
Podcast Host
The following podcast contains advertising. To access an ad-free version of the Lawfare Podcast, become a material supporter of Lawfare at patreon.com/lawfare. That's patreon.com/lawfare. Also check out Lawfare's other podcast offerings: Rational Security, Chatter, Lawfare No Bull, and The Aftermath.
Phil Reitinger
Our focus is on trying to deliver solutions at scale so that everybody has access to cybersecurity. It's sort of, our view is, it's a fundamental human right, much like privacy or food is. So we really need to give everybody access to cybersecurity.
Justin Sherman
It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare, with Phil Reitinger, the President and CEO of the Global Cyber Alliance, and Komal Bazaz Smith, the Alliance's Chief Business Officer.
Komal Bazaz Smith
So we want to make sure that we're driving those that are most effective. We're trying to drive reduction and duplication and we're trying to make sure that our investments are even more strategic and can go a little bit further.
Justin Sherman
Today we're talking about cyber risks to core Internet functions and the broader Internet community, the Alliance's Common Good Cyber project to address them, and how civil society partnerships, funding, and data can make the Internet more secure. No doubt many folks are well familiar with both of your backgrounds. But for those listeners hearing your voices for the first time here today, why don't you both give us 30 to 60 seconds on your backgrounds and how you got into this field.
Phil Reitinger
Sure. Hi, this is Phil Reitinger. I'll start. I'm the President and CEO of the Global Cyber Alliance. I got my start in cybersecurity back in 1995 when I was the number six prosecutor at the US Department of Justice in what was then the Computer Crime Unit. And I've gone on and worked for DOJ, Microsoft, DHS, DOD, Sony, and now for the last 10 years, I've been the president and CEO of a nonprofit called the Global Cyber Alliance.
Komal Bazaz Smith
Hi there, everybody. My name is Komal Bazaz Smith. I'm the Chief Business Officer here at GCA and I also lead our driving ecosystem engagement work, which includes efforts like Common Good Cyber, which we're going to talk about a little bit later. But my background also spans a couple of decades, but more in the strategic consulting and international development spaces. I've worked at places like DAI, R4D, Arabella, Booz Allen, Accenture, and I also co-founded the Kashmiri Institute, which helps support my displaced diaspora community. But one of the things that I was going to talk about is I actually don't have a very deep technical. You heard from Phil. He's been in this space for a very long time. And I got my start about five or 10 years ago in the digital space working on digital capacity building work and policy work. But what I really love is how to solve big, complex problems. And one of the ways that you do that is you bring relevant stakeholders into the conversation and you drive them towards collective action, like really tangible things that solve problems in a meaningful and sustained way. And that's actually what led me to GCA. And so, you know, just I noted that GCA, we really focus on solving these very complex problems that nobody else wants to solve, which does make it a little bit difficult from a fundraising angle. But I got really excited about it and I got excited by the challenge that we're trying to address these tough issues and, you know, things like building sustainable funding models through something like the Common Good Cyber initiative is something that is not just a project, but it actually has a potential for like really revolutionizing something and changing the ecosystem. And I wanted to do something that would have lasting systemic change. And that's why I came here.
Justin Sherman
Well, that's a great segue and a great preview of where we're going to head. So with that, why don't you tell us a little bit more about the Global Cyber Alliance. Where are you based, what do you work on, and how do you differ from some of the other nonprofits in the cybersecurity space?
Phil Reitinger
You know, that's a difficult question. I would say, you know, we're sort of like the Internet, right? We're based everywhere. GCA is a virtual organization, so we're a small organization, but we've got people in the U.S., Canada, the Netherlands, Belgium, Spain, and North Macedonia. So we've got a pretty broad footprint of people working around the world and bringing their special expertise or efforts to bear. The focus of the Global Cyber Alliance is. I wouldn't say we're unique. I say we're unusual. And what I mean by that is, you know, a lot of people, when they think about cybersecurity, think about, you know, on the, on the sort of the technical and the operational side, it's, you know, Microsoft and Google and Verizon and all of these companies. Right. And when they think about nonprofits, they think about, you know, the think tanks, especially in the policy space. Right. You know, the, you know, the Center for Strategic and International Studies or the Aspen Institute or places like that, all of which are very important. But we sort of are in a niche between the two. We're a nonprofit that focuses on operational activity, and our focus is on trying to deliver solutions at scale so that everybody has access to cybersecurity. It's sort of, our view is it's a fundamental human right, much like privacy or food is. And so we, we really need to give everybody access to cybersecurity. What makes us, you know, there are a bunch of nonprofits that work in that space. You might think about the Forum of Incident Response and Security Teams or the Cyber Threat Alliance or the CyberPeace Institute. Right. There are a number of them. What I think makes us a little bit different is that we don't work in a particular vertical or silo. Right. Our effort is to try and build communities to solve huge problems and to work in particular spaces where we need to deploy a solution at scale and it's not otherwise being done.
