Additional Priorities

December 2, 2020  • US Cybersecurity Group

Information Operations

By weaponizing social networks and digital media, a wide range of malicious governments, organizations, and individuals are actively undermining American society’s shared understanding of evidence-based reality. Left unchecked, malign influence campaigns present a threat to modern democracy and national security. Foreign adversaries are leveraging these tactics as a purposeful, long-term strategy to paralyze and poison public life. Domestic groups and individuals use similar tactics to sow social division and advance unsubstantiated conspiracies. Even worse, innovation in fields such as artificial intelligence are allowing foreign and domestic actors to scale their efforts to infect public discourse with false narratives.

Given the stakes, many observers are clamoring for a more aggressive defense. For the federal government, confronting this challenge means resolving at least three problems. First, we must review, improve, and institutionalize tested processes and capabilities for disrupting foreign influence operations. Structures such as the FBI’s Foreign Influence Task Force and CISA’s Countering Foreign Influence Task Force provide a solid foundation for establishing long-term partnerships between relevant federal agencies and the private companies that supply the information ecosystem.

Second, the federal government must take the basic step of defining which information operations merit attention in the first place. When should we start to care about a specific information operation? How should we think about adversary campaigns, where seemingly unimportant, separate operations actually combine to achieve a serious impact? What threshold level of harm must be crossed to trigger action by federal authorities? How should we even measure the harm? A chief priority for the White House and Congress should be to select criteria for identifying the specific types of information operations that deserve federal scrutiny and potential intervention. This will be essential not only for targeting limited resources but also to start addressing the third, most difficult challenge.

While the First Amendment generally prohibits government restrictions on freedom of speech, our leaders today cannot ignore the pernicious epidemic of misinformation, disinformation, and violent extremist content produced and disseminated by domestic actors. Unlike in the case of foreign-directed information operations, there is no obvious toolset for addressing domestic information campaigns, which create effects that may be identical to those led by foreign governments. Any action is likely to be met with serious political repercussions. Enhancing public resilience to these false narratives is an incredibly hard problem, and it is not surprising that the most important stakeholders—social media companies, federal agencies, state or local governments, and education leaders—have yet to raise their hand and offer to lead the charge. This must change. Focusing on foreign influence as the sole source of information operations lets our nation off the hook, abdicating the soul-searching it needs to reexamine the responsibility of social media companies and government leaders in cultivating a healthy public discourse.

Dig Deeper:
Algorithmic Bias and Cybersecurity

Algorithms, advanced behavioral analytics, and facial recognition technologies are increasingly becoming a part of everyday life. Banks, judges, and law enforcement agencies rely on computer code to make life-altering decisions on lending, sentencing, and criminal investigations. These systems are already causing disparate impacts that perpetuate discrimination against racial and ethnic minorities due to unintentional—but very real—biases in the underlying datasets. A recent study by NIST, for example, found that the majority of facial recognition algorithms it tested exhibited demographic differentials. Others have found strong evidence of racial discrimination in housing loan and criminal justice recidivism tools.

Even when used in good faith, these tools support critical and opaque decisions on behalf of vulnerable populations, including racial and ethnic minorities who have no opportunity to inform how these systems are created, and who are more likely to be harmed by their use. Yet cybersecurity risks allow attackers to manipulate algorithms and introduce deliberate bias, notwithstanding the good intentions of authorized users. Malicious actors may try and obtain the underlying data powering the algorithm, manipulate that data to affect the algorithm’s calculus, or alter the algorithmic code itself. Without greater transparency into how algorithmic tools are developed and deployed, it will be difficult to show that decision outcomes are legitimate.

At a minimum, government and independent bodies should establish auditing standards for the private and public sectors to use as benchmarks before decision-making algorithms are deployed–particularly when they apply to racial and ethnic minorities and other vulnerable groups. Organizations that use them, from courts to schools, should also develop clear guides for assessing algorithms during procurement processes, borrowing lessons from the World Economic Forum’s AI Procurement Guide or the EdTech Equity Project’s School Procurement Guide. In doing so, the public sector can establish a role in cultivating industry-wide standards.

Dig Deeper

Learn more

Legislation, Regulation, Executive Orders, and Guidance

State and Local Cybersecurity

SLTT governments are on the frontlines of cybersecurity. Since 2016, federal support for state and local leadership in cybersecurity has focused on election security. It is possible that in the wake of the 2020 election season, notable for the absence of known cases of malicious compromise in election infrastructure, members of Congress or state leaders might dismiss continued investment and planning in election security. This would be a mistake. Recent disinformation campaigns to delegitimize the electoral process only increase the risk that even isolated, limited security incidents could undermine public confidence in future results. The need to fund and, critically, professionalize all aspects of cybersecurity in the elections sector is greater than ever.

