Currie Lecture 2018 | Jack L. Goldsmith, The Failure of Internet Freedom

Good afternoon, everybody. I am David Levi, the
Dean of Duke Law School. Welcome to the Brainerd
Currie Memorial Lecture. This lecture is named in
honor of Professor Brainerd Currie, who taught contracts,
admiralty, and conflict of laws at Duke from 1946
to 1949 and then again from 1961 to 1965. He was an admired scholar
and a beloved teacher here at Duke as well as at
several other law schools. He was the leading
theorist of his time on the conflict of laws. This lecture series began in
1967, and since that time, it has been given by scholars
of the very first rank. Truly extraordinary
thinkers in the law. This year’s lecturer is
Jack Landman Goldsmith, the Henry L. Shaddock professor
of Law at Harvard Law School. He is the author of
Power and Constraint, the Accountable
Presidency after 9/11 and The Terror Presidency, Law
and Judgment Inside the Bush Administration, as well as
many other books, articles, and articles on topics
related to terrorism, national security, international
law, conflicts of law, and internet law. Professor Goldsmith served
as Assistant Attorney General Office of Legal Counsel from
October 2003 through July 2004. I see Walter Dellinger here, who
also served in that capacity. And Special Counsel
to the General Counsel to the Department of
Defense from September 2002 through June 2003. He clerked for Justice
Kennedy on the Supreme Court, for Judge Wilkinson on the
4th Circuit Court of Appeals, and for Judge George Aldridge
on the Iran-US Claims Tribunal. He is the co-author
of the Lawfare blog. He’s a good friend to many
of us, a delightful person, and a very creative
and powerful scholar. Professor Goldsmith. Thank you. Thank you. Hi. Thank you for that nice
introduction, David. And excuse me one second. Thanks so much for inviting
me to give this lecture. It’s great to be here. I have many friends
on the faculty, and I love being
in North Carolina. Let’s see how this works. OK, Brainerd Currie. So as David said,
this lecture series is named after Brainerd
Currie, and when David asked me to
give this lecture, one of the reasons I
was inclined to do so is because I am actually among
the probably very few people in the Academy who is a great
admirer of Brainerd Currie. Most of the students in the room
probably don’t know who he was. He was, as David said,
among many other things, he was most noted for his
very influential writings on the conflict of laws. And I think it’s fair to
say that he had a greater impact on the conflict of
laws in the second half of the 20th century than anyone. Most people think not
a positive impact. I was early in my
career in law school and obsessed with
conflict of laws, and I was obsessed
with Brainerd Currie. I didn’t agree with
most of what he said, but he had a large
impact on my thinking. He was a brilliant man. I also got to know his
son, David, very well, who was also a brilliant lawyer
at the University of Chicago. So I’m very pleased to give
the Brainerd Currie lecture. I’m going to be talking
about internet freedom. And basically, in
this lecture, I want to try to bring together
some familiar things you read in the newspaper and put them in
a larger and hopefully somewhat coherent perspective. And the target of my talk is
the US Internet Freedom vision, which I will date from
between 1996 and 2016. So the second term of the
Clinton administration through the end of the
Obama administration. And during this period, the
United States government had a very consistent
and coherent– it was a developing view
of internet freedom, but they had a consistent
and coherent theory that they pushed in
legislation and regulation and international affairs. And it was one that insisted
on the free flow of information across borders. The United States was against
blocking internet services. With very few exceptions, they
didn’t like content blocking or any form of blocking. Intellectual property was
the one major exception to this for the United States. They were against the
burdensome internet regulations, internet technology regulations. This is especially
true– it started in the Clinton administration. It was a Libertarian approach,
a market-based, anti-government, Libertarian approach to the
development of the internet. Non-tax. The idea was as the internet
became commercialized in the 1990s, and especially
since the United States was a leader both in
developing the internet and had leading internet
firms at the time and growing and
continuing so, this was an approach
designed to enhance the spread of the
internet and the growth of the use of the internet
and the growth of speech on the internet. During the Clinton
administration, the last half of
the second term, there wasn’t much
focus on censorship. And the reason was because in
the 1990s, for those of you who remember, it was thought
that the internet couldn’t be censored. So they didn’t– Clinton, when he
went to China in ’98, I think he famously said that
trying to regulate the internet is like trying to nail
jello to the wall. He meant to say that
it couldn’t be done. And there was a
belief in the 1990s that the internet was a service
and a technology that simply couldn’t be regulated
because it was everywhere and nowhere at once, and content
could be stored abroad and sent over borders, and it was hard
to stop the flow of content over borders. By the time of George
W. Bush’s presidency, and especially in Barack
Obama’s presidency, this became a concern
because nations– authoritarian nations
especially, but not just authoritarian
nations, became adept at regulating the
internet in a variety of ways that I’m going to talk about. So that was the basic
internet freedom policy. The United States argued
that this was the right way to promote the internet. That this would promote
free speech globally. That it would produce wealth. That it would give
individuals access to all of the miracles
of the internet, and this was just a
win-win for everyone. That was the basic theory. The theory became
more developed, or the position became more
developed, during the Obama administration. And especially, the
most important landmark in the US Internet
Freedom Initiative vision was a 2010 speech by Secretary
of State Clinton in which she gave this view of American
foreign policy, and really, American internet policy, its
most full-throated, explicit defense. And she added these three
points to the basic US position. One is that the
United States was going to be proactive
in promoting internet freedom abroad. This was something
that actually began under the Bush administration. But what this meant concretely
was that the United States would spend money to
help spread freedom in authoritarian states. To help people in
authoritarian states circumvent to
maintain anonymity, to circumvent filtering
and censorship. That the United States would
give them tools and give them training and
basically would help promote internet freedom in
an aggressive, subsidized way, including with
technical assistance. She also pointed out
that cybersecurity was important to