So we've done things like, if you've ever heard of Quad9, which is a global protective DNS infrastructure that's free to anybody around the world and protects their privacy. We built that with another nonprofit called Packet Clearing House. We operate MANRS, which is a global effort involving companies and others to increase routing security around the world. So we try to hit places where it really takes a unique contribution. And we think that the resources that we can bring to bear can make that contribution and deploy solutions that actually have an effect in securing people better.
Justin Sherman
You mentioned sometimes overlooked problems. You also mentioned the word communities. So what does that landscape look like today? Of the different actors you mentioned, some of them working on cybersecurity for the broader Internet community and maybe just elaborate I guess a bit. You touched on this in part already. But what does that landscape look like and how do these actors interact with.
Komal Bazaz Smith
You know, honestly, it's a little bit funny. So, you know, the average person, including myself before I joined GCA, really thinks about, you know, big for-profit companies like Apple and Google and Microsoft and all those others that really sort of, we think of them as the Internet essentially. But that's actually not true. So in reality there's just hundreds of nonprofits that, you know, that actually maintain the critical cybersecurity functions for the Internet for the good of the Internet and actually for the, for all of its users, including those that are the most vulnerable, those that are the most under-resourced in our society. And so, you know, yes, they're not household names. Phil mentioned a couple of them, but they are actually vital to a safe and functioning Internet. So I'll just give a couple of examples. Like, you know, many of the tools that small businesses, for example, run on or are supported by are actually supported by nonprofits. And so, you know, they might use code from open source libraries like Log4j or they might use something called Django to create their products faster and more cheaply. And that's obviously very important for small businesses. You know, the staff might use open source software like LibreOffice to keep operating costs down. They, you know, Phil mentioned Quad9. They might use Quad9 to block malicious websites. They might use Let's Encrypt to encrypt their websites. Shadowserver. Shadowserver fixes network vulnerabilities. All of these things are free to the user. And there are just a couple of names that nobody's ever heard of, I certainly had never heard of. But they're small nonprofits and they're mostly tech geeks that just want to solve the problem. There are a couple of people that have seen that there's an issue and they want to fix it and they want to make sure it's okay for everybody. But they don't have time or skills or resources to go out and fundraise so they can do more of what they're doing.
And more often than not most of them are, again, really skeleton crews, volunteers. They're working on razor-thin budgets. You know, they rely on donations and grants and sponsorships. But all of those kinds of things can go away and can be pulled at any time. So it makes it really vulnerable.
Justin Sherman
Yeah, and funding is a critical issue. I want to certainly come back to that in more detail in terms of thinking about solutions. But one of the, one of the things that was mentioned up top is this phrase Common Good Cyber as one of the ways that GCA is thinking about and working on this set of thorny problems. So in a nutshell, can you tell us what is Common Good Cyber about?
Phil Reitinger
A few years ago, we got a group of nonprofits together. It was actually in Brussels about two and a half years ago, where we were talking about the need to involve every element of society in cybersecurity. What Craig Newmark likes to talk about as a whole-of-society effort or cyber civil defense. And it was interesting because all the nonprofits around the room said the same thing, which was, you know, we do critical work that keeps. Actually keeps people secure. It's not just writing reports and recommendations. But funding for what we do is almost impossible to get. If there is funding out there, and there's not much of it, it's to build this new shebang thing as opposed to keeping the work going that everybody needs. So, like, for example, you think about ISRG, which runs Let's Encrypt, which secures like half the websites on the Internet, right? They need funding not to build a new thing. They do probably need to build some new things, but they need to keep operating what they're doing so that everybody can continue to have encrypted communications with websites. And so we thought about, how do we solve that, right? How do we bring the resources to bear for those entities that work to scale solutions for the common good, not just for the biggest companies or the richest nations, but for everybody around the world. High-risk actors, vulnerable groups, and really those parts of the Internet that keep everybody secure that we've been talking about. And so that's how Common Good Cyber got kicked off. It was an effort, a community effort, to say, how do we band together to do something that will be enduring and actually work to solve the problem, as opposed to somebody just writing another letter and saying, gosh, we need to support nonprofits. And then they read the letter and then they throw it in the garbage and they go on. How do we do real things? And so that is what Common Good Cyber is about.
