×

Fill out the brief form below for access to the free report.

Homeland Security Secretaries Discuss Securing the Homeland in an Internet Age

Former Homeland Security Secretaries Jeh Johnson and Michael Chertoff discuss the impact of technology upon elections, preserving free speech in an internet age, and the reality of cyber threats.

Interview with Jeh Johnson and Michael Chertoff October 13, 2020 //   19 minute read

Jeh Johnson and Michael Chertoff each served as Secretary of the Department of Homeland Security — Johnson under President Barack Obama and Chertoff under President George W. Bush. They faced firsthand modern threats to American security, including cyberattacks. And in this interview, they demonstrate repeatedly that the challenges transcend politics.

The pair spoke with Lindsay Lloyd, the Bradford M. Freeman Director of the Human Freedom Initiative at the George W. Bush Institute, Chris Walsh, Senior Program Manager in the Human Freedom Initiative, and William McKenzie, Senior Editorial Advisor at the Bush Institute, about the impact of technology upon elections, preserving free speech in an internet age, and the reality of cyber threats. Chertoff, chairman of Freedom House and a former federal judge, and Johnson, a partner in the law firm of Paul Weiss and a former Pentagon general counsel, also described what would keep them up at night if they were still in charge of homeland security.

Imagine that you're back in your old job as Secretary of Homeland Security and a few weeks away from a very unusual election. What things might be keeping you up at night?

Chertoff: I would be concerned about a cyberattack, something that would freeze voter databases or part of the infrastructure of voting. I also would be concerned about a cyberattack that would cut off some of the transportation or power to key jurisdictions that would make it difficult to vote. And I would be focused on disinformation emanating from overseas. I'd be gathering information concerning potential disruptive activity on Election Day, and how we might make sure that doesn't happen.

Johnson: I'd be worried in the same way I was four years ago. On October 7th, 2016, the Director of National Intelligence and I put out a statement formally accusing the Russian government of attempting to influence our democracy during that presidential campaign.

I see the threat divided into three categories. One is the direct threat to the cybersecurity of our election infrastructure, which was my principle concern as DHS [Department of Homeland Security] secretary. The second is the effort to hack into presidential campaigns, steal communications, and weaponize them by publicly disclosing them to the detriment of one candidate or the other. And then three, I would be worried that we are still learning the effects of the vast disinformation campaign the Russian government engaged in four years ago. If you believe our intelligence community, and I do, there is activity in all three of those categories.

I'd be very concerned on all three fronts, but first would be the cybersecurity around our election infrastructure. That directly affects our democracy and vote count.

You both mentioned three buckets of threats. Do you see any of these as being more vulnerable than the others? Or do we need to examine all three equally?

Chertoff: They all will have vulnerabilities.

There’s been some focus on the election infrastructure. I know some parts of DHS are working with state-level authorities and a number of private groups are doing so. Jeh chairs the advisory board of U.S. CyberDome, which I am also involved with. The nonprofit offers free cybersecurity services to campaigns and campaign committees to prevent the kind of hacking we saw in 2016. Nevertheless, there still will be vulnerabilities.

Depending on where you are in the country, there are varying levels of cybersecurity for critical infrastructure. We’ve done better now than years ago, but we are not in a position to be complacent.

Depending on where you are in the country, there are varying levels of cybersecurity for critical infrastructure. We’ve done better now than years ago, but we are not in a position to be complacent.

Johnson: Good work has been done over the last four years by state election officials, working with DHS, to harden their cybersecurity. But our greatest vulnerability is also our greatest strength.

As a free and open democracy, we guarantee free speech that enables foreign actors to masquerade as others to push out extremist views and fake news on the internet. But it is not the role of government, specifically security agencies, to censor, edit, or push those views off various platforms. Government officials should not be deeming something fake news and censoring it.

To me, this is our biggest challenge.

As a free and open democracy, we guarantee free speech that enables foreign actors to masquerade as others to push out extremist views and fake news on the internet. But it is not the role of government, specifically security agencies, to censor, edit, or push those views off various platforms.

Where do the biggest threats come from? What parts of the world? What governments? And what are they trying to do? What is their end game?

Chertoff: We’ve seen the Russians be very active, not only in 2016 and not only in the U.S., but in prior years and elsewhere in the world. Efforts to affect the elections go back decades, but now it's enhanced by social media. China, Iran, and North Korea are beginning to get into this as well, although they're less of a blunt instrument. The Russians are trying to foment disruption and distrust.

