“I Work for N.S.A. We Cannot Afford to Lose the Digital Revolution. Technology is about to upend our entire national security infrastructure.”
The New York Times, September 10, 2019
Opinion | The Privacy Project
Opinion By Glenn S. Gerstell
(Mr. Gerstell is the general counsel of the National Security Agency.)
The digital revolution has urgent and profound implications for our federal national security agencies. It is almost impossible to overstate the challenges. If anything, we run the risk of thinking too conventionally about the future.
There are four key implications of [the Fourth Industrial Revolution] that policymakers in the national security sector will need to address:
The first is that the unprecedented scale and pace of technological change will outstrip our ability to effectively adapt to it. Second, we will be in a world of ceaseless and pervasive cyber-insecurity and cyber-conflict against nation-states, businesses and individuals. Third, the flood of data about human and machine activity will put such extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector. Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.
The digital revolution thus far is distinguished by its ability to become ubiquitous in our daily personal and commercial lives in an astonishingly rapid time, a time frame that is really without precedent.
Other transformational technologies, such as railroads, electricity, radio, television, automobiles and airplanes, all took several decades before they reached that comparable level of ubiquity. Society had the time to sort out the norms, rules and laws governing those technologies and the respective roles of government and the private sector.
We will need new technologies and systems to capture, analyze and store this data. Obviously, that will require enormous investments by the United States and its allies to upgrade national security and surveillance systems. Will Western liberal democracies, already straining under the combined demands of decaying civil infrastructure, aging populations, upgrading militaries and so on, be able to afford these investments? Given that there is no specific forcing event to require greater resources, but rather a trend, history suggests that we will appreciate the seriousness of the underinvestment only when a crisis has occurred. [emphasis added]
That approach might be a barely acceptable way for our society and government to address social ills and decaying infrastructure, which are slower-moving problems, where with enough resources one might catch up. But the same approach could well be disastrous when addressing rapidly evolving technological matters, especially where national security is at stake. Without such investments, our national security agencies risk becoming profoundly less effective or marginalized.
While extraordinary levels of new investment will be required to deal with the sheer quantity of data, that alone will not be sufficient. It is futile to believe that we will be able to spend our way to success. Rather, we will need to couple large investment with entirely new ways of approaching how we collect, manage and make sense of this data.
One key aspect of any such new approach will be a heavy reliance on machine learning and artificial intelligence. We thought wrestling with the challenges of the Fourth Amendment in addressing electronic surveillance over the past few decades was complicated and contentious, but setting norms for A.I. will surely be even more fraught with difficulty. The stakes are much higher, given that A.I. will be intrinsic to determinations and decisions of almost every aspect of our personal, professional and commercial lives. A.I. opens up the possibility of rendering intelligible for national security purposes that ocean of data. But if misused or even if not thoroughly understood, A.I. can yield nefarious and corrupting results for our society.
Since A.I. is still relatively nascent, our surveillance and analytic resources are not well positioned to deeply understand how adversaries might be using it in the future. The range of novel issues is daunting. For example, we will need to understand how to defend our analytic systems against data poisoning, in which an adversary can feed misinformation to A.I. systems to corrupt or defeat them (such as causing a driverless car to ignore a stop sign).
Understanding the promise and threat of quantum computing will also require vast expansion of our expertise in this extraordinarily sophisticated area. It is true that no one has yet built a functioning quantum computer. Perhaps no one ever will. But it seems more likely than not that before the middle of this century either China or the United States will do so, with extraordinary advantages for whichever nation gets there first… One strategic benefit is that quantum computing will enable something that even our current supercomputers cannot do — crack strong encryption of the type that now protects our commercial financial transactions, our weapons systems and government’s secret communications.
It is by no means assured that our national security sector will be able to attract on a sufficient scale the scarce engineering, mathematical and scientific talent that would supply the necessary expertise [to effectively address the challenges we face]. That challenge will require investment, enlightened strategic management and an innovative approach to luring a different type of expert out of the private sector into government.
In short, while important work has been done in examining and laying the foundations for the critical role new technologies will play in national security, much more needs to be done. We must ask whether our defense and national security establishments are in a position — financial and technical — to succeed in these critical technologies that could either solidify our continued position as the leading global power or reduce us to a clearly subordinate role. We are talking about national initiatives that collectively will dwarf the effort to put a man on the moon. [Emphasis added]
Bluntly put, there are few signs that our society overall and our political leaders have fully embraced the challenge or appreciate the risks of failure.
All of this technological innovation will surely bring significant societal benefits, perhaps most notably in the area of health care and genetic engineering, but it will also increase — to use a hackneyed but useful term — the “attack surface” for cyber mischief. This takes us to the second implication of the digital revolution: We must prepare for a world of incessant, relentless and omnipresent cyberconflict — in not only our national security and defense systems (where we are already used to that conflict) but also, more significantly, every aspect of our daily and commercial lives.
In all probability, it [how to respond in a definitive and dispositive way to another nation-state’s malicious cyberactivity ] will get better not because we develop more effective deterrents (although threats of cyberretaliation and imposition of other burdens clearly do play a key role here, at least with other nation-states) but because we develop greater resilience and more impervious defenses — and the full realization of that may be a decade away.
