You Can’t Solve These Problems on an Ad Hoc Basis

Resolving today’s most pressing cyber security and Internet governance challenges is dependent on the tech industry and the government working together on both policy development and policy implementation. Specifically, collaboration is required to successfully research, design, debate, and ultimately implement effective solutions. While there is overwhelming consensus on the need for collaboration, it remains a huge challenge. Why? While many factors contribute to the problem, including differing incentive structures, cultures and business models, one critical element—organizational structure—is a significant and often overlooked hurdle that needs attention and creative solutions.

Specifically, public policy consensus building and collaborative policy implementation require a resilient process through which advocates of differing perspectives have the authority to discuss and negotiate on their organization’s behalf. Additionally, these actors must be empowered to make commitments on behalf of their organizations and have access to, and buy-in from, those who will lead implementation. This construct has proven particularly challenging in the context of government and technology companies because organizationally neither side is organized to facilitate this process. Most collaborations today are done by ad hoc teams of operational personnel, lawyers, government affairs departments, and/or trade associations or other outside third parties. This setup is neither efficient nor effective.

During my tenure at the Federal Bureau of Investigation, I had the opportunity to serve as both the section chief of the Office of National Policy and the chief policy advisor for Science and Technology. In these roles I saw organizational structure issues play out in the context of discussions about the use of encryption, both as a benefit to cyber security in terms of securing data, and as a challenge in the cases where it was implemented in a way that precludes company access even when presented with a valid court order. During discussions between the technology companies and the federal government on these matters, impediments to progress derived specifically from the organizational structure on both sides of the dialogue quickly became apparent.

On the industry side there are companies who are simply not organized to negotiate complex policy issues with the federal government. While many companies have established and in many cases are expanding government affairs operations, these are usually physically located in Washington, and are not connected to the central decision makers in their company’s executive suites. This presents a real challenge for meaningful change and successful discussions of complex challenges. Further, these offices are best suited for lobbying and congressional affairs and as such do not have significant experience in collaboration with executive branch departments and agencies. Given this structure, it becomes difficult for the federal government to engage with one central individual or functional area to effectively assimilate ideas and implement them across the separate business lines (legal, engineering, marketing, etc.) making agility and substantive collaboration challenging.

Similarly, the government struggles with building and sustaining structures to support private sector engagement as well. Again, my experience working encryption policy at the FBI reflects this gap. While the FBI has been around for over 100 years it was only in 2014 that the Office of Private Sector Engagement and the Office of National Policy were created. Charged with "putting a leash on the cats" of private sector outreach and national security council policy engagement respectively, these central offices are small yet effective means for coordinating outreach and they have had some success in their early years facilitating policy discussions and even co-designing programming but there is much work left to do. Specifically, while offices like these and the Private Sector Office at the Homeland Security Department and the Defense Innovation Unit Experimental DIU-X at the Defense Department are great starts, they are young and need additional resources, mission refinement, and continued executive support. Further, these models need to be refined and customized across relevant departments and agencies.

In addition to creating dedicated collaboration functions on both the tech and government sector sides, other creative mechanisms for addressing this structural issue are being tested and need attention and support. The White House’s Presidential Innovation Fellows Program is one great example. This program, which brings technology professionals to Washington and assigns them to specific agencies, creates a potential opportunity for the government and technology companies to benefit from a navigator who can guide and translate throughout the policy collaboration process. Additionally, calls from both tech and government leaders for exchange programs—externships for government personnel to work for tech companies and public sector fellowships such as the PIF program—all will go a long way toward enhancing engagement and ultimately wise outcomes.

Progress on cyber and Internet governance policy is predicated on the private sector and the government working together to develop, test and refine policy options. To get there faster, both components need to further invest in organizational structures that can link up effectively to research, design, debate, and ultimately implement (and revise as needed) collaborative options.  Unfortunately, there are no short cuts or one-size-fits-all solutions. This will need to be built and supported in each company and each agency with their specific needs and partners in mind. While this can be seen as a heavy lift, until there is a focus on the gaps presented by existing organizational structures, progress will continue to be stymied.

Sasha Cohen O'Connell is a director in the homeland security and law enforcement practice at the professional services firm PwC.