US national cyber director argues for a new social contract to bolster cybersecurity

On March 21, Chris Inglis, the inaugural national cyber director of the United States, joined Professor Samuel Rascoff for a discussion hosted by the NYU Center for Cybersecurity. A recent Foreign Affairs article co-authored by Inglis provided the springboard for a conversation focused on the need for stronger and more effective cybersecurity to defend against mounting threats. Inglis argued in the article for a new “Cyber Social Contract” to help reallocate the respective risks and responsibilities assumed by public and private actors in cyberspace. 

Chris Inglis

The in-person exchange at NYU Law touched on subjects such as the actions and inactions that have led to the current state of cybersecurity; the effects on public confidence of incidents such as the Colonial Pipeline ransomware attack; the potential for escalated Russian cyberwarfare in the wake of the invasion of Ukraine; and the new Joint Cyber Defense Collaborative initiative, an effort by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to integrate the cyberdefense capabilities and efforts of federal agencies, state and local governments, and private-sector entities.

Watch the video of the event:

Selected remarks by Chris Inglis:

“You have North Korea that essentially will find any open door.… Maybe it’s a one-person business somewhere out in the Midwest of the United States that thinks they’re a world away from risk, and all of a sudden they’re toe-to-toe with a ransomware attack that’s actually prosecuted by a nation-state. It’s not a fair fight. They couldn’t possibly win that fight. And why is that? Because we’ve devolved the responsibility for security to the lowest possible denominator in this case, which is the last tactical mile—the person who happens to inherit all of those choices made or not made about the inherent resilience of that architecture and who’s accountable to defend that architecture. Which is why I think we need a new social contract, which is why I think that this is not a technology issue. This is a doctrinal issue. This is a roles and responsibilities issue.” (video 10:39)

“I don’t see so much Big Tech as…something that is having a malign influence but rather as a leverage point, as a resource, that if it were to focus on the societal great goods, it could deliver at scale things that can’t be done by any other kind of similarly postured mechanism within our society. Microsoft, three weeks ago, I think, talked about how they detected on a given afternoon some threat that was holding Ukrainians at risk—I think it was a wiper virus—diagnosed it within three hours and deployed a solution within three hours to 400 million endpoints throughout the world. That’s extraordinary.” (video 37:38)

“How do you find the criminals? How do you hold at risk other nation-states that are holding us at risk in and through cyberspace? There’s any number of remedies to do that. There are financial sanctions, legal remedies, there’s diplomacy, there’s public shaming that sometimes works…. But we’re not going to shoot our way out of this. We cannot just do that…. You have to build in resilience, be a harder target. You have to actually proactively understand how these systems are being used. Find an anomaly, interdict it, engage it, stop it at the earliest possible moment. Assist those who need assistance in this space, and then finally, as a complement to all of that, impose consequences on those who continue to hold you at risk. That only can work in the context of all those other things.” (video 1:02:58)

Posted March 28, 2022