Promoting Societal Resilience to Secure America's Digital Borders

October 6, 2020

MEMORANDUM

FROM: ASHLEY FOX

SUBJECT: PROMOTING SOCIETAL RESILIENCE TO SECURE AMERICA’S DIGITAL BORDERS

SUMMARY:

Domestic resilience is an essential component for securing America’s critical information infrastructures. As internet service providers, technology manufacturers, and U.S. agencies work to develop secure networks and products, American citizens present a significant vulnerability that cannot be fixed through hardware and software patches. To this end, the U.S. government must ensure user resilience through robust digital literacy campaigns that promote awareness and understanding among everyday citizens. 

BACKGROUND:

Technology alone cannot secure America’s digital borders. With attacks on critical infrastructure, election mechanisms, government databases, and private companies on the rise, the U.S. government is working against attacks from all sides. One crucial area where significant gaps remain is the capabilities and awareness of everyday internet consumers. Despite notable strides in securing America’s digital framework on the product and network front, individual users still present an important vulnerability with one-third of all data breaches stemming from simple social engineering phishing schemes.[i]

As of 2019, 90% of U.S. adults—approximately 312 million—are regular internet users.[ii] Theoretically, this means there could be as many as 312 million possible vulnerability points for malicious foreign actors to attempt to gain access to or influence America's digital information infrastructure. One digitally illiterate government employee, banker, or hospital worker could be the trigger point for a significant catastrophic breach. Millions of unaware voters could fall prey to sophisticated influence and disinformation campaigns carried out on seemingly innocuous social media platforms.[iii] Simply put, if the U.S. government wants to secure its digital borders, it must ensure that individual Americans have the capability and resources to secure themselves and their networks from malicious actors.[iv]

DISCUSSION:

Several approaches can help build digital and cyber resilience among the general population. Some steps are already being taken, such as training local election officials to secure election infrastructure and providing fact-checking on social media platforms.[v] However, there is much more the U.S. government can do.

Providing digital literacy education in schools and the broader community is a good first step for ensuring societal resilience. Many American adults have never been formally educated about the risks and vulnerabilities they face on the internet. This has resulted in generations of users at high risk of manipulation and influence who don’t even realize it. The government must fill knowledge gaps for individuals outside of school age through outreach campaigns and alert systems. Individuals must build the necessary digital and critical reasoning skills for identifying and understanding the risks presented to them as they use the internet.

Another area where the government can shore up domestic societal resiliency is in the regulation space. U.S. technology and social media companies operate largely unregulated or self-regulated, giving them a vast opportunity to create digital atmospheres that are dangerous to digitally illiterate consumers. Data privacy, algorithmic accountability, and online advertising laws can provide standards of operation for technology companies that help mitigate personal data misuse for malicious operations.[vi] As the owners of troves of personal user data, it will also be crucial for these companies to operate in an information-sharing environment with the U.S. government to identify known threats and malicious actors.

RECOMMENDATIONS:  

Creating and maintaining robust societal cyber resilience will require a multi-faceted approach that can be accomplished through the following:

  • Establish mandatory digital literacy, cybersecurity basics, and general critical reasoning curricula in all K-12 schools (state and local governments);

  •  Work with the private sector to collect relevant data on the demographic groups older than 18 years old associated with significant cybersecurity and digital literacy knowledge gaps (CISA);

  •  Evaluate and categorize demographic groups based on vulnerability, susceptibility, and risk of falling prey to malicious campaigns (CISA);

  •  Develop a country-wide awareness campaign on cyber risks and vulnerabilities with heavy targeting toward previously identified “critical-need” demographic groups (CISA);

  •  Create training-of-trainer materials and workshops for community leaders, academia, and other relevant institutions seeking to provide cybersecurity education to the public (CISA and private cybersecurity companies);

  •  Pass necessary legislation on algorithm accountability, data privacy, online advertising standards, and information sharing between private companies and the government (Congress and state legislatures);

  •  And implement a nation-wide alert system for providing timely updates on specific cyber threats and vulnerabilities to which average citizens may be particularly susceptible (CISA, White House, DHS).

 

[i] “2019 Data Breach Investigations Report” (Verizon, May 2019), https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf.

[ii] Monica Anderson, Andrew Perrin, JingJing Jiang, et al., “10% of Americans Don’t Use the Internet. Who Are They?,” Pew Research Center, FactTank (blog), April 22, 2019, https://www.pewresearch.org/fact-tank/2019/04/22/some-americans-dont-use-the-internet-who-are-they/.

[iii] Scott Shane and Sheera Frenkel, “Russian 2016 Influence Operation Targeted African-Americans on Social Media,” The New York Times, December 17, 2018, https://www.nytimes.com/2018/12/17/us/politics/russia-2016-influence-campaign.html.

[iv] Angus King and Mike Gallagher, “Cyberspace Solarium Commission Report” (U.S. Cyberspace Solarium Commission, March 2020).

[v] “Election Security Preparedness | U.S. Election Assistance Commission,” accessed October 6, 2020, https://www.eac.gov/election-officials/election-security-preparedness.

[vi] Joseph S Nye, “Protecting Democracy in an Era of Cyber Information War,” Belfer Center Paper, February 2019, 32.
