Podcast & blog: Who is in charge of our cyber resilience?


Digital landscapes, by default, evolve and expand beyond the borders of national cyberspaces. So it is natural that the paths of cybersecurity and geopolitics become increasingly intertwined. What countries cannot afford in this context, though, is to overlook the roles and modes of countering cyber threats effectively.

On cybersecurity, the e-Governance Conference 2024 features a fireside chat between Andrew Grotto, a seasoned expert and professor from Stanford University and former White House advisor, and Merle Maigre, Head of Cybersecurity at eGA. In this podcast episode, the two introduce the upcoming session on protecting critical infrastructure, making sure responsibilities are clear, and deploying public-private partnerships for better strategies.

 
Cybersecurity and geopolitics – a White House Advisor’s perspective

Andrew Grotto’s tenure as a cybersecurity advisor under two U.S. administrations helps put the geopolitical dimensions of cyber policy into perspective. The U.S. approach in this sense is clear: strategies on the topic are integrated within the broader national security plans. This highlights two elements. Firstly, technology governance is critical, and all governments should see it that way. Secondly, it cuts across different domains of government, including national security and foreign policy.

“As we’ve monitored cybersecurity trends, it’s clear that the digital battlefield is not just about protecting information, but is a crucial arena for international diplomacy and conflict resolution,” Maigre begins. In this regard, Grotto explains, “In my time at the White House, we saw firsthand the intersection of cyber capabilities and international power dynamics. Cyber operations have become a fundamental component of national security strategies, serving both defensive and proactive roles in geopolitical contests.”

When the cyber domain becomes yet another battleground for geopolitical influence, such a playing field is set to reflect broader tensions between major powers. But as Grotto noted, cybersecurity is not just about defense; it is also an essential element of a country’s offensive capabilities and diplomatic toolkit. Cyber capabilities, then, shouldn’t be developed with the sole goal of protecting one nation’s cyberspace. Indeed, cyber operations have already played a role in diplomatic negotiations, helping to address global security challenges.

 

Patchworks of regulations don’t help the cause

Let’s look overseas: how do cybersecurity regulations work in the U.S.? Unlike Europe’s broad mandates, the U.S. approach is much more sector-specific. This allows for tailored strategies that address unique sectoral risks, from healthcare to finance. But it also results in a patchwork of standards that can complicate comprehensive policy enforcement. So while each sector develops its own cybersecurity protocols, it is possible that these do not consistently overlap. Flexibility is ensured, but room is left for gaps that can be exploited by cyber threats.

“The U.S. cybersecurity framework is byzantine at best. Small businesses, in particular, struggle with this complexity, which often leads to inadequate protections that could be streamlined through more coherent federal policy,” Grotto says. And the administrative landscape of the United States of America, across states, might not help either. “We’re dealing with a system where states often have conflicting or overlapping cybersecurity regulations. This not only complicates compliance but also weakens our collective security posture.”

The need is for a more unified regulatory approach that would, for example, help companies better protect themselves and their customers: a form of federal oversight that could enforce uniformity while allowing for adaptations to sector-specific needs. “A unified regulatory approach would reduce these inefficiencies, and enhance our ability to respond to cyber threats swiftly and effectively,” Maigre explains.

“What we need is regulatory consolidation that helps businesses comply, but without getting in the way of innovation. Patchworks of regulations are not only inefficient but also create significant barriers to effective cybersecurity practices,” she adds.

 

Safety measures to address vulnerabilities and AI use

Moreover, with the rapid integration of AI and large language models in security infrastructures, new vulnerabilities emerge alongside powerful solutions. “It’s imperative that we develop stringent safety measures and governance frameworks to mitigate these vulnerabilities and risks adequately,” Grotto points out.

In this sense, we should not forget the double-edged nature of technological advancements. “AI can significantly enhance our cybersecurity capabilities, but without proper controls, the same technology poses severe risks. We need comprehensive risk management strategies that address both the opportunities and threats presented by AI,” Grotto says. A foundational safety protocol akin to seatbelts in cars, so to speak, would standardise basic cybersecurity hygiene across technologies.

Comprehensive, here, means reaching beyond countries’ borders too. “Cybersecurity is not an issue any country can tackle alone. International standards and cooperation are vital for developing AI security measures that protect against global threats,” Grotto says, with a view to developing international standards for AI security.

“As AI becomes more integrated into our systems, the potential for both intentional and accidental vulnerabilities increases. Robust safety protocols are essential to safeguard our digital infrastructure. As governance frameworks, that are effective for AI in cybersecurity too. These should address the technological aspects, of course, but also consider the ethical implications of deploying AI in sensitive environments,” Maigre highlights.

 

Interested in public-private cooperation in cybersecurity? Join the fireside chat featuring Andrew Grotto and Merle Maigre at the e-Governance Conference on 22 May to delve into the crucial matter of allocating responsibility between the government and the private sector in countering cyber threats, particularly concerning critical infrastructure, and explore effective strategies for strengthening the cybersecurity of critical infrastructure.

Check the programme and get the ticket now at egovconference.ee  

Listen to all Digital Government Podcast episodes at ega.ee/digital-government-podcast