What Should the New Administration Do?

Three years ago I left my position at the University of Massachusetts, and this blog, to run for congressional district NY-23. The failure of the Trump administration to take seriously Russian interference in our 2016 election was icing on the cake of my motivation that in deeper layers held concern for the autocratic slant in American politics. Citizenship, to me, meant stepping up even, if not especially, in uphill battles, particularly in a time of need. Disappointed that we could not overcome the Republican tilt of this district, I am nonetheless not regretful. Everyone should run for office at some time in their life to get the measure of democracy, not least one under stress given the money that drives politics, unchecked dirty tricks and a tidal wave of disinformation.

It is only fitting that I reignite this blog with commentary on the most recent and explosive cyberexploitation in government information. But before I do, I want to thank the editors of Inside Higher Ed for providing me with this opportunity and send warm greetings to my higher ed friends! I missed you all very much and have a lot to share about my three years in politics. I will be teaching an upper-level undergraduate course in the Information Science Department at Cornell University this spring, which will help inform commentary on cybersecurity, antitrust activities and any number of shifts in technology and law that are likely to occur under a new administration. Tally ho!

President-elect Biden and Vice President-elect Harris issued a statement on cybersecurity. How needed, how necessary, and how refreshing! Current news about breaches in critical areas of our government make it clear that cybersecurity should be a national priority. It should have been under previous administrations, both Obama and Trump, and so there is no time to waste in light of today’s news.

Sure, COVID focuses the mind. That is exactly what nation-state actors in China and Russia and other aggressors rely on to step up interference, especially in light of the manifest failures in our country to get better control of outbreaks, hospitalizations and deaths. North Korea’s proliferation of ransomware attacks that have locked up critical treatment information in our hospitals demonstrates ever so clearly the link between cybersecurity and on-the-ground experience of hospital administrators, doctors and patients all over the country affected by these attacks. Similarly, Treasury and Commerce are not random federal offices but immediate links to the economic impact of the pandemic. For those unpersuaded by such connections, ask the many thousands of people who have had the Russians fill out their taxes for them due to breaches of health insurance and employment (W-2) forms.

What can a new presidential administration do? Three important steps could make the difference. First, the Biden administration must treat cybersecurity as central theme of foreign policy. Technology alone will never solve nation-state attacks, particularly because the United States is the target of so many aggressor countries, nor can it be expected to fight international organized cybercrime alone. Diplomacy to establish international rules -- and collective sanctions, not just those imposed willy-nilly by U.S. presidents -- can begin to set the bar of behavior among nations and international rules for the internet. The United States demonstrated such extraordinary leadership in developing the technology of the internet. It is time for our country to exercise the requisite leadership in governance of that technology as well.

Second, Congress should critically investigate domestic internet governance. Internet roles and responsibilities currently stretch across 17 federal agencies; China, by comparison, has one. Fitting a 21st-century technology into 19th- and early-20th-century administrative structures will not protect military and intelligence secrets, important economic planning, or the people of this country from increasingly dangerous gaps that manifestly began with Sept. 11 and are obviously continuing today. The establishment of the Cybersecurity and Infrastructure Security Agency (CISA) in 2017 was a good start but clearly insufficient to the task of organizing tactical operations that defend effectively against intrusions and their effects on our network infrastructure. Guided by the Biden administration and working in a bipartisan manner, Congress must oversee an expedited examination among government, research and corporate experts on crafting a federal governance structure better suited to our country’s comprehensive military, economic and social needs. Congress then should align supporting law to effectuate it.

Finally, data protection for citizens and consumers must be included in that restructuring. Because, ultimately, data protection is about securing the integrity and availability of information, data protection laws are an integral component connecting international and domestic concerns, government surveillance and consumer privacy. What would be the point of creating international law if on a domestic front outdated wiretapping laws and vapid data consumer law continues to allow corporate giants such as Google and Facebook to make capacious use of personal information? The USA-Patriot Act of 2001 threw off the delicate balance between national security and civil rights written in the Electronic Communications Privacy Act of 1986, a tilt we have to yet to correct. In the area of consumer privacy, while not perfect, particularly by U.S. business norms, European data protection laws at least offer some answers to the core questions about the substance of personally identifiable information, who is responsible for it and how can it properly be collected, maintained and used. Lawmakers should take what is useful from that example and write clear, meaningful law relevant to both the market and individual needs of people in the United States nationalizing data breach notification and also carving out a zone of information privacy for all of us from rapacious internet giants.

With the Departments of State and Homeland Security now added to the list of federal agencies affected by this most recent breach -- among others, and others still to come -- there is no time to waste. The Biden administration offers this country an opportunity to reset the internet compass on so many important and interconnected areas of technology and law. We have done piecemeal long enough, and that approach is no longer serving us. The iron is hot, now is the time to strike comprehensively in the name of protecting and preserving essential American institutions and values embedded in our information and networked systems.