Congresses and Parliaments

The debate over cybersecurity is heating up again in Washington. Congress is considering multiple pieces of legislation intended to enhance the ability of the private sector and government to share information about digital threats. Meanwhile, the White House has put forth its own proposal, which diverges from those measures on major issues.  Keeping track of all the legislative measures can be confusing. In this video, I provide some background on three things you need to know about the debate on cybersecurity information sharing.

Last week, Admiral Mike Rogers, commander of U.S. Cyber Command, testified before the Senate Committee on Armed Services. Most of the media attention (see this, this, and this) has focused on Rogers’ argument that deterrence is not working, and that defense in cyberspace will be "will be both late to need and incredibly resource intensive." As a result, Rogers argued, Cyber Command needs "to think about how can we increase our capacity on the offensive side to get to that point of deterrence." The argument that additional offensive capabilities are critical to deterrence seemed to be widely accepted by the senators’ questioning Rogers. Senator Angus King went further, saying that it was not enough to have the offensive capabilities but that the public has to know about them. Alluding to Dr. Strangelove, the classic movie on the absurdities of the Cold War, King argued “If you build the doomsday machine, you’ve got to tell people you have it. Otherwise the purpose is thwarted." Rogers’ opening comments and written testimony raise at least three follow up questions. First, in regards to the exchange with Senator King, is talking about offensive capabilities enough? For effective deterrence, do you also have to demonstrate that they would work? The United States and the Soviet Union conducted a combined 1745 known underground and atmospheric nuclear tests between 1945 and 1996, along with countless launch exercises from submarines, bombers, and missile silos. The physical effects of a nuclear weapon were well known to both sides. None of this is available in cyberspace. The effects, so far, are invisible and contested, and they may be unpredictable as attacks spill over into connected networks. You can’t march a cyber weapon in a parade and even if the United States, Russia, and China built cyber ranges where they launched practice destructive digital attacks, would the other side necessarily believe that their systems were vulnerable in the same way or could not be quickly reconfigured for defense? Second, do we have any idea of how adversaries might interpret or react to the effort to develop a greater deterrence through offensive cyber capabilities? In his written testimony, Rogers implicitly suggests that U.S. efforts will not be destabilizing by making a comparison to the nuclear age: "Building these nuclear forces and the policy and support structures around them took time and did not cause a nuclear war or make the world less safe." But is this both a rosy remembering of Cold War history and an optimistic hope for future cyber conflict? Given that many defense analysts believe that offense has the advantage over defense in cyberspace, do efforts to develop deterrence through offense create a security dilemma and an arms race? Finally, Rogers says in his written testimony that Cyber Command has gained "priceless experience in cyber operations" and insight into how force "can be employed in cyberspace." He also mentions that Cyber Command has "had the equivalent of a close-in fight with an adversary." Does it matter who that adversary was? Are the lessons learned from an encounter with one adversary applicable to other potential rivals in cyberspace? Is Cyber Command’s knowledge about fighting China’s People’s Liberation Army transferrable to fighting the Iranian Revolutionary Guard Corps? The answer to all these questions is we do not know yet. We can assume, however, that Admiral Rogers knows that cyber deterrence, if it is to work at all, will not operate like nuclear deterrence. Nuclear deterrence was primarily a military strategy designed to prevent one completely unacceptable outcome—nuclear war with the Soviet Union. Cyber deterrence will be the use of political, economic, diplomatic, and military tools not to stop attacks entirely but instead to reduce the volatility and intensity of cyber conflicts. It will require flexibility, adaptability and a lot of thinking about how to tailor policies to specific actors. Offensive capabilities will be important, but they will only be one part of deterrence.

