The 2016 Democratic Party Platform promises to strengthen national cybersecurity and privacy by deterring aggression and promoting peace. Unfortunately, it's rooted in the same failed, hawkish approaches of the past that have turned our nation's databases and networks into easy targets for criminal hackers and foreign governments.
Instead, an effective cybersecurity platform rooted in progressive values would both improve the resiliency of our digital systems and better protect civil liberties and privacy rights that are fundamental to American democracy.
While corporations store massive amounts of information on just about everyone, they have outsourced the ultimate responsibility for cybersecurity to the government. Yet, instead of improving our networks’ security, our intelligence and law enforcement agencies have used corporate information storehouses to access as much information as possible in their hunt to identify bad guys.
As a result, everyday Americans are left with no choice but to keep using systems that are routinely hacked and constantly surveilled.
The government's priorities for securing networks don't just put civil liberties at risk; they also leave Americans vulnerable to criminals who can track them online, break into bank accounts, infiltrate critical infrastructure, and steal our most sensitive information to sell for a few dollars on internet black markets.
Progressives and libertarians alike have championed the defense of civil liberties and privacy rights, but without a robust cybersecurity agenda of our own, techno-illiterates and security hawks will continue running amok with their collect-it-all initiatives, wasting billions of dollars while making the world less safe.
To counter this, we propose a progressive cybersecurity policy platform – one that prioritizes improvements to the resiliency of our digital networks and minimizes the damage from hackers targeting these key systems.
Consumer rights and corporate accountability
Corporations collect massive amounts of sensitive information about consumers, yet leave these databases so unprotected that they are frequently breached. The proliferation of data, and therefore targets for online criminals, can be minimized by regulations that ensure consumers have control over who can access their data while knowing how the data is stored.
Similarly, progressive champions like Sen. Elizabeth Warren (D) of Massachusetts should push for regulations that hold corporations financially liable for failing to adequately protect consumer information. The retail giant Target settled its massive 2013 breach, which exposed roughly 40 million customer credit and debit card numbers, for tens of millions of dollars – an amount unlikely to change the behavior of a corporation with tens of billions of dollars in annual revenue.
Regulatory changes are needed to encourage corporations to adequately invest in cybersecurity – and to stop hoarding sensitive customer data without good reasons. Additionally, national regulations with clear requirements and penalties will clear up the uncertainties of disparate state laws and judicial decisions that obfuscate the real financial liability of corporations.
Criminal justice reform
When former head of US Cyber Command Keith Alexander went to the hacker gathering at DEF CON to convince the best security researchers to work for government, hecklers shouted him down: "Stop arresting us!"
Government relations with the security research community have been ruined by laws such as the Reagan-era Computer Fraud and Abuse Act (CFAA), which allows prosecutors to target the security and civic hacker communities with the threat of decades of prison time for pranks, security research, and potentially sharing your Netflix password.
Unless cybersecurity experts join with the criminal justice movement to take on the rampant overcriminalization of everything from security research to modest pranks, the best of the best will remain estranged, even as breaches like the Office of Personnel Management hack target our government.
Thankfully, libertarians like Sen. Rand Paul (R) of Kentucky are already joining with progressives to reform the CFAA by pushing to enact Aaron’s Law, which would leave violations of a website's terms of service or an employer's computer-use agreement to the civil courts, rather than letting them be used to prosecute and harass hackers.
Rule of law
Law enforcement agencies have been hacking computers and networks for years without clear oversight or restrictions. As a result, cases against child pornographers have been botched, and we have seen wasteful and dangerous incidents such as the FBI’s purchase earlier this year of an iPhone exploit that it then refused to disclose to Apple.
The rules for law enforcement hacking must be clearly delineated by Congress, not slipped in through an administrative update such as the change to the obscure Rule 41 of the Federal Rules of Criminal Procedure. Law enforcement hacking needs to take place under a strong framework of public transparency, with clear requirements to report software vulnerabilities so they can be patched, and public reports on prior operations that enable meaningful oversight of these initiatives.
Complicating the application of the rule of law to cyberspace, the head of the National Security Agency and the head of US Cyber Command have traditionally been the same person. The two organizations operate under different titles of US law – Title 50 intelligence authorities for the NSA and Title 10 military authorities for Cyber Command – and collocating their operations allows government lawyers to pick and choose which set of rules applies at any given moment. This bureaucratic split personality has resulted in the further militarization of our intelligence agencies and the deprioritization of activities focused on securing vital communications and private information.
While many security hawks want to enable intelligence agencies and law enforcement to access an ever-increasing part of cyberspace to hunt down criminals and terrorists, this approach has effectively weakened cybersecurity for everyone – especially heavily networked countries such as the US.
Separating the NSA’s Signals Intelligence Directorate (tasked with breaking into networks) from its Information Assurance Directorate (tasked with keeping people from breaking into networks) would ensure that top government cryptographers are building more secure systems – and are not simultaneously mandated to sabotage them.
Similarly, the FBI and the Senate Select Committee on Intelligence leadership are leading the campaign against strong encryption, creating new threats to cybersecurity. The public should benefit from the security standards created by agencies like the National Institute of Standards and Technology, and these standards shouldn’t be inhibited by intelligence agencies’ intelligence-collection efforts.
Better tech diplomacy
Despite its flaws, the 2015 agreement between President Obama and Chinese President Xi Jinping to oppose theft of commercial intellectual property has already led to a tangible decrease in Chinese cyberattacks. The US should develop a comprehensive diplomacy agenda for reducing attacks, along with arms control agreements that curtail the global market for malware and vulnerabilities.
This platform is built on a foundation of resiliency. No government can or will stop every cyberattack, yet we can and must reduce the value of these attacks by minimizing the damage they do and enabling speedier recovery. Perhaps surprisingly to many cyberhawks, this focus on resilience is the same framing used in the Director of National Intelligence’s Worldwide Threat Assessment.
Progressive and tech advocates must begin to engage with cybersecurity policy in earnest. Without policy experts capable of translating progressive ideals into digital policy, laws will continue to be crafted by those who view the internet as a space to surveil and a domain of war, not as a space for overcoming barriers, growing commerce, and spreading humanity's best ideals.
Karl Grindal is a fellow at X-Lab, a venture focusing on tech policy interventions. Follow him on Twitter at @karlgrindal.
Jeff Landale is the executive assistant at X-Lab. Follow him on Twitter @JeffLandale.