Cybersecurity: Obama's Conflicted Legacy
In the wake of Edward Snowden’s disclosures, the Obama administration had to address a daunting series of challenges on surveillance, cybersecurity, and privacy.
RWU Law Professor Peter Margulies writes:
In the wake of Edward Snowden’s disclosures, the United States administration faced a daunting series of challenges on surveillance, cybersecurity, and privacy. Congress was reluctant to enact comprehensive legislation. Moreover, Snowden’s revelations had triggered an international trust deficit. To deal with these challenges, the executive branch under President Barack Obama resorted to two alternatives: soft law and agency discretion. Soft law entails the issuance of non-binding policy positions and entry into nonbinding agreements with other stakeholders. In contrast, agency discretion connotes unilateral action by federal agencies.
In the soft law domain, the Obama administration sought to ease the post-Snowden trust deficit with Presidential Policy Directive No. 28, which expressly recognized global privacy rights. In collaboration with the EU, the Obama administration also crafted the Privacy Shield agreement governing U.S.-EU commercial data transfers, which created an ombudsperson in the State Department to address EU complaints about U.S. surveillance. The agency discretion model has also yielded advances on privacy. The Federal Trade Commission, for example, has implemented cybersecurity best practices through settlements with firms whose negligence resulted in data breaches.
While both soft law and agency discretion have marked virtues, they also create risks. In disputes with Microsoft regarding overseas data and with Apple about iPhone encryption, U.S law enforcement prioritized the acquisition of information needed for investigations over engagement with stakeholders. Moreover, soft law often lacks clear norms and enforcement mechanisms. For example, the Privacy Shield agreement lacks specificity on the ombudsperson’s powers, which may blunt the ombudsperson’s ability to check the U.S. intelligence community.
To analyze the Obama administration’s cyber efforts, this article proposes a paradigm of stewardship with both discursive and structural dimensions. Discursive stewardship refers to the Executive’s openness to dialogue with other stakeholders. Structural stewardship refers to the domestic and transnational distribution of decisional authority, including checks and balances that guard against the excesses of unilateral action. The Article concludes that the Obama administration made substantial progress in each of these realms. However, the outsized role of law enforcement agendas and dearth of clearly articulated checks on transnational surveillance drove headwinds that limited forward movement.