The China Digital Times has a very good overview of Beijing’s assertion of "Internet sovereignty" at every level, from "international norms and Internet traffic down to software and the hardware it runs on." The most recent effort was widely reported last week. China is circulating new cybersecurity regulations for companies in the banking sector and there is concern that the regulations will be expanded to other critical sectors of the economy. Foreign technology companies that supply Chinese banks may be required to turn over source code, submit to invasive audits, and build back doors into hardware and software. According to the New York Times, 75 percent of technology products to be used by banks must be classified as “secure and controllable” by 2019. China ultimately aims to create a “cybersecurity review regime” to assess all Internet and information technology products across the economy. The Chinese government has promoted these types of policies before. The "Multi-Level Protection Scheme" was introduced in 2007 by the Ministry of Public Security and prohibited non-Chinese companies from supplying the core products used by the government and banking, transportation, and other critical infrastructure companies. Under the 2010 "Compulsory Certification for Information Security Scheme" foreign companies wishing to sell to the Chinese government were required to reveal intellectual property for security products. But this time looks different. While the previous policies were pushed by specific ministries and a limited number of officials, the current effort appears to come from the top—from the Central Leading Group for Cyberspace Affairs, which is chaired by President Xi Jinping. In addition, banks and other sectors often chose not to comply with the regulations. They made economic and technological arguments that swapping out foreign products for domestic competitors was too expensive and would affect the reliability of their systems. With the new regulations, companies have been told they cannot opt out. So what is to be done? There is some history to draw on. In December 2003, Beijing announced that WLAN Authentication and Privacy Infrastructure, or WAPI, would be the mandatory standard for any wireless product sold in China. The Chinese standard essentially came out of nowhere, mandated by a government agency without consultation with private companies. In addition, Beijing’s decision not to share an algorithm included in WAPI due to “national security concerns” would have forced foreign companies to cooperate with one of twenty-four Chinese vendors licensed to develop the standard, which was likely to result in technology transfer to the Chinese companies. U.S. companies like Intel and Broadcom announced they would not adhere to the standard and would stop selling their wireless chips in the Chinese market. In March 2004, the Bush administration sent China a letter about WAPI, signed by Secretary of State Colin Powell, Commerce Secretary Don Evans, and U.S. Trade Representative Robert Zoellick. Arguing that regulations compelling technology transfer were incompatible with China’s trade commitments, the letter implicitly threatened to pursue the case at the World Trade Organization. The Chinese government backed down, agreeing to revise the standard after input from foreign companies. The WAPI incident suggests three components of a successful strategy that altered China’s approach. First, it was public. It was not the behind-closed-doors effort, sensitive to issues of "face" approach that is so often suggested in negotiations with Beijing. Second, the strategy was unified. There were no defections from companies involved in the Chinese market, and the private sector and the U.S. government applied pressure in tandem. The EU and Japan did the same. Third, the strategy threatened real consequences—a boycott of the Chinese market and a WTO case. The campaign against the current cybersecurity regulations has just started and getting all of the actors on the same page will be critical. There has already been a public response. The U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council and the Telecommunications Industry Association and fourteen other business associations sent a letter to Xi Jinping and the leadership of the Central Leading Group for Cyberspace Affairs, arguing that the technological innovation needed to protect against bad actors could only be achieved by “through commitment to an open market and global trade.”A joint letter from the U.S. government, or some other official protest may be in the works and should come soon. If the Chinese press reports about Apple agreeing to security inspections are true, building a united front among the companies may already be impossible. All three of the components are necessary to roll back the regulations but they may not be sufficient. The fact that the regulations come from the central leading group, and that they seem to reflect an ideologically driven effort to control cyberspace at all levels, make it less likely that Beijing will back down. Even if Beijing does step back in this case, there is a need to address the underlying suspicion. Given the security concerns the U.S. government has with Huawei and other Chinese technology companies, Beijing and Washington have an interest in developing transparent global standards for inspecting and sourcing technology products. Unfortunately for the technology companies, the two sides look farther apart than ever.

