Lawfare Daily: Phil Reitinger and Komal Bazaz Smith on Civil Society and Strengthening Internet Security

Published by The Lawfare Institute
Global Cyber Alliance’s President and CEO Phil Reitinger and Chief Business Officer Komal Bazaz Smith discuss with Justin Sherman critical cybersecurity issues facing core internet infrastructure, including the role of small, often under-appreciated, and frequently underfunded nonprofits in keeping the internet secure and functioning. They talk about their organization’s Common Good Cyber project (video here) to address gaps, detail how better data could help inform internet security efforts, and talk about how the current landscape is shifting internet security into the future.
Transcript
[Intro]
Phil Reitinger: Our focus is on trying to deliver solutions at scale so that everybody has access to cybersecurity. It's sort of our view is it's a fundamental human right, much like privacy or food is, and so we really need to give everybody access to, to cybersecurity.
Justin Sherman: It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare, with Phil Reitinger, the president and CEO of the Global Cyber Alliance, and Komal Bazaz Smith, the Alliance's chief business officer.
Komal Bazaz Smith: So we wanna make sure that we're driving, you know, those that are most effective. We're trying to drive reduction in duplication and we're trying to make sure that our investments are, you know, even more strategic and can go, go a little bit further.
Justin Sherman: Today we're talking about cyber risks to core internet functions and the broader internet community, the Alliance's Common Good Cyber project to address them, and how civil society partnerships, funding, and data can make the internet more secure.
[Main podcast]
No doubt many folks are, are well familiar with both of your backgrounds, but for those listeners, hearing your voices for the first time here today, why don't you both give us 30 to 60 seconds on your backgrounds and how you got into this field?
Phil Reitinger: Sure. Hi, this is Phil Reitinger, I'll start. I'm the president and CEO of the Global Cyber Alliance. I got my start in cybersecurity back in 1995 when I was the number six prosecutor at the U.S. Department of Justice in what was then the computer crime unit. I've gone on and worked for DOJ, Microsoft, DHS, DOD, Sony, and now for the last 10 years I've been the president and CEO of a nonprofit called the Global Cyber Alliance.
Komal Bazaz Smith: And hi there everybody, my name is Komal Bazaz Smith. I'm the chief business officer here at GCA, and I also lead our driving ecosystem engagement work, which includes efforts like Common Good Cyber, which we're gonna talk about a little bit later. But my background also spans a couple of decades in the, but more in the strategic consulting and international development spaces. I've worked at places like DAI, R4D, Arabella, Booz Allen, Accenture, and I also co-founded the Kashmir Institute, which helps support my displaced diaspora community.
But one of the things that I was gonna talk about is, you know, I actually don't have a very deep technical—you know, you heard from Phil. He's been in this space for a, a very long time. And I got my start, you know, about five or 10 years ago in the digital space working on digital capacity building work and policy work.
But what I really love is how to solve big, complex problems. And one of the ways that you do that is you bring relevant stakeholders into the conversation and you drive them towards collective action, like really tangible things that solve problems in a meaningful and sustained way, and that's actually what led me to GCA.
And so, you know, just, I noted that GCA, we've really focused on solving these very complex problems that nobody else wants to solve, which does make it a little bit difficult from a fundraising angle, but I got really excited about it and I got excited by the challenge that we're trying to address, these tough issues. And you know, things like building sustainable funding models through something like the Common Good Cyber initiative is something that is not just a project, but it actually has a potential for like really revolutionizing something and changing the ecosystem, and I wanted to do something that would have lasting systemic change, and that's why I came here.
Justin Sherman: Well, that's a, that's a great segue and a, a great preview of, of where we're gonna head. So with that, why don't you tell us a little bit more about the Global Cyber Alliance. Where are you based? What do you work on? And how do you differ from some of the other nonprofits in the cybersecurity space?