But a lot of the content now is generated by Americans. There are conspiracy theorists and extremists. The Russians sit back and push it out there. We can't try to censor the content. What we can do is focus on people who are using false identities or automated ways to drive the message. There are areas where we can do some regulation.

----dynamic----

Johnson: Each nation, when it comes to cyberattacks, has their own footprint. The Russians tend not to be subtle. The Chinese are more subtle and harder to detect. And if you believe our intelligence community’s recent reports, they seem to have their own motives for wanting to get involved in this space, favoring one candidate over the other.

But Mike is also correct that information operation efforts to influence public opinion are not new. What is new is an effort directed at a specific election, targeting specific types of voters with information.

And I very much agree with Mike that many Americans are in this space. All these foreign actors need to do is sit back and amplify what is being generated in our own country.

There’s been some talk in Congress about creating a national cybersecurity director. What is this position? Do we need it and how could it make a difference?

Johnson: I'll give you two answers. One is we have a new agency dedicated to the cybersecurity of the nation: the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security. I pushed for this when I was in office and Congress recently agreed to create it. We need an agency dedicated to cybersecurity and infrastructure protection.

Yet if I could realign government, I would think seriously about a Cabinet-level agency dedicated to cybersecurity. It is that important that we get this right. If we have a Cabinet-level agency dedicated to our defense, to justice, to the interior, maybe we should think about something similar for cybersecurity.

But now, we have a new agency dedicated to cybersecurity and infrastructure protection. Let’s give that a try and see how it works. 

Chertoff: I have a slightly different take. First, I applaud Secretary Johnson's push to create CISA within DHS to do cybersecurity and infrastructure protection.

One reason I would not have a stand-alone cybersecurity department is that cyber and physical security often go hand-in-hand. And we have seen a blend of cyber and physical attacks. A stand-alone department would fragment responsibility for those two kinds of threats. You would have a risk gap, which we had prior to 9/11.

Plus, you have an integrated DHS. The Secret Service and the Coast Guard have an intelligence element and a cyber element. Bringing these together gives you a multiplying effect.

That said, this presumes the DHS secretary will be focused on cybersecurity as a major issue. Over the last couple of years, the top leadership of DHS has been almost obsessively involved with borders. You can't afford to have that narrow focus when you're presiding over an agency with a broad security mandate.

What can our industries and government learn from other nations that have experienced cyberattacks?

Chertoff: If you want a great lesson to learn, look no further than Ukraine, which unfortunately has been a Petri dish for every kind of online misbehavior that [Vladimir] Putin can think about. There not only have been disinformation campaigns and physical infiltration of disruptive agents, but there've been a number of attacks over the last 15 years or so designed to destabilize Ukrainian infrastructure. That includes shutting down the power grid and infecting businesses with ransomware that make them inoperable.

----dynamic----

Johnson: Different nations are going to have different attitudes when it comes to privacy, cybersecurity, even basic things like what constitutes an act of terrorism.

I gave some congressional testimony a couple of years ago on what constitutes an act of war in cyberspace. What should constitute an act of war? Some would think that’s a difficult question, but I don't think so. It’s basically any cyberattack that has a dramatic physical impact, causing loss of life or a massive loss of property.

There can be international agreement as long as everyone accepts that what's good for one nation is good for another.

To what extent should we as individuals be worried about a cyber invasion of our own data? What can we do to protect our data? And what should social media companies do to protect it?

Johnson: We should be worried about it because a lot of our privacy is already out of the barn. Simply by participating in the internet and social media consciously, we already have surrendered a lot of our own personal data.

Retailers, data mining firms, and the like can find out a whole lot about us as private citizens, what our shopping preferences are, where we travel, and what our family tree is like. Most Americans would be stunned with the amount of their privacy they have already surrendered simply by clicking that little box that says “I agree” every time they download something new. They agree to sharing data between and among different private entities.

Chertoff: I'm in total agreement. And I would add that as the Chinese pursue becoming the leaders of artificial intelligence, they realize that personal data is the raw material that you can apply to algorithms to make the algorithms more sophisticated and capable.

I would attribute huge amounts of data thefts over the last couple of years to the Chinese. There was a massive theft from the Office of Personnel Management Office of background check files on millions of people who work for the government. I'm sure Jeh and I were in that category as well. And data was stolen about hotels, credit cards, and health systems that would give the Chinese total visibility on every American citizen.

