The United States has yet to show up to this information fight. U.S. cyberstrategists prioritize defending physical infrastructure—routers, servers, and endpoint devices such as laptops and smartphones—but consistently underestimate the economic and political significance of the information carried on that infrastructure. The U.S. private sector, which rarely acts in the American national interest, is primarily responsible for protecting data and information platforms.
It can be tough to craft regulations and national security policies for data and technology that do not fall afoul of democratic and capitalist values. A national information strategy can sound, or indeed become, Orwellian without the right political leadership. But to thrive in the twenty-first century, democracies must now put information at the center of domestic, security, and foreign policy.
MARSHALLING DATA
In 2014, Chinese hackers stole the personal information of more than 22 million people connected to U.S. security clearance processes. That breach not only demonstrated the vulnerability of U.S. government systems to hostile actors but also provided China with a tremendous resource. China could use the stolen data to profile and target U.S. officials and their families. It could also use the “clean” and highly structured data to train the algorithms that power military-related artificial intelligence projects, sharpening the weapons in its cyberwar arsenal.
For similar reasons, China sponsors the theft of commercial data. Security officials believe that the data breach that rocked credit reporting giant Equifax in 2017—in which hackers stole the financial and personal information of approximately 147 million Americans—originated in China. That stolen U.S. information can make up for gaps in China’s own datasets. Although consumers provide plenty of data to Chinese e-commerce giants, China’s financial and health-care industries are threadbare compared to their U.S. counterparts. The Equifax operation provided the Chinese with detailed, organized information on nearly half the American population. Neat, easily searchable data, however acquired, is vital for companies to train artificial intelligence applications for both military and commercial use.
No advanced economy boasts a national artificial intelligence strategy more mercantilist than China’s. Beijing seeks to lead the world in this area by 2030. Xi’s doctrine of civil-military fusion yokes together the research efforts of private corporations, China’s military industrial base, and the intelligence agencies of the People’s Liberation Army. China subscribes to the zero-sum ethos of data competition; states want to acquire data from others, while limiting access to their own data. To that end, China, India, Russia, and other countries have introduced tough data localization laws to prevent companies from taking certain types of information across national borders.
In the private sector, access to data tends to create a virtuous cycle: more data lets companies build better applications, which makes them more profitable and allows them to harvest and monetize even more data. The dynamic explains why information giants, like Alibaba, Amazon, Facebook, Google, and Tencent are monopolies. But this commercial logic also prompts states to think in zero-sum terms.
The United States should prepare for the prospect of authoritarian regimes ramping up cyberattacks against the databases of its major companies. If China, for instance, wanted to boost its own national champion as the dominant player in a particular market, even a minor cyberattack against a rival firm could be very damaging. Stealthily disrupting or “poisoning” inputs through a data-integrity attack or by manipulating the quality-control algorithms that govern industrial processes and the delivery of products could result in inferior, potentially harmful outcomes. Before an affected company even detects this kind of attack, it could face numerous economic, legal, and reputational problems, losing consumers and becoming dislodged from supply chains.
Data-driven machine learning systems now assist decision-making in many areas of the private and public sectors. A data integrity attack does not even need to be successful to be catastrophic. The perception that an organization’s data is poisoned and its decision-making processes corrupted could reduce public trust in a company, in a government agency, and even in democratic process.
Since the Internet was introduced in China in the 1990s, China has developed the world’s most sophisticated system of network control, censorship, and propaganda, and has maintained heavy restrictions on market access for foreign media and technology companies. Russia is following China’s lead. During recent protests in Moscow, authorities jammed mobile Internet access in the city to keep protestors from communicating with one another. In a more ambitious gambit, Russia plans to test a procedure that would altogether disconnect Russian Internet users from the global internet. Even the United Kingdom’s Ministry of Defense has warned that democracies may need to step back from a commitment to the open Internet and consider “national or regional cyber borders.” Such moves would unwind decades of economic liberalism, fragment the relative openness of current information flows, and give rise to suspicion and animosity. Unless the United States can chart a different course, the world might stumble down this path.
A REAL PLAN
The United States must adopt a national information strategy that places data at its center. The network-centric approach to national security is failing. There is only a low probability of a catastrophic attack on infrastructure networks, but that possibility has distracted leaders from defending the nation’s most precious resource: information.
U.S. policymakers need to identify and protect national information assets, including companies and infrastructure, from attacks and foreign takeovers. Over the past decade, China has systematically invested in U.S. firms that develop data-driven technologies. Recent steps to tighten foreign investment rules are encouraging. This year, the Committee on Foreign Investment in the United States forced Chinese investors to withdraw from a data-rich health-care startup and a prominent dating app. New regulations will soon toughen the vetting of foreign investments in high-tech firms that possess troves of sensitive data. Still, Congress should supplement the heightened scrutiny of foreign investment with more funding to support companies and research institutions that are developing artificial intelligence. In particular, the government should help boost tech companies whose innovations do not have immediate commercial applications but could support American national security or economic interests over the longer-term.
Those measures would be further bolstered by a national data protection regime. Many democracies, and the United States in particular, muddle along with a complex web of state-based and industry-specific requirements for data protection and privacy. A U.S. company could contend with more than 50 different overlapping and sometimes contradictory data laws, which together are still insufficient to ensure basic data governance and protection standards. Policymakers and lawmakers should streamline and clarify this inefficient and highly ineffective system.
Government agencies must strengthen coordination with the private sector, which is on the frontlines of twenty-first-century competition and conflict. The intelligence community should share threat assessments with high-tech companies, social media platforms, and entities that keep large holdings of sensitive data. At the same time, Congress must pass pending legislation, such as the bipartisan bill sponsored by Senators Elizabeth Warner, Lindsey Graham, and Amy Klobuchar, that will hold tech firms accountable for their role in protecting national security interests.
After reinforcing its defenses, the United States should expose the malign tactics and shadowy networks of its adversaries. Evidence of bribery, state sponsorship of organized crime, the employment of cyber-mercenaries, and attempts to interfere in Western democratic processes must see daylight outside the memos of intelligence services. Such exposure should form a core plank of public information campaigns that reveal China and Russia’s corrupting and coercive behaviors.
Authoritarian governments like those of China and Russia are ultimately brittle. Their legitimacy does not rest on freedoms and elections, but rather on the control and manipulation of information. They are therefore highly susceptible to cyberattacks that would crack open their tightly controlled information environments. U.S. leaders should explicitly signal that information attacks against the United States will spark serious retaliation.
To effectively meet authoritarian countries on the field of information competition, democracies will have to perform a balancing act. They must boost their economies’ capacity to produce, refine, and protect data, while avoiding the temptations of protectionism and monopolism. They must defend their information environments from subversion but redouble efforts to protect individual rights and democratic institutions. The difficulty of these tasks must not prevent policymakers from grappling with them. For national security leaders, there can be no more important task than crafting a data security strategy fit for purpose in the information age.
This article was originally published on ForeignAffairs.com.
