As the 116th Congress comes to an end, the annual defense authorizing legislation (NDAA) is among its most important pending matters — and tucked within it is the most important internet issue that you’ve probably never heard of.
While not as visible as COVID relief or continuing government funding, the massive Fiscal Year 2021 NDAA Conference Committee report addresses many important defense and non-defense issues, including the naming of military bases after Confederate officers, limits on the President’s ability to withdraw troops from Germany and Afghanistan, a threatened presidential veto over the absence of a repeal of Section 230 and much more — to say nothing of the roughly $740 billion in military programs the law would authorize for the current fiscal year.
Amid these, both the House and Senate bills and the Conference Report address an important internet issue that is not much discussed and not much understood outside of a small circle of industry, scholarly, military, intelligence and law enforcement experts. The resolution of the issue (which won’t get the kind of attention that creating a new “National Cyber Director” will get) could have an enormous impact on the shape and future of the entire internet — far beyond the military and defense communities. Labeled “information sharing,” to put it most simply, it’s whether the U.S. Government (or any government) should regulate and control information about cyber threats that is shared by internet (and other) companies with U.S. military, law enforcement and intelligence agencies — or whether the sharing of cyber threat information by internet companies should continue to be voluntary and led by industry.
The issue is often addressed in vague terms, but at its core, it divides American industry, the tech sector and even the internet industry itself — and its resolution will establish basic rules for how the internet is regulated by the U.S. government and most other governments.
The Fiscal 2021 NDAA Conference Report partly addresses this issue and partly postpones it. That’s not surprising, given its complexity and enormous implications for the shape of the internet.
Aside from the political fact that nearly everyone supports “cooperation on cyber security” between government agencies and internet companies, the debates over mandatory versus voluntary cooperation is further complicated by the fact that serious cyber threats to the U.S. originate not only from a foreign military attack, but also from anyone from a bored high school student to a professional crime ring. Cyber threats from any of these could jeopardize large parts of our economy or social structure. So, a major underlying issue in mandatory versus voluntary “information sharing” is that the problem that’s being addressed is not just defending against a foreign military attack on the United States. It is, arguably, defending against any type of cyber threat from anyone.
The details are quite complex, but the core issue has been hotly debated for over a decade and even echoes policy debates over industry regulation that go back to the 1980s. Like several other cybersecurity issues, the issue of “information sharing” was highlighted by the recent report of the Cyberspace Solarium Commission, which looked at the full scope of cyber threats to the U.S. and set forth a wide range of proposals to improve America’s cyber security. The Commission singled out companies that are part of the “defense industrial base” (which could include quite a large swath of the internet industry) and concluded that they and other internet companies need some form of new, mandatory information sharing for the national security of the United States. Not everyone agrees.
Historically, there have been many — mostly in intelligence, law enforcement and the military — who believe that major internet companies should be legally required to rapidly share information about cyber threats with law enforcement, military and intelligence agencies. These advocates of mandatory and regulated information sharing are supported by some defense contractors and many businesses that depend on the integrity of the internet for their business. Generally, their view is that whatever drawbacks this form of regulating the internet may have are a small price to pay for the significant increase in security and stability that mandatory and regulated information sharing would offer.
On the other hand, historically, some — including many internet companies — have encouraged a voluntary arrangement with very few or no mandatory cyber threat reporting requirements. These advocates of voluntary information sharing are supported by some civil liberties groups and advocates of limited government regulation. Generally, their view is that if the U.S. Government regulates major internet and other companies by legally requiring them to share information about cyber threats, then this exact same requirement will be imposed on these companies by numerous other governments. Moreover, many opponents assert that new government internet regulations of this sort are clumsy, easily-outdated and subject to legalistic manipulation… compared with voluntary information sharing, which is often flexible and rapidly updated.
Other opponents assert that mandatory information sharing on cyber threats is an invitation to widespread snooping by intelligence and law enforcement on innocent citizens who are simply using the Internet.
The issue has been addressed before, most recently in 2015, when Congress enacted the Cybersecurity Information Sharing Act (CISA) to deal with some major concerns about such cyber threat information sharing: confusion over what cyber threat information to share and with which agency to share it, as well as concerns over privacy protection and liability of internet companies that share cyber threat information with federal agencies. Among other things, CISA led to the establishment of a detailed definition of cyber information that could be shared, a procedure for internet companies to share it if they wished to do so and an opportunity for internet companies that properly share information to also receive cyber threat information from agencies. CISA also provided some privacy protection to individuals (by requiring participating internet companies to strip out personal information), and it provided some indemnification for fully compliant internet companies that share cyber threat information.
After five years, the voluntary information sharing program created by CISA has met with mixed reviews. A recent Homeland Security Inspector General report noted that voluntary participation in the new information sharing program has been limited (219 companies by 2018), as has the amount of cyber threat information that has been shared. Which leads us back to the central controversy over whether the sharing of cyber threat information by internet companies with federal law enforcement, military and intelligence agencies should continue to be voluntary or whether it should be mandatory.
The FY21 NDAA House and Senate conferees agreed that multiple studies of this controversial issue will be conducted but also agreed to some limited new areas of mandatory and regulated cyber threat information sharing: The Secretary of Defense will determine by next October whether a “defense industrial base threat information sharing program” that includes mandatory industry cyber threat reporting, is “feasible and suitable” and if it is, will implement the program. In addition, the CISA Director (the lead official in the Homeland Security Department responsible for infrastructure and cyber security) is given significantly expanded authority to issue administrative subpoenas to internet companies, legally requiring them to provide cyber threat information.
Many other countries will closely watch the implementation of these new authorities and evaluations. Either a continued voluntary or a new mandatory approach to information sharing has serious consequences for the nature of the internet and its relationship with governments everywhere — and for the security of the internet on which our society, economy and security increasingly depend. Consequently, the issue of mandatory versus voluntary cyber threat information sharing will probably remain among the most important — yet least publicized or understood — internet issues facing both industry and governments.
Roger Cochetti provides consulting and advisory services in Washington, D.C. He was a senior executive with Communications Satellite Corporation (COMSAT) from 1981 through 1994. He also directed internet public policy for IBM from 1994 through 2000 and later served as Senior Vice-President & Chief Policy Officer for VeriSign and Group Policy Director for CompTIA. He served on the State Department’s Advisory Committee on International Communications and Information Policy during the Bush and Obama administrations, has testified on internet policy issues numerous times and served on advisory committees to the FTC and various UN agencies. He is the author of the Mobile Satellite Communications Handbook.