An effort to actually enable nonprofits that fill that critical juncture between what individuals and the private sector and governments all do in a way that keeps the Internet safe for everybody. And how do we empower them? Whether it's through in-kind work, building capacity, making sure that they're helped with things like fundraising and communications, and most importantly, how do we bring the resources to bear. What are the funding models that will make sure that we've got an Internet that does the things that need to be done? You know, the Internet is unlike any other infrastructure out there. Like you got roads, you know, who's responsible for patching the potholes in roads. You know, even on a complicated global system like the airlines, you know, you've got a clear set of understandings about who's got to do what, what are the responsibilities, who pays for what. The Internet's not like that. You know, the Internet, there's a problem and it's like a community assembles and hopefully solves the problem. Right. Without any funding, which is great. Right. But can we really depend on that in every circumstance where life, limb, the economy, education and even entertainment, all of those things depend on this backbone infrastructure.
Justin Sherman
I appreciate that grounding because I think that as you're getting at, really materializes it for folks. I mean, I don't want to editorialize here either, but I think as you're saying, it's resonating also that obviously for so many years, many wonderful folks, including yourselves, have volunteered a lot of their time for this. But as you're saying, I'm often troubled too by the assumption or expectation that folks will do this for free or don't need funding to do it. So I want to pull on, on one of the threads you mentioned, which is the focus on really the common good and on vulnerable and under resourced actors. Because I think for those listening to what you're saying and thinking, okay, this sounds reasonable, we have real problems here. But who are perhaps wondering how this sits against or relates to or differs from concepts like cyber civil defense or government capacity building, or you know, terms that are related or for folks not in our space that maybe sound kind of the same. So can you elaborate a bit on how this kind of focus and this kind of work relates to maybe a more traditional public private partnership or something like a government, you know, cyber training program?
Komal Bazaz Smith
Yeah, just, you know, having worked very closely with the Agency for International Development, with the State Department, other international, other government capacity building projects, I can tell you from the ground that this is radically different. And you know, one of the ways that most cybersecurity capacity building projects work on the ground is they really take it at a user level. You know, they've got a particular user in mind. Let's say it's small and medium enterprises, let's say it's media, let's say it's journalists or a woman entrepreneur. And that comes from a particular tranche of funding. And what they do is they really try to understand sort of what's the capacity of this particular type of user, what's the language that they work in, what's the political and geographical context in which they work, what are the kinds of things, where are they on their digital journey and where are they in their cybersecurity maturity? And that is incredibly difficult and important work. But it is, the problem is it's really, really hard to scale that. And no matter how much time and effort you put in and investment there is into these programs on capacity building, it's, it's really, really hard to reach everyone. It's really, really hard to ensure that there's actual sustained behavior change and there's actual capacity building. That is where folks that can actually be determined to be capacitated, I think, you know, and that that requires more and more investment from donors, more and more resources on the ground, implementing agencies and partners that can help do the trainings. So, you know, one of the things that we're trying to do with Common Good Cyber is a couple of things. One is we're trying to invest in actually creating an infrastructure that makes it safer by design. And what that does is it makes it easier and safer for users, which then reduces the burden to be able to have to invest into cyber capacity building.
So we're hoping that we can actually help the landscape in all of that sense. The second thing that we're doing is really trying to scale a lot of the capacity building in a way that doesn't need one-to-one sort of user, very, very specific user-focused pieces and be able to scale the funding and drive deep funding into this space. So, you know, we really try to kind of make sure that it's both differentiated in terms of the kind of work that we're trying to accomplish as well as additive to the investments that donors and other governments are doing in the capacity building space.
Justin Sherman
Yeah, and your point about differentiation and process and focus area, like that's all really valuable stuff to hear. I think again with part of the through line being that, as you said, focus on under-resourced and vulnerable groups and actors and parts of the infrastructure. Phil, was there anything you wanted to add?
Phil Reitinger
I think Komal got it right. I'd only add that what we're doing here is supportive of and very complementary. As Komal said, these capacity building projects are very sort of end-user and specific-problem focused. Right. There's a project in Nigeria or a project in Japan or a project in Finland. They're trying to do things. What's missing is, as she said, the infrastructure that supports all of that. What are the scalable mechanisms that you use to support high-risk communities around the world? What about the pieces of the Internet on which everyone relies? Right. That sort of thing is not funded in these projects. They're like, yeah, but we want you to deploy this, but you got to have the thing to deploy or you need security to be built into that thing by design. And that's the role that these nonprofits play. You know, civil cyber defense is an example, right? It's not, it's not one of those specific deployment projects. It's also a global initiative. But the focus there is generating interest and making sure that people have the actual means to do what they need to protect themselves in their communities, whether that's training or tools. Right. So that's the substance and the knowledge. Common Good Cyber is about capacitating, growing the capabilities and support for the organizations that make cyber civil defense possible.