At a minimum, the worldwide cyberthreat will put a premium on trusted relations among the Five Eyes (the United States, Britain, Canada, Australia and New Zealand) and other like-minded nations, to facilitate working together to counteract malevolent activity that can span the globe in seconds.
The third implication of the digital revolution is that the balance between government and the private sector will be altered in a profound way. That in turn is the inescapable product of three factors: cybervulnerability affecting every element of the private sector (no longer are targets arguably limited to military assets), the general flood of data unleashed by the digital revolution that will be created in the hands of private enterprise and a response to a rising China whose strategic technology goals pose a unique threat that directly implicates the private sector.
Even without considering the challenges presented by China, there are at least two, related manifestations of how the government-private sector balance has changed and will change. First, the government no longer possesses the lead in complex technology, at least in many areas relevant to national security. … Second, the private sector will have many more times the quantity of data about individuals and commercial activity than governments could ever obtain.
Until recently, at least in the United States, our notions of privacy have been rooted in the Fourth Amendment’s delineation of the federal government’s powers vis-à-vis the individual citizen. But what do our notions of privacy mean anymore when Amazon, Google, Apple, Microsoft, Facebook and so on already know so much about you? We now see increasing pressure in Congress to regulate in this area. To be sure, this article is not advocating any particular approach (much less suggesting greater surveillance powers), but it is hard to escape the conclusion that we will need to recalibrate the balance in this area of data privacy between the government and the private sector.
Of course, there is another path, and it is the one taken by authoritarian regimes around the world. China’s approach is to have all that data reside in the central government, in a vast databank of personally identifying information about its citizens, from iris and facial recognition to DNA data. That is antithetical to our values.
But it is equally true that to keep our society safe, those charged with that mission will need some access to that data. Absent some satisfactory calibration, our national security agencies run the risk of being marginalized and ultimately irrelevant and ineffectual, with grave consequences for national security.
Eschewing the approach taken by authoritarian regimes to data collection and usage by no means reveals the proper path to be taken, as any decision would be deeply linked to the historic roles of government and the private sector in each country. The approach in Western Europe, with close cooperation between public and private sectors, might seem inappropriate if not impossible in America.
As if all this is not disconcerting enough, the fourth implication is that the internet can have a pernicious effect on our democracies, where adversaries can take advantage of our freedoms and interfere with our societal and government institutions. The painfully obvious fact is that the internet affords everyone a communications capability. In the absence of a commonly accepted authority — whether it be a trusted government or a curated news source — the internet permits lies and evil to be spread with almost no check.
Indeed, the state of affairs of fundamental uncertainty and doubt that will be facilitated by the misuse of digital technology may well make it more difficult to maintain foreign alliances (which, after all, are based on trust) — precisely at a time, paradoxically, when global cooperation is required to counter malicious activity. In short, and perhaps most critical to appreciate, the fourth implication of the digital revolution is that it will make dealing with the first three implications all the more problematic.
Putting these four implications together — coping with unprecedented technological change, adapting to a world of unceasing cyberconflict, navigating concepts of privacy and the power that comes with access to big data in the hands of the private sector, and countering the insidious and pernicious effects of the delegitimization afforded by the malign use of the internet — yields at least two imperatives, both of which are transformational.
The first imperative is that our national security agencies must quickly accept this forthcoming reality and embrace the need for significant changes to address these challenges. This will have to be done in short order, since the digital revolution’s pace will soon outstrip our ability to deal with it, and it will have to be done at a time when our national security agencies are confronted with complex new geopolitical threats.
The second imperative is we must adapt to the unavoidable conclusion that the fundamental relationship between government and the private sector will be greatly altered. The national security agencies must have a vital role in reshaping that balance if they are to succeed in their mission to protect our democracy and keep our citizens safe. While there will be good reasons to increase the resources devoted to the intelligence community, other factors will suggest that an increasing portion of the mission should be handled by the private sector. In short, addressing the challenges will not necessarily mean that the national security sector will become massively large, with the associated risks of inefficiency, insufficient coordination and excessively intrusive surveillance and data retention.
A smarter approach would be to recognize that as the capabilities of the private sector increase, the scope of activities of the national security agencies could become significantly more focused, undertaking only those activities in which government either has a recognized advantage or must be the only actor. A greater burden would then be borne by the private sector.
The point here is not to advocate for any of these [options for public-private cooperation], simply to say our policymakers need to be examining alternatives if we are to close the forthcoming technology gap. Although I have sketched out some of the more troublesome implications of the digital revolution for the national security sector, it is not in the spirit of forecasting doom, but rather to sound an alarm. [Emphasis added]
Our innovative and entrepreneurial society affords us a unique advantage in dealing with those implications. Moreover, no adversary should ever underestimate the extraordinary capabilities of our armed forces and intelligence community…. Their prowess and resilience will be key in addressing future challenges. But it would be a mistake to rely on these strengths alone.
Surmounting the transformational challenges posed by this Fourth Industrial Revolution will require not merely resources and creativity from both the public and private sectors but also, and more critically, a level of concerted national political will that may be made all the more difficult to achieve by the very attributes of the digital revolution rushing toward us.
About the Author:
Mr. Gerstell is the general counsel of the National Security Agency and previously served as a member of the president’s National Infrastructure Advisory Council.