“There is no bigger gap in cybersecurity than making sure that the entire effort to support the public good in cyber is funded.”

We interviewed Philip Reitinger, President and CEO of the Global Cyber Alliance, on the sidelines of the first Common Good Cyber Workshop in Washington D.C., which brought together 120 top key players in the global cybersecurity field. Common Good Cyber is a collaborative effort aimed at building sustainable funding models to support those who secure the Internet for everyone. 

You can watch the full interview HERE.

Why is GCA leading the change on Common Good Cyber?

As an organization, GCA has always been focused on filling gaps, and there is really no  bigger gap in cybersecurity than making sure that the entire effort to support the public good in cyber is funded. The number of organizations that do work that benefits not just them – in fact primarily not them, but other people – is really significant.

The Internet is somewhat unique from other infrastructures in that there are so many organizations that do the basic filling of potholes or building of roads when you are talking about the Internet. And so, as we all have come to depend more and more on the Internet, we need to make sure that those who do that real work are supported, have the means to do so, so we don’t wake up one day and just find out that the Internet we’ve all come to depend on is not there, or at least not there the way we thought it would be.

What is your message to the cyber community?

I think my message to the cyber community is that this is a problem that affects all of us. The challenge is that everyone likes to say that cybersecurity is a shared responsibility, and that’s unquestionably true. But what most people mean when we say that cybersecurity is a shared responsibility is it’s your responsibility. And your responsibility is not necessarily mine.

We don’t have a case where the ultimate responsibility to make sure the infrastructure operates rolls up to one government, or on a government-by-government basis regionally, or even to a small set of private sector actors. So, what do we do about that? How do we make sure that we align capability with responsibility, which we haven’t done right now?

Those who are responsible for keeping the Internet running don’t have the authority to do it in a lot of cases and don’t have the resources, certainly.

Why do you think it’s so hard for organizations to find funding?

Because everybody thinks it’s somebody else’s responsibility. You know, I hate to get too technical about it, but people throw around the term market failure sometimes, right? The Internet is kind of built for market failure. 

Maintenance of the roads is really the government’s responsibility, unless it’s a private road. But even if the road is private, everybody knows who owns that road and who is responsible for it. And there are funding mechanisms to fill potholes and to build new roads.

Same for power, right? There are fairly clear responsibilities. And even where there’s a distributed responsibility, there’s a regulatory overlay in government oversight to make sure it happens. That’s just not true in cyber. First off, it’s not specific to any one country. It ties everyone together. So even if you said the US government or the European Union has a majority of the interest, well, wouldn’t that be false? And second, what are they going to do, how are they supposed to keep bearing all of the bills, which they don’t yet… But if they tried to, how would they keep bearing all of the bills for the global community? 

There is no one stakeholder who is responsible for making this happen. And by this I mean the maintenance of the Internet the way everyone expects it to be, and particularly the maintenance of cybersecurity. So that’s the problem, it’s global, it’s multi-stakeholder, and it’s really both complicated and complex. The risk is you wake up one day and it’s not your mother’s Internet. People think it’s bad now, and in some places it is.

How many phishing emails do I get a day? I don’t know, it’s probably in the hundreds. But there are mechanisms. Webmail providers are getting better and better at filtering that, but without the backends that support them, including the small ISPs, your inbox is now garbage.

You can’t go to the website. The power doesn’t work. Your food doesn’t come through. And the reason it doesn’t is because everybody depends on the Internet now and nobody has the responsibility to make sure that it goes forward. We used to say – this is back in the old days, you know – people take things seriously because people will “die”, right? But we passed that –  people have already died in hospitals and otherwise because of cyber insecurity. And we still haven’t solved the problem. Now it’s: lots of people will die. We will have a global electronic apocalypse. Those are perhaps a little bit overblown, but the seriousness of the problem can’t be overstated.

This gathering is to move from idea to action. I think there is broad consensus in the room that this is a significant problem. And we heard from a number of nonprofits about the challenges they have and the value they provide. We heard from governments, we heard from academia, the idea is we come out of this workshop with the core of an action plan that we can condense in the next few weeks, move forward on, and then update throughout the year, with about a year from now, having a set of implemented tools that people can rely on.