This semester I am teaching a course entitled Law, Policy and Politics of Cybersecurity. It incorporates everything from national security to information security and privacy. This morning when I read about the appellate decision in the Missouri v. Biden case, about which I have already spent some class time, I thought I would write a little summary for the students.
That summary has turned into something else: a clarion call to recognize to those I teach at Cornell and reach through this blog to reassess the posture of our national security in contemporary jurisprudence on matters of the First Amendment and content management. It is my contention that notwithstanding numerous efforts, our country has not done enough to protect ourselves from the myriad fronts upon which our adversaries operate.
We hold ourselves back by focusing too much on existing federal structures, scientific and business success, and even traditional jurisprudence. Thus, the implications of this case are not just about augmenting First Amendment jurisprudence in the digital age. This case raises profound public concerns that must be addressed before our country locks itself into a structural and jurisprudential straitjacket that in the long run could have serious deleterious effects on our national security.
Some background to this case will help to bring the issues out into more bold relief. The 2016 Russian election interference, confusion over COVID messaging and the events of Jan. 6 put a spotlight on social media in the 2022 midterm elections. As a result, the Biden administration placed social media companies on a high level of alert. That level included communications between various branches of the federal government and prominent companies such as Facebook, now Meta, and Twitter, now X.
In the aftermath of the election, a concern arose that those communications violated free speech, were biased against viewpoint expression and exercised undue influence over private companies. Attorneys general in Missouri and Louisiana, together with individuals who believed that their speech on social media had been affected by these communications, brought an injunction against the administration and a wide swath of its agencies to desist. Judge Dougherty found in favor of the plaintiffs, and the Department of Justice appealed. This week, a three-member panel of the Fifth Circuit upheld his decision with some new restrictions.
For the most part it would appear to be a Solomonic decision. The court retained the injunction for the White House, Centers for Disease Control and surgeon general’s office. Evidence suggested that those offices were the plaintiffs’ main targets. The appellate court agreed that those offices’ communications with social media blurred public policy concerns with political issues, such as instructions to remove posts about President Biden’s son Hunter, or violated basic free speech principles with respect to individual expressions about COVID. The appellate court narrowed the scope of the injunction, however. Although critical of the Department of Justice and the Federal Bureau of Investigations, the court relieved them of the injunction. Whatever mistakes those offices may have made in this instance, the court recognized the key roles each plays in law enforcement and hesitated to constrain the executive branch too much based on this limited set of facts.
These issues are fraught. The “what about” political use that Republicans have made of Hunter Biden to deflect from Donald Trump is a ridiculous equivalent. Social media posts challenging the CDC ranged from quirky through fraudulent to malignant. While the United States has the dubious distinction of the most deaths from COVID among developed nations due in no small part to mis-/disinformation, a shocking statistic given that our country pioneered the most effective vaccines and distributed them widely, the First Amendment still matters. Leaving aside the question of whether government influence on those issues and not actual regulations amount to state action (a question left open by both the original decision and the appellate opinion), the evidence does suggest that the administration overstepped bounds and that there was a need for correction.
Hence the original decision and now the appellate rejoinder. The problem is that in both decisions the issue of cybersecurity is overlooked. Judge Dougherty made cybersecurity an explicit exception to his ruling but apparently in a high degree of ignorance. Since 2016 the Cybersecurity and Infrastructure Security Agency (CISA) has included disinformation in its scope. It is not clear that Judge Dougherty knows or understands the meaning of it. He appears to have relegated cybersecurity to technology, with little to no understanding that cybersecurity works ubiquitously up the proverbial internet stack from hardware equipment through software and into applications. Those applications are what people read, react to, form opinions and bring into abiding believe. What is not clear in his exception for cybersecurity is whether he appreciates that in the United States no fewer that 150 million people are a part of this discourse and it is riddled with disinformation designed to confuse and divide us.