Phil Reitinger: You know, that's a difficult question. I would say, you know, we're, we're sort of like the internet, right? We are based everywhere. GCA is a virtual organization, so we're a small organization, but we've got people in the U.S., Canada, the Netherlands, Belgium, Spain, and North Macedonia. So, we've got a pretty broad footprint of people working around the world and bringing their special expertise or efforts to bear.
The, the focus of the Global Cyber Alliance is—I wouldn't say we're unique, I'd say we're, we're unusual. And what I mean by that is, you know, a lot of people when they think about cybersecurity, think about, you know, on the, on the sort of the technical and the operational side, it's, you know, Microsoft and Google and Verizon and all of these companies, right? And when they think about nonprofits, they think about, you know, the think tanks, especially in the policy space, right? You know, the, the Center for Strategic and International Studies or the Aspen Institute or places like that.
All of which are very important, but we, we sort of are in a niche between the two. We are a nonprofit that focuses on operational activity, and our focus is on trying to deliver solutions at scale so that everybody has access to cybersecurity. It's sort of, our view is it's a fundamental human right, much like privacy or food is, and so we really need to give everybody access to, to cybersecurity.
What makes us—you know, there are a bunch of nonprofits that work in that space. You might think about the Forum of Incident Response and Security Teams, or the Cyber Threat Alliance, or the Cyber Peace Institute, right? There are a number of them.
What I think makes us a little bit different is that we don't work in a particular vertical or silo, right? Our effort is to try and build communities to solve huge problems and to work in particular spaces where we need to deploy its solution at scale and it's not otherwise being done.
So we've done things like, if you've ever heard of Quad9—which is a global protective DNS infrastructure that's free to anybody around the world and protects their privacy—we built that with another nonprofit called the Packet Clearing House. We operate MANRS, which is a global effort involving companies and others to increase routing security around the world.
So we try to hit places where it really takes a unique contribution and we think that the resources that we can bring to bear can make that contribution and deploy solutions that actually have an effect in securing people better.
Justin Sherman: You mentioned sometimes overlooked problems; you also mentioned the, the word communities. So what does that landscape look like today of the different actors? You mentioned some of them working on cybersecurity for the broader internet community. And maybe just elaborate, I guess, a bit—you, you touched on this in part already, but what does that landscape look like and how do these actors interact?
Komal Bazaz Smith: You know, honestly it's, it's a little bit funny. So, you know, the average person, including myself before I joined GCA, really think about, you know, big for-profit companies like Apple and Google and Microsoft and all those others that really sort of, we think of them as the internet, essentially. But that's actually not true.
So in reality, there's just hundreds of nonprofits that you know, that actually maintain the critical cybersecurity functions for the internet, for the good of the internet, and actually for the, for all of its users, including those that are the most vulnerable, those are the most under-resourced in our society. And so, you know, yes, they're not household names—Phil mentioned a couple of them—but they are actually vital to safe and functioning internet.
So I'll just give a couple of examples. Like, you know, many of the tools that small businesses, for example, run on or are supported by are actually supported by nonprofits. And so, you know, they might use code from open source libraries like Log4J or they might use something called Django to create their products faster and more cheaply, and that's obviously very important for small businesses.
You know, the staff might use open source software libraries like LibreOffice to keep operating costs down. They, you know, Phil mentioned Quad9. They, they might use Quad9 to block malicious websites. They might use Let's Encrypt to encrypt their websites. Shadowserver, Shadowserver fixes network vulnerabilities.
All of these things are free to the user, and there are just a couple of names that nobody's ever heard of—I certainly had never heard of—but they're, they're small nonprofits and they're mostly, you know, tech geeks that just wanna solve the problem. They're like a couple of people that have, have seen that there's an issue and they wanna fix it, and they wanna make sure it's okay for everybody, but they don't have time or skills or resources to go out and fundraise so they can do more of what they're doing.
And you know, more often than not, most of them are, again, really skeleton crews, volunteers. They're working on razor thin budgets. You know, they rely on donations and, and grants and, and sponsorships, but all of those kinds of things can go, can go away and can be pulled at any time. So it makes it really vulnerable.
