To Build a More Capable Cyber Policy Field, Teach Policy to Technologists
from Net Politics and Digital and Cyberspace Policy Program


Technologists love to criticize policymakers for their ignorance of how computer security actually works. Instead of criticizing from the sidelines, maybe they should get involved. 
Israeli soldiers work on laptops as they take part in a cyber security training course in August 2017. Amir Cohen/Reuters

The Hewlett Foundation recently put out a paper on what they have learned since the start of their cybersecurity initiative four years ago. It identifies many challenges in the field, but one persistent problem is the gap between the technical world and the policy world. Many thousands of words have been written trying to explain cybersecurity to policymakers. Yet, comparatively little tries to explain the policy world to technologists. So, here I want to provide a few tips:

Awaken from your dogmatic slumbers. When working with technologists on policy problems, I often find that they reflexively dismiss many solutions because they don’t align with ingrained beliefs. Many technologists, for whatever reason, tend toward libertarian views. They are distrustful of government intervention. Yet, the dogmas of the early internet are inadequate for its stormy present. If you find yourself talking about a borderless world, or arguing that countries do not have sovereignty online, or that regulation simply is not possible because technology moves too fast, you will have very little to add to a public policy discussion. In the words of Abe Lincoln, “we must disenthrall ourselves” and keep an open mind.

Public policy is a field, one that is a lot older and better developed than cybersecurity. Study it. If you want to influence government, learn about how it works and how to develop innovative public policy programs. Go get a degree in public policy. Come spend a year with the Council on Foreign Relations doing an International Affairs Fellowship. Take a job on Capitol Hill or in government. You will likely find you have a lot to contribute. You will also likely come to the conclusion that turning the ship of state is a lot harder than you imagined and past failures are not due to a lack of technical knowledge. You probably will have minimal impact if all you do is pop in to the occasional policy discussion, dazzle with your technical brilliance, drop the mike, and walk away.

If you want an idiot’s guide to public policy, buy a copy of The Tools of Government. Of all the reading I have assigned to students over the years, this is the book that students find most useful. In it, Lester Salamon walks through fourteen tools of government. Five that have not been well and fully explored for application to cybersecurity include 1) government corporations and government-sponsored enterprises; 2) corrective taxes, charges, and tradable permits; 3) loans and loan guarantees; 4) tax expenditure; and 5) private cause of action. Quick start suggestion: identify a problem in the cybersecurity landscape. Look at how these solutions could be applied to it.

Focus on nudges. Nudges are the fifteenth tool. Borrowing from behavioral economics, “nudge theory” is that positive reinforcement and recommendations are often more effective than mandates. The book Nudge by Richard Thaler and Cass Sunstein is a good primer. Sunstein would go on to apply the concept in his role at the Office of Information and Regulatory Affairs. The cybersecurity framework is one big nudge. The growth of information sharing and analysis organizations all comes from nudges.

Look for solutions outside of cybersecurity. You are likely to find that many of the problems that need to be solved in cybersecurity have been solved in other fields. Want to eradicate known vulnerabilities in software? Study how smallpox and polio were eradicated in the real world. Want to reduce the prevalence of botnets on the internet? Look at what lessons you can draw from the success in reducing chlorofluorocarbons. What is most likely to be the most influential policy work this decade, the New York Cyber Task Force Report, borrows its approach from environmental policy.

Take your analysis beyond 140 characters. Twitter has its uses but, to my knowledge, no idea has ever gone from a Tweet to implemented policy, at least without a lot of interim work to develop it. Think you have a good idea for cybersecurity policy? Write it up. Get it to 600 words, and send it to Net Politics (netpolitics at cfr dot org). Get it to 800 words and send it to the New York Times. Want to avoid gatekeepers? Publish it on Medium and then tweet it out. But write it all down first.

Do some research. It’s a big world and cybersecurity is a hot topic. Chances are your brilliant idea has been proposed before. That doesn’t mean it’s not worth writing up, but it probably does mean you could learn a lot from what has come before. If you need a rule, read 100 times more than the amount that you write on a topic. Above all else, make sure you really understand existing law and policy in the area and are offering useful amendments, not a new constitutional convention. Unlike malware, the U.S. Code is not obfuscated. Before panning the Computer Fraud and Abuse Act for being outdated, read it and tell me what needs to be fixed with citations to the actual text.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.