A little history might help. Russians are the world’s best at disinformation. They have been active in that practice for decades, maybe even centuries, but certainly since the regime of the Soviets. It is no coincidence that Putin comes directly from that vein of the government. His skills in this area are a mark of his continued political success. In short, it is impossible to evaluate our vulnerabilities in the cybersecurity space without a comprehensive approach to disinformation and at some juncture disinformation crosses the boundaries of free speech and content management. That boundary is not clear, and the United States does not have an articulate path to parse the distinctions. But we ignore this challenge at our peril. Focused on the right-left political spectrum in the United States, Judge Dougherty falls right into Putin’s trap. The national security complications are out of Judge Dougherty’s bailiwick. The appellate court did well to cabin the original opinion in terms of the reach of the First Amendment but either missed or sidestepped the larger and more significant issue of disinformation entirely.
These gaps constitute the warning bell in the night. For all the enmity the American public has about China and ambiguity about foreign policy with Russia, we, as a society, do not take our adversaries seriously enough. The People’s Republic of China and Russia, not our only but our most potent adversaries, use the internet to engage in diverse and divisive tactics. Cybersecurity is not limited to electronic attacks on our utilities or data exfiltration of personally identifiable information, intellectual property and military secrets, but purposeful campaigns to pervade virtually every aspect of American life and culture. Russian interference in the 2016 elections, disinformation campaigns ever since, the festering political fissures in our body politic and, yes, even the influence of social media platforms such as TikTok are all examples. Occasional flashpoints arise such as hearings in Congress, but those events turn more into political grandstanding than true educational moments. That trade-off insufficiently copes with real threats.
Something is lacking in our country’s ability to absorb the reality that cybersecurity disinformation threats are serious. Our researchers are smart, innovators creative and businesspeople daring, but all the above are naïve. Were the United States not a market-driven country, leaders better attuned to these challenges could place that naïveté in perspective. But we are not. The market inordinately shapes public policy in the United States. While for the most part that emphasis has historically garnered so much opportunity for individuals and global supremacy for our country, there are some moments when it is appropriate to turn the tables a bit more to address the very reason why a government exists: to protect the people it represents. We are in one of those pivotal moments. That fact may be difficult to accept given that the lights are on and our economy moves at a steady pace. We fight a proxy war with Russia, but that proxy means we don’t have our own soldiers dying in the field. We have effectively outsourced military conflicts. The question remains whether we are positioned to confront the threats we still have alive and well in our own landscape.
Perhaps the most concerning aspect of our country’s ability to meet those threats rests in the unpropitious structure of where and how cybersecurity sits in our federal government. Our federal government took predominate shape at the turn of the last century up through the New Deal. That era is many global transformations ago. For example, domestic internet governance spreads across no fewer than 17 agencies. Cybersecurity spans across three, at the most conservative assessment. The White House has a cybersecurity coordinator with little actual authority but the expectations to exert significant influence over both external and internal policy. Actual authority to execute operations rests in the U.S. Cyber Command, the military arm of our cybersecurity profile. Located in the National Security Administration, this office ties together the cyber units in each of our six branches of defense. Its scope encompasses both offensive and defensive maneuvers, which are often executed in secret and below the level of transparency for review of the people of the United States. The Cybersecurity and Infrastructure Security Agency lives in Homeland Security. CISA mainly addresses information security in the federal government, but it necessarily must take account of global concerns given the nation-state nature of attacks.
Compare that posture to the People’s Republic of China. Within its already centralized party structure, China has one internet agency. That means everything from military operations to the development of microchips—in other words, risk management is assessed comprehensively. Russia offers another example. One need not go back as far as its 1980s Operation Infektion that fomented the conspiracy theory that the United States engineered the virus that caused AIDS to rid itself of homosexuals and Blacks to learn how skilled Russians long have been to use disinformation to confuse and disrupt its enemies and gain a leg up in international contests. The more recent election of 2016 offers so many excellent examples, thanks to work of the Internet Research Agency under the direction of no other than the recently assassinated Prigozhin. Whatever one thinks about the falling-out between him and Putin, there is no debate over the effectiveness of that campaign.