Justin Sherman: Yeah. And, and funding is a critical issue, I wanna certainly come back to that in, in more detail in terms of thinking about solutions. But one of the, one of the things that was mentioned up top is this phrase Common Good Cyber as one of the ways that GCA is thinking about and working on this, this set of thorny problems. So, in a nutshell, can you tell us what is Common Good Cyber about?
Phil Reitinger: A few years ago, we got a group of nonprofits together, it was actually in Brussels, oh, about two and a half years ago, where we were talking about the need to involve every element of society in cybersecurity, what Craig Newmark likes to talk about as a whole of society effort or Cyber Civil Defense.
And it was interesting because all the nonprofits around the room said the same thing, which was, you know, we do critical work that keeps, actually keeps people secure. It's not just writing reports and recommendations. But funding for what we do is almost impossible to get. If there is funding out there and there's not much of it, it's to build this new shebang thing as opposed to keeping the work going that everybody needs.
So like for example, you think about ISRG, which runs Let's Encrypt, which secures, you know, like half the websites on the internet, right. They need funding not to build a new thing—they do probably need to build some new things—but they need to keep operating what they're doing so that everybody can continue to have encrypted communications with websites.
And so we thought about how do we solve that, right? How do we bring the resources to bear for those entities that work to scale solutions for the common good, you know, not just for the biggest companies or the richest nations, but for everybody around the world, high risk actors, vulnerable groups, and really those parts of the internet that keep everybody secure that we've been talking about.
And so that's how Common Good Cyber got kicked off. It was an effort, a community effort to say, how do we band together to do something that will be enduring and actually work to solve the problem, as opposed to somebody just writing another letter and saying, gosh, we need to support nonprofits, and then they, you know, they read the letter and then they throw it in the garbage and they go on, right? How do we do real things?
And so that is what Common Good Cyber is about—an effort to actually enable nonprofits that fill that critical juncture between what individuals and the private sector and governments all do in a way that keeps the internet safe, for everybody, and how do we empower them, whether it's through in kind work, building capacity, making sure that they're helped with things like fundraising and communications, and most importantly, how do we bring the resources to bear? What are the funding models that will make sure that we've got an internet that does the things that need to be done?
You know, the internet is unlike any other infrastructure out there. Like you got roads. You know who's responsible for patching the potholes and roads. You know, even on a complicated global system like the airlines, you know, you've got a clear set of understandings about who's gotta do what, what are responsibilities, who pays for what?
The internet's not like that. You know, the internet, there's a problem, and it's like a community assembles and hopefully solves the problem, right? Without any funding, which is great, right? But can we really depend on that in every circumstance where life, limb, the economy, education, and even entertainment, all of those things depend on this backbone infrastructure.
Justin Sherman: I appreciate that, that grounding 'cause I think that as you're getting at, really materializes it for, for folks. I mean, I don't want to editorialize here either, but I think as you're saying, it's resonating also that obviously for so many years, many wonderful folks including yourselves have volunteered a lot of their time for this, but as you're saying, I'm often troubled too by the assumption or expectation that folks will do this for free or don't need, don't need funding to do it.
So I, I wanna pull on, on one of the threads you mentioned, which is the focus on really the common good and on vulnerable and, and under-resourced actors, because I think for those listening to what you're saying and thinking, okay, this sounds reasonable, we have real problems here, but who are perhaps wondering how this sits against or relates to or differs from concepts like Cyber Civil Defense or government capacity building, or you know, terms that are related are for folks not in our space that maybe sound kind of the same.
So can you elaborate a bit on how this kind of focus and this kind of work relates to maybe a more traditional public private partnership or something like a government, you know, cyber training program?
Komal Bazaz Smith: Yeah, just, you know, having worked very closely with the Agency for International Development, with the State Department, other international, other government capacity building projects, I can tell you from the ground that this is radically different.