Last night, President Obama gave his annual State of the Union address in which Internet and cyber issues got their own paragraphs. On the Internet, the president said: I intend to protect a free and open Internet, extend its reach to every classroom, and every community, and help folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world. On cybersecurity, he said: No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe. President Obama’s remarks referred to policy proposals he announced last week, in which he proposed a plan to incentivize the delivery of high speed Internet and called on Congress to pass legislation to facilitate cybersecurity information sharing, protect consumer data, and increase the penalties in the Computer Fraud and Abuse Act (CFAA). The cybersecurity information sharing proposal is interesting. According to the text the president has sent Congress, the legislation aims to facilitate information sharing by: 1.  explicitly authorizing a private entity to share cyber threat indicators with the Department of Homeland Security’s National Cybersecurity and Communications Integration Centre (NCCIC), any federal entity (including law enforcement), and private sector-led information sharing and analysis organizations (ISAO); 2.  launching a process to determine the best practices for the creation and operation of ISAOs, organizations the White House hopes can act as a clearing houses to pass cyber threat information between private sector entities; and 3.  allowing NCCIC to share cyber threat information it has received from private entities to other federal entities, such as the National Security Agency or the FBI. As opposed to requiring companies to report indicators, the proposed law hopes to incentivize companies to share information by shielding them from liability and regulatory action. The draft law would also require the attorney general, in cooperation with a slew of federal entities, to develop privacy guidelines for the use, retention, and disclosure of the indicators the private sector provides. There are a couple of things that stand out from the proposal. First, the draft focuses heavily on the private sector sharing information with the government but remains largely silent on the government sharing information with the private sector. Information sharing is not a one-way street: the private sector needs information from the government if it hopes to better protect itself against advanced persistent threats. The U.S. government already provides programs that facilitate this, like DHS’ enhanced cybersecurity services or US-CERT’s product offerings, but it will all too often take and rarely give back. While legislation provides some legal protections to incentivize sharing, the private sector will only share if they get something in return. That’s not so much as a legal issue as it is a policy and operational one. Second, though the privacy community has embraced some aspects of the White House plan, especially compared to the Cyber Intelligence Sharing and Protection Act (CISPA), concerns remain. As Paul Rosenzweig has already noted, many of the privacy provisions rest on the "reasonableness" of stripping personally identifiable information reports of cyber threat indicators. That is likely to cause a battle between the intelligence community, which needs to know as much as possible, and the privacy advocates, which only want to share what is absolutely necessary. Furthermore, relatively little is said about the privacy controls that the ISAOs should have when handling cyber threat indicators. This stands in contrast to the controls that the legislation proposes for government, such as destruction schedules, protecting proprietary information, and creating anonymizing processes. The discrepancy makes me wonder whether ISAOs could abide by a lower privacy standard than the government to handle the exact same information. With regards to the amendments to the CFAA, Orin Kerr provides a legal analysis of the proposal in the Washington Post. I see two primary policy considerations. First, the amendments could make it harder for computer security researchers to do their job. As I’ve said before, some amendments such as using information derived from a computer security breach would carry stiff penalties, potentially making it difficult for researchers and security companies to analyze incidents. Second, it’s hard to see what increasing the penalty for unauthorized access to a computer will achieve. Will a potential hacker not deterred by the prospect of ten years in prison be deterred by twenty? Increasing criminal penalties certainly will do nothing to stop hackers in China, Russia, or North Korea. Could this finally be the year when the Congress passes cyber legislation? I think yes. Public awareness of the threat is at an all-time high. The Sony attack has created pressure for Congress to act (though it is not clear that any of the legislation would have prevented the North Korean hackers from breaching the company). Moreover, there is bipartisan support for cybersecurity legislation. The New York Times this morning contrasts the bold vision President Obama delivered in the State of the Union with the political reality that he lost control of both houses of Congress: "The question raised by the speech was whether advancing initiatives with little or no hope of passage constituted an act of bold leadership or a feckless waste of time." Yet, while disparaging most of the President’s agenda, prominent Republicans like Senator Lamar Alexander of Tennessee have pointed to cybersecurity as an area where "we can get some agreement." As in the past, privacy concerns will make or break the legislation, but we should expect to see real signs of progress.