internet freedom because if these networks
weren’t secure, then all of the wealth,
especially, and everything embedded in the internet
would depend upon security. So she emphasized that. And she also emphasized
that the United States wanted to establish
international norms reflecting this position. So that, in a nutshell,
is the vision. And I’m here to say
that it’s failed. And I’m going to tell
you why it’s failed. I’m going to say why
it’s failed and then what will be done about it. I don’t know what
should be done about it. And I’m not sure anything
could be done about it. I’m pretty pessimistic. But I want to spend
most of my talk talking about why it’s failed. And there are basically
three reasons. The United States is widely seen
as really one of the enemies of internet freedom. And I’m going to explain that. Despite the vision
I’ve just articulated. It turns out that the United
States has failed and cannot promote internet freedom abroad,
and I’ll explain what I mean by that. And as we’re experiencing every
day, internet freedom at home is creating big problems. OK. So first, the United States
is seen as a cyber bully. I mean five things by this. I’m going to tell you,
basically, five stories. So the Frightful
Five is the name I think the New York Times gave
to Google, Facebook, Apple, Amazon, and Microsoft. These global internet
technology conglomerates that really dominate internet
services and related services around the globe. And it is hard to exaggerate how
big a threat other nations see the so-called Frightful Five. They are viewed to have outsized
influences on economies. They’re viewed to shape
values in other places in ways that aren’t
consonant with local values. They’re seen as sucking out
data from those countries, sending them back to
the United States, and supporting ever
more powerful algorithms to enhance the power and
products of these companies. And they’re viewed, basically,
with wide resentment. Now I mean this
mostly by governments. Consumers like these products. It’s governments that don’t
like the Frightful Five. This is best captured
in a quotation from Mathias Dopfner,
who’s the head of a large digital publishing–
the largest digital publishing unit in Europe and also the
President of the Federation of German Newspapers. He wrote an open letter,
a long open letter, to Eric Schmidt
of Google in 2014 in which he said
a lot of things, but this really captures the
European sensibility on this. “We are afraid of Google. It concerns our values,
our understanding of the nature of humanity,
our worldwide social order, and, from our perspective,
the future of Europe.” That sounds– those
are large claims, and there’s a lot of
self-interest underlying his complaints
about Google, but I think that accurately reflects
the way that a lot of people see the Frightful Five. So the United States
is viewed as basically that it’s firms are viewed
as dominant in this area, and a lot of countries
don’t like it. Second, in the Arab Spring
and before the Arab Spring, and lots of disruptions
from 2009 to 2011, US internet firms, and
especially social media, were seen, were perceived to be
very important in facilitating the uprisings, especially
in the Arab Spring, but in other countries as well. And there’s an academic debate
about the extent to which social media actually did
help foster those revolutions, and that’s contested. But what’s not contested
is that the social media firms and encrypted
communication platforms were almost all
American firms, and they were seen as tools
of American power, and they were seen as express
tools of American power as tools of the
American government. Four days after the
first protests in 2009, the so-called Twitter Protest
in Iran, the New York Times– I think it was four days after–
ran a story on the front page saying that the State Department
was working very closely with Twitter to make sure that
Twitter stayed up and running during a– they were due for a
scheduled service that would have taken the service down– and that Twitter
was up and running and was available as a tool to
help foster this revolution. And this was confirmed a lot of
authoritarian countries’ views that these technologies
were actually going hand-in-hand
with US foreign policy and were threats to
their sovereignty and to the existence
of these governments. And there was lots
of other evidence of especially the
relationship between the Obama administration and
Silicon Valley. That they were
working hand-in-hand. And of course, six or eight
months later, Hillary Clinton gives the internet freedom
speech in which he says, yeah. We’re behind this. We’re supporting it. We’re paying for it. And that was widely
applauded at home, but abroad in
authoritarian states, that was viewed with horror. Evgeny Morozov, in his excellent
book, The Net Delusion, describes it as that
the web was perceived as some kind of made-in-America
digital missile that could undermine
authoritarian stability. That’s a little bit flowery,
but that captures the idea. That around 2009, 2010,
2011, the combination of these protests, which seemed
to be organized and inspired with social media tools,
combined with Hillary Clinton’s speech, combined with these
overt connections and overt coordination between
the United States and trying to use these tools
to really bring down governments abroad. And the authoritarian
states took notice. Third, again, I want to
emphasize that for almost all of this talk, I’m
being descriptive. I’m trying to explain why
certain things have happened. Third, Cyber Command was
stood up also in 2009. This was an effort to
establish a more organized, offensive cyber capability. And the idea was that we would
establish an organization very closely related to the
National Security Agency that would engage in
offensive operations. And this was widely viewed
abroad as the United States militarizing cyberspace. And it was viewed
that way at home, but it was also be that
way abroad, especially. And this view
became more accepted when Stuxnet was reported by
The New York Times in 2010. This was the name
given to the operation, allegedly by the United
States and Israel, to use cyber means to interrupt
Iran’s nuclear centrifuges. So this was the use of cyber
offensive operations really across air gaps– it was an
extraordinary operation– to basically bring–
have an effect in Iran to adversely impact their
nuclear weapons development. And this gave– for the
people who were already worried about what
they were reading in the newspapers
about the United States and its capacities, this
gave a lot of people pause. Former CIA director and National
Security Agency Director Michael Hayden
described it as follows. That Stuxnet– the
Olympic Games was the name of the US operation. Stuxnet was what the
worm was described as. “The Olympic Games was
the first attack–” this is a quote– “of a
major nature in which a cyber attack was used to affect
physical destruction. Rather than simply steal data
or disrupt a normal computer’s operation–” excuse me. I didn’t read that well. Let me try that again. “It was the first attack of a
