RAND Hosts Cybersecurity Exercise


Sep 3, 2015

Digital internet security concept

Illustration by MF3d/iStock

The ever-more-critical discussion of cybersecurity should not be trapped within narrow technical, national security, or legal stovepipes and should include an examination of economic, civil and societal factors. With that goal in mind, RAND this week hosted an all-day, analytic exercise on cybersecurity, called Cyber 360 Exercise, at its Washington office.

The exercise was designed to elicit insight into the current national cybersecurity dialog. Participants came from academia, government, the private sector, academia and think tanks, media, advocacy groups and foundations and included individuals with legal, economic, technology, policy, security and privacy experience.

The exercise was structured around two cybersecurity vignettes that presented potential futures in which emerging cybersecurity problems produced fundamental challenges to society. Teams were asked to account for a variety of societal perspectives and present solutions that balanced competing interests. Specified viewpoints included individual and collective security, privacy and civil liberties, long-term economic prosperity, and effective rule-of-law, among others.

The scenarios, both of which were set on the Ides of March 2021, examined two hypothetical, and somewhat dystopian, futures. In the first scenario the Internet-of-Things has become an essential part of our personal and work lives. But with it has come a new wave of cyber crime that exploits Internet-of-Things devices to steal more information about us and extort individuals and small business. Similar capabilities are also wielded by adversarial nations and used to advance their agendas—presenting a national security problem. The second scenario, escalating breaches of personal identifying information, including driver license databases at the state level, caused a crisis in which our system of identification and authorization—designed to let legitimate users in and fraudulent users out—failed to do either. This second scenario put at risk the credentialing of personal authentication that provides the trust foundation upon which modern, complex societies operate.

In both cases the group needed to take into account a variety of factors, including security, technology, civil liberty, rule of law, privacy, and economic considerations.

If you would like information about future cybersecurity events at RAND, please email Cyber_Colloquium@rand.org.