How the next president can bridge the internet-cyber gap

Editor's note:

This post originally appeared on the Lawfare blog.

In a recent paper, I reflect on my experience in the Obama administration and draw lessons about policymaking on issues for that space.  As the General Counsel at the Commerce Department—where I performed the duties of the Deputy Secretary for the majority of the more than four years I was there, and those of the acting Secretary for a spell—I found myself drawn into issues like surveillance, norms for state behavior, and security far more than I could have anticipated going in.  These matters have significant effects on other issues that are core to the Commerce Department mission, such as technological innovation, competitiveness and international data flows, and global internet governance.

The paper is entitled “Bridging the Internet-Cyber gap: lessons in digital policy for the next administration.” That’s an allusion to an observation by Danny Weitzner, then Deputy Chief Technology Officer at the White House Office of Science & Technology Policy, at a meeting of economic and security agencies that, “this world is divided into people who call it ‘the Internet’ and those who call it ‘cyber.’”  The former tend to be techno-optimists who focus on the economic and human potential of information and communications technology, whereas the latter focus on the darker side of that technology—threats, exploits, bad actors, and applications to warfare.

We saw that divide in the initial response to the Snowden leaks in 2013. Almost immediately, President Obama sought to assuage concerns about the Section 215 program by saying that “nobody is listening to your phone calls” and stated that PRISM surveillance under Section 702 “does not apply to U.S. citizens and it does not apply to people living in the United States.” These responses were fighting the last war, aimed at distinguishing the Snowden revelations from the decades-earlier revelations about FBI and CIA domestic surveillance that led to the creation of the Foreign Intelligence Surveillance Act in 1978.

The President’s response did not address the impact of the leaks on companies identified in the documents released by Snowden and on international issues from trade to privacy and internet governance. This omission waved a red flag to those outside the United States. The resulting firestorm hastened the demise of the Safe Harbor transatlantic data transfer framework at the hands of the Court of Justice of the European Union and saw allies join less friendly nations in considering data localization and some kind of multinational takeover of internet governance.

Three years later, the landscape is different. The Obama administration has learned a lot from its experience of managing the Snowden disclosures and has taken numerous steps to restore trust and integrate a broader outlook into its policymaking in the digital arena.

We’ve seen reports from the president’s special review board on surveillance as well as the Privacy and Civil Liberties Oversight Board; President Obama’s January 2014 announcement of surveillance reforms and Presidential Policy Directive 28 declaring that foreign citizens outside the U.S. should receive protections for privacy and dignity comparable to those for American citizens; a transformation in transparency about intelligence programs; the enactment of the USA FREEDOM Act and Redress Act, among other things. We’ve also seen the White House expand and empower its technology staff and involve them, and other agencies, in decisionmaking on issues in the traditional national security (or “cyber” as opposed to “internet”) sphere.

Issues surrounding the digital economy and technology have become mainstream. For most of my time in the administration, I was the senior official focusing on international and commercial privacy issues. Now that official is the president.

My paper asks, “What will the Obama administration leave behind? How much will the collective understanding developed over the course of the current administration survive the senior officials who leave? Or will entropy set in?”

Drawing on my observations and experience as well as discussion with participants and stakeholders, I make the following recommendations about how to ensure the next administration learns from these successes and failures:

  1. National security policymaking needs to reflect the importance of economic issues in general and the digital economy in particular. We pay lip service to the relationship of the economy to national security. We need to do more to reflect it. The digital economy is more resilient and faster-growing than the economy as a whole. That will continue, and it will present great opportunities and challenges (think autonomous vehicles, for one example). The health and wellness of the digital economy and the systems and technology that support it are vital U.S.  interests.
  2. The president and other top leaders need champion an interconnected world. It took President Obama’s personal engagement to change the trajectory of damage from the Snowden disclosures. It will take advocacy and engagement from the next president and cabinet officers to press these vital interests and promote the benefits of a digital economy and open, interoperable networks around the world.
  3. The organization of the executive branch around digital issues should reflect their scope and significance. Advocacy and engagement at the top needs to be supported throughout the government, and economic issues integrated with national security:
    1. White House decision-making should reflect the breadth of issues involved. The National Security Act of 1947 gives the president the authority to establish who participates in the National Security Council. The Obama Administration established the position of Deputy National Security Adviser for International Economics, and its directive on NSC operations says this adviser, along with the National Economic Council, the Trade Representative, and the secretaries of Commerce and Treasury shall participate in the NSC when “international economic issues are on the agenda.”  There should be a presumption that these agencies will participate in the NSC and its interagency processes. Executive orders spelling out more of the processes of the NEC, Domestic Policy Council, and National Science & Technology Council and how their work relates to national security and digital issues would help put them more on a par with the NEC.
    2. Every agency needs to be part of the digital agenda. The Commerce and State Departments have senior advisers on digital issues reporting directly to the secretaries and coordinating across their agencies. Commerce Secretary Penny Pritzker has made the digital economy a top priority. Every agency needs to consider how will engage in this arena.
  4. Open the architecture of decision-making affecting the digital economy and the ecology of the internet.  Multi-stakeholder, iterative, and adaptive decision-making works in this space because it is complex and continuously changing. The agencies that have been effective are those that have a great deal of interaction with outside stakeholders—businesses, academics, civil society, and foreign governments.
  5. Personnel is policy. Structural changes in decisionmaking will work only if the right people are in the right places. Increasingly, understanding of things like the architecture of the internet, the mechanisms of cybersecurity threats, and the role of information and technology in the future are as necessary as some basic understanding of economics or how a bill is passed. More and more government positions will demand this literacy. The paper includes as an appendix a “Digital Policy Plum Book” identifying positions in the executive branch where this applies, including many where digital fluency is essential to the job.