A Primer on the Proposed U.S.-U.K. Agreement
A brief primer on how cross-border data access requests currently work, options for reform, and major challenges to reform ahead
The Internet and the devices attached to it are, in important ways, broken. They are not secure. And yet we depend on them – and treasure the openness that in some ways is at the root of some vulnerability.
Solutions to this problem are not only difficult to develop, but also exquisitely hard to implement. The Internet environment is a distinctly shared space: it comprises many interdependencies and perspectives among the public and private sectors. Governance of some central functions has been distributed among many parties, both government and private, and undertaken by consensus and practice, rather than formal and by fiat. While a high proportion of Internet infrastructure is private, and some governments have carved out a central role in cybersecurity, action taken by government and corporate actors has been highly fragmented.
Further complicating matters, trust in government – in particular the intelligence community – to help address the mounting concerns around cybersecurity is low. Moreover, the level of engagement by civil society groups and academia has been notably lacking, beyond noting the impact on individual freedom of particular security proposals. Comprehensive cybersecurity frameworks that recognize and build upon the distributed and generative nature of the Internet have not received adequate support, and suffer from a lack of coordination. Basic cybersecurity vulnerabilities are not sufficiently owned by any combination of parties, and actions by stakeholders may not be sufficiently considered with an eye to changes in systemic risk that those actions could cause.
Launched in 2015, the Berklett Cybersecurity project is a unique forum for discussing true and important, and often novel, facts, and perspectives, and achieving surprising consensus on enduring questions of cybersecurity. The project is led by Prof. Jonathan Zittrain and former National Security Agency (NSA) Director of Compliance John DeLong, in close collaboration with security technologist Bruce Schneier, and Matthew Olsen, the former Director of the U.S. National Counterterrorism Center (NCTC).
At the heart of the project is an unprecedentedly diverse group of experts who convene regularly to thoughtfully discuss cybersecurity topics core to government, foreign intelligence, law enforcement, civil society, and industry. The group includes current and former members of the US Intelligence Community and representatives from major technology companies as well as security and policy experts from academia and civil society. In 2016, the project published its first report – “Don’t Panic: Making Progress on the ‘Going Dark’ Debate” – which took on claims and questions around the government finding a landscape that is “going dark” due to new forms of encryption introduced into mainstream products by the companies who offer them. The New York Times’ national security correspondent, David Sanger, described Don’t Panic as “unusual because it involved technical experts, civil libertarians and officials who are, or have been, on the forefront of counterterrorism” and “among the sharpest counterpoints yet” in the encryption debate. In a speech at MIT in March 2016, Robert Hannigan, then Director of the U.K.’s Government Communications Headquarters (GCHQ), recounted the report as one of “the key contributions of the last few years in my area.”
While the group at times publishes specific reports or articles – attributed to the group as a whole or authored by a subset of its members with input from the full group – the main purpose is to achieve a depth of trusted and honest discussion across a broad range of issues at the intersection of cybersecurity and government to significantly advance thoughtful progress on these complex issues.