This is a critical moment in global internet policy. The world is awake to the power of connected online systems, and the United Nations agrees that access to the internet is a human right, tied irrevocably to the tenets of free thought and expression. The European Union has just implemented strict data-protection policies under the GDPR, influencing businesses around the world in the process. Russia has been caught hacking into critical US systems, including utility companies, nuclear facilities and routers, and using social media to undermine the 2016 presidential election. Just this week, Facebook announced it had discovered another, similar influence campaign aimed at continually disrupting American democracy.
As leaders around the world turn their attention to cybersecurity, the US lacks the resources and reputation to properly lead the conversation. That's the message out of Tuesday's Senate hearing, The Internet and Digital Communications: Examining the Impact of Global Internet Governance.
"We don't like some of the things that are going on out there, I think we all agree on that," Christopher Painter, a commissioner for the Global Commission on the Stability of Cyberspace, said. "But if the US isn't providing concrete alternatives when some of these countries or collections are trying to export their laws -- for instance, China, or even the EU with GDPR ... other countries who are looking at this, they're going to adopt those standards."
Painter was joined by former Secretary of Homeland Security Michael Chertoff, GoDaddy Vice President James Bladel, American Enterprise Institute visiting scholar Dr. Roslyn Layton and The Business Roundtable VP of Policy Denise Zheng.
Though each witness approached the issue of global cybersecurity from a different viewpoint, a similar thread ran through their arguments: Cooperation is key. In order to cultivate a stable, humane digital landscape across the world, the US has to work with its allies and present thoughtful plans for the future. Otherwise, the US's humanitarian and economic efforts in this online world will be overrun by Russia and China, two countries with authoritarian approaches to privacy and a documented focus on building up their own internet infrastructures.
The US has a strained relationship with its international partners. President Donald Trump has verbally and economically attacked longstanding US allies since taking office in 2017, on Twitter and in person at international summits. Trump called Canadian Prime Minister Justin Trudeau "very dishonest and weak"; he claimed Germany was "a captive of Russia"; he insulted British Prime Minister Theresa May's handling of Brexit and threatened to kill trade deals. Trump imposed tariffs on steel and aluminum from Canada, Mexico and the EU. He trashed the North Atlantic Treaty Organization, the strongest multinational military alliance in America's arsenal, using a litany of falsehoods.
Meanwhile, Trump has refused to criticize, let alone actively punish, Russian President Vladimir Putin, the leader who directed cyberattacks on US election systems with the goal of thwarting the democratic process.
"We haven't really done anything to affect Russia's calculus in any of that," Painter said. "Obviously, we don't want to be overly escalatory. We're not going to shut off the lights in Moscow, for instance, but we should do something that will actually affect Putin and his decision-making in the future."
"We should do something that will actually affect Putin."
- Christopher Painter
NATO, the military alliance that Trump has disparaged, could, in fact, play a large role in the advent of a global, US-led internet policy. It already has a hand in international cybersecurity -- when Russia hit Estonia with a massive DDoS attack in 2007, knocking out internet connection across the nation, NATO countries responded by drafting policies and cybersecurity practices, including the Cooperative Cyber Defence Center of Excellence.
NATO nations have been poised to defend one another against cyberattacks for more than a decade. During Tuesday's Senate hearing, witnesses suggested a NATO-style system could work as a legitimate approach to global cyber defense.
"Are the panelists all in agreement on the concept of a cyber NATO? Does anyone wish to take issue with that?" one senator asked roughly an hour into the hearing.
Four seconds of silence followed.
"No one steps -- "
"I think it depends -- I think it depends on how it's formed," Painter jumped in. "It just depends on the details and how this gets put. But certainly the idea of having like-minded countries come together in the common defense against shared threats, that's an important concept."
The pleas for cooperation and alliance-building come as the US's own cybersecurity infrastructure is crumbling. In May, the Trump administration eliminated the role of coordinator for cyber issues at the State Department -- a role that Painter had held since 2011. As coordinator, Painter led diplomatic efforts to advance the US's idea of an open, secure and reliable internet around the globe, working with private and public sectors in a multi-stakeholder approach.
"The US needs to be be able to elevate cyber issues with diplomatic partners."
Today, the US has a weakened leader in charge of international internet issues. Rob Strayer is a deputy assistant secretary in charge of the State Department's cyber efforts, and he's been the face of international conversations since last year, but this isn't designed to be a permanent position (like the coordinator was). Strayer ended up with the job in September in the midst of restructuring efforts at the State Department, and before that, he served as general counsel for the Senate Foreign Relations Committee. Strayer is operating under the Bureau of Economic and Business Affairs, where cybersecurity issues are nestled further within the State Department than ever.
The Lawfare blog broke down the US's new international cyber structure as follows: "One drawback to the bill is subordinating the Office of Cyber Issues to an undersecretary. Protocol matters in diplomacy, and this has the effect of reducing the diplomatic status of the position when the US needs to be able to elevate cyber issues with diplomatic partners. A number of countries now have officials with cyber portfolios at a ministerial level."
Additionally, the Privacy and Civil Liberties Oversight Board, which oversees the EU-US Privacy Shield outlining data-sharing policies between the two regions, is understaffed and therefore nonfunctional. The board is designed to have five members, but it requires a three-person quorum to pass any actions. Currently, there is only one member.
The White House tapped two people for the board in March, but those nominations have yet to be confirmed.
The US is taking some steps to ensure the continued viability of its internet infrastructure. Just this week, the Department of Homeland Security announced it was establishing the National Risk Management Center, which will focus on identifying and preventing cyber attacks on US systems.
"Although the current Administration, by Executive Order, mandated a number of important reports and recommendations from agencies largely related to cybersecurity, no larger or comprehensive strategy that, among other things, weaves those recommendations together, has yet been released," Painter wrote in his Senate testimony.
"That would essentially politicize the process of dealing even with the technical aspects of the internet."
- Michael Chertoff
Without an ambassador selling the US's internet ideals to the world, other countries are attempting to fill the void. Russia and China, for instance, are pressing the UN to take over international internet arbitration and policymaking, but not for humanitarian reasons. The move could allow these nations to exert authoritarian-style control over digital data and communication, according to analysis at Tuesday's Senate hearing.
"Particularly with the veto in the Security Council, that would essentially politicize the process of dealing even with the technical aspects of the internet, which is why, of course, the Russians and the Chinese want to do that," former Secretary of Homeland Security Michael Chertoff said. "I think we need to continue to look to this multi-stakeholder model, where we ... engage the private sector, the business community and consumers in coming up with proposals on how to reconcile the various interests that are part of the internet."
The main lesson was clear: Without a leader or plan in the realm of global internet governance, the US could miss its chance to shape a pervasive, critical aspect of modern life. This is the dawn of a new digital era, and if the US takes a back seat now, it will be difficult to complain about restrictive or inhumane policies in the future.