We are standing at a critical juncture in our collective digital history.
The rise of cybersovereignty – or, as it might be more accurately called, cyberfascism – has ushered in a global wave of censorship, surveillance, monitoring, and filtering that could directly hamper, or even reverse, the spread of a free and open internet.
Once inaugurated, in his first 100 days President-elect Donald Trump needs to take immediate steps to establish a clear and effective cybersecurity policy and engage the global community in the realms of both digital offense and defense. The latest election hacking issues posed by Russia must be addressed, but it is also imperative that Mr. Trump works holistically to establish global norms to promote stability and the internet freedoms that have benefitted US corporations and the government.
After Wednesday's press conference in which Trump denied that hackers compromised the Republican National Convention (RNC) before election but acknowledged the range of actors and their ability to impact US national security, it's all the more necessary that he works to understand the full scope of adversaries' cybercapabilities, what they are targeting, and develop a coherent national security plan accordingly.
As a candidate who ran on altering the status quo, Trump's first step should be to end the broken loop of decades-old debates on information sharing and encryption, which have either already been addressed in the private sector or are too widespread and advanced to be globally hindered. Instead, Trump needs to turn his immediate focus to the modern threats facing the US and craft a coherent declaratory policy that reinforces the global norms of appropriate behavior in cyberspace. Without it, other states will fill the vacuum in ways opposed to US national and economic interests.
A good initial action would be modernizing US policy – which is currently based on the vague, out-dated, and anachronistic Computer Fraud and Abuse Act of 1986 – with specific guidelines for appropriate private sector behavior in cyberspace. Without clear guidelines, some in the private sector have recently become more active in responding to the onslaught of targeted attacks by trying to hack back, or enter external networks for objectives such as investigations, data retrieval, and even destruction.
Given the financial and reputational impact of the attacks suffered, some in the private sector have, and will likely continue to, fight back in cyberspace in cases where they see it as their only course of action. However, besides the escalatory risks, "hacking back" often isn’t that effective thanks to dynamic adversary infrastructure and the ease of data duplication.
Therefore, to maintain the government’s monopoly on the legitimate use of force, Trump should develop a greater declaratory policy and make explicit the repercussions for digital theft or attacks. To date, the US government has attributed only four attacks that resulted in sanctions or indictments. The recent attribution of the DNC attacks to Russia is the latest and resulted in additional sanctions aimed at their intelligence and defense organizations, the closure of two Russian compounds in New York and Maryland, and persona non grata status for 35 operatives.
This was a strong move to help sharpen US declaratory policy, but more must be done. Attackers need to know what they might be in for if they attack the US or its companies. Absent clearer ramifications for the majority of attacks, state and nonstate actors will continue to attack without fear of any retaliation. Done correctly, this will not only deter adversaries, but also make the private sector more confident in the government’s ability to step in and act, which should remove the will to take offense into their own hands. It also can help harden defenses and encourage innovative information security research by clearly stating the parameters of legal activity.
Once these policies are clear, the Trump administration must think more broadly and work with the private sector to foster an agenda that actively promote a free and open internet with global access. This moves well beyond resolved debates about information sharing and focuses on active collaboration to promote internet freedoms.
Facebook has an effort underway to attain global internet penetration via drones. Google’s Project Loon is using hot air balloons to provide internet access. On the policy side, Microsoft released a report in June on implementing digital norms to defend technology at a global scale. By supporting and coordinating better with the private sector, the Trump administration can avoid policies that are technically infeasible or detrimental to US defenses (e.g. Wassenaar Arrangement), while leveraging his business background to provide a larger role for the tech and cybersecurity communities in informing policy.
Resetting US domestic digital policy will also help the Trump administration establish appropriate global behavior. This is important given the spread of cyberfascism not only in authoritarian countries such as China and Russia, but also in regional powers such as Brazil, Turkey, and Ethiopia. Though this might seem secondary to US priorities, because multinational corporations operate across borders, companies with a presence in a country with less internet freedom (i.e. Amazon operating in China) could be pressured to provide access to users’ personal information, intellectual property, or both.
Finally, the Trump administration should leverage global institutions created and shaped by the US to formally craft global norms for the cyber domain. For example, the Budapest Convention on Cybercrime and the UN Group of Governmental Experts are pushing forth the US vision of a free and open internet and beginning to implement baseline criteria and commonalities across the global community. Cyberattacks have recently been added to NATO’s Article V. These forums will help to establish global norms and determine which online activities are appropriate, and which warrant a retaliatory response.
Trump comes into office at a time of global uncertainty about internet freedoms. But now is not the time for retraction. Instead, the US should assert its power and influence to preserve a free and open internet.
Dr. Andrea Little Limbago is the chief social scientist at the cybersecurity firm Endgame. Follow her on Twitter @limbagoa.