tr td { border: 1px solid black; } The President is expected to dedicate a section of his State of the Union tomorrow to cybersecurity. Last week he introduced a number of new legislative proposals and other efforts focused on: better information sharing between the public and private sector; amendments to the Computer Fraud and Abuse Act; national breach reporting; and grants to historically black colleges for cybersecurity education. Net Politics will have more in-depth analysis of the speech on Wednesday if there is significant coverage of cybersecurity. But for those watching tomorrow, here’s a chart of cybersecurity’s previous appearances in the State of the Union. It appeared in the President’s first address to Congress in 2009, and then after a two year hiatus, has returned every year since. The legislative proposals have basically gone nowhere, but the administration has enacted almost every provision of its February 2013 Executive Order. Year Times "cyber" is  mentioned Quote Action taken 2009      1 To meet the challenges of the 21st century – from terrorism to nuclear proliferation; from pandemic disease to cyber threats to crushing poverty – we will strengthen old alliances, forge new ones, and use all elements of our national power. N/A 2010      0 N/A N/A 2011      0 N/A N/A 2012      1 To stay one step ahead of our adversaries, I’ve already sent this Congress legislation that will secure our country from the growing dangers of cyber-threats. President Obama was referring to his legislative proposal of May 2011. It was one of the outcomes of the Administration’s 2009 comprehensive cyber review. While Congress considered a number of cyber bills that year, none that improved the cybersecurity of critical infrastructure became law. 2013       2 America must also face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to security our networks and deter attacks. President Obama was referring to the Executive Order on Improving Critical Infrastructure Cybersecurity. A recent progress update on the order from the Congressional Research Service can be found here. 2014       1 Here at home, we’ll keep strengthening our defenses, and combat new threats like cyberattacks. N/A  

Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.  As Adam mentioned the other day, the Sony hack highlighted the fact that even after years of debates and increased public attention on cyber issues, fundamental policy questions in this area remain unanswered. For example, no one has been able to satisfactorily determine when a cyber incident becomes an armed attack. When does a cyber incident cross the threshold that allows a victim country to respond with force consistent with its inherent right to self defense? Does the incident need to kill people or will physical damage, or even economic damage as in the Sony case, suffice? These are tricky and wrenching questions to answer. Yesterday during a House Foreign Affairs Committee briefing on North Korea, Brig. Gen. (Ret’d) Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs at the Department of Homeland Security, hinted that the Obama administration was working on a framework to determine how the government should respond to a particular cyber incident based on its severity. Responding to a question from Rep. Gerry Connolly (D-VA) who asked "at what point does the intensity and severity and magnitude [does a cyber attack] constitute an aggressive act that has to be addressed?" Touhill replied: Currently, the administration is working to put together that a codified construct for the priorities and the prioritization, and taking a look at it from a risk management and consequence management standpoint. That’s still a work in progress. But ultimately through our congressional processes and our constitutional processes, rather, you know, we -- we will be making those determinations. Touhill’s answer, while convoluted, makes clear that the Obama administration is working on some sort of framework that could determine when a cyber incident reaches the level of an armed attack. Government officials, like everyone else, prefer it when things are easy and straightforward. It would be great to have a framework document that sets out the criteria to determine when the United States is cleared to reply to a cyber incident with force. The problem with these efforts are that determinations of whether something constitutes an armed attack is an inherently political decision, not a bureaucratic one. Responding to a cyber incident with force is a serious decision for any country, and a head of state will want maximum flexibility before making it. They won’t want to be constrained by a bureaucracy’s attempt to rationalize whether an incident meets the armed attack threshold, a concept which is also fuzzy given the lack of international consensus on the definition of an armed attack. Further, as Matthew Waxman argues, a country’s response to a cyber incident will not only rest on its interpretation of the law but also on its broader strategic interests. That explains why NATO’s cyber doctrine gives the North Atlantic Council, the organization’s peak decision-making body, the authority to determine when a cyber incident is severe enough to invoke Article 5 on a case-by-case basis instead of some pre-determined matrix. It also explains why Iran didn’t consider the Stuxnet incident an armed attack, as the Iranians probably didn’t want to trigger a conflict with the United States and Israel, Stuxnet’s alleged authors. Saudi Arabia, Qatar, and the United States probably made the same calculus when confronted with disruptive and sometimes destructive cyber activity that affected Aramco, RasGas, and U.S. financial institutions in 2012. Government mandarins and academics can try as hard as they want to come up with an answer as to when a cyber incident meets the threshold of an armed attack, but a head of state’s likeliest response is going to be: "When I say so."

