Blurring boundaries on national security: the government and private industry

As if out of a Hollywood movie, Edward Snowden emerged from hiding when he flew on commercial air from Hong Kong to Moscow in recent days, where he is now hunkered down in an airport transit zone and appears to be in legal limbo, having applied and withdrawn his request for political asylum from Russia. Snowden, the former NSA contractor reported to have leaked top secret material to the press detailing the government’s collection of “metadata” on Americans last month, is now officially on the run from U.S. authorities, since the U.S. filed criminal charges against him and requested his extradition, first from the Hong Kong government and now from Russia.

The documents that Snowden leaked to the press reportedly indicate that the U.S. government is collecting telecommunications data, such as data from cell phones and email, through commercial companies including Verizon, Google, Microsoft and Apple. While any details of government agreements with these companies are still largely unknown, this scandal only foreshadows the substantial role that private industry will play in national defense in the future, as a result of cyber threats.
 
In testimony on Capitol Hill since the Snowden leak, top government security officials have described several foiled terrorist attacks, highlighting that telecommunication surveillance through these types of companies is an important tool in the intelligence community’s counterterrorism toolkit. In addition, private entities are increasingly targets themselves of cyber-attacks and cyber-espionage, which have already proven to be very costly. With increasing frequency we’re hearing national security experts sounding alarms as to the risks of a cyber-attack on “critical infrastructure” such as a power grid or the Stock Exchange. The reality is that computer networks now allow previously well-insulated civilian enterprises to be targets.
 

ADVERTISEMENT
The risks of cyber-attacks are being taken seriously in Washington. Indeed in February, Obama released an Executive Order on “Improving Critical Infrastructure Cybersecurity,” that provided first steps on a path of government/private industry cooperation on defense against cyber threats. The Order provides for the creation of a framework for practices to combat cyber risk, which critical infrastructure entities will be able to voluntarily adopt. The Order contains several other provisions as well, including one that expands government-to-industry information sharing, so that private companies will have access to information that can help them protect themselves.
 
Because of the potential gravity of a successful cyber-attack on critical infrastructure, cooperation on cyber defense along the lines of the Executive Order must eventually become mandatory for truly critical infrastructure. In addition, it should be expanded to the wider business community on a voluntary basis, while industry cooperation on government surveillance should proceed with caution and public debate surrounding privacy concerns.
 
There is precedent for involving industry in the (typically, defensive) warfighting functions of government, from the industrial mobilization during World War II through our system of import controls. Nonetheless, the degree and the permanent nature of public/private cooperation that cyber threats require is giving rise to a new paradigm for the role of private industry in national security; the eventual balance that will be reached is very much yet to be seen. As the internet and other telecommunications networks are tearing down global barriers, we must adjust the divisions between the state and private industry in a way that promotes security and is circumspect about protecting civil liberties.
 
Vavrichek is a defense analyst in Washington, D.C.