Justin Sherman
With that context, then, on organizations and on process and some of the funding gaps, I want to focus now a bit on the technology specifically. And so we could obviously spend plenty of time, and I'd be curious your thoughts on this. And you mentioned MANRS earlier for routing security and some other topics. We could cover all kinds of things across the Internet's core physical and digital infrastructure, cables, domain name system and so on that might need more security. That might be a whole separate podcast. And so to focus, I'm curious for you both, when you look at core Internet systems, and you can interpret that in whatever way you'd like, are there two or three or four that stand out to you as the highest risk or in the need of the most support in this kind of area? Just to give us a sense of what some of those, those big priority tech stack components, or whatever we want to call it, are.
Phil Reitinger
Part of the problem. And not to generalize beyond the value to your podcast listeners, but part of the problem is we don't really know. Right. The understanding of what are the critical things that need to be protected is rudimentary at best online. That's why part of the Common Good initiative is, is about figuring that sort of work out and doing things like mapping the roles and requirements that I think Komal could get into later. But there are some things that we know are important, some key illustrations like you mentioned, as I mentioned before, MANRS, the Mutually Agreed Norms for Routing Security. Right. I like to tell people that routing security has been one of the Internet security sucking chest wounds for 20 years. Right?
Podcast Host
Right.
Phil Reitinger
Because it's, everybody knows it's a huge problem. Right. It's not something that you worry about criminal actors. It's really more sort of the, the state-sponsored and the really high-order actors have a capability, but if you, you know, if you're effective at that, you can attack financial infrastructures, e-commerce, all sorts of different things. And so who's working on it? Well, it turns out that's MANRS and it's really just about MANRS. You know, it's the way all these, a bunch of companies like the, you know, the telcos and other folks are thinking about it and implementing pieces, but it's the community. It's a classic example of a problem that, you know, not to call back too far, but it takes a village to solve. Right. No one entity can solve it. So you need collaboration. Right. So that's one class of problems that is super important. Another similar one is incident response. Right. Everybody does incident response. But how do we make sure all of those organizations in charge of that on a national level or on a, even a regional or a more local level have the capacity to do that? Right. There's, turns out there's an organization that does that. It's called the Forum of Incident Response and Security Teams, or FIRST. And it's been around for a long time and it does God's work in capacitating all of these organizations. You know how many people it's got? Take a guess, Justin.
Justin Sherman
Oh, I. All I'll say is I'm going to be horrified by the number.
Phil Reitinger
It used to be three.
Justin Sherman
Oh, good.
Phil Reitinger
Now it's seven. Okay, Right. So you know, who, who thought that was a good idea, you know, who thought that we should rely on seven employees and just a bunch of volunteers to run arguably the most critical global infrastructure? Right. We just had another example to pick one last week. Right. You're familiar with the CVE debacle, right?
Justin Sherman
Yep.
Phil Reitinger
Right. So just for your listeners, this is MITRE, which actually is a nonprofit, although it's an FFRDC. We need to go into that. A federally funded research and development corporation, it's still a nonprofit, runs this thing called CVE, which is the list of exploited, commonly exploited vulnerabilities. It's the language that everybody uses to work together. It's funded by CISA, in this case by the US Government. Right. But like only by them. And the contract was going to run out and we came within hours, I'm not being hyperbolic, literally hours of that contract running out and having no support for this critical piece. It's another example. Now the federal government stepped forward, came up with the money, extended the contract. But you know, it's like you think about what happens in the US sometimes, right, with continuing resolutions, like is the federal government going to shut down or not? Right. So every week you got a. Is the federal government going to shut down this week? Right. It's like that, but in cyber. Right. You know, and it can happen a lot more in cyber because there's all of these different organizations that are hand to mouth and do critical work online.
