A New Cybersecurity “Social Contract”

The US National Cyber Director Chris Inglis wrote an essay outlining a new social contract for the cyber age:

The United States needs a new social contract for the digital age—one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each. Such a shift is momentous but not without precedent. From the Pure Food and Drug Act of 1906 to the Clean Air Act of 1963 and the public-private revolution in airline safety in the 1990s, the United States has made important adjustments following profound changes in the economy and technology.

A similarly innovative shift in the cyber-realm will likely require an intense process of development and iteration. Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense. Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Finally, both the public and private sectors must commit to moving toward true collaboration—contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.

The devil is in the details, of course, but he’s 100% right when he writes that the market cannot solve this: that the incentives are all wrong. While he never actually uses the word “regulation,” the future he postulates won’t be possible without it. Regulation is how society aligns market incentives with its own values. He also leaves out the NSA—whose effectiveness rests on all of these global insecurities—and the FBI, whose incessant push for encryption backdoors goes against his vision of increased cybersecurity. I’m not sure how he’s going to get them on board. Or the surveillance capitalists, for that matter. A lot of what he wants will require reining in that particular business model.

Good essay—worth reading in full.

Posted on February 22, 2022 at 9:28 AM21 Comments


John February 22, 2022 9:47 AM


New social contract…. Really??

Just get reconnected with our already proven morals and values.

People who forget the lessons of history are doomed to repeat them.


Clive Robinson February 22, 2022 10:04 AM

@ Bruce, ALL,

With regards,

“Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense.”

We know this is not going to happen.

1, Real Cyberdefense is a cost no shareholder is going to pay.
2, Nearly all the profit in the financial sector is based on deliberately created volatility and hidden information.
3, Shareholders will move capital abroad if you try to tie them in to longterm, as there is no short term profit to be made.

A look at history might be instructive. The Bretton-woods agrement made most financiers “spare t1t5 on a bull”. It was not untill Euro/junk bonds came along that we got the highly unstable financial markets we know have that are effectively “rigged” to suit a very very tiny number of people who control most of the liquid wealth.

Every time governments try legislation or regulation, to get stability and longterm growth, the finance industry comes up with a new scheme, to break it.

Thus the problem needs to be fixed earlier in the finance “supply chain”.

Bcs February 22, 2022 10:16 AM

This strikes me as something that could be significantly addressed via meaningful and relevant standards combined with truth in advertising laws.

If we can define terms around the various thing various people want and then ensure that if some actor say they are doing one of those things that they actually are, then people can make informed decisions about them. (And some will choose to make informed decisions that others disagree with, and society should be fine with that.)

Surveillance capitalism doesn’t seem like a problem to me directly. Rather it’s abuse as government surveillance by proxy and negligence in it’s security and deception about what’s being done. Beyond that, it seems like any other business transaction: I decide what of value I’m willing to give to get something of value. If the market wants privacy, then someone will offer that. If their is no maker for that but there’s a market for “limited use surveillance” then I see no reason the government should regulate that option out of existence.

Jeff Valoret February 22, 2022 12:29 PM

I think that’ll happen if this message is spread after a some major cyber incidents big enough to destroy lives. That’s what it takes for big regulatory change.

Sean Lynch February 22, 2022 1:04 PM

What about liability for breaches and other misuse of data? Requiring financial responsibility could be called a form of regulation, but it’s “market-based” in the sense that it would be up to the companies and their insurers what would actually constitute acceptable measures.

chris neglia February 22, 2022 1:29 PM

Until we-the-people (global citizens) are included as a co-equal partner in any and all “public-private” partnerships, then we’re always going to be frozen out by fascistic governments who have gotten us to where we are now: this corporate-controlled global nightmare.

I’m not impressed by the fruits of their so called ‘public-private’ partnerships (which is a retread of the word fascism or no-bid-contracts, etc)

No. Open source ; Open Hardware ; Open firmware ; Full Transparency ; Crowdsourcing ; Crowdfunding ; Crowdsourced audits ; Community policing ; Community determined rules and governance ; and most of all NO censorship of any kind. If you don’t like it, mute the person yourself — we don’t need nanny governments and hypersurveillance. We need agorism and voluntary relationships.

