In December 2017, Sasakawa USA partnered with the Center for a New American Security (CNAS) to take a cohort of seven rising U.S. cybersecurity experts and technology entrepreneurs for a week-long study trip to Japan. Here, cohort member Megan Stifel, Cybersecurity Policy Director, Public Knowledge, writes about the challenges governments and entrepreneurs face when addressing cybersecurity.
Late last year I participated in a Sasakawa USA Emerging Experts Delegation (SEED) to Japan to learn more about how the Japanese are approaching cybersecurity and entrepreneurship. Having never traveled to Japan or Asia, but having spent the better part of my professional career in cyber policy, I immediately accepted the invitation.
Our meetings were informative and collaborative. Indeed, the United States and Japanese governments share similar views on the importance of cybersecurity and common approaches to meet the challenges it poses to the global economy. Unfortunately, they also share a common vulnerability where cybersecurity and entrepreneurship intersect. From my prior experience, confirmed and expanded in conversations during the trip, it appears they rarely do, that is until it may be too late.
This is not to suggest that these governments do not have resources available for individuals and organizations that want to learn more about cybersecurity. One does not have to look far in either country to find the U.S. Federal Trade Commission’s Start with Security, or the Japanese Information Security Handbook for Network Beginners (which includes some fantastic cartoons!). These cybersecurity awareness publications are great resources, but the individual or organization has to know that it should and care to look.
Much has been said previously about the need to raise cybersecurity awareness and improve cybersecurity education. Most countries have efforts underway to address these issues; such efforts can and should continue. But researchers have found that these efforts fail in part because of the way they are framed: negatively, drawing upon fear, uncertainty, and doubt. Consumers and major corporations share this perspective. Reframing the societal approach to cybersecurity is long overdue.
Fortunately, both the Japanese government and the Japanese Business Federation are already working toward this end. The 2015 Japanese Cybersecurity Strategy called for executives to raise awareness of cybersecurity measures as an “investment” for progressive management, not a “cost” of business. Similarly, Keidanren, the Japanese Business Federation, reports that it amended its Charter of Corporate Behavior to include an obligation for companies to address cybersecurity as a social responsibility. Its 2017 “Call for a Reinforcement of Cybersecurity” also observes that “security is a necessary precondition for creating value in cyberspace…”
For example, the Japanese government is supporting the development of an Internet of Things (IoT) standard for commercial and industrial organizations. It has also emphasized security by design in its IoT policy development processes. These recent efforts support and reflect Japanese cultural beliefs that corporations must “behave with a strong sense of ethical values and responsibility and gain trust and rapport from the public.” Both the U.S. and Japanese governments and portions of industry have recognized the importance of cybersecurity to maintain trust in the tools that enable the modern economy, as represented by the Charter of Trust, efforts of the World Economic Forum, and others.
Despite this progress, governments and organizations at all levels can better demonstrate their commitments to cybersecurity. In their efforts to support entrepreneurialism, in addition to running and supporting accelerator programs, cities and regions should also ensure that participants in the programs operate in facilities that employ cybersecurity best practices, and that these new businesses learn relevant best practices themselves. This expertise is not something the governments themselves necessarily need to possess, though they should. Rather, when necessary they could collaborate with private sector entities who do. To reduce the risk of picking industry champions, an independent advisory board could support evaluation of such programs. Better yet, a multi-stakeholder process could develop a baseline framework to help guide accelerators and entrepreneurs in making good cybersecurity choices.
Key elements of such a baseline should include priority questions and features when selecting communications service providers and information assets (e.g., computers, printers, routers) for facilities as well as the organizations they support; employee cybersecurity training; secure software development; policies and procedures governing authorized uses of accelerator and supported organization information assets; basic privacy and security legal obligations and best practices (e.g., handling personally identifiable information; collecting information from children; GDPR); and incident response planning, to name but a few. As these startups mature they should continue to be mentored in their cybersecurity practices, particularly in the areas of software vulnerability management and supply chain risk management, and should also receive guidance when selecting a managed security service.
As entrepreneurs are growing in number across America, in Japan, and around the world, cybersecurity must be a core element of their experiences. Implementing best practices will provide nascent businesses with a solid and secure foundation upon which they can grow, succeed, and ensure that their innovations sustain the internet for tomorrow.
Megan Stifel is an attorney and the founder of Silicon Harbor Consultants, a firm that provides strategic cybersecurity operations and policy counsel. She currently serves as Cybersecurity Policy Director at Public Knowledge. In addition, she is a Policy Advisor to Technology for Global Security and is a Nonresident Senior Fellow in the Atlantic Council’s Cyber Statecraft Initiative.
Stifel previously served as a Director for International Cyber Policy at the National Security Council (NSC), where she was responsible for expanding the U.S. government’s information and communications technology policy abroad, including in connection with cybersecurity, internet governance, bilateral and multilateral engagement, and capacity building. Prior to the NSC, Stifel served in the U.S. Department of Justice (DOJ) as Director for Cyber Policy in the National Security Division and as counsel in the Criminal Division’s Computer Crime and Intellectual Property Section.
Before joining DOJ, Stifel was in private practice, where she advised clients on sanctions and FCPA compliance. Before law school, she worked for the U.S. House of Representatives Permanent Select Committee on Intelligence.
She received a Juris Doctorate from the Maurer School of Law at Indiana University, and a Bachelor of Arts in international studies and German, magna cum laude, from the University of Notre Dame.