The Bridge: 50th Anniversary Issue
January 7, 2021, Volume 50, Issue S

This special issue celebrates the 50th year of publication of the NAE’s flagship quarterly with 50 essays looking forward to the next 50 years of innovation in engineering. How will engineering contribute in areas as diverse as space travel, fashion, lasers, solar energy, peace, vaccine development, and equity? The diverse authors and topics give readers much to think about!

Future Directions for Cybersecurity Policy
Monday, March 8, 2021
Author: Josephine Wolff

Fifty years feels almost unimaginably long in internet time. Fifty years ago, the ARPANET was barely a year old; Ray Tomlinson had not yet sent the first email, Vinton Cerf and Robert Kahn had not yet published their seminal paper on the protocol that would become TCP/IP, Tim Berners-Lee had not yet invented the World Wide Web—the online world looked nothing like the one we know today, and the word “cybersecurity” wouldn’t be introduced for nearly another 20 years. Viewed in that light, trying to predict the technological landscape of the internet and cybersecurity a half-century from now is an almost impossible task. But 50 years is not nearly so long when it comes to considering the policy landscape for cybersecurity and the ways that regulators around the world will define, solidify, and implement approaches to securing the internet in their respective countries in the coming decades.

The Case for Reduced Connectivity

Even if the precise technology underlying how computer networks will work in the future is difficult to predict, certain trends seem inescapable, such as the increasing internet connectivity of existing infrastructure, from cars to personal home electronics to industrial manufacturing machinery. Networking these devices will enable tremendous efficiency, convenience, and safety—but it will also create new opportunities for cyberattacks and vastly raise the stakes of accidental technological failures.
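As an added illustration that is not part of the essay, the small model below makes the "stakes" concrete: it computes how many devices an adversary holding one compromised device can reach when every device may talk to every other, versus under the function-based segmentation the essay goes on to argue for. The device fleet, the functional classes and the allowlist are constructed for this example.

```python
from collections import deque

# Constructed fleet for the example: each device has a functional class, echoing the
# essay's examples of cars, personal home electronics and industrial machinery.
DEVICES = {
    "car-1": "vehicle", "car-2": "vehicle",
    "phone-1": "phone",
    "tv-1": "home", "thermostat-1": "home",
    "press-1": "industrial", "robot-1": "industrial",
    "hub-1": "home-hub",
}

def flat_policy(src_class, dst_class):
    """The 'everything can reach everything' future: no restriction at all."""
    return True

# Function-based allowlist (constructed): which classes may open connections to which.
SEGMENTED_ALLOW = {
    ("vehicle", "vehicle"),      # e.g. vehicle-to-vehicle safety messaging
    ("phone", "home-hub"),       # a phone controls the home only via the hub
    ("home-hub", "home"),
    ("industrial", "industrial"),
}

def segmented_policy(src_class, dst_class):
    return (src_class, dst_class) in SEGMENTED_ALLOW

def policy_with(extra_pairs):
    """Segmented policy plus convenience exceptions, such as the phone -> vehicle
    link behind 'start your car from your smartphone'."""
    allowed = SEGMENTED_ALLOW | set(extra_pairs)
    return lambda s, d: (s, d) in allowed

def blast_radius(start, policy, devices=DEVICES):
    """Set of devices reachable from a compromised `start` by hopping only over
    connections the policy permits (breadth-first search over the policy graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in devices:
            if other not in seen and policy(devices[cur], devices[other]):
                seen.add(other)
                queue.append(other)
    return seen

if __name__ == "__main__":
    for label, pol in (("flat", flat_policy), ("segmented", segmented_policy),
                       ("segmented+phone->car", policy_with({("phone", "vehicle")}))):
        n = len(blast_radius("phone-1", pol))
        print(f"{label:22s}: a compromised phone-1 reaches {n}/{len(DEVICES)} devices")
```

Adding a single convenience rule (phone to vehicle) pulls both cars into the phone's blast radius, which is the trade-off the essay describes between interconnectivity and containment.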
To strengthen cybersecurity over the next several decades, technology designers will have to focus on segmenting the networks connecting different devices and think seriously about which of the ever-growing number of interconnected devices actually need to be able to communicate with each other. Ideally, 50 years from now, those connections will be much more restricted, so that an adversary who compromises one device is not then able to easily compromise thousands of others.

This approach of restricting the connections between different types of devices will appear, at times, to go against current trends toward greater interconnectivity and convenience, such as being able to turn on your car from your smartphone. But a future in which every new device that comes online can communicate with every other device will create much greater risks for all of those machines and their users than will isolating device connections according to their functions. How and when technology developers begin to set boundaries on which types of devices can interconnect with each other, and how effectively they implement those borders, will be one of the crucial determinants of the future of cybersecurity. Thinking about cybersecurity will have to shift from a focus on preventing breaches and eliminating vulnerabilities to limiting the spread of breaches and minimizing the negative impact of any individual vulnerability beyond the borders of its own system.

Role of Regulation

Artificial intelligence (AI) will also play a significant role in what cybersecurity looks like 50 years from now. AI can be both an adversarial technology, when algorithms are used to identify vulnerabilities and circumvent defensive technologies, and a target for adversaries trying to undermine or alter sophisticated machine learning algorithms, such as those used by cars to detect traffic signs.
To secure AI, it is essential to be able to identify when algorithms are being tampered with in ways that will provide incorrect recommendations or results. This ability will require significant advances not just in explainable AI technology but also in regulatory requirements to implement and audit that technology. The more decision making is outsourced to computer systems, the more cybersecurity efforts will come to focus on safeguarding those systems and the integrity of the decisions they make rather than protecting individuals’ money or companies’ stores of sensitive or proprietary data.

Both of these trends, toward more networked devices and more automated decision making, will require regulators to think seriously about the question of who is responsible when security compromises occur, as they inevitably will. The goal of policymakers in the coming decades should be to establish a liability regime that both makes clear who is responsible for which elements of negative cybersecurity incidents and aligns penalties with the stakeholders who are in the best position to mitigate the consequences of those incidents. Clarity about these responsibilities will create stronger incentives for all stakeholders—from software developers and hardware manufacturers to internet service providers and Domain Name System (DNS) server operators—to secure their respective components of the internet ecosystem. A liability regime will also enable insurers to provide clearer coverage for cybersecurity incidents tailored to the roles and responsibilities of individual customers, and help individuals harmed by such incidents to pursue legal remedies against the appropriate parties.
Different countries may define liability for cybersecurity incidents in different ways, as is beginning to happen even in the absence of very clear responsibilities in most places. Despite the current push for global norms and standards for cyberspace, it seems unlikely that the future of cybersecurity lies in defining globally accepted norms, but rather in countries getting better at leveraging their own domestic laws to have outsized, international impacts on the internet through the regulation of global intermediaries and service providers.

International Fragmentation of the Internet

The fragmentation or balkanization of the internet that has been heralded for years seems less likely to arrive through a definitive fracturing of the internet’s technical infrastructure—the globally used protocols for transmitting information, for instance, or the DNS root zone—than through a gradual, steady divergence in the ways that different countries regulate and restrict online services.

In many ways, fragmentation should be the goal in the future:

fragmentation of the current internet into many internets that each serve particular, segmented purposes;
fragmentation of sophisticated AI algorithms into explainable and auditable components;
fragmentation of responsibility for complex cybersecurity breaches into many smaller subresponsibilities for the different involved stakeholders;
fragmentation of global cybersecurity regulations according to different countries’ priorities and ideas about what a secure internet should look like.

Fundamentally, the future of cybersecurity will involve recognizing that there are multiple visions and finding a way for them to coexist on the global internet.

About the Author: Josephine Wolff is an assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy.