In February 2016, two months after Rizwan Syed Farook killed 14 people in San Bernardino, California, FBI director James Comey spoke before the Senate Intelligence Committee to discuss the global threats facing the US. “The growing use of encryption,” Comey testified, was “overwhelmingly affecting law enforcement.” As an example of this technical imposition, Comey informed the legislators that his agency “still [has] one of [the San Bernardino] killer’s phones that we have not been able to open.”
Comey’s remarks precipitated a weeks-long, very public imbroglio between the FBI and the tech community. Within days of Comey’s testimony, the intelligence agency demanded Apple give them access to Farook’s encrypted iPhone, effectively asking the company to create a backdoor into its own technology so the agency could assess if the killer was communicating with ISIS. Apple refused, arguing—along with the entire civil liberties and tech community—that doing so would undermine the security of all the company’s devices and open them up to hackers. The FBI issued a court order sparking a battle that captured the attention of the nation—and made “encryption” a household term.
The FBI ended up paying a third party to break into the iPhone (from which it discovered no evidence of consequence), but by then, Comey, who had argued for a backdoor against encryption since his first months as FBI director, became the poster boy for anti-encryption crusaders.
In the year since the FBI-Apple fallout, Comey’s tenure as director has been further marked by high-profile tech-related controversies. His agency oversaw the investigation into the Hillary Clinton email scandal, and Comey recently testified that the FBI is looking at connections between Russian hackers and the 2016 US presidential election. And while the public has largely been consumed with questions over how Comey handled both of those issues—and how President Trump fired Comey Tuesday based on the director’s handling of the former while the investigation into the latter is ongoing—the dust-ups all share a similar theme: The government appears to have deep-rooted problems with tech literacy.
From Russia, With Emails
After the Apple imbroglio, you only have to look to the next high-profile investigation the FBI was involved with to see how pervasive US government leaders’ digital illiteracy can be. During her tenure as US Secretary of State, Clinton used an email account that routed through a server she had privately set up in her home. This was against government protocol, but her team appeared to not take those guidelines seriously. After reports broke in March 2015, the FBI investigated to see if any of the emails Clinton or her team sent through the server contained classified information that could have been intercepted by hackers.
Clinton and her team used the private server because the government email they were supposed to use was clunky and difficult and not optimized for mobile. (It’s the same reason that Colin Powell used a private email account while he was Secretary of State, and why Vice President Mike Pence frequently used personal email while he was governor of Indiana.) This underscores both Clinton and her team’s misunderstanding of the risks of a private server, but also the dangers of a government that doesn’t balance security with usability.
Most recently, Comey testified that the FBI was investigating how Russian-backed bad actors influenced the 2016 election by hacking the email of Podesta and the DNC by releasing the contents to Wikileaks in slow, methodical leaks that turned the tide of public support against Clinton. Wrapped up in that investigation is an FBI probe into whether—and to what extent—members of the Trump administration and campaign were aware of or colluded with the Russians.
This investigation has the potential to be explosive—members of Congress from both sides of the aisle expressed concern Tuesday that Trump fired Comey to disrupt the investigation, an allegation that could lead to impeachment—but its beginnings are prosaic. The Russians likely got into Podesta’s emails and the DNC (and the Republican National Committee, though they didn’t release any of that info) with a simple phishing email, the kind that targets business and individuals around the world millions of times a day.
All of this underscores how digital illiteracy at every level of government endangers the security of the nation and the functioning of democracy. It takes a multi-pronged, concerted approach, with smart internal policies, federal legislation, tech savvy diplomats and a willingness to realize information security is a critical skill for the defense of the nation—all of which is incredibly difficult to achieve even when a government is functioning well.
Hard to Get Right
For years, Congress has punted creating any kind of actionable legislative framework to deal with the challenges of information encryption in the age of widespread surveillance, terrorism, and smartphones. Even if Comey and the FBI had won and gotten Apple to break into Farook’s phone, it would have been an isolated data point—likely to set a precedent in practice, but not in law—rather than a policy.
In April 2016, senators Diane Feinstein and Richard Burr introduced a law that would require tech companies to provide unencrypted data to law enforcement when asked, or give law enforcement that ability to get it themselves. The bill was terrible. “I gotta say in my nearly 20 years of work in tech policy this is easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen,” Kevin Bankston, the director of the New America Foundation’s Open Technology Institute, told WIRED at the time. After outrage and outcry from advocates, tech companies, and even some notably tech literate politicians, it failed.
It failed because encryption is hard to get right, as is information security and privacy in general. Two working groups in Congress are still trying to draft better encryption legislation. So far, their recommendations have yet to produce a bill. While waiting for a federal policy, states have tried to pass their own encryption bills, which is itself a terrible misunderstanding of how technology works.
“People are mobile and devices are mobile, so the state by state approach isn’t effective,” says Darrell West, Director of Governance at the Brookings Institute.
How to Be Not Dumb About This Stuff
Unfortunately, fixing the government’s tech literacy problem isn’t as easy as drafting a single coherent technology policy—not least because Trump’s preference for deregulation makes it less likely that a document like that could get through. Even more to the point, cybersecurity and technology issues so permeate every aspect of government now that a single, all-encompassing policy may prove impossible.
“It’s yesterday’s solution to what is a much more complex issue as we understand it today,” says R. David Edelman, former special assistant to President Obama on cybersecurity and tech policy. The real fix, instead, demands the administration to treat cybersecurity and technology competency as a required skill for all members of government. That’s a lesson Obama only figured out after years; Trump needs to learn it sooner.
“More uniform tech policies would let people know what the rules are and what the best practices are. But we are not moving in that direction, which means that the risks are even greater of scandals happening due to cyber intrusions,” says West.
To get going in the right direction, the Trump camp needs to go through what Edelman refers to as the three steps toward cyber-nirvana. “The first is ‘Oh, we don’t really know about this cyber thing.’ The second is ‘Oh my god, this cyber thing, we need to appoint a czar,’ and the third and highest form is realizing this is a skill set that is going to have to be known to pretty much any official in government.”
Trump, who on the campaign trail loved to refer to cybersecurity as “the cyber,” is following that track exactly. Last month, he appointed his son-in-law Jared Kushner to head up the Government Innovation Office. The president also signed an executive order creating a tech council to modernize the government. That puts Trump squarely on the second step toward Edelman’s ideal. And though the president’s team is busy undoing the work of Obama’s cyber-regulation and policies, all administrations reinvent the wheel at first. Edelman has hope that Trump’s team will soon realize tech literacy is not a partisan issue, and then they’ll realize the Obama team left them blueprints for how to draft coherent policies.
“People under-appreciate that getting it right and getting it organized took a lot of time and many, many iterations,” says Edelman, “The evolution of taking these issues as core was slow [in the Obama administration]. When we started, one person on the economic council did tech stuff, but when we left, it was a third.”
Of course, tech illiteracy is not just an issue for the executive branch. Last April, Congress killed off the Office of Technology Assessment, the one office that was devoted to making policy recommendations about science and technology. And the existing Office of Science and Technology Policy, which is meant to advise the president, is reportedly being sidelined within the new administration.
Both the GOP-led congress and the White House have a ways to go before they take that third step and recognize just how crippling digital illiteracy can be to a democracy. When the administration does make the turn, though, it will need to draft policies and guidelines that do the following: Federally mandate that backdoors are bad for privacy, security, and commerce; require all government networks and computers to run up-to-date software and hardware (including mobile); require government employees to keep their passwords up to date and learn to recognize phishing emails; write clear rules for when and how the government can demand information from tech companies; require all companies and government agencies to disclose quickly when they have been breached; set up guidelines for how to help people affected by breaches; set up diplomatic frameworks for sanctions against hackers. And that’s just a start.
A big list, for sure. But at least there are glimmers of progress; the administration Thursday finally rolled out a long-promised executive order on cybersecurity that aims to shore up our country’s cyberdefenses and best practices. It won’t smarten up the government overnight—but it could help stave off the next scandal.