One of the major lessons I learned serving as the Director of National Intelligence for over six years was that cybersecurity must be a team effort. Whether it’s protecting intellectual property, personal data, critical infrastructure, trade secrets, or any other valuable cyber-dependent activity, the government and private sector must share, collaborate, and coordinate.
The Russian invasion of Ukraine shows how and why. American technology companies have helped the Ukrainian government thwart cyber assaults, efforts that President Volodymyr Zelenskyy himself has commended. They have also enabled Russian citizens to obtain uncensored facts about the war. Indeed, this war has seen cyber offense and defense take their places alongside the more “traditional” kinetic weapons, like Javelins, Stingers, and long-range artillery.
What we’re witnessing in this war should be prompting us to deepen even further the public-private partnership between technology companies and the government. Regrettably, some policy-makers, in a well-intentioned effort to regulate the influence technology companies have in our society and political discourse, may inadvertently undermine the ability of these companies to be critical components of our cybersecurity.
Several former national security officials and I recently signed an open letter to express our profound concerns about the unintended implications of pending legislation in both houses of Congress mandating non-discriminatory access for “all business users”—potentially, of course, including foreign rivals—on U.S. technology platforms. Recently the Senate revised its bill; the new version acknowledges—but fails to address—any of the national security concerns raised in our open letter, or reservations expressed by bipartisan members of the Senate Judiciary Committee during the lone public hearing on this legislation last January. This legislation has at least three serious flaws.
First, the bill still fails to address the major issue we wrote about in our letter: giving “unfettered” access to the hardware and software of American technology companies, which could result in major cyber threats, misinformation, access to data of U.S. persons, and intellectual property theft.
Second, certain provisions of this proposed legislation could force tech companies to break apart integrated security tools currently embedded in device and platform operating systems to screen for spyware and malware. From spam filters to authentication services, we’ve all come to rely on these fraud protections to keep us safe and protect our data; these provisions could expose consumers to bad actors seeking to exploit the weak links in the cybersecurity chain.
Third, the amended Senate bill requires tech companies to allow every application—including those from abroad—to interoperate with their own platforms, except where doing so would cause a “significant cybersecurity risk.” The bill, however, doesn’t define what the threshold is for such a risk. This could conceivably inhibit a tech company from taking aggressive action against a known threat, out of concern that the threat didn’t reach the “significant” threshold. If the companies have to look constantly over their corporate shoulder in the face of always agile threats, Americans could be exposed to the insidious and subtle changes that exploit previously unidentified vulnerabilities.
The urge to reduce the power and influence of the technology companies is understandable and well-intentioned. But there is danger in plunging headlong into achieving this goal without due regard for the unintended consequences which could impair our national security. What is needed is a time-out while the legislation is subjected to a national security “stress test.” By this, I mean referring this proposed legislation to a select task force of experts drawn from the relevant national security components; their mission would be to look at the legislation through a national security lens, objectively critique it, and make recommendations back to the Congress that would protect national security equities. And, in the interests of public transparency, the Congress should hold an open hearing so the public will know the results of this examination.
Policy changes that affect the security architecture and practices of these companies must be weighed against potential risk to our cyber safety and security. To do otherwise is dangerous and irresponsible.
James R. Clapper, a retired Air Force lieutenant general, served as director of national intelligence in the Obama administration. He is a consultant to the Computer and Communications Industry Association.
The views expressed here are the author’s own, and do not reflect policies of the Office of Director of National Intelligence or the broader Intelligence Community.