Cyber attacks. Disinformation campaigns. The fragmentation of the Internet. Surveillance capitalism, or even worse, the surveillance state.
The U.S. Director of National Intelligence testified this year that U.S. Strategic competitors will increasingly use cyber capabilities to seek political, economic, and military advantage over the United States. They will seek to steal information, to influence our citizens, and to disrupt critical infrastructure.
It is fair to say that the model of an open and interoperable internet, driven by the multi-stakeholder approach, is facing challenges by those that are threatened by the benefits it can bring.
Given the critical importance of the Internet to our economy and our society, our very way of life seems at stake.The risks are real, yet the “doom and gloom” masks the fact that the Internet remains an engine for our prosperity. It provides unparalleled access to information that, when used for good, allows the whole of humanity to learn from our accumulated knowledge. It enables commerce across borders, which improves people’s lives and standards of living. It fosters discussion, debate, civic engagement, freedom of expression, and transparency. It connects us.
To maintain our vision of an open, interoperable, reliable, and secure Internet, we must stand up for our fundamental values. This means adherence to the rule of law and the free flow of data across borders. It also means respect for privacy and the exercise of human rights online.
In my capacity as Deputy Assistant Secretary for Cyber and International Communications and Information Policy, I lead a team that works hand-in-hand with colleagues throughout the interagency to protect and advance these values every day. Let me share with you how the State Department and the U.S. government is putting these values into action in engagements on emerging technology, cybersecurity, and in dealing with some of the authoritarian uses of technology that we see bubbling up in parts of the world.
The U.S. government could not do it without our private sector, academic, civil society, and foreign partners. This is the multi-stakeholder model of Internet governance supported by the Internet Governance Forum, and it is why I am so happy to be with you today.
Given the borderless nature of much of cyberspace, and the need to advance the values of both privacy and security, we must avoid falling into the trap of false choices. We do not need to sacrifice the free flow of data across borders in order to protect and secure personal data. World-class cybersecurity can protect data wherever it resides in the cloud; and common, interoperable data protection principles that democracies share can guard privacy around the globe.
We must work with other countries to find interoperable solutions, because a fragmented Internet with unpredictable rules will frustrate innovation, limit the reach of its benefits, and result in unnecessarily bureaucratic processes and regulations.
Artificial Intelligence is an emerging technology with great potential. We are engaging with our allies and partners to develop sound policies to ensure this technology supports our interests and values.
As I am sure most of you are aware, President Trump signed an Executive Order in February creating the American AI Initiative. The United States firmly believes that AI can have a positive, meaningful impact on our world. We want to reduce barriers to the use of AI technologies to promote their innovative application.
As the Organization for Economic Cooperation and Development’s excellent Going Digital report highlighted, we need to foster entrepreneurship by reducing regulatory burdens for start-ups and re-evaluate regulations that may not fit the digital age.
If we get the policy right, and remain true to our values, we can achieve an AI future that enriches the lives of our citizens, promotes innovation, and ensures our national and economic security.
The State Department’s role in implementing this initiative is to foster an international environment that is open to American AI research and development and the adoption of AI in society.
A great example of how we do that is facilitating the recent OECD Recommendation on AI, the first set of inter-governmental principles aimed at fostering trustworthy AI. The OECD Recommendation identifies principles for the responsible stewardship of trustworthy AI. These are things that I am sure many of you have thought about:
- AI should be human-centered and embody fairness.
- It should be transparent and explainable.
- It should be robust, safe, and secure.
- It should be accountable.
- At the same time, it should contribute to our economic growth and the well-being of society.
The OECD Recommendation takes a holistic approach to AI with a strong emphasis on international, crosscutting collaboration among governments, the private sector, and civil society. Above all, it reaffirms a commitment to strengthen public trust, protect individual liberties, and remain true to our shared values—respect for democracy, the rule of law, privacy, and intellectual property.
One example of this is demanding explainability and responsible disclosure, so that those affected by an AI system can understand the outcome and – if they have been adversely affected – challenge it. In this way, we can work to ensure that AI is not used in an inappropriate or discriminatory manner.
We are very pleased that the OECD Recommendation on AI addresses so many of the issues being tackled by the American AI Initiative. It has been picked up in the Leaders Statement at the G-20 as well, so its influence is growing.
Cybersecurity, Deterrence, and 5G
Let me turn now to cybersecurity. Increasingly sophisticated cyber attacks and cyberspace campaigns — by criminals and states — jeopardize the value that we derive from the Internet and digital technology.
The theft of confidential business information, intellectual property, and personal information all can have significant negative repercussions and undermines our privacy, economic competitiveness, and security.
So what are some of the ways that we in government can protect the security of our nation, while not limiting innovation, decreasing access to technologies, reducing competition, or creating trade barriers?
One way to do this is by providing industry with a clear regulatory environment that is stable, predictable, technology-neutral, and risk-based.
With regard to the development of security standards, technical experts in the private sector and government are best qualified to recommend what is the most efficient and effective. In general, standards should be voluntary, market-driven, and established through multi-stakeholder processes.
The NIST Cybersecurity Framework is an excellent example of this — a voluntary, multi-stakeholder process that resulted in a risk-based flexible framework for managing cyber risk.
