The Trump administration was criticized at a Senate hearing today for abolishing key cyber posts in the White House and the State Department. Also under fire at the hearing were the European Union’s General Data Protection Regulation (GDPR) and other localized data frameworks.
Under former Secretary of State Rex Tillerson, the State Department moved offices dedicated to addressing international cybersecurity, telecommunications, and technology issues into the Bureau of Economic and Business Affairs. More recently, National Security Adviser John Bolton eliminated the position of cybersecurity coordinator on the National Security Council.
The Senate Foreign Relations Committee recently approved a bill that would require the State Department to establish an Office of Cyberspace and the Digital Economy headed by a Senate-confirmed ambassador (TR Daily, June 26). The Cyber Diplomacy Act (HR 3776) would restore and elevate the role of the State Department cyber coordinator – a position that was established under the Obama administration to promote an open Internet worldwide and work with other governments on cyberspace issues.
The legislation drew praise at a hearing today held by the Senate communications, technology, innovation, and the Internet subcommittee on the impact of global Internet governance on U.S. businesses.
Sen. Brian Schatz (D., Hawaii), the subcommittee’s ranking member, said he wants the administration to reestablish the cybersecurity coordinator role at the NSC and said that Congress is trying to reestablish the cyber office at State.
The senator said the U.S. must play a key role in Internet governance, including protecting the multistakeholder process, adding, “Our standing down will create a vacuum for authoritarian regimes.”
Christopher Painter, the first cybersecurity coordinator at the State Department who is a member of the Global Commission on the Stability of Cyberspace, said the State Department cyber office was the first such one established by a foreign ministry and that more than 25 now exist across the world.
“I applaud the continued efforts of my former colleagues at State, Commerce and other agencies, but I believe those efforts have been hampered by the lack of a sufficiently high-level office at the State Department and the recent abolition of the Cyber Coordinator position at the White House,” he said. “On the first, as I noted above, my former office, among many other things, facilitated coordination across the government and helped provide high level representation with other governments to advance U.S. policies on a range of issues. I commend the House and Senate efforts to restore, strengthen and institutionalize my former office. The House passed the Cyber Diplomacy Act several months ago and the Senate Foreign Relations Committee recently voted a companion bill out of committee. I am particularly pleased that these were bi-partisan efforts reflecting the bi-partisan nature of most of these issues. Hopefully, the Department of State will take action on this matter soon.”
Today’s hearing explored a wide variety of issues, including cybersecurity, localized data frameworks, and Russian hacking of U.S. election systems.
“Policies targeting data and networks often stem from a country’s interest in fostering its own innovation or protecting its people from possible data misuse. But here’s a new problem, the global nature of the internet means that the impact and power of these laws goes beyond a jurisdiction’s borders,” Sen. Roger Wicker (R., Miss.), the subcommittee’s chairman, said in his opening statement at the hearing. “U.S. companies compelled [are] to change business models or alter operations to achieve compliance in foreign markets, and they are experiencing disruptions in their own domestic operations as well. The result is less job creation, less investment, and less innovation in the United States. Consumers are feeling the effects of international internet policies, also. Overly restrictive limitations on data movement or inconsistencies across jurisdictions ultimately deliver an internet experience to consumers that is less personalized and more expensive to access.”
During today’s hearing, the GDPR, which recently took effect, also drew criticism.
“A popular misconception about the GDPR is that it protects privacy; it does not. The GDPR is about data protection or more correctly, data governance,” said Roslyn Layton, a visiting scholar at the American Enterprise Institute.
“U.S. companies are now suffering because of its cost and complexity,” Ms. Layton said of the GDPR. She said that as a result of the framework, residents of the EU can’t access many websites, including those of retailers and newspapers.
She said that “Americans can develop a better regime through science, technology, and innovation. Policymakers can incentivize this with partnerships for grants, prizes, award, competitions, and safe harbors for innovation to ensure that innovators can innovate without punishment.”
“GDPR has touched every aspect of our industry, but notably it has significantly disrupted the WHOIS service, which is an online directory of contact information for domain name registrants,” said James Bladel, vice president-policy for GoDaddy, Inc. “WHOIS is a two-edged sword, serving as an important tool for law enforcement agencies and other stakeholders, while also being a gold mine of personal data for spammers. Currently, we are engaged with representatives of law enforcement agencies and our colleagues at the Internet Corporation for Assigned Names and Numbers (ICANN) to strike the right balance between providing access to WHOIS data for legitimate needs, while still protecting the private information of our customers.”
Denise Zheng, VP-policy for the Business Roundtable, complained that “there has been a rapid increase in the number of complex, conflicting, and uncoordinated ICT [information and communications technology] public policies from governments around the world. This trend undermines global digital innovation and trade by creating policy and regulatory fragmentation, business uncertainty, overwhelming compliance costs, and other unintended consequences. The European Union (EU) and China are currently the most active players in developing and implementing ICT policies. But India, Russia, South Korea, and other … countries are ramping up efforts to develop and enforce a wide range of cybersecurity, privacy, and data localization policies. Already at least 34 different countries have data localization requirements, while approximately 120 countries have data privacy laws and many more countries are considering legislation in this area.”
