Lauren Zabierek, former Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, has been appointed Senior Policy Advisor with the Cybersecurity & Infrastructure Security Agency (CISA). 

Jen Easterly, CISA Director, and Lauren Zabierek, Cyber Project Director at Harvard Kennedy School's Belfer Center and co-founder of the #ShareTheMicInCyber movement, write about the importance of diversity and belonging in cybersecurity fields. This article was published on Oct. 20, the day before this year's #SharetheMicInCyber activities.

The United States nor its allies alone cannot counter adversarial and criminal cyber activity in the digital domain-–the reach, scale, stealth, and danger are simply too great for any one country to bear. As such, calls for international operational collaboration in cybersecurity and emerging technologies are increasing. Former U.S. State Department Cyber Diplomat Chris Painter noted in a December 2020 Foreign Policy article that there must be more leadership and partnership on global cyber cooperation. What follows represents a thinking-through of what this ought to entail.

In February 2012, the first significant attempt to set mandatory cybersecurity requirements and response plans for critical infrastructure was introduced in Congress. Unfortunately, it was watered down to voluntary standards and failed in the Senate. Opponents of the bill cited fears of overburdening regulations on companies and warnings of over-simplistic box-checking and minimum compliance. Business groups championed the narrative of big government to ensure the bill’s demise — and that narrative persists to this day.

The Belfer Center's Cyber Project and the R Street Institute's Cybersecurity and Emerging Threats Team have been working together to identify roadblocks to a federal data security and privacy law, drawing upon research and engagement with stakeholders to identify and recommend appropriate courses of action to find compromise on federal legislation. Ongoing research also includes topics like civil rights in privacy, arbitration and covered entities and data.

The FTC already enforces some privacy legislation and seeks to expand on its role in data privacy. As federal data and privacy bills are considered, it is therefore critical that we understand the role the FTC might play in overseeing and enforcing such legislation as well as the important role that lawmakers will have in setting parameters for the FTC.

Congress’s decision regarding who they choose to empower—be it individuals, state attorneys general, one or more federal agencies, or a combination thereof—will dictate the true shape of the law, once passed. If individuals are empowered with an enforcement role—that is, if a private right of action (PRA) is established—it is important to outline the structure, procedures and limits to craft a fair and functional law.

This one-pager is an overview and precursor to a series of policy recommendations for a federal data privacy and security law, which answer and expand on the concepts of preemption, private right of action, and the role of the FTC.

Know the Adversaries. Bolster the defense. Mitigate the disaster.

The invasion of Ukraine thrust the Cybersecurity and Infrastructure Security Agency into public consciousness as the nation’s key cyber security risk advisor during a time of heightened risk. Congress recently passed legislation requiring critical infrastructure operators to notify the agency of security breaches, bringing it into closer contact with the private sector. This development builds on positive momentum for the agency, following a series of executive orders that expanded its authority and created a specific Joint Cyber Defense Collaborative to share information about threats between the public and private sectors. Nearly four years after its creation, the agency now has more visibility into the risks the country is facing and more resources at its disposal to combat them.