The Precarious Cyber Security Regulatory Balancing Act

What to do about hacking and the misuse of major social media platforms by foreign actors in U.S. elections? Much of the sturm und drang over potential cyber security solutions boils down to one compound question: should the government step in with regulation, allow the internet and social media platforms to police themselves, or pursue a combination of the two?

While the scope and potential impact of the current social media misuse on national security are unprecedented, the general circumstances are not. In many ways, the development of social media—still a relatively new form of communication—is following a familiar path. Surprisingly, the history of radio offers a striking parallel to the current threats and solutions. Here’s how it usually goes: First, the new media platform or technology is seen as a positive step forward in human communication. It is later recognized as an unregulated Wild West, peppered with bad actors and unintended consequences. This spurs alarm and an industry effort to (grudgingly) self-regulate in order to avoid government regulation. When that is deemed ineffective, regulators step in. After several years of trial and error, the chaos dies down and industry and government settle into an uneasy relationship.

First, there was the Radio Act of 1912 to regulate private usage since there was no broadcasting yet. Then, on April 6, 1917, the day the U.S. entered World War I, President Woodrow Wilson issued an executive order that ended amateur radio use, ordering the Navy Department to close and/or seize the estimated 8,500 radio “plants” around the country that broadcast to an estimated 125,000 radio receivers. This extreme act was prompted by extreme circumstances—foreign interference in the form of spying and sabotage, primarily via radio communication with German U-boats off the U.S. coast.

Once the war ended and the government allowed radio usage to return, it stepped in with regulations. In 1927, it established the Federal Radio Commission, which eventually formed the Federal Communications Commission in 1934. In other words, it took more than a generation to corral the varying technical and content consequences of this revolutionary medium, both to protect national security and to deal with controversial content, which ranged from Orson Welles’ panic-inducing “War of the Worlds” dramatization to Father Coughlin’s eventually banned anti-Semitic/pro-fascist rants to Tokyo Rose’s propaganda broadcasts during World War II.

Moving pictures (from film to television) took a more self-regulatory direction to stem opposition to what many citizens believed was amorality. To avoid government oversight and third-party censorship, Hollywood came up with industry-mandated content rules that were popularly known as the Hays Code. This industry self-censorship forced filmmakers to make sure that portrayed crime didn’t pay, and that depictions of then “controversial topics” like drug use and sex were severely limited. In 1968, the self-imposed rating system changed with the times and continues (with some tweaks) today.

One reason why these industry self- and government-regulated rules are needed is that nearly all radio and telecommunications acts passed by the U.S. Congress over the last century were ill-informed, outdated, or both by the time they were adopted. This continues today.

The internet and social media platforms are still in their unregulated Wild West stage. But with public and political pressures rising and unwanted governmental regulatory precedent lurking, social media platforms realize the need to determine and enforce their own regulatory policies.

Cyber security issues, however, extend far beyond these largely domestic content problems and the ongoing (and largely business model-centric) net neutrality kerfuffle. The open nature of the internet and the seemingly uneven contest between security and hackers have created a too-tempting magnet for mischief (such as the 11-year-old who just hacked into a duplicate of Florida’s state election site in less than 10 minutes). This is not limited to just the Russians, but also includes other state, organizational and individual non-state actors. And it’s not just elections that are targets, but power grid systems, economic/financial records, ransomware, cyber terrorism, etc. The target list is as terrifyingly long as the potential consequences.

We are obviously way beyond simply seizing all radios as we did in 1917. Astoundingly, no national legislative action, bad or otherwise, is likely, given the current political hesitancy by some parties to even acknowledge any threats.

So, the unprecedented nature of these ugly cyber threats likely will have to be addressed in the historically old-fashioned way—by the affected industries themselves. But overcoming the political and business conflicts—as well as getting a crew of government agencies, device providers, social media companies, and content and service providers from around the world to agree on measures—will likely only happen when there is an extreme precipitating cyber event. We just hope it isn’t a World War.