This blog was coauthored with my research associate, Lincoln Davidson.
Last month, Republican presidential candidate Jeb Bush announced his cybersecurity platform. You can read his proposals here; essential points are summarized and analyzed below. While Bush’s stance on issues like net neutrality, encryption, and NSA surveillance has made him the target of a lot of hyperbolic criticism, he is the first of the 2016 presidential candidates to announce a specific cybersecurity platform. As other candidates release their stance on the issue, we’ll keep you up-to-date on what they’re saying, whether it’s viable, and its likely impact on U.S. foreign policy.
Take cyber seriously. According to Bush, the federal government and businesses need to see cybersecurity as “a critical element of our national defense and economic well-being.” To achieve that, the government needs a focus at the executive level on improving cybersecurity and creating accountability for breaches. Bush would expand the cyber capabilities of law enforcement and the intelligence community. He also proposes making it easier for government agencies and private companies to share best practices and information about cybersecurity incidents.
Get tough on adversaries and work closely with allies. Bush wants to raise the cost of cyber incidents that steal intellectual property from U.S. businesses by exposing, prosecuting, and potentially retaliating. To do that, Bush says he would work with other countries to establish an international legal framework for prosecuting cybercriminals. He also plans to increase cooperation and discussion of cybersecurity with U.S. allies and maintain control over the IANA functions.
Promote innovation. In line with his economic plan, Bush proposes lowering taxes and removing regulations that impose compliance costs on companies. He argues that these make it difficult for small companies to raise capital to support the development of new technologies that might increase cybersecurity. He also wants to reform immigration to help attract highly-skilled immigrants who can contribute to tech companies and give them more opportunities to stay in the United States.
Viability and Impact
Jeb Bush clearly plans to take cybersecurity seriously. However, among his proposals, there’s a lot that’s not new. As my colleague Rob Knake said after the platform was announced, “It’s a ringing endorsement of the approach the Obama administration has taken.” Bush will be hard pressed to take cyber more seriously than the current administration: spending on cyber is one of the only areas of the federal budget that has largely escaped the ax of sequestration and continues to grow. And it’s not clear that more funding or would go into efforts that actually improve cybersecurity. Simply filling the ranks of already-funded positions is proving hard, as the federal government competes with the private sector to attract the best cybersecurity talent. It’s looking like the Department of Defense may not reach its goal of a six thousand person strong force at U.S. Cyber Command by 2016. As for information sharing, Congress is already considering legislation to do just what Bush proposes. And while it has been criticized by privacy advocates concerned about businesses sharing user data with the government, companies are already coming together to share information among themselves.
Bush says he wants to “expose, prosecute, and in some cases retaliate” against individuals who steal intellectual property from U.S. companies to “increase deterrence of future attacks.” There are a number of issues with this proposal. Despite the claims of federal government officials, attribution is still a tricky issue. It’s hard to retaliate when you only have medium confidence that a specific actor is behind a hack. Making a legal case for retaliation is also something that needs to be worked out.
It’s also unclear what Bush means by “establish[ing] the legal framework necessary to prosecute cybercriminals.” There’s already an international legal framework for cybercrime—the Budapest Convention—which has forty-seven state parties. And while it doesn’t have universal support, those states that are opposed to it—China, Russia, Iran—are unlikely to support any additional framework proposed by the United States. In fact, the United States has traditionally been opposed to the establishment of new legal instruments to regulate activity in cyberspace.
Bush’s opposition to the IANA transition is largely consistent with Republican orthodoxy. However, just about everyone involved in Internet governance policy agrees that the IANA transition is a good move, and it’s been in the works since ICANN was created. Going back on this commitment would not only look bad, but would also needlessly irritate other countries, including U.S. allies, who argue that one government should not maintain control over infrastructure critical to the operation of the global economy. While these concerns are not new, they’ve grown sharper in the wake of the Snowden revelations. Spinning off the IANA functions is a step towards removing a needless irritant that has traditionally fueled the drive for greater UN control over critical Internet infrastructure.
The most effective portion of Bush’s cybersecurity platform is his proposal for immigration reform. Allowing more skilled workers into the United States and making it easier for foreign nationals trained at U.S. universities to stay here after graduation could mitigate the severe demand for cybersecurity professionals the United States is currently facing.