The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
Despite the prevalence of cyber attacks, we still have a limited understanding of the relationship between security control failures and financial loss. Very few firms build their own cyber risk models internally, and those that do lack external data to ensure the models are robust. The industry has done a good job sharing threat and vulnerability information, but that provides little guidance to shape overall strategy, either for individual firms or for policymakers looking to manage risk at a societal level. MIT’s SCRAM (Secure Cyber Risk Aggregation and Measurement) is a new cyber risk measurement research platform that provides security benchmarking and return-on-security-investment data to CISOs, Chief Risk Officers and CFOs so that they can better protect their networks, direct security investments, and improve the state of global cybersecurity. SCRAM uses secure multiparty computation based on threshold homomorphic encryption to compute aggregate benchmarks and risk metrics without ever requiring firms to disclose their sensitive data to anyone else. This new approach to cybersecurity will provide currently unattainable cyber risk pricing metrics to guide private investment decisions, make cyber insurance markets more efficient, and shape cybersecurity regulations.
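To make the aggregation mechanism concrete, the following is an added illustration, not SCRAM's own code: a toy of the pattern the abstract describes, in which each firm encrypts its loss figure under a shared Paillier public key, an untrusted aggregator multiplies the ciphertexts (which adds the plaintexts), and decryption of the total requires every key holder to contribute a partial decryption. The primes, the firm names and the loss figures are constructed for the example and are far too small for real use; the key holders use an n-of-n additive split of the decryption exponent, which is a simplification of the t-of-n threshold schemes (Shamir shares over the Damgård–Jurik construction) that a production platform would use.

```python
"""Toy Paillier-based secure aggregation with n-of-n shared decryption.

Constructed example: small fixed primes, illustrative firm data, and an
additive n-of-n split of the decryption exponent instead of a real t-of-n
threshold scheme. Nobody but the key holders acting together can decrypt,
and they only ever see the aggregate, never an individual firm's figure.
"""
import math
import secrets
from dataclasses import dataclass

# Constructed toy primes; real deployments use primes of 1024 bits or more.
P = 1_000_000_007
Q = 1_000_000_009


@dataclass(frozen=True)
class PublicKey:
    n: int    # Paillier modulus p*q; plaintexts live in [0, n)
    n2: int   # n^2, the ciphertext modulus


def keygen(p: int = P, q: int = Q, holders: int = 2):
    """Return the public key and one secret share per key holder."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    # Decryption exponent d with d == 0 (mod lam) and d == 1 (mod n):
    # then c^d mod n^2 == 1 + m*n, so no separate 'mu' value is needed.
    d = lam * pow(lam, -1, n)
    # Split d additively modulo n*lam. The order of any unit in Z*_{n^2}
    # divides n*lam, so c^(d1) * c^(d2) * ... == c^d, while any proper
    # subset of the shares is just uniformly random and reveals nothing.
    modulus = n * lam
    shares = [secrets.randbelow(modulus) for _ in range(holders - 1)]
    shares.append((d - sum(shares)) % modulus)
    return PublicKey(n, n * n), shares


def encrypt(pk: PublicKey, m: int) -> int:
    """Paillier encryption with g = n + 1 and a fresh random blinding r."""
    if not 0 <= m < pk.n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(pk.n - 1) + 1
        if math.gcd(r, pk.n) == 1:
            break
    return pow(pk.n + 1, m, pk.n2) * pow(r, pk.n, pk.n2) % pk.n2


def add_encrypted(pk: PublicKey, ciphertexts) -> int:
    """Aggregator step: multiplying ciphertexts adds the hidden plaintexts."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % pk.n2
    return acc


def partial_decrypt(pk: PublicKey, share: int, c: int) -> int:
    """Each key holder raises the ciphertext to its own share only."""
    return pow(c, share, pk.n2)


def combine(pk: PublicKey, partials) -> int:
    """Combine all partial decryptions; L(u) = (u - 1) / n recovers m."""
    u = 1
    for part in partials:
        u = u * part % pk.n2
    return (u - 1) // pk.n


def aggregate_benchmark(losses, holders: int = 2) -> int:
    """Run the whole protocol for a list of per-firm loss figures and
    return the total, which is the only value that is ever decrypted."""
    pk, shares = keygen(holders=holders)
    # Each firm encrypts locally; only ciphertexts leave the firm.
    encrypted = [encrypt(pk, loss) for loss in losses]
    total_ct = add_encrypted(pk, encrypted)          # aggregator, no key
    partials = [partial_decrypt(pk, s, total_ct) for s in shares]
    return combine(pk, partials)


if __name__ == "__main__":
    # Constructed annual loss figures attributed to one control failure.
    firm_losses = {"firm_a": 120_000, "firm_b": 45_000, "firm_c": 980_000}
    total = aggregate_benchmark(list(firm_losses.values()), holders=3)
    print(f"aggregate loss across {len(firm_losses)} firms: {total}")
    print(f"mean loss per firm: {total // len(firm_losses)}")
```

Because the sum is the only plaintext that is reconstructed, the aggregator learns nothing beyond what it could infer from the published benchmark itself; the usual caveat is that with very few participants, or with one dominant contributor, the aggregate alone can still narrow down an individual firm's figure, which is why such platforms enforce minimum group sizes.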
Daniel J. Weitzner is 3Com Founders Senior Research Scientist at the MIT Computer Science and Artificial Intelligence Laboratory and Founding Director of the MIT Internet Policy Research Initiative. His research interests include accountable systems, privacy, cybersecurity, and online freedom of expression. He was the United States Deputy Chief Technology Officer for Internet Policy in the White House under President Obama, founded the Center for Democracy and Technology, led the World Wide Web Consortium’s public policy activities, and was Deputy Policy Director of the Electronic Frontier Foundation. He was responsible for the Obama Administration’s Consumer Privacy Bill of Rights and the OECD Internet Policymaking Principles. Weitzner has been a leader in Internet public policy from its inception, making fundamental contributions to the successful fight for strong online free expression protection in the United States Supreme Court, opposing technologically unwise regulation of encryption technology, and advocating for laws that protect the privacy of email and web browsing data against government surveillance. Weitzner has a JD from Buffalo Law School and a BA in Philosophy from Swarthmore College. He is a non-resident Senior Fellow at the German Marshall Fund, a recipient of the International Association of Privacy Professionals Leadership Award (2013) and the Electronic Frontier Foundation Pioneer Award (2016), was named a Fellow of the National Academy of Public Administration (2019), and is a member of the Council on Foreign Relations.