The early years of the Internet were marked by a libertarian optimism about its decentralizing and democratizing effects. Information would be widely available and undercut the monopolies of authoritarian governments. Big Brother would be defeated. President Clinton believed that China would liberalize and that Communist Party efforts to con- trol the Internet were like trying to “nail jello to the wall.”1 The Bush and Obama administrations shared this optimism and promoted an Internet Freedom Agenda that included subsidies and technologies to assist dissidents in authoritarian states to communicate.
Today, in the face of successful Chinese control of what citizens can see and say on the Internet and Russian use of the Internet to interfere in the 2016 American election, the United States (and allied democ- racies) find themselves on the defensive. The expected asymmetries seem to have been reversed. Autocracies are able to protect themselves by controlling information flows, while the openness of democracies creates vulnerabilities that autocracies can exploit via information warfare.
Ironically, one cause of the vulnerabilities has been the rise of social media and mobile devices in which American companies have been the global leaders. Citizens voluntarily carry Big Brother and his relatives in their pockets. Along with big data and artificial intel- ligence, technology has made the problem of defending democracy from information warfare far more complicated than foreseen two decades ago. And while rule of law, trust, truth and openness make democracies asymmetrically vulnerable, they are also critical values to defend. Any policy to defend against cyber information war must start with the Hippocratic oath: first, do no harm.
Democracy depends upon open information that can be trusted. Authoritarian states can exploit and weaponize this openness. Information warfare is not new, and it has always presented a challenge to democracy, but technology has transformed the nature of the challenge. What’s new is the speed with which such disinformation can spread and the low cost and visibility of spreading it. The Internet has expanded the information attack surface and the instruments that can exploit it. Electrons are cheaper, faster, safer, and more easily deniable than human spies. What is more,
the business models of the large American social media companies can be readily manipulated by malign actors for criminal or political purposes. But as democracies respond to such challenges, they run the risks both of doing too little, but also too much. Measures that curtail openness and trust would become self-inflicted wounds. This will be true of both the defensive and offensive measures that democracies undertake. Imitation of the authoritarian practices would be a defeat.
In the case of Russian interference in the 2016 presidential election, the United States was poorly prepared and inadequate in its response. Differ- ent vectors of attack require different measures. Hacking and doxing of political actors requires greater awareness and practice of cyber hygiene. Hacking of electoral machinery and voter rolls requires more robust machines and audit trails as well as improved federal, state and local coop- eration. Thwarting and removing false accounts, botnets, sockpuppets and astroturf actors requires strong action and cooperation among social media companies. Dealing with fake news designed to polarize, disrupt and sup- press voting also requires action by the companies but with procedures for protecting transparency in algorithms and processes that reveal difficult trade-offs regarding free speech. None of this will be solved easily. In some cases, artificial intelligence will help the offense, in other cases the defense. The game of cat and mouse does not end; it must be continually monitored.
At a more general level, a national strategy for defending democracy in the cyber age must include all three dimensions of resilience, deterrence and diplomacy. American actions have been inadequate on all three dimensions but some useful steps have begun, and this discussion has suggested more that can be done. We are only at the beginning of a long process of protecting democracy in an era of cyber information war.