Cyber Scene #28 - Regulation: Variations on a Theme
Regulators Unite en Marche (or not)!
Under the rubric of the Internet Governance Forum which convened in Paris mid-November, French President Macron called on nations to join forces to regulate the tech industry given the dominance in daily life of cyberspace "in every aspect of our lives ... as the shared responsibility...to improve trust, security and stability in cyberspace." Labeled the "Paris Call for Trust and Security in Cyberspace," President Macron's appeal to Europeans as well as the US to move forward as a unit seeks a global reach. His address established nine criteria for strengthening cybersecurity globally, removing or preventing illicit cyber activity and protecting privacy, and calling for 2019 forums (Paris Peace Forum and the Internet Governance Forum in Berlin) to revisit progress on this regulatory initiative. France itself will undertake a 6-month regulatory pilot program studying how Facebook (FB) removes certain illicit content, with work extending from its Silicon Valley to Dublin locations. The US, per President Trump who was in Paris at the time of this initiative for the anniversary of the end of WWII, will not participate following a reportedly tough exchange with his host. Your author agrees with legal expert Paul Rosenzweig (Lawfare blogger and legal eagle extraordinaire) who opines that international regulatory action may come, and that a presidential "contretemps" should not overshadow the importance of Macron's call to action. He also recommends reading Macron's "Call" in its entirety.
On the other hand, the US regulatory role was underscored, also in mid-November, by NSA's General Counsel Glenn Gerstell who addressed the annual American Bar Association National Security Law Conference. General Counsel Gerstell traced the legal regulatory authorities back to 1928, citing prescient commentaries decades ago and the need for such regulation of the nascent internet. He notably does not dispute the preeminence of judicial review, as confirmed by the blockbuster Marbury v. Madison case, as the acting Attorney General nominee recently maintains. It should be noted that one of Mr. Gerstell's predecessor NSA general counsels, Stewart Baker, Esq., is the lead voice on Lawfare's National Security reporting. He is also a partner with Steptoe & Johnson, LLC, which has spawned several US Trade Representatives, past and likely future as the intertwining of trade and cybersecurity have of late been "above the fold" (for tactile readers) top news items. Lawfare itself is a Harvard Law School/Brookings Institution joint venture. As regulation of cyberspace develops, so too should the readership of Lawfare.
New Regulating Regulators -- Undaunted Courage: Is a cyber regulatory map in the 2019 forecast?
A leitmotiv apparent to regular Cyber Scene readers has been how Congress can, or should regulate cyberspace via its high tech FAANG command posts. Whether this spills into both chambers' foreign affairs committees relating to Macron's call to action or not remains to play out in 2019 with significant changes to the players on the field. The following developments since last month may provide some projections.
The Regulated -- Will FAANGs' claws be clipped?
As the Dow dips against a drop in US-based tech stocks despite Amazon's HQ2 expansion (and coincidentally, so close to Congress and Wall Street!), discussions continue internally among FB and others about how to address past lapses and future fixes. In the realm of whether a strong defense is always a sufficient offense, Mark Zuckerberg returns to the center ring as FB seeks to acknowledge past sins and obtain a pass for delays in reporting the extent of the Russian infiltration. Several Senate committees -- and these will likely remain intact come January 2019 -- are expecting more solid explanations even as the House moves toward change in committee leadership. Notable among them is Adam Schiff, in line to assume the HPSCI chair. He starts out restrained, likely sardonically replying "that's a good one" to a presidential tweet replacing the last two consonants of his name rather than jumping into a tweet-for-tat (or that). But with Rep. Nunez's incendiary chairmanship ending, Schiff and other new committee chairs will likely move out to put subpoena teeth into talk of regulation. Which end of "getting mad or even" is in the fore remains to play out. But not to miss out on lame duck opportunities, the House Judiciary Committee has just issued subpoenas for former FBI Director James Comey and former Attorney General Loretta Lynch regarding Hillary Clinton's (but not Ivanka Trump's) emails under outgoing chairman Robert Goodlatte (R-VA) and possible ties between the Trump campaign and Russia, per the Black Friday New York Times.