As we strive to enhance the security and resiliency of the global cyber ecosystem, our focus is on deterring malicious activity in cyberspace and cyber-enabled behavior, securing critical infrastructure, particularly telecommunications supply chains, and countering disinformation and propaganda online.
Last September, the White House released a National Cyber Strategy that provides a framework for how the U.S. government will work to secure and preserve cyberspace for future generations.
For more than a decade, we have been working to promote responsible state behavior in cyberspace with tremendous success. We have seen growing consensus around three key elements of an international cyber stability framework:
- First, affirmation that existing international law applies to state behavior in cyberspace. We already have effective legal constructs in place and do not need new legal instruments.
- Second, adherence to certain non-binding norms of responsible state behavior in cyberspace during peacetime;
- And third, the development and implementation of practical confidence-building measures to reduce the risk of conflict in cyberspace.
These elements have long been used to enhance international stability in other areas of transnational concern. Together they build trust, enhance transparency, and decrease the risk of conflict. Indeed, all UN Member States have affirmed such a framework in their adoption of the UN Group of Governmental Experts’ consensus reports of 2013 and 2015. We will continue to work in the new UNGGE on responsible state behavior in cyberspace.
While the United States continues to build international consensus around this framework, we recognize that some states are not willing to abide by it. We believe that if states engage in significant disruptive, destructive, or otherwise destabilizing malicious cyber activity, they should face consequences.
That is why the National Cyber Strategy calls on the United States to “develop swift and transparent consequences” that we will impose “to deter future bad behavior.” These should be carried out in concert with international partners that seek to hold states accountable for significant acts that are contrary to the framework of responsible state behavior. To that end, we are building a coalition of like-minded states called the Cyber Deterrence Initiative.
We areencouraged to see a growing number of governments beginning to work together to condemn malicious cyber activity. From WannaCry to NotPetya to APT10, more and more countries are attributing cyber attacks or issuing statements of support to those that do.
The Cyber Deterrence Initiative builds on a foundation of transparency. Transparency about our cyber activities, about the norms of responsible state behavior, and about deterrence actions. Our approach will be consistent with international law and with non-binding peacetime norms of state behavior.
Along with deterring, countering, and contesting malicious foreign state behavior and improving network defenses, we also must focus on the security of our telecommunications networks and supply chains, especially when it comes to the Fifth Generation of wireless technology, or 5G.
I do not need to tell this group that 5G will be transformative. Tens of billions of new devices and sensors will be connected to the Internet via 5G in the next few years, including critical services like electricity distribution. Given 5G’s scope, the stakes for safeguarding these vital networks could not be higher.
The United States is urging countries to adopt a risk-based security framework for the construction of all elements of 5G networks, including a careful evaluation of hardware and software equipment vendors in the supply chain.
We urge nations to consider whether vendors could be ordered to undermine network security—to steal personal information, conduct industrial espionage, disrupt critical services, or conduct cyber-attacks.
It is critical that we not allow 5G communications networks to be a conduit for the exfiltration of personal data or commercial IP to authoritarian governments.
We are concerned that China’s National Intelligence Law allows it to compel 5G vendor companies, such as Huawei, to take such actions against our national interests and values or those of our partners. Therefore, we have undertaken a worldwide campaign urging countries to improve communications security standards, as we have in our country.
Authoritarian models for Internet control
This brings me to my final point: We are increasingly concerned that authoritarian regimes are using the Internet and emerging technologies as tools for repression.
For a disturbing example of this, look at Xinjiang and how the Chinese government uses technology to target individuals arbitrarily for pervasive, high-tech surveillance, to collect personal data involuntarily, and to suppress freedom of expression, religious freedom, and other human rights. Alarmingly, China is beginning to export this model to others keen on exploiting this technology to monitor and control their own populations.
Our democratic values and institutions are also under direct attack through digitally enabled means. As we saw in the lead-up to the 2016 election and similar efforts at foreign malign influence in democracies across the globe, the legitimacy of our political institutions and cohesion of our society are in the cross hairs of our adversaries.
We are working within our government and with democratic countries and the private sector to protect and defend ourselves from these attacks and influence campaigns in the future. We are also working with our partners to prevent states that view the open Internet as a political threat from transforming it into an authoritarian tool for social and economic The challenges we face are part of a larger philosophical debate that is shaping the future of the internet, of emerging technologies, and of global society. Our task – as a government and as a society – is to confront these challenges and thwart malicious actors while upholding our values and the important benefits that come from an open, interoperable, secure, and reliable information and communications infrastructure.
The State Department, in coordination with other government agencies, is building a cyber and digital economy policy that protects the United States and our allies, ensures that we can all reap the benefits of the open Internet, and that promotes an environment that enables American and international innovation.
We will continue to engage multilaterally, at places like the OECD, to promote international norms and best practices based on our shared values and democratic principles.
We will use our 100+ cyber and digital economy officers at U.S. embassies around the world to engage directly with our foreign counterparts and push back against those who view information as a threat.
We will continue to work with the private sector, civil society, and other stakeholders to promote Internet freedom, build trust, and enhance transparency.
Working together, and based on our shared values, we can ensure that our vision for the Internet prevails. We can chart an optimistic path where technology is not a tool of repression, but serves to empower individuals, and allows our citizens and economies to reach their full potential.
Thank you for the work that you do to assist us in this vital mission.