major nature in which a cyber attack was used to effect
physical destruction, as opposed to simply stealing
data or disrupting a normal computer’s operation. Somebody has crossed
the Rubicon,” Hayden said, comparing the
attack on Iran to August 1945, when the world first witnessed
the destructive power of nuclear weapons. The Olympic Games coming on
top of Cyber Command coming on top of the use of social
media being identified with the US
government, this is all creating a picture abroad
of the United States as the aggressive user
of cyber operations to monkey in other
people’s sovereignty to do what was viewed as harm
in other people’s networks in their countries. And last but certainly not least
was the Snowden revelations in 2013. And these revelations
basically revealed that the National
Security Agency was indeed living in the networks of just
about every other country. They had broken into
and were withdrawing data for a variety of
reasons, through a variety of programs in other nations. And they were also– this is when the domestic
programs, especially 702, became known to the
public, in which it became clear to the public that
the United States firms’ possession of data
inside the United States, the fact that Gmail
was frequently used, and Facebook was
frequently used, and that that traffic transited
through the United States, that this gave the United States
a huge asymmetrical advantage in collecting
information that was data and communications and
metadata that was basically concerning conversations and
activities outside the United States. It would be hard to overstate
the extent to which the Snowden revelations, on top
of all these things, made the world think that
the United States was really the greatest danger
to internet freedom. We were doing– it
seemed to many– and not just in authoritarian
states, in Europe as well, and other countries. That we were doing
the very things that Hillary Clinton
was saying one shouldn’t do in
her speech in 2010. It meant that whatever moral–
the combination of these things meant that whatever moral
authority of the United States had in its internet freedom
program had dissipated. It showed that the United
States, as I just said, was heavily involved in
surreptitious activities and other networks. It seemed to give the lie to
Secretary Clinton’s complaints in her 2010 speech that nations
that, quote, “systematically violate the rights
and privacy of those who use the internet for
peaceful political purposes should be ostracized
and punished.” They showed that the NSA was
undermining the very encryption tools that the State
Department was pushing to preserve anonymity abroad. And they basically– all
these things together gave other nations of the world,
authoritarian states and not, the incentive, the
cover, the excuse, and something of a roadmap to
do all of these things itself. These things together
sparked an arms race in both surveillance at home and
in protecting domestic networks from foreign infiltration and
in using information operations and cyber operations abroad. So the first point
I want to make is the United States
activities from basically 2009 through 2013, those
revelations really cut the knees out of the
Internet Freedom Program. Second, the United
States has failed in its efforts to impose
internet freedom abroad. This is, I think, a
somewhat familiar story. I’m not going to go
through all these, but Tim Wu and I wrote a book
in 2006 called Who Controls the Internet, Illusions
of a Borderless World. And the thesis of the
book, this was basically a response to the 1990s
vision that the internet couldn’t be regulated
by states, by nations. And the basic thesis
of the book was that nations within territories
can use coercive means to achieve extraordinary
control over the content that’s available on the internet
within their borders and on the use of
digital technologies within their borders. And that part of the
thesis, I think, has been– we weren’t the only
ones to think that. It’s been proven largely true. And nations, especially
in response to the events I just described, have
become more and more adept of using a
variety of strategies, from filters at the borders
to all sorts of laws about– filters at the borders,
to surveillance, to using social media to
surveil the users of technology, to using back doors
to break encryption, to insisting that
companies that do business allow access to
otherwise encrypted– create a means to allow
access to otherwise encrypted communications, to growing
homegrown services, basically states that
are adept, states that are technologically
sophisticated, and China is the main
example, the leading example, have achieved extraordinary
control over their networks. Not every nation is
as good as China, but the idea that
regulating the internet was like nailing jello to the
wall has been proven false. China has brought
extraordinary control. At the same time, that doesn’t
mean that they clamp down on all speech. They’re very sophisticated
and subtle about it. At the same time, China has
an extraordinarily robust– it has to be said–
internet within its borders. But certain forms of speech and
certain forms of organization are not allowed,
and they have lots of tools to ensure that
they can control that. Now, this is a
Freedom House study that was just published a couple
of months ago, through 2018. And basically
everything but green is bad news, from Freedom
House’s perspective. This is basically– Freedom House has been
studying internet freedom since Hillary Clinton’s
speech in 2010. Every year they study it,
they use qualitative measures. What they’re measuring
is traditional freedom of speech and expression on
networks around the world. And basically using
qualitative criteria, their numbers show that every
year since Hillary Clinton’s speech, internet freedom
has declined in general. Some nations get
better some years, but on the whole, every
year, it gets worse. And the point is
that these tools are being used increasingly
successfully around the world. The Arab Spring,
as I said earlier, was thought to be
a counter example. But the conventional wisdom
now, I think it’s fair to say, is that the problem
in 2009, 2010, 2011, was not that states were
incapable of controlling these tools while also allowing
their people to use them, but rather that they were
either not adequately prepared or didn’t have the
sophistication. And basically what’s
happened since 2009, 2010, 2011, is that
authoritarian states have become much more adept
at reverse engineering these tools, and in
fact, using social media tools as tools of surveillance
and tools for control. Ron Deibert, after
studying this, said– he’s a prominent internet
analyst from Canada– “authoritarian
regimes–” I think this is an accurate statement–
“have proven themselves surprisingly and dismayingly
light-footed and adaptable at controlling internet
and social media and then using these tools
for authoritarian ends.” So that is the situation
in authoritarian states. The European Union
is a different story. This is another story of nations
