Netpolicy/Cybersecurity Delphi: Difference between revisions

From MozillaWiki
Line 32: Line 32:
== Timeline ==
== Timeline ==


We expect to kick off the Delphi process in the early weeks of 2014, with a tangible output for public distribution ready at some point in the summer.
We expect to kick off the Delphi process in the fall of 2014, with a tangible output for public distribution ready at some point early in 2015.

Revision as of 21:16, 25 November 2014

Cybersecurity Delphi 1.0

As our global dependence on the Internet has grown, so too have the threats to privacy and security. Many conversations and strategies to lessen the harm of cybersecurity vulnerabilities have taken place and been proposed, in the public sector, the private sector, and forums that integrate both. In public policy arenas, too many of these have focused on "detect and respond" approaches to cybersecurity, under-weighting "prevent" as a target for change. The result is a framework for cybersecurity that emphasizes massive information collection and analysis - with attendant increased risks for privacy, civil liberties and openness - and with little attention to practical efforts that can reduce the scale of potential security harms. Rare is the public policy conversation about reducing the impact of the major sources of cybersecurity vulnerabilities - such as the widespread use of unpatched operating systems, browser plugins and applications with known vulnerabilities (whether on personal computers or mobile devices), the absence of transport encryption (HTTPS) by default for websites, or even the direct connection of utility control systems to the Internet without adequate firewalls. What is most needed, right now, is greater clarity into cybersecurity risks and responses, and an effort to build momentum and support for real and pragmatic change.

Mozilla's Cybersecurity Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we will build expert consensus about the priorities for improving the security of the Internet—infrastructure to protect public safety, sustain economic growth, and foster innovation. The Delphi method offers unique benefits in this context because it aggregates the input of a diverse, broad set of voices, using a discrete and defined process with a clear, fixed end point and a mechanism for non-attribution to encourage open and thorough engagement. In our application, the Cybersecurity Delphi 1.0 process will:

  • Create an expert-generated, consensus-driven, prioritized list of key security vulnerabilities that threaten individual, commercial, and educational organizations;
  • Develop briefs based on the outcomes of the Delphi process for policy makers in the US and abroad; and
  • Define an agenda for cross-sector action to address critical vulnerabilities that leverages participants, intragovernmental groups, and civil society.

The resulting report will be a guide and reference point that civil society organizations and other advocates can use to develop positive, affirmative agendas for cybersecurity change built on grounded facts, data and the recommendations of experts. It will help drive forward-looking policy understanding and discussion around cybersecurity that helps maximize the valuable contributions of the Internet, while mitigating the inherent risks. Current efforts related to the Obama Administration's Executive Order on Cybersecurity, a proposed Directive by the EU on cybersecurity, and ongoing Senate discussions over comprehensive cybersecurity legislation all point to the timeliness and opportunity for this work to be influential from a policy perspective.

How We're Going to Do It

The project execution includes planning, recruitment of the Delphi members, the Delphi process itself, and reporting out to various constituents, culminating in a briefing for the extended DC community. The Delphi takes place across three phases:

  • Planning: During the planning phase, facilitators review existing literature to compile an initial list of topics for discussion, working with the project advisory board. Participants are recruited and the initial round of voting and commenting, powered by customized software and services built and managed by Mozilla, commences.
  • Execution: Participants continue to discuss and vote on the issues under review. Participants are also encouraged to add new topics to the discussion as they emerge and/or if they have been omitted from the original design. Facilitators monitor the discussion, aggregate related threads into categories, and prepare the final report based upon the voting results.
  • Extension: Following the presentation of the report, participants are asked to take the top policy recommendations and conduct a scenario planning exercise to identify potential consequences of the policies being enacted. As with the execution phase, facilitators guide the discussion and summarize the results, to be appended to the report.

We anticipate recruiting 50 participants from across 10 professional disciplines to participate in the study. For example, an ideal composition for the study to realize this objective would include specialists in computer security, network security, cryptography, data security, and application security, as well as professionals from industry and public sector organizations responsible for addressing threats and vulnerabilities associated with cybersecurity.

What It Takes

Mozilla acts as the convener of the Cybersecurity Delphi 1.0, with assistance from four groups:

  1. Advisory Committee: A small group of subject matter experts provide input on the discussion topics and the analysis of key outcomes at the end of each round.
  2. Delphi Facilitators: Provide anonymous summary and justification of the experts' position statements as part of the iterative cycle of discussion.
  3. Delphi Design Specialist: Inform the framing and execution of the discussion.
  4. Technical Support Team: Manage the online survey tools and the asynchronous discussion forums.

Timeline

We expect to kick off the Delphi process in the fall of 2014, with a tangible output for public distribution ready at some point early in 2015.