Cyber threats to the United States are escalating in sophistication and magnitude, but mistrust between Washington and Silicon Valley continues to stymie progress on cybersecurity. In a new Council Special Report, Adam Segal examines the security risks exacerbated by the divide between government and the technology community and offers policy recommendations to help restore trust.
In addition to rising cybersecurity threats, the [Donald J.] Trump administration will inherit a growing political divide between Washington and U.S. tech firms that stems in large part from the disclosures by NSA contractor Edward Snowden, writes Segal, the Council on Foreign Relations’ Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy program.
Although numerous government officials have traveled to Silicon Valley over the past several years, narrowing the gap will not be easy in part because technology firms operating as global platforms have strong economic motivations to keep Washington at a distance. Potential adversaries will continue to use hardware and software developed by U.S. companies and thus law enforcement and intelligence agencies will persist in exploiting the vulnerabilities in these products, he adds.
Segal asserts that repairing the rift will not be easy, but there are areas where the two sides can find common ground. The report, Rebuilding Trust Between Silicon Valley and Washington, notes that the two sides can work together to:
Create a vibrant cyber workforce. The private sector and the U.S. government both benefit from growing the labor pool of qualified cyber professionals. Fight the global trend of forced data localization. U.S. tech companies and the U.S. government share an interest in opposing requiring tech companies operating abroad to store data locally. Deter state attackers. Although companies must improve their own defenses, policies taken to deter the most sophisticated state actors would be an important step in reducing the threats and thus restoring some measure of confidence in the technology sector that the government can effectively address the cybersecurity challenge.
Forge a compromise over the deployment and use of encryption and lawful access to data. A broad policy and legal debate to define the parameters of the hacking, followed by strict judicial oversight, would ensure that lawful hacking is used responsibly, much like the restrictions that already apply to wiretapping.
Segal also outlines several policies the U.S. government should pursue on these issues:
continue support for the U.S. Digital Service (USDS), a technology consulting team drawn from the private sector, and create a highly specialized cybersecurity service within the U.S. government
amend provisions of the Electronic Communications Privacy Act, using the U.S.-UK agreement as a template, to allow technology companies to provide data to foreign governments
attribute attacks more frequently and, for cyberattacks that fall below the use of force and armed attack threshold, devise and implement forceful responses, such as covert cyber operations designed to disrupt future attacks
strengthen law enforcement’s ability to conduct lawful hacking under strict judicial oversight and clearly defined protocol on when to disclose information about computer software security vulnerabilities