Justin Sherman
Well, the point that we don't actually know necessarily, right, what those core elements are, how they stack against each other, as you said, how to map those to different priorities and other things is an important point. And as you're saying, I would certainly agree there's probably a great underappreciation for the extent to it. Right. I mean, we don't get our package the day it's supposed to come and everybody flips out, like you're saying, not recognizing just how much of this is fragile in some ways structurally, in terms of the resources supporting these core functions. So just to continue, you mentioned mapping. I want to talk about that as well, because one part of your website that I find particularly interesting is the build-out of this mapping dashboard, quote unquote, to organize and to quantify some of the cybersecurity and resource dynamics in play here. And among other reasons, I find this work that you're doing interesting because we hear a lot about, as you both alluded to, data that the government can bring to bear, data that a CrowdStrike or a Google or something can bring to bear on cyber problems, but perhaps less about civil society data, where there's a real opportunity and a gap there. And so could you tell us a little bit more about this mapping dashboard that I'm referring to and perhaps as well maybe about that data piece? What role can metrics and civil society metrics and measurements potentially play in identifying and mitigating some of these high-risk Internet security issues?
Komal Bazaz Smith
Yeah, I can take the first part and I'll talk a little bit about a little piece about the metrics as well, and then I'll hand it over to Phil. You know, so one of the things that we kept hearing from potential donors and groups across the stakeholder system was who does what? Where you say that nonprofits are working in this space, what are they doing, what are the kinds of things that they're actually solving for? And if they are solving for these problems, who's doing what? It's hard to differentiate. And so we thought that it would be really helpful to start kind of mapping this out. And what we did was we reviewed, you know, tools and solutions, services, platforms, but the evaluative criteria for that was are they actually deployed in the public interest? And you know, what are the kinds of things that they're doing? Are they securing networks, are they empowering Internet users, are they increasing resilience across the sectors in some way? And so the result is this, is this Common Good Cyber mapping database. It's just getting started. As of right now, I believe we're at 334 public-interest-driven cybersecurity tools and services and platforms. And it's organized in six different groups. So you've got groups that work in the govern space, groups that work in the identify space, groups that work in the protect space, detect, respond and recover. And so, you know, the reason why it's in these different six categories is one, that follows the NIST framework, which is very familiar to a lot of folks. But also together, all of those different kinds of pieces of work form that vital layer of defense for the broader digital commons. And that's something that we really wanted to understand from a broad lens. And again, just the maintenance and deployment of that work is actually quite heavy on the nonprofit side, the nonprofit, individual, and volunteer side. So we take on a lot of the burden. And, and we have the most limited resources and budgets.
And one of the things we really want to try to work on as we get Common Good Cyber up and running and we really get funding for it, is we really want to try to build a set of metrics and start gathering data to understand and evaluate the actual effectiveness of each of these tools so that we understand which of these tools and services and platforms are actually having the most impact. How are we making sure that we don't duplicate resources and reduce the amount of services and platforms that we have to invest in? So we want to make sure that we're driving those that are most effective. We're trying to drive reduction in duplication, and we're trying to make sure that our investments are even more strategic and can go a little bit further. Phil, I don't know what you want to talk about a little bit on the data side.
Phil Reitinger
I think I'd like to just talk about some of the more global efforts. Justin, your question points out there are a lot of people who could be active here, right? You know, the, the best example to pull forward might be for those who are familiar with the Solarium Report, the Cyber Solarium work. A few years ago, you know, it recommended the creation of a Bureau of Cyber Statistics, so we could actually have the data sources to do this that would be funded by the federal government. It's one of the parts of the Solarium Report that's never gotten any traction because, you know, who wants to pay for that, right? No matter how important it is. It's like, you know, and you see this now, right? In the US, the government's like, do we really need the Bureau of Labor Statistics? Do we need all these things? Well, yeah, we actually do. So it's, it's sort of been sitting around. At the end of the prior administration, there was some really great work that was done by the Office of the National Cyber Director with MITRE to build a national dashboard on what's the state of security. But, you know, that I think has mostly been orphaned right now in the current administration, you know, those responsibilities, I believe, have transitioned over to the Office of Homeland Security Statistics, or OHSS, in DHS. And if you look at their website, you will see that they've got cybersecurity metrics listed as a work area for work on the website. But there's not anything there. Right. There's been other historic efforts, including the National Risk Management Center in CISA a few years ago. And there is a huge amount of work on this in the nonprofit from people, you know, like GCA. We've done reports to measure the effectiveness of particular things that we've done. You know, we've built dashboards that are publicly exposed Shadowserver reports on what the overall threat levels are.