However, election security is only one slice of state and local cybersecurity. State and local homeland security officials, law enforcement, and National Guard units commonly provide the on-the-ground response for ransomware incidents. State and local regulatory commissions set rules and guidelines for energy distribution, water facilities, and insurance standards. And universities, community colleges, and K-12 institutions are the primary source of the nation’s cybersecurity talent pool.

Many state and local officials are eager for closer partnerships with federal cybersecurity departments and agencies. They need assistance with developing statewide cybersecurity strategies, exercising response plans, scaling cybersecurity education, and partnering with industry. A principal obstacle to progress is a lack of dedicated personnel in federal and state offices to drive these priorities. Legislation to create a cybersecurity liaison for each state within DHS, if enacted and supported with sufficient funding, would supply a partial solution. Federal policymakers should also strongly encourage the governor of every state and territory to create and fund a dedicated, statewide cybersecurity coordinator, not merely designate a preexisting department head. Federal liaisons and state coordinators could form state-specific duos equipped to communicate state and local needs to federal policymakers, integrate federal capabilities into statewide cybersecurity plans, and standardize effective strategies nationwide.

Dig Deeper:

Learn More

Legislation, Regulations, Executive Orders, and Guidance

Federal Support for Basic Research

Foundational research is the bedrock of innovation. The National Science Foundation defines it as “activity aimed at acquiring new knowledge or understanding without specific immediate commercial application or use.” It fosters discovery that informs and strengthens the application of new technologies down the road. The success of foundational research is not always immediately tangible nor is it guaranteed; it is by design an exploration of the unknown.

The case for government R&D funding—particularly foundational research—is simple: no one else will do it at scale. Foundational research frequently does not reward the original spender. Investing in technological innovation is risky, and long-term research often fails to yield profits. Our economic competitiveness relies on federal investment in foundational research that allows industry to direct its own research dollars into applied technologies where payoff is more likely.

Unfortunately, federal R&D funding—which encompasses foundational research—as a percentage of GDP has fallen steadily since the 1960s. Although industry R&D investment continues to rise, dwindling federal government investment is troubling. By contrast, China doubled its foundational research funding in the last five years and spent a record $254 billion on R&D in 2017, narrowing the gap between it and the United States in R&D spending. If the United States wants to lead the world in innovation, this must change. To start, Congress should ensure that federal agencies have the budget authority and appropriations to bring the federal government back to at least a 50% share of basic research nationwide. Authorizing language should be accompanied by statutory language that expressly embraces risk and encourages federal agencies to adopt a risk tolerant approach to awarding federal research grants.

Dig Deeper:

Learn More

Legislation, Regulations, Executive Orders, and Guidance

Basic Cyber Hygiene

Many dimensions of cybersecurity strategy and policy would be unnecessary if most organizations implemented a relatively limited set of cybersecurity measures, including but not limited to those outlined in the CIS Critical Controls. Foundational cyber hygiene practices include deploying multifactor authentication, mandating regular software updates, enforcing least privilege access, inventorying devices and software, monitoring networks, recording security anomalies, exercising crisis response procedures, and backing up critical data.

For a variety of reasons, many of these relatively best practices are simply not employed by government organizations, companies, or individuals. Decision makers might not understand the risks. If they do, their hiring department might struggle to find skilled personnel to implement basic controls. Even equipped with the right people and resources, some organizations are incentivized to prioritize convenience and service delivery over more mature risk management that adds cost and time to projects. And without better data on where their peers stand and which cybersecurity measures provide the best return on investment, cybersecurity professionals may struggle to persuade leadership to prioritize their advice.

Many recommendations in this report speak to these challenges and offer pathways to drive more widespread adoption of cybersecurity hygiene, particularly for larger organizations. But cybersecurity policymakers must focus more attention on driving foundational practices for all organizations and individuals, from small businesses to state agencies. Different stakeholders require appropriately tailored guidance and incentives. Across these communities, greater awareness of how to leverage existing and emerging technologies to help manage risk and outsource security maintenance is also essential to scaling an effective defense.

Dig Deeper:

Learn More

Legislation, Regulations, Executive Orders, and Guidance