These things are the future. So any new “Cyber Social Contract” MUST include those things otherwise it’s a legal cryptomagical spellcraft to sneak in more invasive, intrusive, unwanted, kontrol mechanisms and government into our lives.

Look around you? Hows your governments working for you right now? And yet here I am on a laptop with linux mint using the best of open source tools in my daily life and they bring me nothing but productivity. People did that. NOT government.

Government gives you billy windows and windows update which undoes all the changes you did from the last update without your consent. It installs Alexa on your computer and 33 other backdoors. That’s what government does for you.

Ted February 22, 2022 1:40 PM

What’s interesting about this essay is not only its awareness and scope, but also the background of Chris Inglis.

Not only is Mr. Inglis the first US National Cyber Director, he also served as the Deputy Director of the NSA from 2006 to 2014. He’s held many other prominent and knowledge-intensive roles on top of that.

I appreciate that he sees the absurdity of placing small entities in the royal hot seat for cyber-incidents, and is instead looking to government and large firms to take on more responsibility in organizing this environment.

Regulations and system development can take years to come about. But Mr. Inglis seems to know where many things are positioned on this field. I appreciate that he’s so keenly aware of these dynamics and is sharing these thoughts with us. I hope his legacy is meaningful and constructive.

Clive Robinson February 22, 2022 3:08 PM

@ Ted, ALL,

I appreciate that he sees the absurdity of placing small entities in the royal hot seat for cyber-incidents, and is instead looking to government and large firms to take on more responsibility in organizing this environment.

Rhe problem with “cyber-attacks” is the political desire to bring them into the politicians domain. Which with central government that the guard labour given the job,

1, The military (and Intel Com).
2, The centralised Law Enforcment.

They in turn make “a big thing of it” instead of being pragmatic.

Nearly all cyber incidents are “criminal” and that is best handled by the same people that deal with criminal activity. That is the ordinary Police.

If you listen to the cyber-assesments, they are not about cyber-crime, untill ransomware finally went over the top.

But even now those assesments are agency “Empire building” not getting the actual job done of “policing”.

Because of this moronic machismo by central government agencies, the little crimes that need to be solved don’t even get looked at…

The result is a cautious cyber-criminal keeping the value of individual crimes down, will get almost entirely uninvestigated. So it’s not surprising traditional crime the police deal with is falling but cyber-crime has grown at an astounding rate.

Whilst central government agencies hardly communicate with each other at the base operational level, and swagger and act macho, and annoy just about every one they come in contact with, ordinary police forces tend to communicate better when given the opportunity.

Importantly not just within their own country but with other countries.

And that’s important because cyber-crime works better across international borders than it works locally unlike more conventional crime.

So if we want to stop cyber-crime which is actually more important than solving fake-news we need ordinary police agencies working across borders just as the cyber-criminals do.

Opening this up with careful legislation would make the biggest real term societal gains.

Ted February 22, 2022 5:31 PM


I was just listening to the confirmation hearing of Chris Inglis and CISA’s Jen Easterly from June 2021. Both talk a lot about team-building and coordinating public/private relationships.

I guess the day before their hearing, the House Homeland Security committee had a hearing on the Colonial Pipeline attack. The Congress members and both nominees talked some about that. However, that conversation focused more on preparedness and communication than it did on politics and policing.

I hope their job assignments and Congressional accountability help give them a sense of purpose and focus. As @Jeff mentioned, it will be interesting to see how these roles coalesce around real-world events.

ResearcherZero February 22, 2022 11:26 PM

A social contract? Ethical behavior and a sense of responsibility for other people’s information, and your own information?

I can think of a few reasons why that would be a good idea…

Wirecard chief operating officer was revealed as an agent of Russian intelligence—demonstrates the breadth and depth of Russian operations.