There are nonprofits like CyberGreen, which is led by Yurie Ito, that work on developing cyber hygiene metrics and tools around the world. But it's an area that, that calls out for much greater investment because, you know, we're behind here. You know, we've gotten, we know what public health metrics look like. We've been doing that for 100 years. You know, we know what food safety metrics look like. We've been doing that for 100 years. We haven't been doing the Internet for 100 years. And to be frank, it's more complicated than any of those other ecosystems. I'm going to, you know, the public health people are going to come at me and say, no, no, but it is, it's, you know, that we're, we're going to approach in the not so distant future the number of devices on the Internet as there are cells in the human brain or neurons in the human brain. Right. So how do you model that? Right. How do you do that? That's a really important area of work.
Justin Sherman
Yeah. So, I mean, you know, I'm not a doctor, so I'm neither going to argue with you on that or be able to correct you. But I think as you're saying, there definitely is something to be said for the sheer scale, let alone the, you know, complex interdependence and everything else that that creates. So you mentioned funding. This is another good segue. It goes without saying, you know, anyone listening, all of us are well aware of everything going on. And so talent, funding, resources, you touched on all of these things have shifted greatly, I'll say cataclysmically, in the last few months on cyber proper, on capacity building generally, on US engagement on various issues around the world. So my two in one question is how do you see all of the recent policy and funding changes in the US impacting your work in terms of the organizations you're working with, the needs you're seeing and so forth. And then looking a year or two out, are there particular policy or other measures in an ideal world you think we would need now or organizations might need to put in place now to deal with where these trends are headed?
Komal Bazaz Smith
Honestly, here's the thing. So funding in the cybersecurity space has been slowing for a number of years now. You know, yes, there's a lot of disruption in the last couple of months, and that's undeniable. But this has been happening and it's been a trend for a number of years. And frankly, you know, it's one of the things that drove us to start Common Good Cyber. We wanted to be able to find a way to mitigate against all this uncertainty. We wanted to be able to make something that created a joint fund that enabled, you know, more collective action. You know, when there is a very uncertain funding environment, it takes even more collective action. It takes, you know, nonprofits being able to work together to say, okay, can we actually go after funding together? Are there joint fundraising potential efforts that we can do together? How can we focus the investments from the donor side and how do we make sure that we're, that we're helping explain to them who we are and why we should be funded? And we really think that Common Good Cyber is one way to actually reduce the uncertainty in the environment. And again, if we're trying to inherently invest in the infrastructure that takes the burden off users, then that reduces the needs a little bit in terms of investing on small scale and potentially duplicative investments across the ecosystem. So we're trying to do something that is just much more systematic, much more holistic, not in a piecemeal fashion, where it brings together the policymakers, the civil society folks, the private sector folks, and really try to make a lasting and meaningful change that hopefully will even weather all of this uncertainty and will create a much more stable environment.
Phil Reitinger
So I think that's absolutely right. I'd say, you know, cybersecurity is not unique here. Right. And not again to boil up to bigger issues. Right. But you see this all around the world, not just in the United States, where there's a lot more uncertainty and people focus on the problems closer to home. National, state or local issues. Right. So it's almost a moving away from and lack of investment in global institutions like the US withdrawing from the World Health Organization. The United States may be leading, if you will, in that category, but it's not alone. And the problem with that is it ignores those things where, you know, not only is it more efficient to tackle things globally, you know, because of scale, because of economies of scale, because of other things. And it's actually, it's actually necessary in a lot of cases to do that. Right. You can't really track certain things on a merely local basis and not know what's happening. Right. And the Internet is the, as I said before, that's the most important of all those things to tackle globally. So I would say to return to your question then, of what are the most important things, I'll highlight two: one policy and one non-policy. The policy issue goes back to what Komal was saying about how do we solve this problem for everybody, right. You know, there's an initiative that people have been really interested in for a long time called Secure by Design, where we say, you know, the people really capable of fixing these things ought to do so at the highest level possible so other people don't have to act much. Like we addressed automobile security by making automobiles safer. So the Internet's not so simple, right? But the approach has value and that's a key policy issue. Right? So that doesn't happen organically. Right. It takes strategy and implementation efforts really on a global level to make that happen. So the most important policy issue, I think I'd say, is what are the drivers?
Is it regulation, is it liability, is it collaboration, is it jawboning? You know, what are the efforts that are going to happen to make that different so that the Internet becomes more inherently safer? Right? And then the second issue is actually the Common Good Cyber issue, right? That's going to solve a bunch of problems, but it's not going to solve all problems. There's still going to be issues, right? We're going to need international collaboration. There's still going to be people left behind. We're going to need organizations like the CyberPeace Institute or GCA that work to deliver services to vulnerable communities. How do we fund that? How do we build the infrastructure to be more secure from the start and how do we work together? Because we love this multi-stakeholder model of the Internet. We love that it brings everybody together. We love that it's open and we love that it enables all this economic progress and freedom. What we don't really do is support it. Like, it's that. It's like, you know, and then a company will solve it, a startup will be created that will solve this problem and we won't have to worry about paying and that's just not how anything works. Repairs always need to be done.