of a different territorial sovereignty also imposing
its vision of the internet in its territory in a way
that departs from US internet freedom. Basically, the EU has
a different conception than the United States,
as I’m sure you’re aware, about the nature of privacy,
the nature of consumer control over data, the relationship
between firms and data, and between the
individual and firms. They value privacy
and consumer control much more than
the United States. They have a quite different
conception of free speech. And they’re much more inclined
to regulate than the United States is in general. And so over the last five,
six, seven years, and frankly, this has been going on since
the dawn of the global internet, and Tim and I talk
about this in our book. But it’s grown much
more consequential in the last five or six years. Europe has regulated antitrust
and hate speech and privacy, the right to be forgotten
is a prominent example. They have successfully
imposed ever-increasing taxes on US firms. They can do what they want,
the European Union can, to these firms in their borders. And as the– the basic
principle in both the authoritarian
states and in places even like Europe is that the
more burdensome regulation wins. The brute fact is that US
firms to do business abroad have to comply with local laws,
and the permissive environment in the United States, whether
it’s a speech environment, or whether it’s a
business environment, doesn’t hold abroad. And if the market is big enough,
as China and the European Union are, US firms have to
bow to those regulations. And the United States
has not succeeded yet, either in the
authoritarian states or in the European Union, in
imposing its particular vision. So what we see
happening is basically– what I’ve sketched a little bit,
I’m going to fill out a little bit more now– is a digital Cold War
between basically these three blocs, the authoritarian
states, the European Union, and the United States. And I’m sorry to keep talking
about my book with Tim. I’m going to tell you
one more thing about it, and then I’m going to tell
you what we got wrong. In the penultimate
paragraph of the book, after describing
the various ways that nations we thought would
be successful at controlling internet flows and content
and usage within their borders and in talking about the ways
in which some of these things were starting to– some
of these domestic controls were starting to seep out
and have externalities in other countries,
we said the following. “It’s not just that
nations have the power to shape the internet’s
architecture in different ways. It’s that the United
States, China, and Europe are using their coercive powers
to establish different visions of what the internet might be. In so doing, they will
attract other nations to choose among
models of control, ranging from the United States’
relatively free and open model to China’s model of
political control, with the European
Union in the middle. The result–” this is 2006– “is the beginning of a
technological version of the Cold War, with each
side pushing its own vision of the internet’s future.” This is exactly what we
see going on with China is not just using these
tools within its borders. It is coordinating with
other authoritarian states, with technical
assistance, with learning, and helping authoritarian
states achieve similar control. It’s not just China that’s doing
that, but they’re the leader. The European Union is,
in a variety of ways, exporting its vision
to the United States. The big question here
is whether the right to be forgotten,
which is basically a right to have information
about you delisted from– basically not be not made
available on search engines, whether that will have
extraterritorial effect. That’s before the European
Court right now, that question. And if that question is answered
the way some people think, it means that European
conceptions of privacy will be imposed
globally, and there won’t be anything
Google can do about that, the Googles of the
world can do about that. And so the other blocs
are exporting their vision just the same way we
were trying to export our vision on the Clinton
model and the Clinton, Bush, Clinton-Obama model. And so there’s this
large fight going on. And what I’ve tried
to suggest so far is that on the global level,
the United States has– we still have dominant IT firms. I don’t think that
all of these or any of these regulations in Europe
are going to kill these firms. They might affect their profit,
the bottom line profits. Not clear how Europe
might use antitrust law to affect these firms. On the whole, I don’t
think that those firms are going to stop doing
business in Europe or anything like that. The situation in the
Chinas of the world is more precarious,
because China, as a condition of
doing business, really places very high
demands on US firms in terms of storing data there,
in terms of giving access to data there, in terms of
working with local officials, in terms of giving
over source code, in terms of working
with the government to clamp down on free speech. So basically, our
firms have to comply wherever they do business. And the United States, to
date, has not been successful. And the firms, in my view– we
can talk about this in question and answer– the firms, in my view,
if their decision as private firms, to
decide whether and when to do business, if
the United States thinks that our firm shouldn’t
be doing business in China, then the United
States should issue sanctions that prevents
them from doing business. Otherwise, in my view, it’s
those firms tasked it aside. And the truth is is
that the market in China is so enormous that
no firm can afford to not participate there. Not only because the
market there is big, but because China is developing
homegrown competitors that are going to be global
competitors as well. So the basic point is
that the European bloc and the authoritarian
bloc have been very successful at resisting
the internet freedom idea. They’ve been very successful, as
Tim and I and many other people predicted, trolling
their vision. Imposing their vision
within their territories. Now I’m going to turn
to the domestic realm. So Tim and I wrote
our book in 2006. That was the year
Twitter was created. Facebook was created
two years earlier. I barely knew about it
in 2006, even though it was started in Cambridge. We didn’t say a word about
social media in our book. We didn’t say a word about
cybersecurity in our book. We barely spoke–
we didn’t say a word about surveillance in our book. These were factors
that governed control of the internet that were just
invisible to us at the time. And all of those things,
cybersecurity and surveillance especially, challenge
the paradigm that states can
control activities within their borders. It turns out that cybersecurity
is a very hard problem to deal with, and
it’s not a problem you can deal with simply by– it can be dealt with– it’s not a problem you can
deal with simply by asserting control in your borders. I’m sorry. I don’t want to get to that yet. Let me see how I’m
