The controversy over whether Facebook failed to stop improper access and handling of user data puts social media companies under intense, new scrutiny. We struggle to address the power of Facebook, Twitter, YouTube, and other social media companies because we’re not defining them accurately. These companies are not “just” technology platforms, as their General Counsel’s asserted on Capitol Hill in 2017. Social media is becoming a sector critical to the functioning and security of our nation – and their current approach to Washington’s concerns is untenable. The companies that comprise this sector must act with the responsibility and accountability that we expect from other sectors that are critical to our nation’s health and well-being.
Prior to 9/11, we created categories of critical infrastructure, including telecommunications, finance, and energy, that the government determined to be essential to our nation’s economic and national security. Even as the digital economy exploded over the past 15 years, our security policies continued to focus on these traditional industries. In 2016, I served as the Executive Director of the Commission on Enhancing National Cybersecurity, a bipartisan, independent Commission, led by Tom Donilon and Samuel J. Palmisano, tasked by then-President Obama to develop a roadmap for the incoming Administration on securing and growing the digital economy. One of the eight issues we were asked to address was the security of critical infrastructure. After extensive initial discussion, the Commission determined that, in a time of growing interdependencies catalyzed by the Internet of Things, the lines defining what is and is not critical were getting blurred. This statement is even more true today than it was over a year ago. The definition of critical infrastructure has to evolve and align with the growth of the digital economy.
The cybersecurity events of the last twelve months have forced us to define what is critical in today’s environment. In the aftermath of the Equifax breach and the Russian interference in the 2016 elections, the importance of protecting critical information has become apparent. We now recognize that the protection of critical infrastructure is dependent on the protection of critical information. Yet, we have failed to make protecting critical information a priority.
Who or what holds our critical information? Social media companies are aggregating personally identifiable information at rates and quantities greater than at any other time in the history of the world. Our digital identities are now owned by social media companies. This information is critical because it becomes the gateway to accessing systems and networks to which the individual is connected (i.e., workplace, banks, healthcare endpoints) – systems and networks that constitute traditionally-defined critical infrastructure.
Social media companies were developed as technology platforms to create connections among people around the world. But the technologies have grown at a rapid pace and are much more than the platforms originally envisioned – and these companies need to understand and acknowledge their newfound responsibilities. If a nation-state, like Russia, that is focused on creating digital chaos to influence our democratic process, recognized and was able to access the power of these companies, it is time these companies acknowledge this power, as well, and take responsibility for it.
Social media companies should create a consortium or industry association that works with government to protect the information they are gathering, to be transparent about the information they have, and to collaborate with the public sector on making our nation more secure. These companies would benefit from the engagement and input of traditional infrastructure companies, such as telecommunications, who have experienced growing pains from innovation. Historically, companies with this much power that have turned up their noses at government don’t usually find themselves in enviable positions and are often on the wrong side of a government lawsuit. In the evolution of technology companies (i.e., Microsoft and IBM), for example, when a few companies have dominated, some form of government intervention has emerged.
Social media companies need to organize as a sector and define the roles and responsibilities they now have. If they have a pro-active, unified voice, they have a better shot at an effective relationship with government and creating solutions that will actually work.
The window for voluntary action is closing. As the 2018 elections approach, government may have no choice but to intervene. And, as one of the drafters of the legislation that created the Department of Homeland Security, I can tell you that government will over-rotate when it is responding to national security catastrophes. When it comes to critical infrastructure, government only knows the physical world and it will use this approach to regulate the digital world, which will guarantee the least desirable outcomes for this sector.
Our nation has become dependent, voluntarily and involuntarily, on social media. It is now a sector critical to our nation’s well-being. Social media companies must come together, acknowledge the responsibility their innovation has created, and act like the critical infrastructure sector they’ve become.