And you know, one of the ways that most cybersecurity capacity building projects work on the ground is they really take at a user level, you know? They've got a particular user in mind. Let's say it's small, medium enterprises, let's say it's media, let's say it's journalists or a woman entrepreneur. And that comes from a particular tranche of funding. And what they do is they really try to understand sort of what's the capacity of this particular type of, or user, what's the language that they work in, what's the political and geographical context in which they work? What are the kinds of things, where are they on their digital journey and where are they on their cybersecurity maturity?
And that is incredibly difficult and important work, but it is, the problem is it's really, really hard to scale that. And no matter how much time and effort you put in and investment there, you know, into these programs on capacity building, it's, it's really, really hard to reach everyone. It's really, really hard to ensure that there's actual sustained behavior change and there's actual capacity building that is where folks that can actually be determined to be capacitated. I think, you know, that, that requires more and more investment from donors, more and more resources, on the ground implementing agencies and partners that can help do the trainings.
So, you know, one of the things that we are trying to do with Common Good Cyber is a couple of things. One is we're trying to invest in actually creating an infrastructure that makes it safer by design. And, and what that does is it makes it easier and safer for users, which then reduces the burden to be able to have to invest into cyber capacity building. So we're hoping that we can actually help the landscape in all of that sense.
The second thing that we're doing is really trying to scale a lot of the capacity building in a way that doesn't need one-to-one sort of user, very, very specific user-focused pieces and be able to scale the, the funding and, and drive deep funding into this space.
So, you know, we, we really try to kind of make sure that it's both differentiated in terms of the kind of work that we're trying to accomplish as well as additive to the investments that donors and other governments are doing in the capacity building space.
Justin Sherman: Yeah, and your point about differentiation and process and focus area, like that's all really valuable stuff to hear, I think, again, with part of the through line being that, as you said, focus on under-resourced and vulnerable groups and, and actors and, and parts of the infrastructure.
Phil, was there anything you wanted to add?
Phil Reitinger: I think Komal got it right. I, I'd only add that what we're doing here is supportive of, and very complementary. You know, as, as Komal said, you know, these capacity building projects are very sort of end user and specific problem focused, right? You know, there's a project in Nigeria or a project in Japan, or a project in Finland, right? And so they're trying to do things.
What's missing is, as she said, the infrastructure that supports all of that. What are the scalable mechanisms that you use to support high risk communities around the world? What about the pieces of the internet on which everyone relies, right? That sort of thing is not funded in these projects. They're like, yeah, we want you to deploy this, but you gotta have the thing to deploy, or you need securely built into that thing by design. And that's the role that these nonprofits play.
You know, Civil Cyber Defense is an example, right? It's not, it's not one of those specific deployment projects. It's also a global initiative, but the focus there is generating interest and making sure that people have the actual means to do what they need to protect themselves and their communities, whether that's training or tools, right? So that's the substance and the knowledge. Common Good Cyber is about capacitating, growing the capabilities and support for the organizations that make Cyber Civil Defense possible.
Justin Sherman: With that context then on organizations and on process and some of the funding gaps, I wanna focus now a bit on, on the technology specifically.
And so we could obviously spend plenty of time and I'd be curious your, your thoughts on this, and you mentioned MANRS earlier for, for routing, security, and some other topics; you know, we could cover all kinds of things across the internet's core, physical and digital infrastructure, cables, domain name system, and so on, that might need more security. That might be a whole separate podcast.
And so to focus, I'm, I'm curious for you both when you look at core internet systems and you can interpret that in whatever way you, you'd like, are there two or three or four that stand out to you as the highest risk or in the need of the, the most support in this kind of area? You know, just to give us a sense of what some of those, those big priority tech stack components or what, whatever we wanna call it, are?
Phil Reitinger: Part of the problem and not to, not to generalize beyond the, the value to your podcast listeners, but you know, part of the problem is we don't really know, right? You know, the, the understanding of what are the critical things that need to be protected is, you know, it's rudimentary at best, online. And that's why part of the Common Good Initiative is about figuring that sort of work out and doing things like mapping the roles and requirements that I think Komal could get into later.