Justin Sherman
Right? Right. Yeah, no, exactly. Looking ahead then, and I'm perhaps trying to skew us in an optimistic direction, maybe, but are there areas where you are more optimistic about, obviously some of the great work you're doing, but some of the results you're seeing and what might those growth areas look like in the near term?
Phil Reitinger
So I'll continue just because I'm on a riff. Right. So there's one problem that is our greatest challenge and our greatest opportunity, and that is recognizing the seriousness of the problem and starting to treat the Internet like we do other infrastructures and saying it needs the support to make it functional. Right. We continue to see incidents come up that cost billions of dollars. So the downside risk of that is those incidents are going to continue to grow until eventually, as I wrote in a tongue-in-cheek blog post a few years ago, the entire world economy will be eaten up by cyber losses. But the upside is people are going to start to recognize this. Governments are going to start to step in and say what we're doing now is not working and we have to solve the problem. And I think this is the optimistic. I'll be a Pollyanna. This is a moment in time where we can make that difference, where people are starting to recognize the need to work together, even though the overall international trends are against working together. And so I'm very, very hopeful that in the next couple of years, through Common Good Cyber and associated efforts, we're actually going to be able to change the ecosystem and we're going to provide means starting small but growing so that we've got mechanisms to make sure the most critical work gets done both to security, core infrastructure and high risk actors around the world. I think that's possible.
Komal Bazaz Smith
I don't think you can add to that. I think that's exactly right. I mean, at the end of the day, you know, we've got this, this Internet that underpins literally everything we do. And you know, it, it underpins our daily lives, obviously, but it underpins economic prosperity and global peace. And I think we're really at a juncture at this point where we're starting to see a lot of momentum and people recognizing the need for it as well as wanting to do something about it. And if we can do that, I think it really changes the game and it changes the ecosystem and we can start moving towards a much stronger and sustained Internet.
Justin Sherman
Is there anything else either of you would like to add?
Phil Reitinger
I'll say one quick thing. You know, cybersecurity has always been substantially a nonpartisan issue and it needs to remain that way. You know, everybody's got political opinions and, you know, I've got my own and think some people are right and some people are wrong. But historically, everybody's been together on cybersecurity that we need to take effective action. And I hope it will remain that way. And I think it can if we disaggregate it from other stuff and have our fights in other fields, you know, and focus on, focus on outcomes in cybersecurity. Right. But that takes everybody agreeing. You know, you can't, you can't have, you know, one side being political and one side not being political, because it always becomes political then. So I'm hoping that we really start to build domestic, in the US, and international consensus around the joint action that's necessary.
Justin Sherman
That's all the time we have. So, Phil, Komal, thank you so much for coming on.
Komal Bazaz Smith
Thank you.
Phil Reitinger
Thank you, Justin.
Justin Sherman
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and our audio engineer for this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
The Lawfare Podcast Summary
Episode: Lawfare Daily: Phil Reitinger and Komal Bazaz Smith on Civil Society and Strengthening Internet Security
Release Date: May 23, 2025
Hosts: Justin Sherman, Phil Reitinger (President and CEO, Global Cyber Alliance), Komal Bazaz Smith (Chief Business Officer, Global Cyber Alliance)
In this episode of The Lawfare Podcast, host Justin Sherman engages in an in-depth discussion with Phil Reitinger and Komal Bazaz Smith from the Global Cyber Alliance (GCA). The focus centers on cyber risks to core Internet functions, the Alliance's Common Good Cyber project, and the pivotal role of civil society partnerships, funding, and data in enhancing Internet security.
Phil Reitinger shares his extensive experience in cybersecurity, beginning in 1995 with the U.S. Department of Justice's Computer Crime Unit. Over the years, Phil has worked with entities such as DOJ, Microsoft, DHS, DOD, and Sony, and has led the GCA for the past decade.
Komal Bazaz Smith outlines her background in strategic consulting and international development, with roles at DAI, R4D, Arabella, Booz Allen, and Accenture. She co-founded the Kashmiri Institute and highlights her passion for solving complex problems through stakeholder collaboration, leading her to GCA.
