Advice for Congress, the weakest link in cybersecurity

The fight between law enforcement and Silicon Valley over encrypted communications – what many called the second coming of the cryptowars – is mostly over. The feds "lost." Encryption advocates have the political and technical edge. Now that the rhetoric can cool, policymakers might realize they were playing a positive-sum game all along.

American secrets, whether they belong to citizens or the CIA, are under unprecedented digital assault. American firms want to do business on an Internet made safe for commerce. More than autocratic states like Russia or technophobic nations in Europe, the US has a stake in making sure that security, privacy, and personal freedom go hand-in-hand online. Rather than work so hard to beat the Valley, the Beltway should join it – and that starts with welcoming digital savvy, including use of encryption, in the halls of government. Because let’s be frank: On cybersecurity, Washington is a weak link.

Policymakers will struggle to be taken seriously in this space as long as their own defenses remain so dramatically bad. The breach of the Office of Personnel Management was more than just an epic counterintelligence failure; it casts a shadow over every conversation on public/private cooperation in cyberspace. Months later, we still get reports revealing the hack was worse than previously disclosed. Just a few weeks ago, OPM admitted that five times as many fingerprints were stolen as originally estimated. Who could have been surprised that when Facebook set up its ThreatExchange platform to swap information on cyber risks, government agencies were left off the invite list?

To repair the public sector’s digital reputation, start by embracing tech tools and talent. And the institution that most desperately needs to up its game is Congress, where the Senate asks for unanimous consent before allowing the use of calculators on the floor.

In September, the American Civil Liberties Union sent a letter to Congress encouraging members and their staff to take action to secure their own communications. It was good advice – not just because encryption protects against espionage, but because Congress needs first-hand experience with the technologies we expect them to help regulate. In a 2013 survey, Federal News Radio asked government workers, “More than ever, Congress is being asked to legislate on issues such as cybersecurity and cloud computing. Do you believe members of Congress have the knowledge/background they need to properly legislate on these issues?” Out of 708 respondents, just seven – 1 percent  – answered "yes."

We have to demand better. Otherwise, look forward to a world where some of the most important decisions on our national security, our civil liberties, and our place in the world economy are made by Apple and Snapchat – not by the public’s elected representatives. 

Congress should have three priorities for improvement. First, the Hill needs to enforce best practices for "digital hygiene" ASAP. Walk the walk. In 2015, taking advantage of basic precautions like two-factor authentication and strong passwords should be the entry ticket to any conversation on cybersecurity. Some exposure to the use of encrypted chat, the anonymizing Tor browser, and other tools wouldn’t hurt either. Digital technology is not magic, and taking these utilities for a spin would go a long way toward demystifying them for members.

Second, Congress needs to narrow the digital talent gap with Silicon Valley. Few staff and even fewer members are literate in the issues that make up more and more of their agenda: surveillance, encryption, online radicalization. And while Capitol Hill pay is never going to compete with Facebook’s, lawmakers can do a better job pitching tech talent on the chance to make a civic contribution, through efforts like #Hack4Congress.

Finally, Congress can play a more constructive part in America’s strategic narrative for the Internet. Other countries are lining up behind a balkanized, nationalized vision of the Web. The head of China’s Cyberspace Administration recently pushed US tech firms to sign dangerous guarantees in exchange for access to the Chinese market. France, in a baffling and deeply troubling move, wants Google to implement Europe’s controversial "right to be forgotten" on its platforms worldwide.

The US, home to the world’s most innovative tech firms, is in a unique position to argue for a better model. We need a public sector ready to make the case that privacy does not come at the expense of security, prosperity, and the open flow of ideas. That message depends on the messenger’s credibility, and credibility depends on our capacity. Congress should start building it yesterday.

The opinions expressed here are solely those of the author. 

This article was originally published in The Christian Science Monitor's Passcode feature.