Numerous countries will hold elections in 2015. Here are ten to watch. 

Electoral math is unforgiving. The Democrats had twenty-one seats up for election yesterday. Seven of them were in states that Mitt Romney won in 2012. Midterm elections typically attract fewer voters, and those who go to the polls are older, whiter, and less congenial to Democrats. The president’s approval ratings are hovering around 40 percent. Add all that up, and you get a convincing GOP win in the 2014 elections. Here are three quick thoughts on what it all means. 1. Republicans Won Big—But Not That Big. Republicans took back control of the Senate for the first time since 2006. They can now set the legislative agenda. But that doesn’t mean they now have the ability to dictate legislative outcomes. Even if the currently undecided races in Alaska and Louisiana go the GOP’s way, Republicans will still be short of the sixty-seat supermajority needed to get most legislation through the Senate. Democrats can to use the same tactics Mitch McConnell perfected when he was minority leader to frustrate him as majority leader. Republicans will work hard to entice Democrats to defect on critical issues. But that strategy may be difficult to implement. Yesterday’s election swept away the most politically moderate and electorally vulnerable Senate Democrats. Those remaining are more liberal and hold more secure seats. Even if the GOP can get the Democratic defectors it needs to hit sixty votes, Obama can wield his veto. So he and the Democrats remain legislatively relevant. 2. Partisanship Will Intensify—And So Will Internal GOP Tensions. We could get the optimist’s scenario in which yesterday’s vote breaks the partisan gridlock in Washington. The White House and congressional Republicans could decide that it is in their interest to find common ground. Some issues on which deals might be struck include tax reform, infrastructure, and trade. If all the political stars align, there could even be agreement on entitlement reform. However, the pessimist’s scenario is more likely. Republicans didn’t embrace split-the-difference politics after a bruising electoral loss in 2012, so they probably won’t embrace them after a big victory in 2014. The tall price they demand may be higher than President Obama is willing to pay. Moreover, internal divisions could hobble the GOP’s ability to negotiate. Tea Party Republicans and establishment Republicans disagree on basic issues such as the size and role of government, as the debate over reauthorizing the Export-Import Bank shows. House and Senate Republicans also face different political incentives. What sells in a carefully drawn congressional district in a Red State doesn’t sell in a Blue state. And Senate Republicans know that the electoral math that worked for them in 2014 will work against them in 2016. They will have 24 seats up for election compared to only ten for the Democrats, and they will be defending seats in seven states President Obama won twice and two he won once. The higher and more Democratic-leaning turnout that comes with a presidential election only makes their job harder. As a result, the negotiations between the House and Senate could be as interesting as those between Congress and the White House. 3. Tuesday’s Vote Hampers President Obama on Foreign Policy—But Less Than You Might Think. President Obama clearly has a harder task now that Republicans will control the Senate. His nominees will face a tougher road to confirmation, administration officials will testify before more adversarial committees, and unfriendly legislation will no longer die in the Majority Leader’s office. But that doesn’t mean that the primary say over foreign policy has shifted from the White House to Capitol Hill. Presidents have greater freedom to act in foreign policy than they do on domestic policy, both because of their specific constitutional authorities and because of their ability to take the initiative. And they wield the veto. Congress last overrode one on foreign policy in 1986. The precise impact that the switch in Senate control has on foreign policy will vary by issue. Where President Obama needs Congress to act and his policy preferences align with the GOP’s, progress is possible. A possible deal on trade promotion authority is a case in point. Conversely, where Obama needs congressional cooperation and his policy preferences diverge from the GOP’s, he can go only as far as his executive power and appetite for political confrontation take him. Immigration reform and a nuclear deal with Iran that requires lifting sanctions fall into this category. And on some issues the change in Senate control will have little if any impact. Democrats and Republican both want to find a way to relax the squeeze sequestration has put on defense spending, but they can’t agree on how to do it. The Senate’s appetite for consenting to treaties like the Law of the Sea was limited even before Tuesday’s vote. And many Republicans are as skeptical as President Obama and most Americans about the wisdom of becoming embroiled in Iraq and Syria. So while they will criticize what they see as the flaws in his strategy for dealing with ISIS, they won’t be legislating a new one.

