Netpolicy/Cybersecurity Delphi

From MozillaWiki

Report Now Published

Mozilla Policy Blog: Experts develop cybersecurity recommendations

Link to report

Launch Event! July 28

As reports of cyber-attacks continue to increase and policymakers begin debating possible solutions and legislation, Mozilla has brought together more than 30 leading cybersecurity experts from a wide variety of backgrounds -- academia, civil liberties, government, security, and technology -- over the last 9 months, aiming to build consensus on cybersecurity policy priorities. Through a first-of-its-kind Delphi-inspired research process, Mozilla is releasing a report that aims to cut through rhetoric and broaden the current discussion from information sharing and CISA, to understanding the larger threat landscape.

At an event Tuesday, Mozilla and research participants will give an overview of the Delphi process and findings, share the group’s recommendations, and comment on the ongoing cybersecurity debates, including information sharing.

Tuesday, July 28 at 11 am
Human Rights Center, lobby level conference room
1640 Rhode Island Ave NW

Speakers will include:

  • Chris Riley, Head of Public Policy, Mozilla
  • Joe Hall, Chief Technologist, CDT
  • James Lewis, Director and Senior Fellow, Strategic Technologies Program, Center for Strategic and International Studies (CSIS)
  • Heather West, Public Policy, CloudFlare

To attend, please RSVP to

More about the Delphi Cybersecurity Project: Delphi is a research process that aims to build consensus on complex issues through multiple steps that allow users to provide candid feedback by using pseudonyms instead of real names. Mozilla’s Cybersecurity Delphi Project is the first study to use the Delphi-inspired research process to tackle cybersecurity issues.

The report, available on Tuesday, will list 36 specific policy solutions, such as:

  • After each data breach, identify the best practices and procedures that could help prevent a recurrence;
  • Automate security and enable security by default;
  • Make it easier for a wider group of internet users to use encryption;
  • Develop and use alternative authentication methods beyond passwords;
  • Create more funding to keep free and open source software secure; and
  • Encourage government and NGOs to create labels or seals of approval for corporations and government services meeting certain security standards.

Cybersecurity Delphi 1.0

As our global dependence on the Internet has grown, so too have the threats to privacy and security. Many conversations and strategies to lessen the harm of cybersecurity vulnerabilities have taken place and been proposed, in the public sector, the private sector, and forums that integrate both. In public policy arenas, too many of these have focused on "detect and respond" approaches to cybersecurity, under-weighting "prevent" as a target for change. The result is a framework for cybersecurity that emphasizes massive information collection and analysis - with attendant increased risks for privacy, civil liberties and openness - and with little attention to practical efforts that can reduce the scale of potential security harms. Rare is the public policy conversation about reducing the impact of the major sources of cybersecurity vulnerabilities - such as the widespread use of unpatched operating systems, browser plugins and applications with known vulnerabilities (whether on personal computers or mobile devices), the absence of transport encryption (HTTPS) by default for websites, or even the direct connection of utility control systems to the Internet without adequate firewalls. What is most needed, right now, is greater clarity into cybersecurity risks and responses, and an effort to build momentum and support for real and pragmatic change.

Mozilla's Cybersecurity Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we will build expert consensus about the priorities for improving the security of the Internet infrastructure, to protect public safety, sustain economic growth, and foster innovation. The Delphi method offers unique benefits in this context because it aggregates the input of a diverse, broad set of voices, using a discrete and defined process with a clear, fixed end point and a mechanism for non-attribution to encourage open and thorough engagement. In our application, the Cybersecurity Delphi 1.0 process will:

  • Create an expert-generated, consensus-driven, prioritized list of key security vulnerabilities that threaten individual, commercial, and educational organizations;
  • Develop briefs based on the outcomes of the Delphi process for policy makers in the US and abroad; and
  • Define an agenda for cross-sector action to address critical vulnerabilities that leverages participants, intragovernmental groups, and civil society.

The resulting report will be a guide and reference point that civil society organizations and other advocates can use to develop positive, affirmative agendas for cybersecurity change built on grounded facts, data and the recommendations of experts. It will help drive forward-looking policy understanding and discussion around cybersecurity that helps maximize the valuable contributions of the Internet, while mitigating the inherent risks. Current efforts related to the Obama Administration's Executive Order on Cybersecurity, a proposed Directive by the EU on cybersecurity, and ongoing Senate discussions over comprehensive cybersecurity legislation all point to the timeliness and opportunity for this work to be influential from a policy perspective.

How We're Going to Do It

The project execution includes planning, recruitment of the Delphi members, the Delphi process itself, and reporting out to various constituents, culminating in a briefing for the extended DC community. The Delphi takes place across three phases:

  • Planning: During the planning phase, facilitators review existing literature to compile an initial list of topics for discussion, working with the project advisory board. Participants are recruited and the initial round of voting and commenting, powered by customized software and services built and managed by Mozilla, commences.
  • Execution: Participants continue to discuss and vote on the issues under review. Participants are also encouraged to add new topics to the discussion as they emerge and/or if they have been omitted from the original design. Facilitators monitor the discussion, aggregate related threads into categories, and prepare the final report based upon the voting results.
  • Extension: Following the presentation of the report, participants are asked to take the top policy recommendations and conduct a scenario planning exercise to identify potential consequences of the policies being enacted. As with the execution phase, facilitators guide the discussion and summarize the results, to be appended to the report.

We anticipate recruiting 50 participants from across 10 professional disciplines to participate in the study. For example, ideal composition for the study to realize this objective would include specialists in computer security, network security, cryptography, data security, application security, as well as professionals from industry and public sector organizations responsible for addressing threats and vulnerabilities associated with cybersecurity.

What It Takes

Mozilla acts as the convener of the Cybersecurity Delphi 1.0, with assistance from four groups:

  1. Advisory Committee: A small group of subject matter experts provide input on the discussion topics and the analysis of key outcomes at the end of each round.
  2. Delphi Facilitators: Provide anonymous summary and justification of the experts' position statements as part of the iterative cycle of discussion.
  3. Delphi Design Specialist: Inform the framing and execution of the discussion.
  4. Technical Support Team: Manage the online survey tools and the asynchronous discussion forums.
We expect to kick off the Delphi process in the fall of 2014, with a tangible output for public distribution ready at some point early in 2015.