“The U.S. government and U.S. companies should lead in developing norms, best practices, and standards for the internet and digital platforms,” Ms. Zheng added. “Areas of focus include cybersecurity, privacy, and cross?border data flows. At the same time, emerging technologies such as artificial intelligence, autonomous vehicles, blockchain, internet of things, and robotics require serious attention, because rules do not yet exist.”
“In the face of an already fragmented environment, the U.S. government should play a leadership role to align or harmonize where possible existing ICT policies, regulations, and standards globally, and maintain that same approach for emerging technologies to avoid costly fragmentation,” Ms. Zheng added.
Mr. Painter said that the U.S. should have a “high-level cross-cutting, integrated strategy that leverages all relevant government agencies, outside stakeholders and like-minded countries to deal with the many challenges we face internationally and helps direct and prioritize our engagements.”
He said such coalition-building is necessary in response to the GDPR and other localization policies, where he said the U.S. and its allies should provide “concrete alternatives” to those frameworks.
Michael Chertoff, cofounder and executive chairman of The Chertoff Group and former secretary of the Department of Homeland Security, also stressed the need for consensus-building “with like-minded countries, other democracies and Western countries who agree on the broader principles of the internet but may disagree about how to regulate, shape, and manage it. We must recognize that we may, at times, disagree with even our closest allies on policy particulars, but in the end, it is better to reach an imperfect compromise with them than allow for the disintegration of the internet as we know. So much of the internet’s value is in its global nature, and we must work across international borders if we hope to preserve it as a common good.”
Mr. Chertoff, who is also a member of the Global Commission on the Stability of Cyberspace, added, “Without that cooperation we are likely to see new barriers, intended or not, appear and impede the development and growth of the internet. Data localization requirements, for example, may be enacted to protect a country’s citizens’ data, but have the more practical effect of significantly raising costs, diminishing competition, frustrating international commerce, and preventing citizens from accessing the services of providers based outside their own country. New regulations may be enacted to protect users’ privacy but result in unexpected delays in cross-border law enforcement cooperation. The best way to avoid such barriers is to work with other countries to address these issues, as many countries share the same concerns and would all benefit from coordinated action.”
At today’s hearing, Democratic senators and witnesses also stressed the importance of combatting Russian interference in U.S. elections.
Mr. Painter said that “a declaratory policy” would be helpful, adding that “high-level” and inconsistent messaging from the Trump administration “undercuts” U.S. actions against Russia.
Sen. Amy Klobuchar (D., Minn.) asked whether states are adequately prepared for any attempts to hack their elections equipment.
States now realize they must be vigilant against such attacks, Mr. Chertoff said.
“But to be honest, this ship is going to take a while to turn around,” he added, citing states’ “aging infrastructure” and the fact that some don’t realize how much systems are connected to the Internet.
“I don’t know that we’re going to have this problem fixed by 2018. I would be very doubtful,” Mr. Chertoff added. But he said he hope states will be ready by 2020.
But Ms. Layton said that other countries have wanted to influence U.S. elections for decades. “This isn’t the first time this has happened,” she added.
Sen. Ed Markey (D., Mass.) asked witnesses what they thought of his Cyber Shield Act, which would implement a voluntary cybersecurity certification program for Internet of things devices (TR Daily, Oct. 27, 2017).
Mr. Painter said the idea “has a lot of merit” as long as it doesn’t “create a conflicting regime” with the EU. Ms. Zheng expressed concern that Mr. Markey’s bill would result in countries each developing their own approach, which could hurt interoperability.
Sen. Markey said that “the Trump administration made a big mistake” in downgrading the cyber coordinator post at the State Department.
Sen. Ted Cruz (R., Texas) asked the witnesses to weigh in on legislation he introduced recently with Sen. Catherine Cortez Masto (D., Nev.). The Eliminate From Regulators Opportunities to Nationalize The Internet in Every Respect Act (E-FRONTIER Act) would ban the administration from nationalizing 5G networks without congressional authorization.
Sen. Cruz cited a memo leaked earlier this year that suggested such a nationalization proposal was being considered by the administration (TR Daily, Jan. 29), and he said that officials have “been less than clear in rejecting that idea.”
“It would be a disaster” if 5G networks were nationalized, said Ms. Layton. “It’s not where we should put our money.”
“In general, I think nationalization of a function like that stifles innovation and puts the government in a position which overreaches … what its proper role is,” said Mr. Chertoff.- Paul Kirby, email@example.com
Interested in submitting an article?
Submit your information to us today!Learn More