Digital Libertarians and the Problem of Cyber Statecraft – The American Conservative

Imagine a country that promised young people exciting careers in a multi-billion-dollar industry in exchange for physical protection services, and where the marketable degrees and high-paid jobs were for becoming mercenaries to escort fellow citizens as they commuted and shopped, or else to guard the premises of big banks and corporations. Does this country have a government, you might ask? This is Somalia, right? No, this is the United States. And the industry is cybersecurity.

Securing U.S. interests in the 21st century will mean adapting to the reality of cyberspaces evolution from its brief age of innocence in the 1990s. The United States back then promoted the internet with a policy to advance Western visions of societal openness, civil transparency, and global commerce. In the last decade, however, U.S. adversaries have wielded cyberspace as an instrument of statecraft to contest that vision. Headline after headline proves cyberspace to be a fifth domain of competition and conflict (after land, sea, air, and space), differing from the other domains only in that it is manmade and thus inherently political.

Improving national cyber defenses requires American policymakers to reshape the nations relationship with the internet. For that to happen, Americans must admit that wholesale and uncritical adoption of digital connectivity entailed unforeseen and unacceptably risky cyber dependencies in every dimension of public and private life. There is a tradeoff between digital openness and cyber security, and we must understand that the nation allowed strategic vulnerabilities to emerge because we opted for openness in a domain ripe for weaponization.

How we should pivot to better footing in this fifth domain of competition and conflict is the fundamental problem of American cyber statecraft. Three scenarios, pursued as industrial and technology policy individually or orchestrated across overlapping time frames, suggest approaches to this problem: 1) The government defends critical national assets by taking the lead in insulating or decoupling them from the internet; 2) The United States becomes the angel investor for a more secure internet architecture; 3) Private software developers of American information and communications technology (ICT) companies meet stretch goals set by the government for designing, producing, and selling more secure software.

Bolstering U.S. cyber defenses entails a political choice to realign the internet to American interests in national security. We have been here before. The United States created the internet to advance national security and only later promoted it with a vision of digital openness and globalization. The predecessor to the Defense Advanced Research Projects Agency (DARPA) built the internets foundation in an effort by the Pentagon to ensure continuity of operations in the event of nuclear attack. Following U.S. victory in the Cold War, policymakers in the 1990s pivoted to a peacetime application of the internet by creating a legal framework to encourage private competition and openness in a domestic market of telecommunications and ICT companies that became internet service providers (ISPs).

Thus, what began as a U.S. shield against nuclear decapitation became an American tool for shaping the world in its image of openness, transparency, and commerce. For example, the Federal Communications Commission exempted ISPs from costs associated with long-distance telephone carriers and interpreted the Telecommunications Act of 1996 such that broadband networks rivaled regional phone companies. Congress also passed the Communications Decency Act in 1996 with a stipulation that exempted ISPs from liability for third-party content posted on their platforms, effectively licensing a digital commons for the free exchange of ideas. Finally, the United States in 1997 used diplomacy to spur the reach of the internet worldwide when it negotiated commitments from 67 countries through the World Trade Organization to ensure commercial competition in burgeoning telecommunications markets. These policies opened the world to a globalized internet offered by American ISPs and ICT companies.

Most debates about the future of the internet neglect this political origin story of cyberspace, biasing U.S. policymakers and private stakeholders away from conceivable (albeit radical) options to improve national cyber security. A universalist, techno-optimist myth about the internets emergence and nonpolitical naturecentered in a libertarian imagination about Silicon Valley entrepreneursnaively ignores the underlying national security interests implicated by a U.S.-fostered cyberspace. As told by technology enthusiasts and big ICT companies and ISPs, this myth omits the presence and parentage of U.S. industrial and technology policy and consequently is silent about the internets inherent political nature.

Digital natives such as Facebooks Mark Zuckerberg, who were raised in the 1990s era of a U.S.-directed internet and now head important American tech companies, assumed that liberalizationsocietal openness, civil transparency, globalized commerceare nonpolitical givens or enduring universals of the digital age. They resist renegotiation of the internets regulation or governance by the United States as unnecessary or harmful because anything that impedes worldwide connectivity and opennessas they define itis bad. Meanwhile, every innovative use of the internet as a political warfare weapon or measure of internal population control by states like Russia or China is a shock to them.

This techno-optimist myth, and the commercial interests it serves, is delaying the United States from adjusting to the reality that the liberal digital order it fostered leveled the playing field of cyber warfare. It keeps American statesmen spellbound from conceiving how the internet could be otherwise and from thinking in terms of cyber statecraft. How could our experience of the internet be otherwise?