This follows New York Times analysts Nicholas Confessore and Matthew Rosenberg reporting on the onset of "open warfare" between Silicon Valley tech industries and former Democratic supporters on the Hill in the wake of revelations that FB execs were less than forthcoming regarding evidence of Russian activity on FB for longer than first disclosed while, on the other hand, hiring a Republican-linked research firm to attack George Soros, billionaire Democratic supporter. Senior Senate statesmen such as Senators Elizabeth Warren (D-MA) and Chuck Schumer (D-NY), the latter a particular "Facebook friend," who have supported the FAANGs in the past now seem ready to take to task the lack of accountability and "the dark side of technology." Four Senators including Amy Klobuchar (D-MN) have specifically written FB to inquire whether it, or any FB affiliates, used "vast financial and data resources available to them to retaliate against their critics, including elected officials who were scrutinizing them." This calls to mind last month's Cyber Scene discussion of who's hacking the hackers. As NYT contributor Mike Isaac's continuing reporting on FB notes, CEO Zuckerberg defended FB's actions in both a Q & A with his employees and a conference call with reporters. While it seems fact-based that Zuckerberg and COO Sandberg who both testified as reported in Cyber Scene in the spring before Congress about preventive FB measures, were unaware of the extent of the problem when informed by their security chief as noted by Wall Street Journal's Deepa Seetharaman, it is likely that they and other "-AANGs" will face intense scrutiny and more/some regulation from both sides of the Hill once the post-midterm election lull subsides. For those looking for FB heads to roll, the CEO seems untouchable. Against a backdrop of queries about #2 and COO Sheryl Sandberg's survivability, FB announced that its Communications and Policy Chief Elliot Schrage issued a written apology for targeting George Soros, for which COO Sandberg also apologized to employees. She remains, while Mr. Schrage is leaving FB.
On cyber issues, changing dynamics of the Senate committees as referenced above include the ire of some former supporters of FB. Along with changes in House leadership as a result of the midterms, both the House and Senate will be anxious for future congressional hearings, whether bipartisan or not. Recently, apart from court appointments in six Senate open hearings, two Senate Select Committee on Intelligence (SSCI) held closed hearings as one third of Senate seats were in the midterm mix. The midterms suspended most hearings the House as its elections occur every two years. The pace is already picking up.
Good News: Election Threats to Constitution Neither Foreign Nor (Hardly) Domestic
Given intense work on cyberoperations to protect US elections this round, particularly under the direction of new Cyber Command Chief General Paul Nakasone, the elections ran without the blatant interference of 2016. Both Julian Barnes and old intelligence hands David Sanger and Sheera Frenkel outlined what was expected and that countermeasures were in place to prevent any deja vu scenarios from abroad. The election grid, however, did suffer from underinvestment, old machinery, understaffing, obfuscating ballot designs, inconsistent voting methodology, and a large dose of human frailty. Some would add voter suppression. These cannot be blamed on Russia, China, Iran or North Korea and are correctable with political will and funding. Congress does hold America's purse strings. The courts will be dealing with some of the other attendant election issues. But the large voter turnout did not include Russians or historic Chicago underground residents.
To counter any sense of complacency, a NYT op-ed of 19 November by Ari Mahairas, an FBI NYC Cyber Division chief, and Peter J. Beshar, the general counsel of Marsh & McLennan Companies, whose business includes risk management, sounds the alarm regarding the safety of the US water supply. Citing the second hacker attack on North Carolina's water supply in the aftermath of Hurricane Florence causing "catastrophic loss" via data encryption locking out employees, these two experts cautioned against complacency: "Our water supply is increasingly digitized, and increasingly vulnerable." They advocate defense and note that while the cyber world has changed, the concept is not new. They cite the Assyrians in the sixth century B.C. poisoning enemy wells and 1939 Nazi plans to blow up Hoover Dam. And your author would also include the "Cassandra of the 60's" Tom Lehrer whose prescient piece, "Pollution" tells his listeners: "don't drink the water and don't breathe the air." As usual, this ever-present mathematician-philosopher subscribes to "plus ca change, plus c'est la meme chose." N'est-ce pas, Monsieur Macron?