But you know, there are some things that we know are important. Some key illustrations like you mentioned. As I mentioned before, MANRS, the Mutually Agreed Norms for Routing Security, right? I like to tell people that routing security has been one of the internet security sucking chest wounds for 20 years, right? Right, because it's, everybody knows it's a huge problem, right? It's not something that you worry about criminal actors. It's really more sort of the, the state sponsored and the really high order actors have a capability, but if you, you know, if you're effective at that, you can attack financial infrastructures, e-commerce, all sorts of different things.
And so who's working on it? Well, it turns out that's MANRS and it's really just about MANRS. You know, it's the way all these, a bunch of companies like the, you know, the Telcos and other folks are thinking about it and implementing pieces, but it's the community. It's, it's a classic example of a problem, you know, not to call back too far, but it takes a village to solve, right? No one entity can solve it, so you need collaboration, right? So that's one class of problems that is super important.
Another similar one is incident response, right? Everybody does incident response, but how do we make sure all of those organizations in charge of that on a national level or on even a regional or a local level, have the capacity to do that, right? There's—it turns out there's an organization that does that. It's called the Forum of Incident Response and Security Teams or FIRST, and it's been around for a long time, and it does God's work in capacitating all of these organizations. You know how many people it's got? Take a guess, Justin.
Justin Sherman: Oh, I, I, all I'll say is I'm gonna be horrified by the number.
Phil Reitinger: It used to be three.
Justin Sherman: Oh, good.
Phil Reitinger: Now it's seven. Okay, right? So you know who, who thought that was a good idea? You know, who thought that we should rely on seven employees and just a bunch of volunteers to run arguably the most critical global infrastructure, right.
We just had another example, to pick one, last week, right? You, you're familiar with the CVE debacle, right?
Justin Sherman: Yep.
Phil Reitinger: Right. So just for your listeners, this is MITRE—which actually is a nonprofit, although it's an FFRDC, we don't need to go into that, so it's a federally funded research and development corporation, it's still a nonprofit—runs this thing called CVE, which is the list of exploited, commonly exploited vulnerabilities. It's the language that everybody uses to work together.
It's funded by CISA, in this case, by the U.S. government, right? But like only by them. And the contract was gonna run out and we came within hours—I'm not being hyperbolic—literally hours of that contract running out and having no support for this critical piece.
It's another example, now federal government stepped forward, came up with the money, extended the contract, but you know, it's like, you know, you think about what happens in the U.S. sometimes, right, with continuing resolutions. Like, eh, is the federal government gonna shut down or not? Right? So every week you got a is the federal government gonna shut down this week, right? It's like that, but in cyber, right? You know, and it can happen a lot more in cyber because there's all of these different organizations that are hand to mouth and do critical work online.
Justin Sherman: Well, the point that we don't actually know necessarily, right, what those core elements are, how they stack against each other, as you said, how to map those to different priorities and other things is an important point, and as you're saying, I would certainly agree there's probably a great under-appreciation for, you know, the extent to it, right? I mean, people, we don't get our package, you know, the day it's supposed to come and everybody flips out. You know, like you're saying, not, not recognizing, right, just how much of this is, is fragile in some ways, structurally, in terms of the, the resources supporting these core functions.
So just to, to continue, you mentioned mapping, right, I want to talk about that as well because one part of your website that I find particularly interesting is the build out of this mapping dashboard, quote unquote, to organize and to quantify some of the cybersecurity and resource dynamics in play here.
And among other reasons, I find this work that you're doing interesting because we hear a lot about—as you both alluded to—data that the government can bring to bear, data that a CrowdStrike or a Google or something can bring to bear on cyber problems, but perhaps less about civil society data, where there's a real opportunity and a gap there.
And so could you tell us a little bit more about this mapping dashboard that I'm referring to, and perhaps as well maybe about that data piece? What role can metrics and civil society metrics and measurements potentially play in identifying and mitigating some of these high risk internet security issues?