Anyone who tuned into President Obama’s address to the nation last night expecting to hear a detailed plan to defeat ISIS came away disappointed. The president spoke mostly in generalities and skirted tough questions. But laying out a detailed plan that would pass muster with experts wasn’t his primary purpose. Reassuring a public worried about the ISIS threat, and his response to it, was. The one specific piece of news Obama announced was that 475 U.S. troops will head to Iraq to support and train Iraqi and Kurdish forces. He also said for the first time that “I will not hesitate to take action against ISIL in Syria.” He didn’t, however, elaborate on what that action might look like or what circumstances might trigger it. Obama was also specific in describing who ISIS currently threatened: people in the Middle East, not Americans. He only granted that ISIS might become a threat to the United States “if left unchecked.” That assessment puts Obama at odds with his critics. It also puts him at odds with his own advisers. Secretary of Defense Chuck Hagel has called ISIS an "imminent threat to every interest we have," while Secretary of State John Kerry said it “poses a severe threat.” But Obama’s assessment does reflect the judgment of the U.S. intelligence community. Obama similarly disagreed with himself, not for the first time, on the powers of the presidency. As a senator he argued that presidents needed congressional authorization before using military force. In 2011 he waged war against Libya without going to Congress. A year ago he did an about face and asked Congress to authorize him to strike chemical weapons sites in Syria. Last night he only said he would “welcome congressional support” for his effort to stop ISIS. He said nothing about what he might do to encourage Congress to give him the support he says he wants. Obama also left many obvious questions about his strategy unanswered. Why is the new Iraqi government likely to be a more effective partner than its predecessor, which allowed ISIS to conquer a third of the country? Who are the other members of the coalition America is leading and what will they do? Can the United States degrade ISIS without strengthening Syria’s Bashar al-Assad, who Obama has said must go? Have U.S. drone strikes in Yemen and Somalia, which the president held up as a model for attacking ISIS, been as successful as he suggests? And perhaps most important, what will success in the effort to degrade and defeat ISIS look like? But Obama’s real audience was not the experts who are asking those questions today. It was the two out of three Americans who have come to doubt that he is up to the foreign policy challenges the United States now faces. They do not want another U.S. military intervention abroad, but they also worry that he has been too cautious in responding to a world that seems to be spinning out of control. Obama’s focus on reining in loose talk about the ISIS threat, ruling out the return of U.S. combat troops to Iraq, and stressing American leadership of a global coalition sought to quell the public’s dual fears that he is doing too little—or might do too much. The question is whether Americans are still listening. Presidents in their sixth year seldom claim public attention in the way they did in their first. They have given too many speeches to move opinion by words alone. The public wants results. Therein lies Obama’s fundamental problem. Good results could be hard to come by. ISIS became a threat because the very countries the United States needs to help defeat it are weak, ineffective, and (often) duplicitous. ISIS’s vulnerability to U.S. airpower won’t prevent it from using grisly spectacles like the recent beheadings of two American journalists to sow fear and mask its battlefield losses. So as much as the president hopes to reassure Americans that he is meeting the ISIS challenge with “strength and resolve,” he could well discover, as did several of his predecessors, that events can be hard to tame, even for a leader of a superpower.