Hello, World: The FBI, Apple, and the Emergence of America’s Cyber Industrial Complex
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.” So began a letter to Apple customers from CEO Tim Cook on February 16, in which Cook relayed his concerns over a recent request from the FBI for access to potentially sensitive data on the phone of Syed Rizwan Farook, one of two perpetrators of the December 2015 San Bernardino attack. While many in the media suggested that the tension between the FBI and Apple was a “sign of things to come,” in actuality such friction had been simmering between Silicon Valley and Washington, DC, for several years. Common concerns of national welfare were besieged by oft-dueling notions of security and transparency, and compounded by cultural differences between the hoodie-clad engineers of Silicon Valley and the buttoned-down policymakers of Washington, DC.
Apple’s terse public exchanges with the FBI and its parent organization, the Department of Justice, are not discrete episodes. Rather, the situation underscores Silicon Valley’s prominent place in public discourse about the need to balance privacy with national policy goals, and the tension inherent to these public-private partnerships. While today’s dialogue on cybersecurity is dominated by concerns over cyber attacks from China, and the potential for a Russian attack on the American power grid, the growing “Cyber Industrial Complex” remains an understudied – but increasingly influential – player in the national policy space. Lurking in the periphery of judicial considerations regarding access to Apple iPhones, and Congressional legislation addressing intra-government information sharing, lies a large – and growing – “cyber lobby,” hired by industry leaders such as tech giants Apple, Microsoft, Google (Alphabet) and Facebook; financial services companies like Discover, Visa and American Express; and defense titans Lockheed Martin and Northrop Grumman. As these companies jockeyed for favor, influence and even responsibility in the nascent field of cybersecurity, the number of lobby firms representing companies on cyber issues tripled from 2008 to 2014, reflecting one of the largest “growth industries” in that space.
The potential impact of this influence across the economic and political spectrum is vast. While lobbying on national security issues is not new, the “cyber lobby” is distinct in three key ways: First, information asymmetry means companies have much more information about their technology than do legislators, courts, or other oversight authorities, affording them a lopsided understanding of the actors, capabilities and consequences at stake. Second, the dual-use nature of cyber weapons and software means they can be used for both civilian and military purposes. Beyond raising a unique set of moral and ethical questions, this also creates concerns for corporations over export control regulations, and questions over the intentions of government access. Third, the technological complexity inherent to cybersecurity confers a structural power on tech companies that sets them apart from most other areas of the defense and national security industry. In the 112th Congress, for example – which introduced one of the most controversial cybersecurity bills, the Cyber Intelligence Sharing and Protection Act (CISPA) – only six members of the House or Senate held engineering degrees. By comparison, there were 17 farmers. This knowledge gap between the educational background and skillset of members of Congress, and the increasingly technical national security issues they face, has only widened the opportunities for external influence. Twelve of the companies lobbying for CISPA donated $103,000 to the legislation’s main sponsor, Representative Mike Rogers (R-MI), or his PAC in 2012 alone. Such influence was not limited to CISPA, however: 303 organizations registered to lobby on its follow-on bill, CISA, while 130 registered for H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act.
Historically, there are three key avenues for American companies to influence policy: through legislation, the regulatory system, and the courts. Although Apple has turned its attention to the latter, the impact of lobbying on legislation and the regulatory policies it produces should not – and cannot – get a free pass. The policy interests of tech and defense companies, and of the government agencies to which they cater, often conflict: companies are bent on maintaining autonomy and providing goods and services, and the US Government is concerned about information access. But the stakes for both our nation’s security and the international economy are too high to leave external influences unexamined: In 2012, then-NSA director General Keith Alexander described the consequences of cyber espionage – merely one aspect of the cybersecurity threat landscape – as “the greatest transfer of wealth in history.” Additionally, a CSIS report published by cybersecurity giant McAfee found that while the Internet economy annually generates between $2 trillion and $3 trillion, “cybercrime extracts between 15% and 20% of the value created by the Internet.”
Understanding on whose influence the US Government relies in its efforts to combat such threats and to build relationships with its private sector counterparts thus has broad implications not only for preventing future tragedies like San Bernardino, but also for maintaining and fostering the spirit of innovation that has always propelled America’s place in the world. It is on this issue that transparency must be prioritized.
Torey McMurdo is an ISPS Graduate Policy Fellow and a Ph.D. student in political science, focusing on U.S. foreign policy and international security. Her interests lie at the nexus of international relations, American politics and comparative politics.