Because cyberspace grew from a U.S. public-private partnership that reflected American interests at the time in openness, updating that partnerships terms to acknowledge new interests in security is surely legitimate. Of course, the U.S. does not have the same shaping power over the internet as it did in the 1990s, because the internet now is a complex global system in which foreign companies and governments participate. Therefore, improving the nations cyber security requires thinking harder about what it would really take to make the U.S. public and private sectors more secure. A renegotiated public-private partnership between government and American industry would be necessary for any strategy to achieve this.

The first area to improve is the cyber security of critical infrastructure connected to the internet. Specifically, the government could assert itself as the primus inter pares defender of American cyberspace for a designated subset of assets among our 16 critical infrastructure sectors. In this area, the government might go beyond its current voluntary and cooperative head coach role to be the team lead network defender.

As a start, the government could supervise the detachment of critical national infrastructure from the internet and subsidize the creation of air-gapped intranet systems to ensure separation of their operational technology (e.g. programmable logic controllers) from the worldwide internet. To patrol the internal cyber borders of these intranet systems, a Cyber National Guardwhich is developing alreadycould deploy or deputize federal watch operators in control rooms of designated national assets. Many companies fail to report breaches to the authorities out of fear of market loss or because they misrepresented their cybersecurity standards to the government. Thus, relieving companies operating critical infrastructure from the cost of employing elite cybersecurity professionals, whose jobs do not add to the quarterly bottom line, makes common sense.

The second area to improve is the cyber architecture upholding public internet traffic. Better digital forensics and proactive scanning of network traffic for botnets and malware attacks are needed, for example through methods that scale up deep packet inspection. If the United States were to be the angel investor for a more secure internet architecture, it could shift the balance of cyber power to network defenders. Although no device examining cyberattacks and identifying the attackers intrusion set in real time is likely to be available before a breakthrough in artificial intelligence-assisted computer network operations, innovations on fundamental data transmission processes could boost the quality of digital forensics. Perhaps DARPA, in conjunction with the National Science Foundation, could intensify the provision of seed capital for research and development to improve digital transmissions into data packets containing traceable signatures.

An internet architecture that shifts the balance of cyber power is vital because critical national functions depend on ICT companies and their network defenders, who often have better insight than the government into hostile hacking operations. Most government agencies outside the military and intelligence community connect to the internet, and are regularly attacked by cyber-intruders from around the world. Even air-gapped intranet systems such as classified government networks protect computers reliant on private vendors with global supply chains for updates, patches, and next generation operating systems (e.g. Windows 11), which creates attack vectors from the outside. For example, the 2020 cyber-intrusion into the SolarWinds company that gained Russias foreign intelligence service access to sensitive U.S. government unclassified systems, and which forced the Pentagon to shut down its classified communications that were running SolarWinds software, demonstrated the threat to state agencies from a digital supply chain attack on a private company.

In the third area, the government could challenge and incentivize private sector software developers and ISPs to make a generational improvement in the integrity of their software code. Malicious cyber activity is currently so easy because private sector software engineers do not prioritize information security when building software and computer network systems. If computer engineerings quality and security controls were applied to civil engineering, the everyday collapse of bridges and tunnels would spark a national uproar. Yet, American users of digital infrastructure simply accept as normal the crashes and breaches of faulty software design.

Edward Amoroso, a former senior vice president and chief information security officer at AT&T,stated that the most valuable contribution government can make to cyber security involves providing incentives for software makers to create more correct code. One way to achieve that is to award grants and accolades to software developers that program with secure development coding standards and practices and design with zero trust architecture. For instance, the National Institute of Standards and Technology could sponsor a market challenge to the first software developer to use artificial intelligence or machine learning to reproduce an operating system with more secure code.

Shifting the nations footing in cyberspace from uncritical connectivity toward determined security means accepting the political nature of the internet. Cyberspace is the fifth domain of geopolitical competition and conflict, not merely a virtual marketplace for private commerce. Serious proposals that would make the American public and private sectors secure demand that statesmen accept geopolitical realism about international relations and reject the techno-optimist myth of the Internet. To resolve the fundamental problem of American cyber statecraft, industrial and technology policy for a more secure future is the only choice we have left.

Nathan Hitchenis a writer living in Virginia. He is a graduate of the Institute of World Politics, Johns Hopkins SAIS, and Rutgers University.

Read more here:

Digital Libertarians and the Problem of Cyber Statecraft - The American Conservative