----dynamic----

Second, there has been some pushback lately in Europe. Data privacy regulation there shifts the burden on social media companies to secure permission before they use your data for any purpose other than the narrow one you signed up for.

We have started to see this in the U.S. We need more of it because that at least gives people some control over their data. I wrote a book a couple of years ago predicting the way data would be misused. If anything, I was too cautious. It's gone beyond my ability to imagine.

Let me broaden this discussion about social media beyond our personal data. What responsibility or role should social media companies play in alerting consumers about possible disinformation they may be getting through their feed?

Chertoff: This is a quickly evolving area. The companies took the position that they will label questionable things that don’t seem to have a huge impact.

Twitter has been more energetic in taking things down and they've gotten criticized by people on the right for that. Facebook's been more cautious and reluctant. A former employee criticized them recently for not been aggressive enough in calling out foreign groups that are masquerading in order to post online. And that they're not doing enough to take down content that is clearly false.

I'm nervous about taking down content because of the First Amendment. But there has to be a vigorous pushback against any effort to interfere with people's election processes by giving misinformation about how you vote, when you vote, and the hours in which you can vote. That ought to be shut down right away. And people ought to be directed to an authoritative site.

But on such items as someone criticizing Nancy Pelosi because she needed to wear a mask or whatever, we have lived with that throughout American history. The answer there is education, not suppression.

Johnson: We’ve created a monster by enabling virtually anyone to get on the internet who has a keyboard. And there are no standards for exit and few barriers to entry. It's difficult to be half pregnant in this space. It's difficult to say I'm going to regulate political advertising a little bit, but not go all the way. Or I'm going to deem something to be false or misleading and not go all the way.

At the very least internet service providers, social media providers, ought to be vigorous in policing their own terms of service. When somebody agrees to go on their platforms, there's probably a lot more they can do there.

At the very least internet service providers, social media providers, ought to be vigorous in policing their own terms of service. When somebody agrees to go on their platforms, there's probably a lot more they can do there.

One good idea is that organizations like NewsGuard will in effect put seals of approval on a piece of news or information. And the social media provider agrees to download that. When you look at the information on Facebook or whatever, you'll see a yellow, red, or green indication. A green notation means this is a valid, reputable source of news. Yellow sometimes means false or too opinionated. And red means this is garbage, don't read it.

This may have to be part of the future if we, as Americans, are unable or unwilling to do that ourselves.

Most Americans don't bother to discern whether one piece of information is reputable and the other's not, they just consume it. And if it validates their own predictions, biases, or suspicions, they're going to go with it. That’s the problem we face.

 What is it that Americans need to know about why it's important who controls cyberspace? For example, what do we need to know about the battle over 5G networks? Why does that matter?

Chertoff: Much of our economic activities are now online, and that requires infrastructure, including hardware and software. Who controls that controls our lives.

One concern is that China essentially has a monopoly on the infrastructure for 5G, which will then be 6G and even faster. They would have an enormous amount of leverage.

If we want to maintain our independence and economic vibrancy, we need to make sure we've got resilience, redundancy, and confidence in the infrastructure on which much of our activity now rests.

Johnson: I agree with everything Mike said. First thing that occurred to me when you began to ask your question is, there are government regulators for bandwidth, aren't there? There's the FCC [Federal Communication Commission]. Do we need to rethink how we regulate the space we're all talking about here today? I'm not smart enough to know the answer to that.

What likely impact will all these technologies, artificial intelligence included, have over the next five to 10 years?

Johnson: All this wonderful technology enables us to be intellectually lazy in a way. Let me give you an example. When I went to law school, we were just beginning to have electronic research. LexisNexis came out not long after that. You had to go to the law books and go through these digests of legal points to find what you were looking for.

But in going through the law books, you discover 18 other interesting points of law. They might be germane to the case you are trying to argue. We’re overlooking this other vast space of things to learn from.

I see this in numerous contexts, even in national security. That has been the effect, or even vulnerability, of our ability to do so much so quickly.

Chertoff: I had the same experience with legal research. When I was judging, I had law clerks. Their research would be narrowly and specifically focused. I always felt that you need to read everything around the case to get a sense of context.

Everybody thought technology was going to be great for democracy, with people reaching out all over the world. There has been some of that, but technology also can have a narrowing function. With the invention of algorithms, we are now, to some degree, manipulating the platforms so websites serve up to us what they think will engage us. I'd still rather go to the bookstore and look for a book to read.

We have to educate people to be a bit more skeptical.