Komal Bazaz Smith: Yeah, I can take the first part and I'll talk a little bit about, a little piece about the metrics as well, and then I'll, I'll hand it over to Phil.
You know, so one of the things that we kept hearing from potential donors and groups across the stakeholder system was who does what where? You say that nonprofits are working in this space, what are they doing? What are the kinds of things that they're actually solving for? And if they are solving for these problems, who, who's doing what? It's, it's hard to differentiate.
And so we thought that it would be really helpful to start kind of mapping this out. And what we did was we reviewed, you know, tools and solutions, services platforms, but the, the evaluative criteria for that was are they actually deployed in the public interest? And you know, what are the kinds of things that they're doing? Are they securing networks? Are they empowering internet users? Are they increasing resilience across the sectors in some way?
And so the result is this Common Good Cyber mapping database. It's just getting started. As of right now, I believe we're at 334 public interest driven cybersecurity tools and services and, and platforms, and it's organized in six different groups. So you've got groups that work in the governance space, groups that work in the identify space, groups that work in the protect space, detect, respond, and recover.
And so, you know, the reason why it's in these different six categories is one, that's, that follows a NIST framework, which is very familiar to a lot of folks, but also together, all of those different kinds of pieces of work form that vital layer of defense for the broader digital commons, and that's something that we really wanted to understand from a broad lens.
And you know, again, just the maintenance and deployment of that work is actually quite heavy on the nonprofit side, the nonprofit individual and, and volunteer side. So we take on a lot of the burden and we have the most limited resources and budgets.
And one of the things we really wanna try to work on as we get Common Good Cyber up and running and we really get funding for it, is we really wanna try to build a set of metrics and start gathering data to understand and evaluate the actual effectiveness of each of these tools so that we understand, you know, which of these tools and services and platforms are actually having the most impact.
How are we making sure that we don't duplicate resources and, and, you know, reduce the amount of services and platforms that we have to invest in? So we wanna make sure that we're driving, you know, those that are most effective, we're trying to drive reduction in duplication, and we're trying to make sure that our investments are, you know, even more strategic and can go, go a little bit further.
Phil, I don't know what you wanna talk about a little bit on the data side.
Phil Reitinger: I, I, I think I'd like to just sort of talk about some of the more global efforts. You know, Justin, your question points out there are a lot of people who could be active here, right?
You know, the, the best example to pull forward might be for those who are familiar with the Solarium Report, the Cyber Solarium work. A few years ago, you know, it recommended the creation of a Bureau of Cyber Statistics so we could actually have the data sources to do this, that would be funded by the federal government. It's one of the parts of the Solarium Report that's never gotten any traction because you know who wants to pay for that, right? No matter how important it is, it's like, you know, and you see this now, right in U.S. government, it's like, do we really need the Bureau of Labor Statistics? Do we need all these things? Well, yeah, we actually do.
So it's, it's sort of been sitting around. At the end of the prior administration, there was some really great work that was done by the office of the National Cyber Director with MITRE to build a national dashboard on what's the state of security, but you know, that I think has mostly been orphaned right now in the current administration. You know, those responsibilities, I believe, have transitioned over to the Office of Homeland Security Statistics or OHSS in DHS. And if you look at their website, you will see that they've got cyber security metrics listed as a work area for work on the website, but there's not anything there, right?
There's been other historic efforts, including the National Risk Management Center in CISA a few years ago, and there is a huge amount of work on this in the nonprofit from people, you know, like GCA. We've done reports to measure the effectiveness of particular things that we've done. You know, we've built dashboards that are publicly exposed, Shadowserver reports on what the overall threat levels are. There are nonprofits like CyberGreen, which is led by Yurie Ito, that work on developing cyber hygiene metrics and tools around the world.
But it's an area that, that calls out for much greater investment because, you know, we're, we're, we're behind here. You know, we've gotten, we know what public health metrics look like; we've been doing that for a hundred years. You know, we know what food safety metrics look like; we've been doing that for a hundred years. We haven't been doing the internet for a hundred years. And to be frank, it's more complicated than any of those other ecosystems. I'm gonna, you know, the public health people are gonna come at me and say, no, no.
