How important is the stability of the internet to the world?

All of a sudden, the onetime repository for cat videos and cookie recipes has become critically important, because the stakes are infinitely higher than they were a decade ago. Yet a growing communications gap between the technology community and U.S. policy makers is raising alarm in the cybersecurity community that the country has ceded control of the internet agenda to other global superpowers.

China flexed its authoritarian muscles in 2017 and enacted a cybersecurity law which required businesses to store data inside the country and allow the government to inspect software and demand encryption keys at any time. On the other end of the spectrum, the European Union’s General Data Protection Regulation or GDPR placed strict protections on personal data, with penalties for noncompliance running into multiple millions of dollars.

The actions of these two regions have set the tone for the rest of the world, a development that has a number of leading figures in the cybersecurity community concerned about the lack of common principles to govern the internet and maintain a stable operating platform. That concern led to the formation last year of the Global Commission on the Stability of Cyberspace, a group of 25 men and women from multiple nations. One of the co-chairs is Michael Chertoff, former Secretary of U.S. Homeland Security and now the executive chairman of his own advisory firm on cybersecurity issues.

Several of the commissioners, appearing in a panel discussion at Black Hat USA conference in Las Vegas on Thursday, sounded realistic about the current direction to create a set of common norms in concert with major nations of the world.

“This is such a new area that nation states are not willing to constrain themselves,” said Chris Painter, a former senior official with the Department of Justice, the FBI, the National Security Council and the State Department, who expressed concern over the lack of understanding between technologists and policy makers. “The technical community and the policy community don’t speak the same language.”

In May, the Commission issued a new norm for the internet which prohibited the disruption of elections through cyberattacks. The proposed standard was crafted in response to information presented over the last several months by the U.S. intelligence community that Russia carried out a plot to influence the 2016 presidential election.

One commission member described his concern about the U.S. response to election meddling, which has involved sanctions against Russia but no publicly disclosed counterattack in cyberspace. “There’s no sanctions left that we can impose on Russia,” said James Andrew Lewis, senior vice president and program director at the Center for Strategic and International Studies, who said that the U.S. intelligence community and military now believe the government needs to respond with attacks of its own. “It’s a game of chicken and right now the other guys are winning because we chicken out. We need to shoot back.”

While leading international policy experts such as Painter and Lewis expressed concern over the U.S. government’s apparent reluctance to “hack back” against foreign meddling over the internet, others in the cybersecurity world are growing increasingly wary of federal computer surveillance inside the country’s own borders. In 2016, the Supreme Court approved an expansion of legal surveillance powers, a process known as Rule 41. The expanded powers allowed the FBI and other law enforcement agencies to search and gather evidence from computer networks throughout the country based on a single warrant.

The government argued for the change because the modern internet depends heavily on a network of distributed servers, making it nearly impossible for authorities to request warrants based on specific locations. But the government’s deployment of surveillance malware across multiple networks in pursuit of crime has led some to wonder if the activity could further destabilize the internet.

“We have a lot of concerns about the Rule 41 change,” said Jennifer Granick, cybersecurity counsel for the ACLU’s Technology Project, who spoke in a separate panel discussion during Black Hat on Wednesday. “The assumption is that the government should be doing remote searches of computers. How do you feel now about facing your own government who is a well-financed attacker?”

Appearing with Granick on the same panel, Leonard Bailey, special counsel for national security at the Department of Justice, pointed out that the government has been conducting physical searches of private homes using court-sanctioned warrants for decades without a lot of outcry. “Somehow the computer search seems creepier,” Bailey said.

The quest for norms, commonly accepted standards within the cyberspace community, looks like a daunting task. But some very influential people are taking on the assignment because today’s global dependence on the internet demands it.

“Can we imagine a moment in time when we need norms more?” Jane Holl Lute, special adviser to the Secretary General of the United Nations, asked during her panel appearance with fellow commissioners Painter and Lewis. “I can’t. If we don’t narrate what the expectation of performance is, we can’t complain when people don’t comply.”

Photo: Black Hat