Denver Dialogues Governance Human Rights Policy Social Media

Who Will Manage the Trade-offs Between Rights and Security on the Internet?

By Deborah Avant for Denver Dialogues.

Cybersecurity panel at the OECD Forum 2018. Photo via OECD.

Despite much focus on China and Russia, the Internet’s future is being shaped by a more varied set of relationships. In a recent example, Microsoft employees issued an open letter asking the company not to bid on the Joint Enterprise Defense Infrastructure (JEDI) contract to build cloud services for the Department of Defense.  The employees complain that the JEDI contract may violate Microsoft values: to “empower everyone on the planet to do more”. It is unclear just what Microsoft would be doing (cloud services can refer to everything from infrastructure to platforms to software—and the security to support each), but employees worry that their efforts could be used to harm others.

In particular, employees noted a statement by DoD’s Chief Management Officer John H. Gibson at an industry day for JEDI – “We need to be very clear. This program is truly about increasing the lethality of our department.” Increasing lethality is consistent with the approach taken by the 2018 Department of Defense Cyber Strategy. According to Nina Kollars and Jacqueline Schneider, the upshot of this strategy is clear: “Deterrence is no longer the prominent pillar of U.S. cyber defense strategy and the United States has moved past preparations for defense and will now confront the adversary on its home turf.” The strategy says much more—it aims to protect critical infrastructure, preserve peace and security, and expand American influence abroad by extending an open, interoperable, reliable, and secure Internet. While still operating on the premise that an open and free Internet is the goal, though, the 2018 strategy adopts a more muscular approach to “assertively defend” US interests.

Though Microsoft’s mission overlaps with some parts of the new US strategy it is far from identical. And Microsoft employees did not sign up to assertively defend American interests by ending lives.  In fact, in 2017 Microsoft called for a Digital Geneva Convention to prevent cyberwarfare. The employees urge their company to follow Google’s example and withdraw from the competition to preserve their principled commitments.

Google’s example is an interesting one. Earlier this year Google decided not to renew its contract with the Pentagon for Project Maven, which analyzed footage from drone operations, some of which were lethal. Thousands of Google employees signed petitions against this work. Their action prompted Google not only to refrain from renewing the contract, but also to develop its own AI principles.

This is not to suggest that Google doesn’t struggle with these principles. Indeed, Google’s statement about its decision not to bid on the JEDI contract stipulates its desire to continue working with the US government. And, of course, Google’s interactions with the Chinese government have made abundantly clear that it faces a variety of trade-offs as it interacts with powerful governments.

But Google’s actions and the Microsoft employee letter reflect an increasingly important reality about who weighs in on managing the trade-offs between rights and security in cyberspace. Just as the military’s need for cyber expertise means they must deal with the “culture problem” (i.e., the fact that those it most needs for cyber expertise are people who bear little resemblance to the typical warfighter), its use of cyber proxies brings with it dependence on the talent these companies recruit and the values they organize around. Sometimes they are dependent on individuals—from contractors like Edward Snowden to the Russian hackers Tim Maurer cameos in the preface of his fascinating book, Cyber Mercenaries. Other times it means dependence on companies like Google, Microsoft, and others.

Technology companies are hardly beacons of ethical behavior, but they do participate in forums such as the Global Network Initiative which has developed principles on freedom of expression and privacy. Companies have constituencies that include both employees and consumers; they stretch far beyond any nation’s borders and seek solutions that may not line up with any one government’s articulation of its interests. We should be paying much more attention to the interactions between governments, technology companies, hackers, and their various association; that is where we will find the politics shaping the future of the Internet.

Leave a Comment