VI: In other words, the actors doing these kinds of criminal activities in cyberspace are hackers coming from wherever?They may be countries that are testing their abilities to break into things and do harm, or they might be terrorist organizations looking to finance their operation?
Paul Rosenzweig: Yes, that’s true. Terrorist financing is a thing that we deal with through the methodologies enacted to counter terrorism financing. I am trying to break off the pieces of cyber that are unique to it, that make it a different problem than anything else. There are things about cyber that are unique – I have designated the five “v’s”. It’s velocity, it’s volume, it’s variety, veracity or lack of veracity, and valence, that is its ability to be targeted. This for me is the criteria that makes the difference from terrorists stealing money electronically, versus terrorists robbing a bank.
VI: Moving on to 2.0, the big data aspect of cybersecurity, which includes what Cambridge Analytics did in the 2016 election. They acquired data from Facebook and used it for their own purposes – to influence elections in designated jurisdictions by manipulating peoples’ attitudes. Is not this kind of weaponization of data something to be quite concerned about?
Paul Rosenzweig: Yes, very much so.
VI: Do you think a government should prioritize trying to counter big data manipulation?
Paul Rosenzweig: I think all three aspects of cybersecurity are important. Don’t get me wrong. Even though I’m minimizing the criminality in 1.0, I think that government has a huge role to play in partnering with the private sector for critical infrastructure protection of the parts that need to be protected like the transportation and electric grid.
In 2.0, the government has been pretty absent. There is no US government privacy regulation at the federal level to speak of. There never has been. The Europeans have just issued the General Data Protection Regulations. California has a new law that is just coming online. I confess I don’t know what the right answer is because as the Obama White House’s report on big data made clear, there are lots of plus values to large-scale data aggregations that allow for serendipity and synergies that we don’t even know exist at this point. It seems clear to me that government is further behind the curve in Cybersecurity Threats 2.0 than it is in what I’m calling 1.0.
At the start of his administration, President Obama had a blank slate, “What should we be doing about Cybersecurity 1.0?” They came up with a lot of good stuff. Was it perfect? No, but were we better off after eight years of working on that problem based on what they found at the start? Yes.