The Internet Research Agency successfully instigated ethnic and religious protests in unsuspecting but susceptible Midwestern cities. It created an unbelievable conspiracy theory about a child sex ring organized by Hilary Clinton in a D.C. pizza parlor that prompted at least one man to believe it so much that he took it upon himself to free the children from an alleged prison in a basement of that building that does not even exist. He sits in jail today as a result. It is not clear how much of the COVID disinformation that had such a deleterious effect on public health in the United States originated from Russia, but given its so many other effective campaigns at sowing fear, confusion and distrust, one can assume quite a lot. Russians plant false seeds that flower on the internet. Structural gaps in U.S. governance may be keeping the United States from keeping up with the profusion or knowing how to confront these kinds of cybersecurity events.
Domestic U.S. law contributes unwittingly to this conundrum. Time, place and manner restrictions; fighting words; speech encompassing conduct; and hate speech are all artifacts of life in the United States little informed by national security. A culture of free expression intersects with uncertainties surrounding content moderation inherent in Section 230 of the CDA. As most everyone knows, section 230 affords broad legal immunity to media platforms for third-party content. An essential driver of the public internet in its earlier incarnations, this law has become a political football in Congress as well as a real quandary for the courts because of technological advances such as advanced algorithms and artificial intelligence that “internet service providers”—what we would now call social media platforms—use to leverage content. National security concerns are not given their due in this analysis. Mark Zuckerberg might have taken it on the chin in public relations before Congress in the aftermath of the 2016 Russian onslaught, but he was in no danger of legal consequences. Likewise, Elon Musk’s very first layoffs announced on the night of his investiture at Twitter appeared to many to be an intriguing business pivot and not a cybersecurity concern. A raft of abusive, hateful and deceptive information immediately appeared on the platform.
Private corporations such as Meta and X are free by law to create their own policies. They are not government or “state” actors. So long as they do not violate the exceptions to First Amendment law, (e.g., obscenity, child pornography or abject criminal activity such as drug trafficking), they are free to moderate as they want. The problem lies in the whims of the leaders of these platforms, who are unschooled in the law and often tin-eared about the public policy. Facebook’s refusal in 2013 to comply with federal elections law on reporting of political advertising opened the door for Russia to do what it did in 2016. Similarly, numerous studies noted the rapid uptick in disinformation, abusive and hateful speech in the aftermath of Musk’s decision to gut his content-moderation staff. I am writing this post for those who might not believe that foreign intervention constitutes no small part of that content.
Content moderation might not be such an important issue if media platforms did not function as a public square for U.S. society. But they do and it is into this space that our adversaries have infiltrated. The values undergirding First Amendment jurisprudence to enhance political speech or search for knowledge are contrary to their goals. They seek to confuse and undermine our society. Recognizing that they cannot defeat us in military might, they have probed other areas for vulnerabilities. In the antiquated structure of our government, existing domestic law on First Amendment and content management, and an abiding preference for innovation over other public policy, they have found our weaknesses. No matter how good the Cyber Command, CISA and the White House may be at addressing these concerns, our government is up against larger, more significant threats. Into these gaps flow the innumerable possibilities for intrusion, espionage and potential interruption of utilities and services. Destruction of our physical infrastructure lies alongside those potential attacks. A loss of believe in our values of our government would be the worst outcome yet.
A comprehensive vision of cybersecurity in our national security framework is necessary to address such abiding concerns. It is one thing if the people of this country wanted to strike out a different governmental path and totally another if that direction is being manufactured for us by our adversaries. U.S. intelligence reports that on the night of 2016 election Putin opened champagne and made a toast. Against the odds, their manipulations had contributed to a stunning electoral success thousands of miles away from a single ballot box. I, for one, refuse to believe that this is the outcome that most people of this country want. In so many avenues we must move beyond two-dimensional partisan politics and bring the third dimension of national security concerns into focus. If that effort involves deeper exploration of the issues in jurisprudence, then so be it. Recent events demonstrate that this is not the time to stand on ceremony but rather the moment when we should call upon a solid tradition of American ingenuity and a will to act when it is in our national interest.