from Net Politics and Digital and Cyberspace Policy Program

Report Watch: Tracking Digital and Cyber Scholarship So You Don’t Have To

CFR Cyber Net Politics

January 19, 2017

CFR Cyber Net Politics
Blog Post

Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations. 

To celebrate the New Year, Net Politics is launching a new series of blog posts. Every quarter, we’ll curate and distill the most relevant digital and cyber scholarship to bring you the highlights. Most of our readership are practitioners who might not have time to delve into lengthy and sometimes dense reports. We’ll do all the work so you don’t have to.

In this inaugural edition: election cybersecurity, the vulnerability equities process, and censorship in China.

"Hacking Chads: The Motivations, Threats, and Effects of Electoral Insecurity" by Ben Buchanan and Michael Sulmeyer

In light of Russian interference in the 2016 elections, Buchanan and Sulmeyer ask two important questions regarding the integrity of elections: First, how concerned should we be about election cybersecurity? Second, how vulnerable is the United States to a foreign power or other actor trying to undermine the public’s confidence in our elections?

The authors argue that fraud does not actually have to take place to cause damage--merely the perception of fraud is enough to damage electoral integrity. In fact, the perception of illegitimacy is perhaps even more damaging than the real thing because it is harder to counteract. Foreign powers can advance their interests merely by promoting persistent questions of illegitimacy.

The authors make four recommendations for combatting the perception of illegitimacy. First, election systems, though operated by the states, should be federally designated as critical infrastructure. Second, the federal government should fund state purchases of voting machines that create a voter-verifiable paper audit trail. Third, states should expand security audits prior to elections to identify and correct potential vulnerabilities. States should also establish or improve their audit procedures after elections, using statistically rigorous methods to increase confidence in the reported results. Finally, the United States should deter foreign adversaries by outlining a clear policy on electoral interference.

"The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers," by Jason Healey

Healey takes a critical look at the U.S. government’s vulnerability equities process (VEP), the process by which the federal government determines whether cybersecurity vulnerabilities U.S. agencies discover should be disclosed to vendors and the wider public. He argues that loopholes in the VEP have led to the withholding of critical security information, which upon revelation damages the trust and credibility of the U.S. government’s cyber programs.

To solve this problem, Healey makes a number of recommendations. First, the VEP should be formalized as an executive order to elevate it from a mere policy. Second, vulnerabilities that the government decides to retain should undergo periodic review to confirm that retention is still valuable. Third, the VEP executive secretary function should be transferred from the NSA to DHS. Fourth, Congress should oversee the VEP, perhaps through the Privacy and Civil Liberties Oversight Board or Office of the Inspector General. Fifth, a revamped VEP should also close the loophole used by the FBI so agencies cannot bypass the process because of a non-disclosure agreement.

To make the VEP more transparent, Healey argues that the U.S. government should publish quarterly and yearly VEP statistics that could include the actual numbers of reviewed and retained vulnerabilities.

"Harmonized Histories? A year of fragmented censorship across Chinese live streaming applications," by the Citizen Lab at the University of Toronto

The authors argue that Chinese internet censorship is intensifying, particularly on social media. In contrast with the popular conception of top-down, authoritarian censorship, censorship is not uniformly implemented across social media platforms and companies. Instead, censors employ a distributed system of intermediary liability in which each company must censor content on its own platform. The government refers to this intermediary liability as “self discipline,” a way of pushing responsibility for information control onto the private sector.

Examining blacklisted keywords (i.e., a post containing a certain word is automatically censored) reveals that there is limited overlap between companies, suggesting that there is no centralized list of keywords. Furthermore, companies do not always censor the same events, suggesting that there is also no centralized directive provided to them. Interestingly, companies often censor the names of their competitors or competing products, suggesting business interests also play a role in censorship, not just government pressure.

Chinese internet users are embracing new forms of communication and commerce on social media, which is clearly cause for concern for the government. However, traditional centralized censorship is not the government’s response. Rather, it employs a form of “Networked Authoritarianism” in which the ruling party maintains control in a distributed and adaptive manner. This also allows companies to consider their own interests in censoring content.