A Clean Networks program wouldn’t have prevented the SolarWinds hack. But we still need one.
The timing is painfully ironic. While the Trump administration was trying to close the door to Chinese espionage, the Russians were already inside. But while the SolarWinds hack was a disaster that is even now still unfolding, its very severity may also represent a golden opportunity for the Biden administration to take bold steps that could help prevent the next hack from gutting American data security. The best path forward runs through the same types of government-led initiatives that—in this case—were unequipped to prevent the SolarWinds hack.
While far from perfect, at its heart the Clean Networks program is some of the first real coordinated action we’ve seen from the U.S. government to secure supply chains, ensure the use of trusted vendors, and build consensus around what safe and trustworthy technology should look like. A reformed, revitalized Clean Networks is a key part of what must be a comprehensive strategy to protect the data of U.S. citizens and allies and to promote U.S. technological, economic and military strength into an era of 5G and beyond.
First, what the Clean Networks program does particularly well: Unlike many initiatives, this program takes a holistic view of the points of vulnerability in ICT infrastructure. While conversations about excising Chinese telecommunications giant Huawei have dominated discussions about 5G, the security of our data relies on far more than one equipment provider. In its mission to build a coalition of companies and like-minded countries ready to prioritize security above cost when building out ICT infrastructure, Clean Networks takes on everything from iPhone apps to the undersea cables that form the backbone of intercontinental communications.
Further, the program is rooted in the strengths of the State Department—diplomacy and outreach. The State Department’s Trump-era website boasted that the United States was joined in its efforts by 30-some other countries committed to securing their systems from untrusted vendors. The State Department seems to have considered the advice of stakeholders in the process, working with civil society to generate guidelines for building trust and security. In fact, one of the most important things that the United States can do for our national security is work collaboratively to support strong, trustworthy U.S. ICT companies—both to raise the level of industry security overall and to elevate the position of U.S. companies globally. In government, momentum is critical and activation energy is difficult to generate. Therefore, the Biden administration should build on the groups and coalitions that have already been set in motion.
The Clean Networks program is also a step toward transparency in ICT supply chains, which have long been infamous for their—at times even deliberate—opacity. By identifying trusted suppliers, companies and governments alike can be assured that vendors are making a good-faith effort to ensure the highest level of security standards, rather than allowing the data and control over the networks to fall into the hands of opportunistic criminals or the Chinese government.
But when the Biden administration takes on the Clean Networks Program, they should rethink three key weaknesses of the initiative.
In its current iteration, the Clean Networks program is too politicized. It is directed nearly exclusively at excising Chinese vendors from ICT infrastructure, using rhetoric that is so crudely anti-China that it almost seems like a caricature of itself. The program is more a polemic with vague policy than a clear policy backed by guiding ideology. And it obscures the fact that China is not our only adversary in this space. The United States should be focused more broadly on raising business and technical standards globally, on decreasing the risks of third-party compromise, and on improving the cybersecurity ecosystem by encouraging the creation of secure companies and technology in allied and partner nations.
The Clean Networks program also has an unhealthy focus on exclusion, and should be broadened. Trusted vendors are important to rely on, but it’s not a sufficient solution to our security problem: the SolarWinds hack is an excellent example of a recent compromise of a trusted vendor. It is not enough to build a “Clean fortress” based on a political litmus test; the United States needs to also prioritize technical solutions such as zero-trust networks, built-in resiliency and healthy encryption standards. And it’s not enough for a Clean Networks program to promote external transparency simply; it should also model transparency in its own determination of security standards and evaluation.
Finally, the program’s potential to divide the global internet further has analysts worried. In recent years, warnings of a “splinternet” and the “balkanization of the internet” describe fears that what was once hailed as a tool that would bring all people together but is instead a tool of their further separation. This is not only an ideological problem but a real economic dilemma as well, if sanctions, tariffs and political retaliation lock U.S. companies out of other countries.
The Biden administration is facing a daunting number of crises. Despite this, the challenge of creating secure ICT networks should be an immediate top priority, as it is one of those issues that doesn’t look like an urgent problem until it is too late. The new administration must take advantage of the coalition-building efforts of the Clean Networks initiative in order to identify best practices and good partners, build transparency, prioritize security, maintain momentum and provide a sense of coherence after the United States’ boomeranging foreign policy changes of the past four years. It’s this type of work that may prevent the next SolarWinds-style hack—or, at the very least, help officials catch it a bit earlier.
And in the long-term, the Biden administration should also dig into the thornier problems that the Clean Networks program’s focus on excluding Chinese vendors eclipses: such as the U.S. government’s own aversion to impenetrable encryption, the lagging state of adherence to already established basic cybersecurity standards across the ICT industry, and the real social and economic consequences of a splintering internet.
Image credit: deepadesigns
