If We Can't Abolish the No-Fly List, Can We at Least Keep It Safe?

Reviewing and improving the federal government’s data security and digital defenses should be a priority.


Whoops, we leaked the no-fly list. 

And by "we" I mean CommuteAir, a regional airline whose insecure server, accessed by a Swiss hacker named maia arson crimew, included a file helpfully named NoFly.csv, which turned out to be a 2019 version of the U.S. government's no-fly list. The Daily Dot, which first reported on the story, notes that the list has around 1.5 million entries—though many of those are aliases for a much smaller number of individuals—and includes both names and birthdates. It's a subset of the broader Terrorist Screening Database, and both lists are chock-full of civil liberties and due process violations.

Meanwhile, the Justice Department continues to discover more classified documents in various buildings associated with President Joe Biden. The president is both cooperating with the investigation—which is to say, inviting the FBI to search his Delaware home to see what else might have slipped his mind and federal document security procedures—and insisting to the public that there's "no there there." And though this mishandling of classified documents is less egregious than former President Donald Trump's mishandling of classified documents, even congressional Democrats seem to find Biden's denials unconvincing.

The ideal libertarian policy response to these debacles would be a major overhaul of the systems in question: establish transparent due process for no-fly list placement and appeal—or abolish the list altogether—and rethink the whole system of classified documents and state secrets

But that's not going to happen for the foreseeable future, so let's set a more modest goal, one achievable for the Congress we actually have: to review and improve the federal government's data security and digital defenses.

That this is necessary has been obvious for a long time, since well before any of these present scandals. There was the big 2015 breach of the Office of Personnel Management, which revealed around 21 million people's personal information to foreign hackers. And the 2016 leak of National Security Agency cyber weapons. And Wikileaks' 2017 revelation of "more than 8,000 documents detailing various CIA cyberwarfare and electronic surveillance activities." And the 2021 leak of Internal Revenue Service data on very rich people. And, yes, "her emails," the private email server (and personal Blackberry) Hillary Clinton used while serving as secretary of state in the Obama administration. 

And those are just the big ones, the ones that made the news, the ones that are comparatively easy to recall a few years after the fact. They're also all federal in scale, but it's not like states, municipalities, and other lower levels of government—to say nothing of private companies that interact with government data, like CommuteAir with the no-fly list or any account tied to our Social Security numbers or tax information—are fully secure. 

Our elections are all handled by those smaller government entities (there are more than 10,000 election authorities in this country), and though our fears aren't always rational, election security has understandably been a major concern for the better part of a decade. Life-sustaining utilities have been shown vulnerable to hacking too, as with 2021's Colonial Pipeline ransomware attack and smaller incidents like the hack of a water treatment plant near Tampa.

In many cases, as I've argued before, we could relatively easily improve security by being a bit less online. Paper trails in elections, manual overrides for utilities (with workers who know how to use them), and air-gapped computer systems all offer basic and easily intelligible security which only requires us to return to perfectly viable modes of operation from the very recent past. The 1990s were not the dark ages, and it is better to keep some things analog than to have real qualms about election integrity or poisonous tap water.

But that suggestion obviously isn't a panacea, as these documents scandals indicate. Trump reportedly had poor digital security practices while president, and Biden's use of a Peloton bike and an Apple watch has raised questions about his device security. These classified papers, though, were papers.

And my guess—despite lawmakers' claims about their own trustworthiness in document handling—is that Biden and Trump aren't alone among current and former presidents, members of Congress, and other high-ranking federal officials who have classified documents where they are not supposed to be. 

It strains credulity to imagine that Sen. Joseph R. Biden pioneered the sin of taking work papers back to his home office circa 2008. (News that former Vice President Mike Pence also kept classified papers at home broke while I was writing this very article.) 

And it's similarly implausible, particularly during the COVID-19 pandemic and amid post-pandemic work-from-home habits, that no other classified documents have made a similar journey. (Washington, D.C., has the highest telecommuting rate of any major American city, a statistic driven in large part by federal agencies' telework policies.) Keep your secret work papers at work is almost certainly not an adequate documents policy in an increasingly digitized, work-from-home environment.

We don't have to speculate to know our government's digital defenses are lacking. Here's how bad the situation is, as told by a single figure Reuters reported in 2017, citing multiple senior intelligence officials: "Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts." And if 90 percent goes to offense, at most we're spending 10 percent on defense. 

The government of the wealthiest and most powerful country on earth—the government that likes to play world police and keep a huge nuclear arsenal and hoover up millions of innocent people's personal information—that government has decided to spend $9 in $10 on "penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure," the officials told Reuters. It leaves just the change to keep its own data and systems safe. 

That's absurdly reckless, and even a Congress as divided, performative, and incompetent as ours should be able to see it. Federal data security and digital defenses aren't exactly thrilling topics, but they also aren't partisan issues, and securing America against Russian and/or Chinese meddling—take your pick, as partisanship directs—ought to be a popular policy goal right now. Stories like the no-fly list leak and reports of bipartisan presidential carelessness should drive home the political neutrality and necessity of this reform.