This article is an excerpt from the “2020 Mandate for Leadership: A Clear Vision for the Next Administration.” It looks back at policy decisions made by the Trump administration over the past four years. You can purchase your copy of “Mandate 2020” here.
The scale and speed of technological change and its evolving security implications make it difficult to generate policies that are both effective and timely. This is further complicated by the rational U.S. desire to protect industry from overly burdensome regulations and allow for proactive self-regulation that is almost always more responsive to industry needs and less costly.
Nevertheless, as noted, there is a clear and compelling national interest in securing the U.S. technology industrial base and the critical infrastructure on which the base operates.
To this end, the federal government has taken several actions over the past four years to address general cybersecurity as well as broader national security concerns.
In December 2015, the Cybersecurity Information Sharing Act was signed into law. The act seeks to make it easier for technology companies and internet service providers to share cybersecurity threat information with each other and with the government by means of an online portal managed by the Department of Homeland Security.
While the law requires that personal information that is not related to cybersecurity be stripped from data that is shared, it adopts a broad definition of cybersecurity information and allows this information to be used by federal intelligence and law enforcement agencies for such other purposes as the prosecution of violent crimes.
Even though the law provides liability protections for those who participate in the Cybersecurity Information Sharing Act, at last count, fewer than 10 companies and nonfederal entities were sharing information on the portal—an indication that the legislation is not broadly valued.
In April 2018, the Stop Enabling Sex Traffickers Act and Allow States and Victims to Fight Online Sex Trafficking Act were combined into a single legislative package and signed into law by the president. This legislation adjusted U.S. sex trafficking laws and made it illegal for digital media publishers, social media sites, and other internet service providers to knowingly assist, facilitate, or support sex trafficking.
It also amended Section 230 of the Communications Decency Act, which provides certain civil liability protections for internet platforms, to exclude enforcement of federal or state trafficking laws from its immunity.
Beyond these two laws, during the past four years, the United States has not passed legislation that meaningfully improves the reporting and notification of data breaches, enhances protections for individual privacy, or builds up the cybersecurity either of industrial control systems and other critical infrastructure or of the emerging “internet of things” marketplace.
In summary, the nation remains critically ill-prepared to meet proliferating cyber threats.
Conversely, there have been significant changes at the strategic level that, if seen through, suggest that the nation is beginning to understand and address some of the most pressing technology challenges arising from the new technology-enabled great-power competition.
Concerns about foreign direct investment and foreign supply chains have generated reform of the Committee on Foreign Investment in the United States and a new executive order on information and communications infrastructure.
- In August 2018, the Foreign Investment Risk Review Modernization Act became law. It was the first update to the Committee on Foreign Investment review process in more than a decade. The Foreign Investment Risk Review Modernization Act’s key provisions expand the types of investments that the Committee on Foreign Investment in the United States will review, with special attention now being paid to key emerging technologies like artificial intelligence and specialized chipsets and microprocessors.
- In May 2019, the president issued an executive order granting the secretary of commerce the power to review and cancel any information or communications transaction between a U.S. company and any entity owned by or significantly influenced by a “foreign adversary” if the secretary deems that the transaction would constitute “an unacceptable risk to the national security of the United States.” The executive order does not target any specific country or company but is certainly intended to address China’s aggressive use of companies like ZTE, Huawei, Hikvision, and DJI as extensions of its intelligence apparatus.
The United States is also organizing its offensive cyber capabilities to match the increasingly crowded and dangerous cyber domain more effectively. In 2018, U.S. Cyber Command was elevated to be a unified combatant command and to begin decoupling itself from the National Security Agency.
This transition has been accompanied by National Security Presidential Memorandum 13, issued in September 2018, which reportedly removes many of the bureaucratic hurdles that formerly restricted offensive cyber operations.
The details of National Security Presidential Memorandum 13 are classified, but according to then-national security adviser John Bolton, “Our hands are [no longer] tied as they were in the Obama administration.” Public reporting on the National Security Agency’s activities against Russia and other malign cyber actors during the 2018 congressional elections would appear to verify this sentiment.
In addition, an executive order issued in May 2019 calls for enhanced efforts to attract, train, and keep top-tier cybersecurity talent, both inside and outside of the federal government.
Beyond these tactical and operational evolutions, the federal government is beginning to formulate the nation’s long-term strategic posture on cybersecurity and emerging technological challenges to national security.
In 2018, two separate commissions were formed, the Cyberspace Solarium Commission and the National Security Commission on Artificial Intelligence, each comprised of experts from government, academia, civil society, and industry.
The Cyberspace Solarium Commission is modeled after President Dwight Eisenhower’s Solarium Commission, which developed policy proposals for addressing the rising challenge of the Soviet Union, and is tasked with generating proposals for the United States’ “grand strategy” for cyberspace.
The National Security Commission on Artificial Intelligence is tasked with understanding and proposing responses to the national security implications of artificial intelligence development and application, particularly in the areas of economics, politics, and national defense.
Finally, in December 2018, in an effort to look at over-the-horizon opportunities and challenges, the president signed the National Quantum Initiative Act.
The National Quantum Initiative Act reorganizes a number of government innovation and technology bodies, creates dedicated funding and oversight for quantum science-related research, and identifies key national security priorities for quantum research that seeks to leverage the unique properties of quantum science to bring about dramatic improvements in such capabilities as quantum computing, quantum communications and encryption, and quantum sensors.