Komal Bazaz Smith: Oh yeah.
Phil Reitinger: But it is. It, it's, you know, the, we're going to approach in the not so distant future the number of devices on the internet as there are cells in the human brain, or neurons in the human brain, right? So how do you model that, right? How do you do that? That's a really important area of work.
Justin Sherman: Yeah, so I mean, I, you know, I'm not a doctor, so I will, you know, I'm neither gonna argue with you on that or be able to correct you, but I think as you're saying, there definitely is something to be said for the sheer scale, let alone the, you know, complex interdependence and everything else that that creates.
So you mentioned funding; this is another good segue. It goes without saying you know, anyone listening, all of us are, are well aware of everything going on, and so, talent funding resources you touched on, all of these things have shifted greatly, I'll say cataclysmically, in the last few months on cyber proper, on capacity building generally, on U.S. engagement on various issues around the world.
So my two in one question is, how do you see all of the recent policy and funding changes in the U.S. impacting your work in terms of the organizations you're working with, the needs you're seeing and so forth? And then looking a year or two out, are there particular policy or other measures in an ideal world do you think we would need now or, or organizations might need to put in place now to deal with where these trends are headed?
Komal Bazaz Smith: Honestly, here's the thing. So funding in the cybersecurity space has been slowing for a number of years now. You know, yes, there's a lot of disruption in the last couple of months, and that's undeniable, but this has been happening and it's been a trend for a number of years, and frankly, you know, it's one of the things that drove us to start Common Good Cyber. We wanted to be able to find a way to mitigate against all of this uncertainty. We wanted to be able to make something that created a joint fund that enabled, you know, more collective action.
You know, when there is a very uncertain funding environment, it takes even more collective action it takes, you know, nonprofits being able to work together to say, okay, can we actually go after funding together? Are there joint fundraising potential efforts that we can do together? How can we focus the investments from the donor side and how do we make sure that we're, that we're helping explain to them who we are and why we should be funded?
And we really think that Common Good Cyber is one way to actually reduce the uncertainty in the environment. And you know, again, if we're trying to inherently invest in the infrastructure that takes the burden off users, then that reduces the needs a little bit in terms of investing in small scale and potentially duplicative investments across the ecosystem.
So we're trying to do something that is just much more systematic, much more holistic, not in a piecemeal fashion, where it brings together the policy makers, the civil society folks, the private sector folks, and, and really try to make a lasting and meaningful change that hopefully will even weather all of this uncertainty and will create a, a much more stable environment.
Phil Reitinger: So I think that's absolutely right. I, I, I'd say, you know, cybersecurity is not unique here, right? And not again, to boil up to bigger issues, right, but you see this all around the world, not just in the United States where there's a lot more uncertainty and people focus on the problems closer to home: national, state or local issues, right?
So it's almost a, a moving away from and lack of investment in global institutions, like you know, the U.S. withdrawing from the World Health Organization, right? United States may be leading, if you will in that category, but it's not alone, right, and you know, the problem with that is it ignores those things where, you know, not only is it more efficient to tackle things globally, you know, because of scale, because of economies of scale, because of other things, and it's actually, it's actually necessary in a lot of cases to do that, right? You can't really track certain things on a merely local basis and not know what's happening, right? And the internet is the, as I said before, that's the most important of all those things to tackle globally.
So I would say I, I'll return to your question then of what are the most important things. I'll highlight two, one policy and one non-policy. The policy issue goes back to what Komal was saying about how do we solve this problem for everybody, right?
You know, there's an initiative that people have been really interested in for a long time called Secure by Design, where we say, you know, the people really capable of fixing these things ought to do so at the highest level possible so other people don't have to act, much like we addressed automobile security by making automobiles safer.
