This fall has been rich in cyber security and privacy news, both domestically and internationally. The U.S. – China cyber agreements announced by President Obama and President Xi Jinping are an important first step in addressing bilateral tension over the growing number of cyber attacks against American companies. Around the same time, the long-fought national debate over government-mandated backdoors into encryption technology was diffused by the Obama administration’s decision not to seek legislation to force companies to decrypt user data. Both of these significant developments do not come in a vacuum, but are intimately connected to the broader issue of re-building trust between businesses, governments and online citizenry while strengthening the security of national and global economies against criminal attacks.
In light of the increasing damage caused by security breaches, China and the United States – the largest world economies – reached an agreement not to conduct or knowingly support cyber-enabled theft of intellectual property. If successfully enforced, this agreement promises to establish an international cyber security norm. Malicious attacks against companies originating on US or Chinese territory will be subject to bilateral investigation via multi-level intergovernmental cooperation. A cyber incident hotline will serve as one communication channel within a broader enforcement mechanism to facilitate timely collaboration between the two parties.
Although some questions about the prospects for these agreements may be raised due to the lack of commitment on China’s part in the past, the nations’ political will are not the only factors in determining how successful this US-China agreement will be. To support its enforcement, commercial enterprises in possession of information about intrusions must be willing to timely supply that data to their respective governments in order to effectively address reported attacks. The US Senate just passed the long-debated Cyber Security Information Sharing Act (CISA), which is aimed to establish a process for US businesses to share threat indicators with the government. This is not the first attempt to pass such legislation – similar proposals failed to pass the Senate in 2012 and 2014, in large part due to privacy concerns.
Many security experts and privacy groups including the Electronic Frontier Foundation have been very vocal in opposing CISA. Policy-makers and the tech industry are under pressure to reject the proposal for failing to offer appropriate safeguards for user information while expanding government data collection under very broad terms. In exchange for threat information, companies are offered liability protections in case data is breached or shared inappropriately, raising a red flag with the privacy and security community. After suffering numerous data breaches in recent months – with OPM being one of the largest incidents in history exposing the data of over 20 million people – the government has not maintained a stellar track record when it comes to information security. Should cyber incident information shared by the commercial sector be breached, individual users whose personal data is compromised in the process may have no recourse due to liability protections under CISA.
Thus, technology companies are caught in the crossfire – while they would benefit from government support with countering foreign criminal intrusion threats, it is equally important for them to protect user information to “promote trust in the digital economy, the software and technologies that make it work, trust in the rule of law, and respect for individual rights”. For now, many in tech industry resort to developing their own or joining others’ platforms that facilitate cross-industry sharing of threat data including malicious domains and malware samples.
Given the importance of the US-China cyber cooperation for global economy, the US government needs to boost its security practices, including employment of strong encryption across the board. In order to bring technology companies to the table, the private sector needs to be confident that users’ personal data is appropriately protected when shared with the government for the purposes of addressing foreign criminal attacks. Then, a promise of US-China cooperation to create a forum to address the threats against American companies may be a strong enough incentive for businesses to consider sharing risk indicators with a government.
The timing of the Obama administration’s decision to abandon a legislative solution to mandate technology companies to build an encryption backdoor into their software is worth noting. This announcement came at a time when the public debate about the global implications of weakening encryption for law enforcement had reached its peak, particularly in the United States. World-renowned cryptographers and major tech companies joined forces in advocating for strong security in US information systems. If the tech industry were compelled to introduce a backdoor in the interests of the US government, it would inevitably create a precedent for foreign nations, including China, to demand similar access to largely global commercial networks. As a result, all users, including American citizens, would become more vulnerable to data breaches and economic losses. Intellectual property, which gives US enterprises a major competitive advantage, is undoubtedly more secure when protected by strong encryption that forms a major element of the national defense architecture against foreign attacks and IP theft.
The stakes are truly global when it comes to protecting international financial, transport, and communications infrastructure with data breaches estimated to cost businesses over $300 billion a year globally. According to a recent report, under the most extreme scenario of an attack against American power infrastructure, the cost to the US economy alone can rise to over $1 trillion. It is clear that countless high-profile data breaches, international cyber agreements, domestic legislative initiatives, and public advocacy for higher encryption standards must be seen in a broader global security context.
All these factors converge to raise protection levels for consumers, enterprises and governments worldwide. It is time to boost the adoption of encryption tools as a global stabilizer and means to protect the economy which cuts across political agendas and geopolitical interests. Universally strong encryption is a powerful defense, which provides a unique capability to protect the private sector and citizens against malicious data breaches perpetrated by state or non-states actors.