going to do this. Sorry. OK. So we also didn’t talk
about free speech at home. So now I’m going to
move on and tell you the ways in which the Internet
Freedom vision is actually doing harm at home. And the very premise that
more speech is better is being called into question. So one is with– I’m now moving to how freedom
is working out at home. One is the idea of
weaponized speech. This is something we see every
day, we experience, some of us, and we see articles
about every day. About the ways in which speech
is being used as a weapon to distort information,
to attack speakers, it’s done by private
entities, not by the State. The danger to speech
here, in this context, is not from the State. And that’s why our
traditional First Amendment thinking doesn’t work very
well in analyzing this problem. The threat here comes
from private speech that is extremely easy to
produce and aggregate and send around very quickly. And that includes non-truthful
speech or misleading speech or harmful speech,
very harmful speech, that can either viciously
attack certain targets, and thereby silence
them in a private way that the government actually
has a hard time regulating. That uses flooding
tactics to distort speech by taking a piece of
speech and just presenting a different reality. That became a very
successful tool. This all comes under
the rubric of– this part in particular
comes under the rubric of misinformation or fake news. It’s also related to the
extraordinary splintering and decentralization
of media sources. The fact that we all tend to get
our media not from The New York Times and The Washington
Post and three broadcast news and the shows in the evening,
but from a whole plethora of sources. And to the related idea that we
can all opt into our daily me, as my colleague, Cass
Sunstein, talks about it, and consume the news or be
targeted with news that we’re more likely to want to see. So on this problem
of weaponized speech, I think this is a large problem. It’s not a problem
I’m an expert on, but it is one of the downsides. And it’s also something
that the government has a hard time regulating. Because the First Amendment
cannot regulate this type of harmful, private
speech that takes– at least not under
traditional current doctrine– harmful speech that takes
place in the private sector. The institutions making
the decisions about speech are the private firms. And we’re now in the middle
of the private firms, Facebook and Twitter and the like,
trying to figure out how they can regulate
the speech to make it, for lack of a better phrase,
and this is a weird phrase to say in a speech context,
better, higher quality speech. To even say that is dangerous
because who decides that? That’s the danger. I’m not yet talking
about Russian operations or foreign operations. I’m just talking about
domestic speech patterns. So this is all by way of
saying that freedom of speech in the internet and
social media era has yet to be theorized– its
value has yet to be theorized, I think it’s fair to say. I’m actually somewhat
agnostic on this. I think it’s very hard yet
to tell because we don’t understand the alternatives. I think that some sometimes
the idea of daily me’s and retreating into our own
worlds in which we don’t see opposite views, some of
the emerging social science evidence on that suggests
that that’s overstated, and that with this
plethora of media sources, we actually see a
variety of views more often than we used to. But there’s no
doubt that there’s something going on with free
speech in the United States, and that it’s a problem. I’m more concerned– and then
I’m going to talk for the next few slides– about the relationship between– this is a non-obvious
relationship– the relationship between
our open and free society and cybersecurity. Because here I think we
are at a serious asymmetric disadvantage, vis-a-vis
authoritarian states, in protecting our
digital networks. So these are three
comments from Dan Coats, the Director of National
Intelligence, last month. Rob Joyce, who is the
White House Cyber Czar. That was last November. I think it’s Robert Ashley. I keep forgetting his name. Robert Ashley is the head of
the Defense Intelligence Agency. And this was in
testimony yesterday. I could have given you a
thousand slides like this. The United States is
literally under attack. It’s under attack on
a variety of contexts, and we’re very much
losing this battle. It’s under attack in terms of
our intellectual property being stolen and exfiltrated. It’s under attack in terms
of our public institutions having sensitive data
stolen, whether it’s the OPM hack or others,
or the DNC hack, which I’ll get to more in a second. The Office of Professional
Management hack, in which the Chinese
Stole millions of records of very sensitive
information about classified files of people who
work in the government, and it did a lot of damage. The reason, in a nutshell,
why cybersecurity is hard is because all of
our– all of our. A great deal of our wealth
and our security and our power is embedded in digital networks. Literally embedded
in digital networks. Those digital networks
are connected, often, to the internet or through
some means that could easily be connected to the internet. The number of actors
who have access to that sensitive and important
information and data that represents and
embodies our power, it’s not someone who walks
to the door and gets in and steals something
out of– it’s something that anyone in the
world, in theory, has access to if those machines
are directly or indirectly connected to the
internet or a thumb drive or some other means
of exfiltration. So the number of
offensive actors is multiplied by the millions,
hundreds of millions, possibly. So let’s just say millions. Defense is hard
in cybersecurity. Offense is easier because the
nature of software and hardware vulnerabilities is
such that they’re impossible to eliminate,
especially when– impossible is the wrong word. Very, very hard to eliminate,
especially when softwares interact in unpredictable ways. And that means that
offensive has an advantage, because offense only
has to find one way in, and defense has to find
every chink in the armor. For a variety of
reasons, this means that we have had hundreds of
billions, by some measure, of intellectual property
stolen, and all the other losses in the private and public
sector that you read about everyday in the news. So here are three slides
about how our open society makes this problem worse. And I don’t know what
we can do about this. So you’ll see at the end, I
don’t have great solutions to this. So the first point
I want to make is this is a point both
about the combination of digital dependence, the
fact that we as a society are deeply dependent on digital
networks, from our phones, to our homes, to our cars. Digital dependence means that
there’s lots of attack space. That our adversaries have many,
many places, an almost infinite number of attack sites. When that fact is combined
with our free and open society, it makes for some
difficult situations. One of the most notable elements
