecurity incidents is who ends up being held accountable—or paying—for them and how the liability regimes surrounding cybersecurity often fail to account for the full richness and complexity of the online ecosystem. But of course, it’s one thing to write academically about the need for new approaches to liability and a very different (and much harder!) thing to actually think through all the implications of how changing those rules will impact industry, independent software developers, open-source libraries, and others.
Another area that I work on in my academic research is the development of the cyber insurance industry, and how companies transfer cyber risk onto insurers, cloud providers, third-party vendors, and others. The NCS also includes a recommendation for further exploration of a federal cyber insurance backstop—something that I’ve again written about many times in my academic life without fully encountering all the practical challenges around actually trying to nail down the specific situations in which the government might help pay for catastrophic cyberattacks.
Similarly, I’ve been studying Border Gateway Protocol (BGP), the rules for how the Internet routes traffic, since I was a graduate student. The security vulnerabilities of BGP have been understood for a very long time in the technical community, but I never fully understood all the logistical and legal obstacles to trying to address those vulnerabilities until I got involved in NTIA’s work to try to improve routing security within the government itself.
It’s a reminder, as I head back to teaching in the fall, that changing policy is far, far harder than just writing an academic article, and that for all the ways we, as academics, may be able to identify or recognize some of those obstacles in our written work, we can never really understand just how formidable they are without spending some time trying to actually work through them. It’s also been a reminder of how much is going on in the government around cybersecurity, and how critical NTIA’s mission is to so much of that work.
The IPA program gives academics and others the opportunity to join the federal government on a temporary basis to focus on a specific policy area. Interested? Learn more here: Intergovernmental Personnel Act (opm.gov)