The defining challenge for American leadership in the world can perhaps be summed up by one word, balance. It is the overriding consideration on every big global issue confronting us as we weigh the merits of our response and the course of action we take. Nowhere is this more true than on issues related to cybersecurity. In an increasingly networked world the internet presents at once enormous opportunities and significant vulnerabilities.
The example of Sony’s film The Interview is a perfect illustration. A cyberattack perpetrated by North Korea exposed the susceptibility of companies to breaches of their computer networks. But then Sony’s subsequent decision to release the movie for online sale or rental demonstrated the internet’s economic power: it has earned about $40m (£26m), making it Sony’s most successful digital release.
When President Barack Obama and David Cameron announced our nations’ new cybersecurity partnership at the White House last month, a reporter asked whether there “need[s] to be a swing of the pendulum a little bit, maybe from privacy towards counterterrorism”. There was nothing unusual about the question, especially since the horrific attacks in Paris were still fresh in the mind. But it underscored one of the problems with the way we debate cybersecurity and privacy. It was the metaphor.
The pendulum is a common image for these kinds of issues. We use it to try to express our wish for an idealised happy medium between two seemingly irreconcilable poles, while also resigning ourselves to an inevitable back-and-forth. Similarly, when we say we seek balance and put our cupped hands out like a set of scales, we are thinking in terms of give and take. Like a pendulum, this suggests a zero-sum game: that to increase security, you must sacrifice privacy — and vice versa. It’s clear that we’re not really talking about balance at all; we’re talking about trade-offs and trying to find a grudging stasis that compromises both equally.
The 19th-century writer Samuel Butler observed that “metaphors, while misleading, are the least misleading thing we have”. Which is why we need a better metaphor for our cybersecurity debate. After all, it is not our aspiration to find the trade-offs that we are willing to live with. It is our aspiration to develop a digital universe where privacy and security both flourish.
It might be better to talk about cybersecurity in its native terms — as networks, a system with myriad connections, which are in constant flow, and which, therefore, need to achieve harmony or equilibrium. The good news is that, while we may not be talking that way, we are making progress on our efforts to bring equilibrium to the complex ecosystem of cybersecurity and digital privacy.
The most critical measure of the health of a network is whether the key nodes are well-connected. In the case of cyber issues, this means public and private sectors working together. The private sector is essential to our law enforcement and intelligence agencies successfully fighting cyber and online threats. And rigorous protocols and strong working relationships must closely guide these critical passageways of communication.
We also need experts and activists outside government reminding us of the state’s responsibilities to civil liberties. That is why the president convened a summit on Friday at Stanford University for industry, tech companies, law enforcement and consumer and privacy advocates to work out ways to meet legitimate privacy concerns, but also the concerns the security agencies have identified.
It’s not a question of just putting in place rules and guidelines for what will happen to what is shared, and what and when to share. It is as much a matter of building a culture of trust and transparency.
The same is true when it comes to international partnerships, especially to counter the use of the internet for terrorist purposes. As with much else in the international arena, the US-UK partnership sets the standard. Together, we are improving the cybersecurity of critical infrastructure in both countries with joint exercises to enhance our defences. And we are supporting the next generation of cybersecurity experts with a new scholarship, the Fulbright Cyber Security Award.
We are also strengthening collaboration by establishing a joint “cybercell” with an operating presence in each country. This cell brings together experts from the NSA and FBI with GCHQ and MI5 to enable threat information and data to be shared.
We simply cannot fight cyberthreats in a measured, productive and balanced way without partnerships — public, private and global. If we’re going to get it right, it’s going to have to be a shared mission.
NB: This article originally appeared in the Sunday Times