of the last three or four years, in which the
government is constantly publicizing our
digital losses, is that we seem to do very
little in response. This is a large puzzle. The United States seems hesitant
to do anything in public. They talk a lot, but the
sanctions, it’s an indictment, or it’s some economic
sanctions in the face of catastrophic losses. Even the sanctions in
the face of the DNC hack seemed minuscule
to meet the task. There might be secret
sanctions going on. It seems like
they’re not robust, and they don’t have much of a
deterrent effect if they are. So one puzzle is why is the
greatest power in the world, and indeed, the greatest
offensive power in the world, so hesitant to fight back? And why are we having
such a hard time punishing our adversaries
when they do this to us? There are many reasons for this. One of the reasons is
that much of this stuff is not illegal under
international law. That’s another story, which we
won’t have time to get into. But in fact, we,
as Snowden shows, are doing things that
are very related. And frankly, the
United States has engaged in
information operations for a very long time. All the things that
are happening to us, in one way or
another, we have been doing to other countries
for a long time. What was the Clinton Internet
Freedom Initiative, other than subsidizing US
and other entities to use tools in foreign
networks to try to make changes to bring political change? That’s what it was
about, overtly. And for a variety of
reasons I can’t get into, we can talk about it
in question and answer, that’s not illegal
under international law. So why we hesitate. One reason we hesitate is
we have an open society. And what that means
is, this is a quote from Obama in his last
press conference in 2016. And what he meant
here is that we are unusually susceptible
to information operations of the type that
the Russians did against us. Compare the propaganda
that was used against us through social media,
compare the doxing operations where information was stolen
from the Democratic National Committee, and then
just published, and then took on a
destructive life of its own. That can happen
in a free society, and it’s very hard for that
to happen in a closed society. The Russians and the Chinese
do a much, much better job of controlling speech
and of controlling the circulation of speech
and controlling access to that information. So we have an
asymmetrical disadvantage on our open society
in that we are much more subject to those
types of foreign influence operations. Moreover, because we
are so subject to those, one of the main reasons you
hear this jargon being used in the newspapers, one
of the main reasons we hesitate to
attack in response, is that we fear we
lose in escalation. Which means that every time–
and this is what Clapper is talking about in this quote. This was from the Director
of National Intelligence under Obama, Jim Clapper. Every time that the United
States servers sees attacks, there’s a large
discussion in Washington about what are we going to do. There are a whole array
of tools put on the table. And there are certain
tools, you know, you can’t exactly use nuclear
weapons or physical force against most of these attacks. It would be illegal
under international law. And it would not be popular
at home or abroad, probably. And it would lead to worse
consequences in that respect. Using cyber means can
be more effective, although, as I
just described, we have fewer options in
the use of cyber means abroad, in closed
societies, especially. And more importantly, here
is what I mean by escalation. Every one of these
situations, this has happened. This happened in OPM. It happened in the DNC
hack, in the election hack. The United States hesitated
because it feared retaliation to its retaliation. And every time they
modeled it out, they thought, well,
if we do this to them, they can come back and
do a lot worse to us. We are basically an open target. And we’re an open target in
part, not only, but in part, because we’re a free society. And that means that the type
of information operations which can be much more sophisticated
than the 2016 elections, were much, much more vulnerable
to that type of operation. Second, there are downsides
of government transparency. This will seem,
perhaps, surprising, but the United States is the
most transparent government in the world when it
comes to its intelligence operations, both voluntarily
and involuntarily. We have many, many more leaks
of intelligence information. And part of the reason
we have many more leaks is because of the third point. We have extraordinary
press freedoms, and there’s a lot of
talk about cracking down on the press for the
leaks of the recent years. It doesn’t compare to any
other country in the world, in terms of our freedom. Freedom of press. We are, for reasons
I still puzzle over, but I think I have
an explanation for, the world’s leaders in
reporting our losses. The Chinese, the Europeans, they
suffer cyber losses, especially in the public sector. They don’t put them on the
front page of the paper. It’s a bit of a puzzle
why we do all the time. In part, it’s
because it leaks out. In part, it’s because
we live in a democracy, and our government thinks
they have to let people know, who are adversely affected, know
about the adverse consequences. But in any event,
we’re constantly publicizing our losses
at the same time that we’re constantly
publicizing our lack of reaction. It’s funny, but
it’s devastating. We have extraordinarily
open oversight, and believe it or not,
we treat leakers better. So we have a
permissive environment when it comes to the publication
of intelligence information, and we publish a lot of
information about losses. There’s downsides to this. And I think this is
another large– perhaps too subtle– but large explanation
for our lack of deterrence policy. We have these independent
pressures to disclose, and then once we disclose,
there’s pressure to attribute. And so the United States,
as soon as something happens, who did it. And there’s a big push
to say who did it. And then the United
States attributes, and oftentimes
there’s skepticism about the attribution, but
even if there’s not skepticism, practically nothing happens. And the asymmetrical disclosure
of these cyber losses, followed by a lack of response,
has a devastating impact on our deterrence policy. A devastating impact. And we’re in this
terrible cycle. And part of the reason
we’re in this terrible cycle is because we talk
about this stuff openly. We talk about it openly. We haven’t been
able to figure out a way to do anything about it. That sends signals that
we are an open target, and that’s exactly the
way we’re perceived by the rest of the world. The last point– I hesitate
to say this in a law school– are the downsides
of the rule of law. And I go a little
bit beyond my talk here, so I’ll just focus on
the domestic rule of law. So on the one hand,
the United States has the most legalistic
military and intelligence bureaucracy in the
world, by a large margin. We take law– this may
