When the U.S. Department of Justice earlier this month announced indictments of 12 Russian intelligence officials for hacking the Democratic Party’s and Hillary Clinton’s e-mails in 2016, President Donald Trump’s first reaction was to blame the administration of Barack Obama for not taking action against the interference. “Why didn’t they do something about it, especially when it was reported that President Obama was informed by the FBI in September, before the Election?” he tweeted.
Trump will have no one to blame but his own administration, however, in the event of another such attack before the 2018 midterm elections. Faced with mounting evidence of continued Russian efforts “to undermine America’s democracy,” in the words of Director of National Intelligence Dan Coats, the administration needs to take concrete steps to prevent further foreign interference. For a moment last month, it looked as though this were starting to happen: reports emerged that the U.S. government had met with eight leading technology companies to discuss how to safeguard the upcoming midterm elections. It was an encouraging sign that the administration seemed to be taking the threat to the United States seriously and recognizing the critical role of the private sector in protecting the integrity of the electoral process.
Unfortunately, a closer look revealed a serious flaw in this otherwise promising engagement. The New York Times reported “a tense atmosphere in which the tech companies repeatedly pressed federal officials for information, only to be told—repeatedly—that no specific intelligence would be shared.” This tight-lipped approach was apparently one-sided. Although the tech companies were open about what kinds of disinformation they were monitoring on their platforms, “neither the F.B.I. nor the Department of Homeland Security was willing or able to share specific information about threats the tech companies should anticipate.”
Sadly, this type of impasse sounds all too familiar. Both authors served in the White House; one focused on counterterrorism, the other on technology policy. In our experience, getting the government to cooperate with the private sector so that the private sector could help the government was a critical agenda item—and a persistent uphill battle.
The U.S. government is, as a general matter, not built to share intelligence on national security threats with nonstate entities. The relevant intelligence tends to be classified, even if it derives from an open source such as the Internet. Getting approval to share such information tends to be a painstakingly slow and tedious process that requires obtaining consent from many different parts of the government, from the intelligence community to law enforcement to the military, all of which have a greater incentive to deny the request than risk mistakenly sharing something sensitive.
The result is a government that’s very good at ingesting information, but very bad—and very slow—at sharing it. This is helpful for safeguarding the secrets that can be used to protect the United States and the sources and methods used to obtain them. But it’s decidedly unhelpful when the private sector, rather than the government, is on the frontlines of addressing key national security threats.
With great profits comes great responsibility. The leading U.S. technology companies owe it to the United States to help ensure that the foreign election interference the country suffered in 2016 doesn’t repeat itself in 2018 or beyond. (Indeed, one of us has set out a “checklist” of steps the tech sector should take to improve its readiness in this regard.) But recognizing the private sector’s responsibility doesn’t let the government off the hook. To the contrary, the private sector is best able to play a productive role in tackling national security challenges when informed by the government’s latest, best understanding of those challenges.
This is a lesson we’ve learned firsthand in the past decade in the area of cybersecurity. In response to an escalating series of data breaches in the years leading up to 2015, the U.S. government created a number of channels to share up-to-date information on cybersecurity threats with the private sector, with leadership from the White House, Justice Department (including the FBI), and Department of Homeland Security, among other parts of the federal government. These policy measures, the most critical of which included executive action undertaken by Obama and the passage of the Cybersecurity Act of 2015, established DHS as the hub for cyberthreat information sharing with the private sector. DHS, in turn, was charged with creating channels for real-time information sharing with the rest of the government. The department accordingly issued guidance to industry pursuant to the new law in 2016.
Now Washington needs to place the same priority on informing the private sector about what the government is seeing on platforms such as Facebook, Twitter, and YouTube in the run-up to the 2018 midterm elections—including new election interference trends and tactics and any pattern of activities across different channels that those who work at a single platform may not notice. Many of these activities are happening on the public Internet, so it shouldn’t be hard to share unclassified analyses of them. Doing so, in and of itself, would be a significant positive step forward.
The government can even go one step further by declassifying at least portions of what it is learning through sensitive sources and methods so that this information can be shared with the private sector. This is perfectly feasible with the right priorities and institutional structure. To the private sector, it frequently won’t matter exactly what sensitive technique or source the government used to learn something or how it did so. What’s important is making the bottom line clear—for example, that a certain set of themes will be emphasized in foreign-driven messaging—so that officials at key technology companies can check the authenticity of accounts disseminating those themes. Such information sharing would let the private sector more effectively devote resources to combating malicious campaigns while allowing the government to keep sensitive sourcing behind the information classified.
Making these changes requires real commitment, including a mandate from leaders such as the director of national intelligence clearly establishing that declassifying and sharing this sort of information is a national priority. Leadership at the White House or in the intelligence community should also create a clearly defined and empowered interagency group charged with pursuing that priority on an expedited timeline. Taking these steps could immediately help Silicon Valley defend against agents spreading nefarious content, including those who try to interfere in and subvert the U.S. political process—a big reward for the amount of work Washington would need to do to make it happen.
In the recent past, the U.S. government has shared key analyses of major challenges in areas such as cybersecurity and terrorism with relevant actors in the private sector. This type of public-private cooperation often happens only after a major incident, when the government enlists companies’ perspectives and expertise, or vice versa. After the horrific December 2015 terrorist attack in San Bernardino, for instance, Obama dispatched to California much of his national security cabinet to discuss with tech sector leaders how to improve cooperation on counterterrorism.
The threat of foreign interference in the U.S. election process is important enough to warrant similar cooperation. As the government’s increasingly proactive support to the private sector to address cybersecurity threats has shown, a leadership mandate and defined interagency team can, together, make the central conclusions of even sensitive information available to the private sector. But up to this point, Washington has not taken the necessary steps to guard against interference in the 2018 elections. The absence of leadership from the White House has been particularly glaring, especially after Trump decided to question whether Russian hackers even interfered in the 2016 elections while standing alongside Russian President Vladimir Putin in Helsinki. Even the FBI’s task force on election interference—hardly the robust interagency creation necessary to succeed—appears to be losing its key personnel. And although the Justice Department’s brand-new Cyber-Digital Task Force report rightly notes that “the Department can help social media providers” by sharing information about potential threats to election integrity, nowhere does the report indicate that the department is in fact already doing this.
It is striking to read that Facebook, not the government, had called the recent meeting—the first of its kind between tech companies and state agencies leading up to the midterms—a mere six months before the upcoming midterms. Let’s hope that a second meeting happens soon and that this time the government shows up prepared not only to learn but to share what it already knows.