So the Internet's not so simple, right, but that the, the approach has value, and that's a key policy issue, right? So that doesn't happen organically, right? It takes strategy and implementation efforts really on a global level to make that happen. So the most important policy issue, I think, I'd say is what are the drivers? Is it regulation? Is it liability? Is it collaboration? Is it jawboning? You know, what are the efforts that are gonna happen to make that different so that the internet becomes more inherently safer, right?
And then, the second issue is actually the Common Good Cyber issue, right? That's gonna solve a bunch of problems, but it's not gonna solve all problems. There's still gonna be issues, right? We're gonna need international collaboration. There's still gonna be people left behind. We're gonna need organizations like the Cyber Peace Institute or GCA that work to deliver services to vulnerable communities. How do we fund that, right?
So how do we build the infrastructure to be more secure from the start, and how do we work together? Because we love this multi-stakeholder model of the internet. We love that it brings everybody together. We love that it's open and we love that it enables all this economic progress and freedom. What we don't really do is support it. Like it's that, it's like, eh, you know, and then a company will solve it. A startup will be created that will solve this problem and we won't have to worry about paying. And that's just not how anything works. Repairs always need to be done.
Justin Sherman: Right, right. Yeah, no, exactly. Looking ahead then and trying, I mean, I'm perhaps trying to skew us in an optimistic direction maybe, but, but are there areas where you are more optimistic about obviously some of the great work you're doing, but some of the results you're seeing and, and what might those growth areas look like in the near term?
Phil Reitinger: So I'll continue just 'cause I'm on a riff, right? So there's one problem that is our greatest challenge and our greatest opportunity, and that is recognizing the seriousness of the problem and starting to treat the internet like we do other infrastructures and saying it needs the support to make it functional, right?
We continue to see incidents come up that cost billions of dollars. So the downside risk of that is those incidents are gonna continue to grow until eventually, as I wrote in a tongue in cheek blog post a few years ago, the entire world economy will be eaten up by cyber losses. But the upside is people are gonna start to recognize this. Governments are gonna start to step in and say, well, what we're doing now is not working and we have to solve the problem.
And I think—this is the optimistic I'll be a Pollyanna—this is a moment in time where we can make that difference where people are starting to recognize the need to work together, even though the overall international trends are against working together.
And so I'm very, very hopeful that in the next couple of years through Common Good Cyber and associated efforts, we're actually gonna be able to change the ecosystem, and we're gonna provide means—starting small, but growing—so that we've got mechanisms to make sure the most critical work gets done, both to secure core infrastructure and high risk actors around the world. I think that's possible.
Komal Bazaz Smith: I don't think you can add to that. I think that's exactly right. I mean, at the end of the day, you know, we've got this, this internet that underpins literally everything we do and, you know, it, it underpins our daily lives, obviously, but it underpins economic prosperity and global peace.
And if—I think we're really at a, a juncture at this point where we're starting to see a lot of momentum and people recognizing the need for it as well as wanting to do something about it. And if we can do that, I think it really changes the game and it changes the ecosystem and we can start moving towards a much stronger and sustained internet.
Justin Sherman: Is there anything else either of you would like to add?
Phil Reitinger: I, I, I'll, I'll say one quick thing. You know, cybersecurity has always been substantially a nonpartisan issue, and it needs to remain that way. You know, everybody's got political opinions and you know, I've got my own and think some people are right and some people are wrong, but historically, everybody's been together on cybersecurity that we need to take effective action. And I hope it will remain that way, and I think it can, if we disaggregate it from other stuff and have our fights in other fields, you know, and focus on, focus on outcomes in cybersecurity, right?
But that takes everybody agreeing, you know, you can't, you can't have, you know, one side being political on one side, not being political 'cause it always becomes political then. So I'm hoping that we really start to build domestic, in the U.S., and international consensus around the joint action that's necessary.
Justin Sherman: That's all the time we have. So Phil, Komal, thank you so much for coming on.
Komal Bazaz Smith: Thank you.
Phil Reitinger: Thank you, Justin.
Justin Sherman: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, The Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war on Ukraine. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja and our audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.