Cybersecurity Expert Andrea Matwyshyn Offers Policy Suggestions for Improving Security

By TAP Staff Blogger

Posted on November 15, 2018


In January 2015, the movie Blackhat debuted in U.S. theaters. … Curious about technical experts’ reactions to the film, the producers of Blackhat held special screenings for information security professionals in Silicon Valley and Washington D.C. … The security experts all agreed on one thing: the severity of existing security vulnerabilities was not overstated. Serious vulnerabilities in both the public and private sectors are known, often unpatched, and sit ripe for exploitation by malicious attackers.
    - Andrea Matwyshyn, Northeastern University Professor of Law and Computer Science


In her recent article, “Cyber Harder,” cybersecurity expert Andrea Matwyshyn carries on the work she introduced in “CYBER!” by presenting “concrete policy suggestions for charting a new course for security in both the public and private sectors.”


Below are a few excerpts from “Cyber Harder.”



In 2017, malware dubbed ‘NotPetya’ infected businesses in over 20 countries, causing an estimated $1.2 billion in damage. Companies as diverse as shipping companies and global law firms suffered significant losses as a result of the malware, with some effects still lingering a year later. Although NotPetya mimicked prior malware presumed to be written by financially-motivated criminals, security experts deemed this resemblance likely superficial: unlike some of its malware predecessors, NotPetya was likely written by a nation state for purposes of targeted disruption. Indeed, both the United States and the United Kingdom publicly identified Russia as the author of the malware — allegedly a part of Russia’s “hybrid warfare” aimed primarily at destabilizing Ukraine.


The scale of the NotPetya problem calls to mind the Office of Personnel Management (“OPM”) breach of 2015. In that breach, approximately 22 million government employees’ data – including data of covert operatives – was exposed, ostensibly due to avoidable variables. Like the effects of NotPetya, the full impact of the OPM breach may also never be known. However, national security experts have opined that the OPM breach was “an absolute calamity” whose national security impact may last forty years or more, and it is likely to have damaged an entire generation of national security operations.


Recent legislative and public discussion of data breaches and security has significantly increased, yet in the last year alone, the security situation on the ground appears to have further deteriorated. The Mirai botnet remotely compromised Internet of Things devices such as DVRs and overwhelmed some of the best-defended websites on the internet with a distributed denial of service attack, knocking them off the internet. The WannaCry ransomware held thousands of National Health Service hospital administrative computers hostage, disrupted patient services, and threatened patient welfare. Even the U.S. presidential election appears to have been impacted by attacks on vendors and compromises of state voter registration systems – attacks which our intelligence services believe to have been the work of a foreign adversary. Our current “cybersecurity” approaches are clearly not succeeding, and the state of security looks bleak.


The predecessor article to this essay, CYBER!, offered a fresh approach to security – the paradigm of reciprocal security. This essay continues where CYBER! concluded and offers elaborations on concrete policy suggestions for charting a new course for security in both the public and private sectors.


Brief Summary of CYBER!


CYBER! introduced the problem of “reciprocal security vulnerability.” The problem of reciprocal security vulnerability refers to the security reality that security flaws and vulnerabilities in the private sector impact the public sector and vice versa. Compartmentalization is impossible in security because both sectors rely on overlapping technology and people.


Three Flawed Assumptions about Cybersecurity:

  1. Questions of privacy are often conflated with questions of security. But, CYBER! explains, as a matter of technical computer science these are largely different inquiries focusing on different units of analysis.
  2. Partially because of this privacy conflation problem and a deficit of shared vocabulary, a language barrier between computer scientists and policymakers causes them to often talk past each other on matters of security – an incommensurability problem that results in muddled policy.
  3. Security is never simply “cyber” – physical security and digital security are inextricably interwoven. Thus, even the term “cybersecurity” itself misframes the conversation, reflecting an internet exceptionalism problem.

CYBER! Presents a New Paradigm: The Paradigm of Reciprocal Security


Unlike the current paradigms, reciprocal security recognizes two key features about security.


First, security is a polycentric problem, meaning it has multiple pieces that require coordination simultaneously. Imagine a team attempting to construct a single jigsaw puzzle, with each person working on one segment while retaining a sense of the whole. In other words, digital security and physical security should be viewed together as part of the same whole and coordinated in tandem, as should various efforts across the government and the private sector on security generally.


Second, security requires a paradigm driven by adversarial perspective-taking. In other words, we need to think like attackers. Attackers do not generally distinguish between private sector and public sector targets – they strike wherever desirable information resides and where unpatched vulnerabilities allow for ease of security compromise. They also do not distinguish between physical and digital information access – attackers use whichever method is more expedient to them.


Stated succinctly, attackers exploit the problem of reciprocal security vulnerability in two ways simultaneously: once in terms of hunting for access across both the private and public sector for their desired compromise, and a second time in terms of hunting for either physical or digital data sources and access points in furtherance of the desired compromise. For these reasons, the paradigm of reciprocal security replaces the current policy focus on information sharing and deterrence with a focus on information vigilance infrastructure and defense primacy.


Shifting to a Model of Reciprocal Security


“Cyber Harder” provides a series of legislative, regulatory and technical proposals. They are presented in two groups: security vigilance infrastructure and defense primacy.


Security vigilance infrastructure would be materially bolstered through the implementation of the following two sets of proposals:

  • Create new formal federal government security feedback loops. Security feedback loops blending insights from both the public and private sector can be added in a relatively streamlined manner across all three branches of government.
  • Improve security disclosure infrastructure across both the public and private sector to allow for meaningful progress tracking. Three improvements to security disclosure structures would swiftly improve security vigilance infrastructure – updating vulnerability tracking, creating a uniform security advisory notice structure, and creating a uniform data breach notification form and central data breach notification repository.

Defense primacy would be meaningfully introduced into both the public and private sectors with the following starter initiatives:

  • Defend supply chains to improve integrity. Persistent vulnerability in both the public and private sector sometimes arises because organizations fail to keep track of the software and hardware products they use (and the components included in those products). Consequently, they fail to monitor adequately for the security vulnerabilities that directly impact them.
  • Defend entrepreneurship with security tax incentives and tools. Cash-strapped startups and consumers often face challenges in learning about and implementing security. Two strategies may assist in helping to translate the importance of security to these less knowledgeable populations – tax incentives for startups and more accessible security tools.
  • Defend market integrity. A necessary component of ensuring a baseline of security across sectors involves more rigorous enforcement – both by the relevant regulatory agencies and by organizations themselves. Without more rigorous enforcement, our markets cannot effectively reward companies who deserve consumer trust because of their strong security practices.



This essay has offered a series of concrete proposals to operationalize the paradigm of reciprocal security introduced in CYBER!. While no single policy or legal intervention will meaningfully address the severe deficits in security that exist today across both the public and private sector, the combination of the proposals contained herein offers a path toward material incremental security improvement.


Read the full article: “Cyber Harder.”


Andrea M. Matwyshyn is a professor of law/professor of computer science (by courtesy) at Northeastern University, an affiliate scholar of the Center for Internet and Society at Stanford Law School, and a Senior Fellow of the Cyber Statecraft Initiative of the Atlantic Council. She thanks the US-UK Fulbright Commission, who named her a US-UK Cyber Security Scholar in 2016-2017, and the Princeton Center for Information Technology Policy, where she was the Microsoft Visiting Professor of Technology Policy in 2014-2015 during the writing of this article.


Note: The Technology | Academics | Policy (TAP) website is sponsored by Microsoft Corporation. While Microsoft provides administrative and financial support for the site’s platform and content, there is no payment made to scholars for appearing or blogging on the site.