By Shahid Mahdi
April 16 marked 30 years since one of the seminal moments of our digital being. In 1993, amidst a need to keep up with the dizzying pace of technological innovation, the Clinton administration announced a cryptographic device that would enshrine itself in cybersecurity history.
The MYK-78 was developed by the National Security Administration to give the government a “back door” into all communications in the interest of national security. Nicknamed the “Clipper Chip,” it would permit federal, state and local law enforcement to access and decipher voice and data transmissions at their discretion.
Unsurprisingly, the notion of the government having a permanent opt-in method to eavesdrop on all cell phones, computers and pagers was met with a vociferous uproar. Sure enough, a meager three years and much backlash later, the Clipper Chip was scrapped.
The rise and very quick fall of the Clipper Chip is a cautionary tale of how a failure to understand the operational environment of privacy and tech can lead to failures in policy.
President Biden’s National Cybersecurity Strategy, published March 2, is not a failure in policy. It espouses objectives that are long overdue amidst a world of pervasive cyber threats. It includes the desire to eliminate malicious cyber actors from Russia and China and defend critical infrastructure like hospitals and power generation. “Its implementation will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base,” the Strategy says. It would expand “the use of minimum cybersecurity requirements in critical sectors,” building on those governing the electric industry.
However, one particular element of the Strategy must tread very carefully: “Shape Market Forces to Drive Security & Resilience.” It aspires to promote privacy and security of personal data, and, interestingly, aims to shift liability for software products from users to tech companies to promote security practices.
This comes at a time when relations between government and tech are at something of a nadir. Apple, Google and Meta have been vocal about their privacy practices: Tim Cook was obstinate in refusing to give the government a back door into iPhones; Meta promulgated end-to-end encryption loud and clear on its Messenger and WhatsApp platforms. The message here? Trust us, as we’ll keep the government out of your pocket. And from Apple: Our privacy measures are way better than our competitors’.
Federal Trade Commission Chair Lina Khan has dialed up government bellicosity toward the tech companies, and the Strategy will further empower this. The FTC may be one of the first agencies to take advantage of the ability to “shape market forces” if given the power by Congress to do so. Should the liability initiatives in the Strategy give birth to more lawsuits, tech companies will be hit with a deluge of regulations and policies — a tightening of the government leash on the so-called market forces.
And then battle will be done in the courts, as it’s being done already. The language “shifting liability” may be innately at war with the biggest, most substantial legal defense in a tech company’s arsenal: Section 230 of the Communications Decency Act, which Biden and company have been vocal about revamping. Section 230 exculpates a publisher from the content on its platform (i.e., you can’t prosecute Meta for a graphic video posted to Facebook). The Supreme Court is deliberating over a case predicated on Section 230 at the time of this writing.
Further friction between tech and government would also, ironically, weaken the Strategy itself. Why? The “Defending Critical Infrastructure” and “Dismantle Threat Actors” sections of the Strategy involve the promotion of public-private collaboration. Widening the existing wedge between tech and the government doesn’t sound like the way to do this.
Alphabet, Meta, Apple, Amazon, Microsoft and company arguably have the most sophisticated, talented minds and data repositories that can safeguard the U.S. in a world of nefarious cyber threats. Why run the risk of antagonizing them?
Shahid Mahdi is product lead for EnerKnol, a provider of energy regulatory intelligence software.