Students on cybersecurity task force weigh policy options

"Cybersecurity" has been in the American lexicon for decades. The U.S. has typically taken a defensive approach to cyberwarfare, responding to attacks as they occur but leaving preventative strategy to private companies. But recent extensive invasions like the Sony Pictures Entertainment hack, the Target data breach and an attack on the White House network have called national attention to the sharp rise in cyberattacks, exposing the vulnerabilities of millions of Americans.

"Cybersecurity: Attacks and Consequences," a class offered in the format of a policy task force at Princeton University's Woodrow Wilson School of Public and International Affairs this spring, sought to evaluate the need to address the public harm caused by cyberattacks and to offer recommendations to policymakers.

Cybersecurity Class

The class "Cybersecurity: Attacks and Consequences" sought to evaluate the need to address the public harm caused by cyberattacks. (Photo by Denise Applewhite, Office of Communications)

Ten juniors and one senior began the course in February knowing only that they were deeply unfamiliar with the emergent policy issue. But a semester of immersion validated their interest and ended with a presentation of their findings to staff from the Homeland Security Committee of the U.S. Congress and the National Security Council at the White House in Washington, D.C.

"I was surprised to find out that most of my classmates had chosen this task force for the same reason that I did — most of us were new to the topic," junior Chany Kim said.

"It seems every month or so we hear about another data breach or hacking incident," said senior Kathryn Scott, who served as task force commissioner. "I wanted the opportunity to learn more about the nontechnical policy issues surrounding cybersecurity."

All undergraduate majors at the Wilson School complete a task force as part of their junior independent work requirement. The courses are designed to focus on unresolved policy issues, giving students the opportunity to research and approach matters in real time.

Students discuss in cybersecurity class

All undergraduate majors at the Woodrow Wilson School of Public and International Affairs complete a junior task force. Each course focuses on an unresolved policy issue, giving students the opportunity to research and approach matters in real time. From left, juniors Priyanka Sur, Michael Skelly and Benjamin Dinovelli participate in a class discussion about cybersecurity. (Photo by Denise Applewhite, Office of Communications)

The cybersecurity task force was led by Joel Reidenberg, a visiting lecturer in the Wilson School and the 2013-14 inaugural Microsoft Visiting Professor of Information Technology Policy at Princeton's Center for Information Technology Policy. A cybersecurity expert, Reidenberg is a researcher and author in information privacy and information technology law and policy. He also is the Stanley D. and Nikki Waxberg Chair in Law and Professor of Law at Fordham University, where he directs Fordham's Center on Law and Information Policy.

"This was a forward-looking task force," Reidenberg said. "Cybersecurity is a critical issue for the U.S. right now. Our work fed directly into current discussions, giving the task force the opportunity to make a significant policy contribution. The nature of the issue — addressing attack damages — has allowed the task force members to get ahead of the curve in the course of a semester."

To meet the school's junior policy paper requirement, each Wilson School junior researches a particular aspect of an issue covered in the task force and offers written policy recommendations. The senior commissioner, having successfully completed a task force the previous year, guides the juniors as they learn to write policy papers as well as work collaboratively to produce a final white paper offering their recommendations to officials in the public and private sectors.

The cybersecurity task force's report argues that while Congress, the White House and federal agencies have enhanced U.S. defense against cyberattacks, the focus of the policy debate has largely been on industry protection. The collateral damage of past attacks — people whose security has been compromised in one way or another — has not been clearly evaluated, according to the report. This is unfortunate because cyberattacks can have significant economic and legal consequences for private citizens, such as identity theft or even bankruptcy.

"Many of the existing proposals on cybersecurity serve the interests of private sector organizations, but often fail to protect third parties, including the public," said Kim, who spent the semester researching liability issues related to cyberattack countermeasures.

Cybersecurity taskforce in Washington, D.C.

The task force traveled to Washington, D.C., to present their findings to policymakers. Here, they present to staff from the House of Representatives Committee on Homeland Security. (Photo by Joel Reidenberg, Woodrow Wilson School of Public and International Affairs)

The report recommends policies to mitigate the harm suffered by victims of cyberattacks, beginning with an analysis of gaps within the cybersecurity protection framework. The students found that information sharing among the private sector and with the federal government needs a clearer legal structure. To better protect data, they report, collection and assessment need to be improved.

The report also proposes that the Department of Homeland Security create an emergency fund within the Federal Emergency Management Agency to cover certain kinds of losses suffered in attacks and that the government establish a specific reaction plan. To strengthen small businesses, the report recommends creating a federal cyber reinsurance program in the Treasury Department that would offer financial protection when damages are exceedingly high. A program for internet safety licenses earned through the completion of a cybersecurity course is also encouraged so that consumers can better protect themselves against attacks as well as limit their legal liability when they do occur.

On May 5, the class traveled to Washington, D.C. There, students received feedback on their recommendations from the staff of the Homeland Security Committee in Congress, the National Security Council at the White House, and the Special Assistant to the President for Cybersecurity, Michael Daniel, a 1992 Princeton alumnus who majored in the Wilson School.

"The trip was a resounding success," Scott said. "The staff members were incredibly impressed by what the juniors had managed to accomplish in only one semester. They also weren't hesitant to ask the juniors hard-hitting questions and provide real critiques. The juniors provided excellent responses that showed off their knowledge. Our audience was doubly impressed."

Junior Luke Brahm considers the trip to Washington the highlight of the semester.

"Gaining an understanding of the difficult and complex decisions that are made by people at the highest level was the biggest takeaway," Brahm said. "I came away with a much more complete understanding of the way in which government policy makes its ways through the systems of bureaucracy and comes out as actionable law in the end."

Cybersecrity class discussing in Washington, D.C.

Students discuss their cybersecurity policy suggestions with White House staff May 5 in the Cordell Hull Room in the Eisenhower Executive Office Building. (Photo by Kathryn Scott, Class of 2015)

Throughout the semester, the task force hosted visitors including Leo Taddeo, special agent in charge of the cyber/special operations division of the FBI; Timothy Howard, the assistant U.S. attorney for the complex frauds and cybercrime unit of the Southern District of New York; and Terrell McSweeny, a commissioner of the Federal Trade Commission (FTC).

During the class McSweeny visited, she and the students discussed the crucial issue of the lack of data on the effects of past cyberattacks. There must be an understanding of the current state of cybersecurity, she said, to know why and how it must change, and be able to balance the cost of risk with the cost of security. McSweeny said she was looking forward to seeing the fruits of their research as the FTC considers the critical issue of who has the authority to regulate consumer data security.

"The guest speakers in the class were truly exceptional," said Brahm. "From an agent-in-charge of the FBI's cybersecurity division to a lead prosecutor on the infamous Silk Road case, they were simply incredible."

As the students were finalizing the report's recommendations, the U.S. House of Representatives passed two bills to promote cybersecurity information sharing between government and the private sector. The U.S. Senate is expected to vote on legislation this month. While the White House supports the legislation, the security-versus-privacy debate carries on, with critiques that the measures go too far or not far enough. The students on the task force can now follow this debate with ease, as they have done their homework on the issue.