Wednesday, November 5, 2025

Cybersecurity Policy Gets Real at Aspen Policy Academy


Cybersecurity often seems like an abstraction to the everyday person — obscure programs, administered by tech nerds squirreled away in dark offices, that may or may not protect our interests. Betsy Cooper, founding director of the Aspen Policy Academy, wants to change that. Using her background at the Department of Homeland Security and the University of California, Berkeley’s Center for Long-term Cybersecurity, Cooper aims to assist consumers, cybersecurity professionals, and policymakers in making real, practical shifts in cyber practice from the ground up. 

Through webinars, training courses, and fellowships, the Academy provides people with the tools they need to advocate for better cybersecurity practice in ways that affect them directly. The programs tap industry expertise to help citizens talk to government officials and offer them concrete proposals for policy improvement. These steps are often small and incremental — for example, improving the accessibility of complaint forms that older adults who have been scammed need to complete.

Here, Cooper speaks with InformationWeek contributor Richard Pallardy about how the Academy trains people to address everyday cybersecurity concerns in ways that are truly meaningful.

Betsy Cooper, founding director, Aspen Policy Academy

You’ve worked with many cybersecurity experts. Have you encountered any revolutionary security ideas worth pursuing?

Betsy Cooper: Our fellow Daniel Bardenstein was really focused on smart medical devices. He came up with a whole new way for the FDA to make medical devices easier to secure. The solution was pretty technical. He suggested that the FDA should require manufacturers to build a device query interface into the medical devices, so that device owners could secure their devices without impacting the patients. You might have an implanted pacemaker in your body. It needs to be able to communicate externally to make sure it’s working. But you also don’t want to have a situation where people can tamper with it.

Cybersecurity feels stuck in a reactive whack-a-mole loop. Are you optimistic that we can get the upper hand and actually stay one step ahead of the threats?

Cooper: I’m really not. At the end of the day, all the hacker needs is one vulnerability. On the other side, we need to protect every possible avenue. I don’t know how to fix that. Cybersecurity is all about people. It’s about training people to say something when they see something, and training people to be able to respond. 

One idea that I worked on a while ago was a cybersecurity workforce incubator where you would have government folks sitting side by side with private-sector folks. So, the government folks would benefit from getting private-sector knowledge of the state of the art, and the private-sector folks would benefit because they’d have the opportunity to use offensive tools that they’re not allowed to touch in their private-sector lives. Both sides could benefit from sharing lessons with each other. But it’s never going to be a panacea.

You’re at the forefront of policy and know how critical it is to inform lawmakers before rules are set in stone. How do people go about getting the attention of legislators and regulators?

Cooper: You have to have a story for why it matters. Was someone in your family scammed? Did a company struggle to get back after a ransomware attack? We need to tell those stories effectively, and make sure someone knows why it matters. Then you need to be really clear what the solution is. Whether it’s adding two-factor authentication or building a new bug bounty program, you need to actually go in with a very specific ask for the government stakeholders. To the extent you can, you want to build the materials that enable someone to actually solve that problem. 

Can you give an example of a good story and solution?

Cooper: We worked with a team of Aspen fellows a couple years ago who were focused on helping older adults who had been scammed online. The parent of one of the fellows had been scammed and lost money. This inspired our fellows to think of how to help these sorts of people. The government forms that you needed to fill out when you were scammed were really hard for older adults to navigate. The forms were in really tiny fonts or had grayed-out boxes. Older adults who weren’t as computer savvy didn’t understand that the grayed-out boxes would be populated later.

They redesigned the form so older adults would be able to more easily navigate it. We flew them to Washington, D.C., so that they could meet directly with the stakeholders that they were trying to influence. The government had already created a contract to focus on this with a nonprofit. Our fellows ended up feeding the form that they had created into the redesign process.

So, those fellows didn’t just write an op-ed. They came up with a draft design. They built a website that would help older adults understand what to do when they’ve been scammed. 

Raising public awareness about cybersecurity issues is a delicate balance. On the one hand, sharing real-world examples can help people understand the risks. On the other hand, there’s always the danger of revealing too much and inadvertently aiding bad actors. How do we go about increasing awareness and accountability without further compromising security?

Cooper: It’s about getting more ordinary people to care about this: folks whose businesses are getting scammed out of money. We need more of those stories, and we need to make those public, so people are aware. We do have to be very careful in disclosing the specific details of how someone got to you. That’s where it gets tricky. How much do you want to disclose about the technical specifications of the link that led you to the scam? It can be good to make that stuff public, but we have to do so cautiously, so that we don’t compromise other investigations or push the actors to go to a system that’s even harder to track. I don’t think there’s a silver bullet, but I do think that the more the effects of bad cybersecurity incidents are made public, the better we’ll be able to convince people to care about it.


