Cybersecurity is the national security issue that will likely dominate the first one hundred days of the Trump administration. After his briefing with the intelligence community on Russia’s role in the election, President Trump announced that he would appoint a team draft a plan to “combat and stop” cyberattacks within the first 90 days his term.
There are no shortage of recommendations for the incoming administration to choose from. Individuals, think tanks and research organizations have advocated for new strategy documents, organizational realignments, and new declaratory policy. The president’s own plan, released during the campaign and elaborated upon in a subsequent video message, called for a greater role for the Department of Defense to secure private sector networks, a proposal that was criticized for upsetting the balance between civilian and military authorities.
Although these recommendations are all worthy of consideration, the best thing the Trump administration can to do improve U.S. cybersecurity is repair the relationship between Silicon Valley and Washington. The Silicon Valley-Washington rift has real implications for U.S. cybersecurity and foreign policy. An ugly fight between the two sides makes it more difficult to share cyber threat information, counter online extremism, foster global technology standards, promote technological innovation, and maintain an open internet. This week I authored a new Council on Foreign Relations Special Report on rebuilding trust between the technology companies and policymakers. You can find the report here.
The divide between both coasts began in 2013, when former National Security Agency contractor Edward Snowden disclosed U.S. intelligence programs, and has grown worse over the years. In reaction to the Snowden disclosures, U.S. tech companies realized they have an incentive to encrypt user data and assert their independence from the U.S. government given that almost 60 percent of their revenue comes from foreign markets. Encrypting user data improves cybersecurity, making it less accessible to states actors, criminals, and hactivists who would want to use it for nefarious purpose. It also makes it easier for criminals and terrorists to “go dark” and avoid law enforcement and intelligence gathering. As a result, many law enforcement officers and policy makers have argued that technology companies should provide backdoors, front doors, or other technical means to provide access to encrypted data. Tech companies have vociferously argued that weakening encryption weakens cybersecurity for all.
Despite a great deal of outreach in Silicon Valley, the Obama administration had little success in mending the rift. There is little pre-existing goodwill between the Trump camp and the technology companies that the two sides can draw on as they confront the difficult trade-offs that will be required to forge a compromise. As a candidate, Donald Trump targeted several tech companies for sending jobs overseas. Many in the technology community actively supported Democratic nominee Hillary Clinton and had close ties to the Obama administration. Differences between President Trump and tech leaders over immigration, trade, climate change, net neutrality, and antitrust regulation appear stark.
Repairing the rift between Silicon Valley and Washington will not be easy, but it is possible. There are four policy areas where meaningful progress can be made, ranging from relatively easy fixes to more difficult challenges. The private sector and the U.S. government have a shared interest in, first, creating a cyber workforce and, second, fighting the global trend of forced data localization. Deterring state attackers, the third area, is necessary more difficult and will demand new conceptual models that rely less on the lessons of the nuclear era. The fourth issue, a workable compromise over the deployment and use of encryption and lawful access to data, would be the most consequential step in restoring trust, but also the most demanding.
In order to make progress in these four areas, the United States should, among other measures:
- amend provisions of the Electronic Communications Privacy Act, using the U.S.-UK agreement as a template, to allow technology companies to provide data to foreign governments;
- attribute attacks more frequently and, for cyberattacks that fall below the use of force and armed attack threshold, devise and implement forceful responses such as covert cyber operations designed to disrupt future attacks; and
- strengthen law enforcement’s ability to conduct lawful hacking under strict judicial oversight and a clearly defined vulnerabilities equity process.
There is a significant risk that the D.C.-Silicon Valley rift widens if President Trump’s campaign rhetoric—like boycotting Apple over the encryption fight with the FBI or eyebrow-raising statements over cybersecurity–follows him into the White House. The U.S. government may take a much more activist role through regulation, the elevation of the Department of Defense as the lead organization in protecting critical infrastructure, and increased surveillance of domestic networks. The private sector may in turn respond with limited cooperation on information sharing, a greater focus on encryption and other technological solutions to defending their own networks, and individual efforts to make deals with governments around the world to smooth access to technology. Tensions are inevitable, but pragmatism from both sides can contain it and maintain the United States’ ability to shape cyberspace.