Cybersecurity policymaking is out of focus. Bureaucracy hackers can help.
The cybersecurity industry is in desperate need of more “bureaucracy hackers” — individuals within federal and state governments who are authorities on the intricacies of policy creation and the nature of today’s rapidly-evolving technology and threat landscapes.
To understand why, look no further than Georgia State Bill 315: Introduced in the Georgia state senate earlier this month, the bill has the entire cybersecurity community shaking its head in disbelief. In short, the bill is modeled after the highly-controversial Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage. While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks.
Sen. Mark Warner’s IOT Improvement Act is another clear example: Drafted and supported by a bipartisan group of senators, the bill aims to protect increasingly “connected” citizens and their homes by introducing a baseline security standard for all internet-connected devices.
In principle, this is exactly the type of legislative action we want to see from lawmakers. It’s proactive, forward-looking and fully intended to keep citizens secure now and into the future.
There’s just one problem: it won’t work.
In short, the bill calls for vendors to “certify” that there are no vulnerabilities in a connected device before goes to market. While that sounds reasonable, it’s completely infeasible. No one can ever say with absolute certainty that a product with more than 10 lines of code is free of vulnerabilities. That’s just not how software works.
There inlies the problem: the people we have drafting critical cybersecurity policies don’t actually understand the basics of software and computer code. It’s not their fault — but it’s also far too important to leave in their hands alone.
To create the right policy frameworks for 21st century cybersecurity, we must prioritize finding and activating more bureaucracy hackers. In doing so, we can provide policymakers with the domain expertise they so desperately need to make informed policy decisions. What’s more, they can also help the policy-making process become more agile and proactive — two key tenets of effective cybersecurity.
Most of the time, policymaking is a reactionary process: something breaks (often in a big and very public way) and then lawmakers scramble to fix it. By then, it’s already too late. Imagine if we had someone proactively culling through existing laws and policies to identify potential trouble spots down the road. That could change everything.
Granted, there is a long tradition of bringing subject matter experts into state and federal policymaking to help them better understand complex subject areas. But this approach clearly isn’t working. What we need are people with real skin in the game — individuals who are deeply invested in the outcomes, understand the difficulties of passing meaningful policy and legislation, and have the ability to work across stakeholder groups from within the federal government.
In many ways, this is a natural evolution. In recent years, the U.S. government has made great strides in bringing technical people with a policy background (and vice versa) into the fold through organizations like the U.S. Digital Service (USDS) and 18F. Now, it’s time to double down.
How do we do it? First, Congress needs to act. Specifically, they can start by articulating where bureaucracy hackers are most needed. That is to say, determining whether the roles are government-wide (i.e., every federal agency has one) or agency-specific (i.e., DoD, DoJ, and/or DHS only) — or some other model entirely.
Next up: authorizing and prioritizing the roles. Generally, that means legislating and authorizing funding for them. Once it happens, agencies will take the effort seriously and begin to prioritize it.
Finally, we need to pick the right people for the job. Again, they can’t just be people with Silicon Valley expertise. They must have government experience as well, and likely an extremely nuanced and well-understood picture of the laws that govern this technical space. That generally requires more than just a few years of government experience, which for a lot of technical folks, can seem like a lifetime and hold them back.
That means the best candidates will likely come from within. Make no mistake: they’re already in our ranks — we just need to find and empower them.
The USDS and 18F are natural places to start the search. They can help identify and recommend individuals they’ve found working in agencies that have that the right skills. Here’s what to look for: individuals who have fought through government bureaucracy either from a policy role or technical one; who have real technical skill (i.e., they know how to code, not just who to call); possibly even a law degree or at least a real understanding of the relevant laws; and lastly, a proven track record of getting things done in the government — especially when all odds are against them.
This is how we build cybersecurity frameworks that are up to the challenges of today’s technology and threat landscapes — more expertise, more proactivity, more collaboration. To get there, we need to bring the bureaucracy hackers that already exist within the ranks of the government to the forefront and empower them to bring teams together and effect realistic change through policy today.
We cannot afford to wait.
Lisa Wiswell is a strategic adviser to HackerOne and a Principal at GRIMM, a cybersecurity research, engineering and consulting firm. Previously, Wiswell worked for the Defense Digital Service, where she was appointed Special Assistant to the Deputy Assistant Secretary of Defense for Cyber Policy in the Office of the Secretary of Defense and pioneered “Hack the Pentagon,” the U.S. federal government’s first bug bounty program.