Phil Reitinger (02:28) explains that GCA is a globally distributed, virtual organization with a presence in countries like the U.S., Canada, the Netherlands, Belgium, Spain, and North Macedonia. Unlike other nonprofits that focus solely on policy or technical operations, GCA occupies a unique niche by delivering scalable cybersecurity solutions accessible to all.
Notable Quote:
“Our view is it's a fundamental human right, much like privacy or food is. So we really need to give everybody access to cybersecurity.”
— Phil Reitinger (05:31)
GCA's initiatives, such as Quad9, a global protective DNS infrastructure, and MANRS, an effort to increase routing security, exemplify their commitment to operating at the intersection of technical and operational cybersecurity.
Komal Bazaz Smith (09:09) highlights the often-overlooked role of hundreds of small nonprofits that maintain critical cybersecurity functions essential for a safe and functioning Internet. These organizations, typically staffed by volunteers and operating on razor-thin budgets, are vulnerable to funding fluctuations.
Notable Quote:
“Most of them are, again, really skeleton crews, volunteers. They're working on razor thin budgets.”
— Komal Bazaz Smith (09:09)
The discussion underscores the fragility of core Internet infrastructure maintained by these nonprofits, emphasizing the dire need for sustainable funding models.
Phil Reitinger (11:44) delves into the Common Good Cyber initiative, born from a 2022 Brussels meeting where nonprofits identified a critical need for collective funding to sustain essential cybersecurity operations. The initiative aims to bridge funding gaps, ensuring that vital services like Let's Encrypt and Quad9 remain operational.
Komal Bazaz Smith (32:18) elaborates on the initiative's mapping efforts, categorizing 334 public interest-driven cybersecurity tools and services into six groups based on the NIST framework. This mapping facilitates strategic investments, reduces duplication, and enhances the overall effectiveness of cybersecurity efforts.
Notable Quote:
“It's an effort to actually enable nonprofits that fill that critical juncture between what individuals and the private sector and governments all do in a way that keeps the Internet safe for everybody.”
— Phil Reitinger (11:44)
The speakers discuss the importance of creating a comprehensive mapping dashboard to identify and quantify the roles and effectiveness of various cybersecurity tools and organizations. Komal Bazaz Smith (32:18) emphasizes the need for metrics to evaluate impact, prevent resource duplication, and direct strategic investments.
Phil Reitinger (35:00) points out the global deficiency in cybersecurity metrics, contrasting it with established public health metrics. He highlights efforts like the CyberPeace Institute and GCA's own reporting tools but underscores the pressing need for standardized, scalable data collection.
Notable Quote:
“It's like, you know, we know what food safety metrics look like. We've been doing that for 100 years. We haven't been doing the Internet for 100 years.”
— Phil Reitinger (35:00)
Komal Bazaz Smith (39:08) reflects on the declining funding trends in cybersecurity over recent years and how Common Good Cyber aims to mitigate funding uncertainties through collective fundraising and joint investments.
Phil Reitinger (40:48) discusses the necessity of global collaboration and policy initiatives like “Secure by Design” to enhance the Internet’s inherent security. He stresses the importance of international cooperation and sustained investment to address the complex, global nature of cyber threats.
Notable Quote:
“Cybersecurity is not unique here. You see this all around the world, not just in the United States, where there's a lot more uncertainty and people focus on the problems closer to home.”
— Phil Reitinger (40:48)
Looking ahead, Phil Reitinger (44:35) expresses optimism that the growing recognition of cybersecurity’s importance will drive governments and organizations to take collective action. He envisions significant positive change through initiatives like Common Good Cyber, leading to a more secure and resilient Internet infrastructure.
Komal Bazaz Smith (46:10) echoes this optimism, emphasizing the critical role of the Internet in economic prosperity and global peace. She highlights the momentum building towards a stronger, more secure Internet driven by collaborative efforts.
Notable Quote:
“We've got the Internet that underpins literally everything we do. And if I can do that, I think it really changes the game.”
— Komal Bazaz Smith (46:35)
Phil Reitinger (46:50) adds a crucial note on the nonpartisan nature of cybersecurity, advocating for a unified approach detached from political divisions to achieve effective outcomes.
Notable Quote:
“Cybersecurity has always been substantially a nonpartisan issue and it needs to remain that way.”
— Phil Reitinger (46:50)
This episode of The Lawfare Podcast provides a comprehensive look into the challenges and initiatives shaping Internet security today. Through the insights of Phil Reitinger and Komal Bazaz Smith, listeners gain a deeper understanding of the critical role civil society plays in safeguarding the digital realm and the urgent need for sustainable, collaborative solutions to enhance global cybersecurity.