Catherine Lotrionte (G’99, G’08) is associate director of Georgetown’s Institute for Law, Science and Global Security and a longtime expert in cybersecurity. In partnership with the Lawrence Livermore National Laboratory and private industry, she directs Georgetown’s Cybersecurity Project, which focuses on the role of international and domestic law in recent cyber technology and cyber threats. A visiting professor of government and foreign service, she previously served as assistant general counsel at the Central Intelligence Agency and in other high-level government positions. Lotrionte talks with Blue & Gray about the major problems in cybersecurity, the need for countries to work together on reform and Georgetown’s contributions to the field.
Q. In general, what do you see as the most pressing issues in the field of cybersecurity today?
A. There have been some discussions among certain states, which is problematic, about disconnecting or creating their own independent Internets. States like China want to do it to censor and control what information gets out to their own citizens. Other states will do it from a national security defensive posture because they’re concerned about the vulnerability of their critical infrastructures that are connected to the Internet.
For the majority of experts in this area, they do not think that this is an option – that there is a lot of advantage the world has gained – especially for developing countries – by being connected. Everything from the ease of online banking, where some countries don’t even have the infrastructure, but through the Internet people can do their banking. If one thinks about cutting that off, you’re going to be negatively impacting the world economy, never mind the world discourse in international relations, diplomatic relations.
Q. What are the technical problems involved in cybersecurity?
A. You have to concentrate on the problems, the weaknesses that are built into the system when they were first created, the networks and the Internet itself. It wasn’t established with the thought of security – it was about openness – the predecessor to the Internet was created to have a means of widespread communication. So now – it’s like using band-aids, we have to go back to the original systems, and the original algorithms that created the systems, whether it’s the domain name system, which has vulnerabilities in it, or other systems.
In March we’re having a large international conference at Georgetown bringing in people from the U.S. government, foreign heads of state and also think tanks from around the world and U.S. academics and their foreign counterparts. The purpose of the conference is to focus on cybersecurity problems, because this truly is an international problem. Every state needs to first look internally, especially the U.S., and basically take care of vulnerabilities in our system, because it’s not just that we have vulnerabilities that put us at risk. Other bad actors, not in the United States, will use our vulnerabilities and our gaps in security to launch other detrimental effects or attacks against other states.
Q. Is there likely to be consensus about this issue internationally?
A. While there might be some nuances and differences, particularly because of the different cultures and laws of each nation state, there has to be some kind of agreement on rules of the road or standards for security, and also rules of the road when it comes down to behavior in the domain of cyber, whether they are using force or acting in self-defense to an attack. These rules have not been set down yet and agreed to. And that’s why international engagement is important. You’ll see a new development of rules of engagement, under the auspices of international law. It may not be in the form of treaties per se but there has to be the development of these agreed norms.
Q. Can you talk about the Institute for Law, Science and Global Security? What is the purpose of the institute and what kind of research is being conducted there?
A. The institute has a long history. It was established after WWII under a different name with the focus of law and international relations as it relates to politics. Then the government department created the Institute of International Law and Politics. I later renamed the institute to reflect the multidisciplinary work we’re doing, and brought Georgetown’s Center for Excellence for Information Assurance into our Cybersecurity Project. We also collaborate with the Law Center, the computer science department and the business school. I am also the liaison for the Program on Nonproliferation Policy and Law, funded by the Defense Threat Reduction Agency in cooperation with the Monterey Institute for International Studies’ James Martin Center for Nonproliferation Studies. We have support for our projects from the federal government to have both graduate and undergraduate students involved in research. The institute has truly become multidisciplinary both in our research, our events and in our academic programs.
Q. How is Georgetown viewed in terms of its contributions to cybersecurity?
A. In a matter of just two years, by bringing together our strengths, Georgetown now not only has its name in the press, we’re recognized as having an impact in cybersecurity, and we actually have the government coming to me and saying, “we want to fund some of your events and your research.” It’s fabulous. Because we’ve been able to hire students, and have students publish in the area and get jobs because of it and get clearances. I see that as very rewarding being at a university being able to do that.
Q. I understand you are working on the books about cybersecurity. Can you talk about them?
A. I have a contract with CQ Press on a book involving U.S. national security law from the end of the Cold War to the present that will be completed in a couple of months. And I have another book with Georgetown University Press on cyber both as an instrument of power and intelligence and national security, but also drawing upon big challenges for states. That book will be out in 2012.
Q. WikiLeaks has been in the news a lot. Do you think the cables are an act of cyber war, as some pundits have suggested?
A. There were certain tools employed that also would be used in a cyber conflict. Typically when you talk about cyber war, you think about the espionage and attack aspects of it. But in this case, it wasn’t one state stealing documents to gain an advantage economically or militarily. If it had been a state, hypothetically, this act could have led to an armed engagement, but that’s not the case here.
People will take their internal security more seriously because of this – they’ll have to. There will be a better look at the use and development of security tools. Internal security with respect to the people who are approved for access will get more scrutiny, and that will help on the insider threat. Better security may prevent the next insider threat.