Print

As the 116th Congress comes to an end, the annual defense authorizing legislation (NDAA) is among its most important pending matters — and tucked within it is the most important internet issue that you’ve probably never heard of. While not as visible as COVID relief or continuing government funding, the massive Fiscal Year 2021 NDAA Conference Committee report addresses many important defense and non-defense issues, including the naming of military bases after Confederate officers, limits on the President’s ability to withdraw troops from Germany and Afghanistan, a threatened presidential veto over the absence of a repeal of Section 230 and much more — to say nothing of the roughly $740 billion in military programs the law would authorize for the current fiscal year. Amid these, both the House and Senate bills and the Conference Report address an important internet issue that is not much discussed and not much understood outside of a small circle of industry, scholarly, military, intelligence, and law enforcement experts. The resolution of the issue (which won’t get the kind of attention that creating a new “National Cyber Director” will get) could have an enormous impact on the shape and future of the entire internet — far beyond the military and defense communities. Labeled “information sharing,” to put it most simply, it’s whether the U.S. Government (or any government) should regulate and control information about cyber threats that is shared by internet (and other) companies with U.S. military, law enforcement, and intelligence agencies — or whether the sharing of cyber threat information by internet companies should continue to be voluntary and led by industry. The issue is often addressed in vague terms, but at its core, it divides American industry, the tech sector, and even the internet industry itself — and its resolution will establish basic rules for how the internet is regulated by the U.S. government and most other governments. The Fiscal 2021 NDAA Conference Report partly addresses this issue and partly postpones it. That’s not surprising, given its complexity and enormous implications for the shape of the internet. Aside from the political fact that nearly everyone supports “cooperation on cybersecurity” between government agencies and internet companies, the debates over mandatory versus voluntary cooperation is further complicated by the fact that serious cyber threats to the U.S. originate not only from a foreign military attack but also from anyone from a bored high school student to a professional crime ring. Cyber threats from any of these could jeopardize large parts of our economy or social structure. So, a major underlying issue in mandatory versus voluntary “information sharing” is that the problem that’s being addressed is not just defending against a foreign military attack on the United States. It is, arguably, defending against any type of cyber threat from anyone. The details are quite complex, but the core issue has been hotly debated for over a decade and even echoes policy debates over industry regulation that go back to the 1980s. Like several other cybersecurity issues, the issue of “information sharing” was highlighted by the recent report of the Cyberspace Solarium Commission, which looked at the full scope of cyber threats to the U.S. and set forth a wide range of proposals to improve America’s cybersecurity. The Commission singled out companies that are part of the “defense industrial base” (which could include quite a large swath of the internet industry) and concluded that they and other internet companies need some form of new, mandatory information sharing for the national security of the United States. Historically, there have been many — mostly in intelligence, law enforcement, and the military — who believe that major internet companies should be legally required to rapidly share information about cyber threats with law enforcement, military, and intelligence agencies. These advocates of mandatory and regulated information sharing are supported by some defense contractors and many businesses that depend on the integrity of the internet for their business. Generally, their view is that whatever drawbacks this form of regulating the internet may have are a small price to pay for the significant increase in security and stability that mandatory and regulated information sharing would offer. For more visit OUR FORUM