be a surprise to you, especially when it comes
to the initiation of use of force and compliance
with the UN Charter. But outside that
context, where I actually don’t think we take legal
compliance very seriously, we take legal compliance
very seriously. We also have very robust
domestic legal protections, the First and Fourth
Amendment, and a variety of statutory protections
that keeps the United States from basically
being in the network. And we take international
law seriously. And cyber operations,
there are operations that we don’t do because
we worry about collateral consequences and
proportionality, and we worry about sovereignty
concerns, especially neutrals. And so our military
and intelligence takes these rules
very seriously. The rest of the world doesn’t. And this has a really
asymmetrical impact on our security. And really, the main
point I want to focus on, because it’s the domestic
point, is the first one. The digital network
is in private hands. It’s owned by private companies. The United States uses
the network for 90 and some odd percent
of its traffic, but it’s owned by
private companies. It’s the only channel of
attack, air space, sea, and land being the others, it’s
the only channel of attack where the United States
government does not have control. It does not have
control over the weapons coming into the border
and being used against us. And there are significant
legal restrictions preventing the United States
from having access and control. And there are a lot of good
reasons for this, reasons that we cherish and
that are very important, but they also put us
at a disadvantage. By contrast,
authoritarian states don’t have these problems. China has very serious
cyber security concerns also because it too, like the
United States, and unlike, say, North Korea, is
deeply digitally dependent, and they have very serious
cybersecurity problems. They are doing things about
those cybersecurity problems that we could never do, starting
with the Great Wall of China, which can be used to keep out
stuff at a crude level, cyber security threats
at a crude level, to eliminating– they’re in
the process of having a very significant digital registration
process to eliminate anonymity, which makes cyber
security easier to do, to insisting on backdoor access
to encrypted communications, to insisting on backdoor
access to encrypted data or it not being encrypted, to being
fully present in the network and to be able to respond
to malicious activity very quickly. So there’s a serious asymmetry. Because the rule of law is one
side of our openness at home, our freedoms at home, but it
makes cybersecurity that much harder, and it creates
an asymmetrical weakness with our adversaries. OK. This is the story that
I think wraps it all up. So when Hillary Clinton
gave her speech in 2010, she had Russia in mind. She had the Russians
in mind, in part, and she had the idea of
using these digital tools to help bring freedom– to help break down the
authoritarian state in Russia. And in the legislative
elections of 2011, after those
legislative elections, there were protests in
Russia, very serious protests. Some people thought
Putin was endangered. He, at the time, blamed
Hillary Clinton for that. He believed, whether
correctly or not, that this was all part of
the US freedom operation to bring digital tools abroad
to help protesters coordinate, to help them maintain anonymity,
to help them bring down the regime or at least
affect the regime. That’s the way he viewed it. That operation in 2011,
if it was one, failed. But it might have been
what gave him the idea. There are a lot of episodes
like this in the 2000s. But his similar operation in the
United States wildly succeeded. And it wildly succeeded in 2016
with a very crude and simple– I mean, the crudest and
simplest propaganda effort, but really it was
the doxing operation. The stealing of the DNC
materials and the publication of those and the
churning that took place, that we’re still living
with the consequences of. So the basic story
is we wanted to bring internet freedom abroad. We failed, but our
adversaries, especially our authoritarian adversaries,
are using our freedom against us to do very
significant harm to us. That, in a nutshell, sums up
what I’ve been trying to say. OK. It’s at this point
that I’m supposed to tell you how we’re
going to fix this, but I’m running out of time. And I don’t have any answers. I’m actually– I and
a lot of other people, including, I’m sure,
people in this room, have thought about this a lot. There’s no single answer. There are a lot of
answers, and none of them are happy ones, assuming–
and they probably aren’t going to be successful. I think it’s going to get a lot
worse before it gets better. And my own view, my
large-picture view is that the internet
is actually– it’s developing a technology
that on a variety of fronts, even though we have
this short-term surge in our companies and in our
political and diplomatic power, I think in the medium-term,
it’s going to do us enormous, enormous damage. These are three things
I think will happen. I think that the Internet
Freedom Agenda is dead, because Donald
Trump is president, and he has no interest in
pushing human rights abroad. But I don’t think
it will be revived under the next administration. Because I think
the hypocrisy of it and its lack of effectiveness,
it might continue, but it’s going to be rethought. I think that– and I’ve
written a lot about this. I won’t be able to say
much about it here. The United States– I feel very strongly about this. What we are complaining about
now and what we are devastated about now with what
happened to us last year, the United States is
widely perceived– not without a large
element of truth– to do exactly those
things abroad. Now, it looks different, because
we’re the good guys fighting for democracy abroad. But for the Chinese
and the Russians, we’re meddling in
their digital networks to affect their sovereignty and
the nature of their government. And I don’t believe
that we’re going to be able to get
relief from the very destructive operations that
are being taken against us. And I’m not suggesting
this is an easy solution, but I don’t think we have
any chance of getting relief unless we’re willing
to give some stuff up, and no one is talking
about giving stuff up. And finally, we’re about
to, we’re in the middle, it’s starting now, I’ve
got stacks of things. I can’t keep up
with all the things being written about this. We’re in the middle of
rethinking freedom of speech at home. And what that means, whether
the First Amendment needs to change, how internet service
providers and social media should act to shape
speech, what should we do, both to have the
proper speech at home and to minimize foreign
infiltration in speech, we’re going to have the next– for your legal
careers, this is going to be the big issue in speech. And I’m going to stop there. And I’ve got nine minutes to
take questions, if you like. Questions? Yes, sir. What would you qualify,
as in would qualify as an armed attack under
international law that’s a cyber engagement? What level would