“The 40-year-old Austrian has led multiple lives, with complicated and overlapping commercial and political interests. Sometimes those interests cleaved to Wirecard’s aggressive expansion plans in frontier markets. Sometimes they coincided with Mr Marsalek’s own sprawling and unusual range of personal investments. And sometimes they seemed to fit neatly with the work of Russia’s intelligence agencies.”

Mr Marsalek is now a person of interest to three western intelligence agencies, according to officials in three countries.

In particular, they are intrigued by Mr Marsalek’s association with individuals or networks linked to Russia’s military intelligence directorate, the GRU

Executive at Wirecard suspected of using forged contracts

Titled “Project Tiger Summary” and dated May 7 2018, the presentation outlined potential violations of Singapore law, including “falsification of accounts” and “money laundering”. Mr Kurniawan remains employed in the same position of responsibility at the group’s regional head office in Singapore.

Wirecard claimed that KPMG concluded that no discrepancy was determined during the audit.

Publication of the KPMG audit sparked heavy losses that deepened as Braun faced tough questioning on a conference call with analysts. Shares were down 26%, erasing more than 4 billion euros from the company’s market value.

Wirecard AG is an insolvent German payment processor and financial services provider, whose former CEO, COO, two board members, and other executives have been arrested or otherwise implicated in criminal proceedings. In June 2020 the company announced that €1.9 billion in cash was missing. It owed €3.2 billion in debt. The company is being dismantled after it sold the assets of its main business unit to Santander Bank for €100 million in November 2020.

John February 23, 2022 2:37 AM


Isn’t it amazing that NO news media have called the Russian invasion what it is!!!

Can’t anyone think anymore?


Denton Scratch February 23, 2022 4:53 AM

“a digital ecosystem that equitably distributes the burden of cyberdefense.”

What an odd phrase. What does it mean? In conjunction with the phrase “public/private partnership”, it looks as if it might mean “Everyone and no-one is responsi

Denton Scratch February 23, 2022 4:54 AM

…responsible for cyberdefence”. Sorry. my comment got submitted prematurely. Damn this keyboard.

me February 23, 2022 6:38 AM

Since Russia and China seem to build a new block, the dynamic equilibriums in cybersecurity (holes vs. patching, etc.) probably must be shifted somewhat.

Petre Peter February 23, 2022 8:45 AM

Regulation in the tech industry is coming. The only question in my mind is if it will happen before a cyber catastrophe.

Clive Robinson February 23, 2022 11:25 AM

@ Petra Peter,

Regulation in the tech industry is coming. The only question in my mind is if it will happen before a cyber catastrophe.

In the US and other places “Regulation is in place” already.

The dominant feature being “business must snitch” to authorities BUT… Must not “tip off the user” in any way.

So I realy do not think further regulation will make the harvesting of data any more difficult, in fact I think it will make not snitching almost impossible with the way most use communications these days.

That so far failed Child Exploitation system Apple was going to put on everyone’s iPhone being just the visable edge of what the likes of the FBI / DoJ and other tyranical psychopaths want…

There is only one solutuon to that which is “move the security end point” not just “Off Device” but well beyond any communications path end point, and preferably with the human in the loop to act as a “tripwire come firewall”… That is compleatly the opposite of what those Three Leter Agencies want. So expect any future legislation contain legal requirments to “attempt” to combat that.

Rob April 8, 2022 12:55 PM

Well, a social contract implies both parties participate in the agreement. The government has been one-sided on all contracts for at least a century. Voters don’t have direct inputs, the ideas of individual decisions on social contracts would be viewed as criminal or treasonous against the one-sided parties decisions. Obviously, anyone who mentioned not wanting their social contracts, or laws based on social contracts, is someone that is against them and their laws, in their opinions.

Further, the government commonly uses online hacking and stalking tactics to harass individuals. That corrupt tyrannical government is not going to choose to allow anyone an input to a social contract that will eliminate their black op invasions of people’s property or online activity. And if they are forced into a social contract, perhaps via some law they pass and never read, the government will simply go overseas, use allies, or use contractors to invade and harass citizens online.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.