it go to, and what do you think the US, in an ideal
world, that they could just change the
international law today, what should it look like,
for the US’ benefit? That’s a big question. And there’s a lot of
debate about this. I’ll just tell you, I
don’t have any views beyond the conventional
wisdom on this. I’ll say two things. I don’t have any profound views
beyond the conventional wisdom. The challenge here is to take
the concepts of the UN Charter, use of force and armed attack,
these are kinetic terms, and to translate them
into a digital world. And the basic answer is that
if something happens digitally that causes the same harm or
analogous harm to something that happens
kinetically, than it has the same legal consequences. As a first cut, I think
that’s, as an analogy, probably the place to start. I don’t think it’s
going to end there, but I don’t know
the answer to that. But let me just say that that
is not where the action is. And so much scholarship
focus on attacks. All of the action,
almost all of the damage, is below the threshold of armed
attacks and uses of force. The DNC hack, the
OPM operation, there are lots of enormously
damaging things that our adversaries can do
to us by stealing information and publicizing, by stealing
information and using it to build products
abroad, and the like, that don’t implicate the Charter. And that’s where the
action is, and that’s where most of the harm is. Yes. On the domestic
side, there’s been a lot of discussion
of net neutrality, and I thought it
was interesting. Do you think that that
is in the same category as these concerns, or? You know, I’m no expert
in net neutrality. I don’t think those– I think, my own view– and
I’m not an expert on this– is that the net
neutrality debate has become a theological
debate about something else. And I don’t think there’s
a lot of empirical evidence yet about what will
actually happen if there’s pricing differentials
for the delivery of content. But the short answer is I
don’t see how it directly intersects with this. Yes. So you mentioned
Europe a little bit in the beginning of
your speech, but then kind of deviated from it a bit. I was wondering if
you could respond to what Europe is doing. They’re facing similar
threats, and I’ve heard one suggestion
is that they have different, for example,
campaign laws and voting laws. So for example, campaigns
are much shorter, so it offers less
opportunity to do damage. Do you think that Europe is
building its own road map? And if so, is it one
that we might look to? I don’t know about
that much either. I don’t think– so the problem– road map for what? I mean, they are very
concerned about data privacy. And there’s a new regulation,
European-wide regulation, that’s about to come into force
in a couple of months that is the most demanding
and restrictive privacy regulation there is. On that issue, they’re
making their will felt, and successfully so. And they just have a different
view about privacy than we do, and they’re imposing that
will on our companies, and our companies
are moving there, storing data there, both for
political and logical reasons. And we’re basically losing that. If you think it’s losing. I mean losing
against the baseline of our conception of privacy. But some people think they have
a better concept of privacy. I don’t know what they’re
doing on elections. I, frankly, have not
seen great proposals anywhere for how to
deal with the types of electoral interference
that the Russians carried out. Doxing operations,
as President Obama described that, that was an
unsophisticated attack that revealed information
that was disclosed and that had these
devastating impacts. If you just imagine– we’re not going to be able
to stop that from happening. People worry about
protecting the voter counts and things like that,
and we’re taking steps– again, I’m not an expert on
this– we’re taking steps to deal with those problems. I’m a little skeptical
about that as well. But on the types of propaganda,
the Facebooks and Twitters of the world, they’re taking
steps to eliminate anonymity, to try to eliminate
bots to generate– certain bots from
certain entities. But again, my own view is
that the propaganda stuff is less consequential
than the doxing operation. And when it comes to stealing
information strategically and releasing it, I don’t see
how any of these countries can do anything about that. And so I don’t see that type
of electoral interference being changed at all. And no, I haven’t seen
Europe doing the about that. But the truth is, I’m no expert
on what the Europeans are doing on that. Yes, in the back. Yes, sir. No, you, with the beard. Yeah. One of the few constants of the
internet since its inception has been individuals
breaking things and just kind of upsetting the status quo. Do you see any space for
the private actors involved, the technology companies,
those scary big five, to come in and not solve this,
but lessen the impact, and how? Again, that’s a
large, large question, and I’ll give you a very
large, abstract answer. I don’t. Look, the kind of things that
a lot of economists and policy makers think need to
be done to improve basic cybersecurity, which
means making software better, which means making
disclosures faster, which means basically
forcing companies to take the products they
deliver to us to be more secure, involved regulation. It involves regulation. It involves the
imposition of standards. It involves liability. All of those things are entirely
anathema to those companies, which they see as
killing innovation. And so far, those
companies have won. And by the way,
this problem is just about to get a whole lot
harder and worse because of the internet of
things, and we’re not doing a darn thing to
regulate cybersecurity there. So I don’t think– the companies
on their own, absent changes and liability and
regulation and taxes and the like, absent
government intervention, they have no incentive, frankly. Microsoft– I shouldn’t
say they have no incentive. They have a
reputational concern. And so Google’s a
pretty secure product. Microsoft has done a lot
to improve its software. They’ve done this through
purely internal market reasons because they’ve
perceived that it was important their products
have better security. But they only have an incentive
to do that up to the point where it makes them
the next dollar, and then they don’t have
that incentive anymore. And it really requires
government regulation. I’m not saying
that’s a good idea, because frankly, the
government often gets it wrong. And it’s very hard to know– and I’ve not seen
any great analysis of how we measure the costs
on innovation and the like– I just don’t– the companies
scream and yell, saying, you’re going to kill our
innovation advantage. And one of the
reasons that we’ve been the leaders
in all these areas is because we have
less regulation. I just don’t know
how to assess that. I haven’t studied it enough
yet, but that’s the argument. Thank you. Thank you very much.

Leave a Reply

Your email address will not be published. Required fields are marked *