Today, 2/9/16, U.S. President Obama issued an executive order creating a commission on enhancing national security. Note that it resides within the Department of Commerce, not the military or the Department of Homeland Security. The official text:
Executive Order — Commission on Enhancing National Cybersecurity
– – – – – – –
COMMISSION ON ENHANCING NATIONAL CYBERSECURITY
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security, it is hereby ordered as follows:
Section 1. Establishment. There is established within the Department of Commerce the Commission on Enhancing National Cybersecurity (Commission).
Sec. 2. Membership. (a) The Commission shall be composed of not more than 12 members appointed by the President. The members of the Commission may include those with knowledge about or experience in cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications, or any other area determined by the President to be of value to the Commission. The Speaker of the House of Representatives, the Minority Leader of the House of Representatives, the Majority Leader of the Senate, and the Minority Leader of the Senate are each invited to recommend one individual for membership on the Commission. No federally registered lobbyist or person presently otherwise employed by the Federal Government may serve on the Commission.
(b) The President shall designate one member of the Commission to serve as the Chair and one member of the Commission to serve as the Vice Chair.
Sec. 3. Mission and Work. The Commission will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission’s recommendations should address actions that can be taken over the next decade to accomplish these goals.
(a) In developing its recommendations, the Commission shall identify and study actions necessary to further improve cybersecurity awareness, risk management, and adoption of best practices throughout the private sector and at all levels of government. These areas of study may include methods to influence the way individuals and organizations perceive and use technology and approach cybersecurity as consumers and providers in the digital economy; demonstrate the nature and severity of cybersecurity threats, the importance of mitigation, and potential ways to manage and reduce the economic impacts of cyber risk; improve access to the knowledge needed to make informed cyber risk management decisions related to privacy, economic impact, and business continuity; and develop partnerships with industry, civil society, and international stakeholders. At a minimum, the Commission shall develop recommendations regarding:
(i) how best to bolster the protection of systems and data, including how to advance identity management, authentication, and cybersecurity of online identities, in light of technological developments and other trends;
(ii) ensuring that cybersecurity is a core element of the technologies associated with the Internet of Things and cloud computing, and that the policy and legal foundation for cybersecurity in the context of the Internet of Things is stable and adaptable;
(iii) further investments in research and development initiatives that can enhance cybersecurity;
(iv) increasing the quality, quantity, and level of expertise of the cybersecurity workforce in the Federal Government and private sector, including through education and training;
(v) improving broad-based education of commonsense cybersecurity practices for the general public; and
(vi) any other issues that the President, through the Secretary of Commerce (Secretary), requests the Commission to consider.
(b) In developing its recommendations, the Commission shall also identify and study advances in technology, management, and IT service delivery that should be developed, widely adopted, or further tested throughout the private sector and at all levels of government, and in particular in the Federal Government and by critical infrastructure owners and operators. These areas of study may include cybersecurity technologies and other advances that are responsive to the rapidly evolving digital economy, and approaches to accelerating the introduction and use of emerging methods designed to enhance early detection, mitigation, and management of cyber risk in the security and privacy, and business and governance sectors. At a minimum, the Commission shall develop recommendations regarding:
(i) governance, procurement, and management processes for Federal civilian IT systems, applications, services, and infrastructure, including the following:
(A) a framework for identifying which IT services should be developed internally or shared across agencies, and for specific investment priorities for all such IT services;
(B) a framework to ensure that as Federal civilian agencies procure, modernize, or upgrade their IT systems, cybersecurity is incorporated into the process;
(C) a governance model for managing cybersecurity risk, enhancing resilience, and ensuring appropriate incident response and recovery in the operations of, and delivery of goods and services by, the Federal Government; and
(D) strategies to overcome barriers that make it difficult for the Federal Government to adopt and keep pace with industry best practices;
(ii) effective private sector and government approaches to critical infrastructure protection in light of current and projected trends in cybersecurity threats and the connected nature of the United States economy;
(iii) steps State and local governments can take to enhance cybersecurity, and how the Federal Government can best support such steps; and
(iv) any other issues that the President, through the Secretary, requests the Commission to consider.
(c) To accomplish its mission, the Commission shall:
(i) reference and, as appropriate, build on successful existing cybersecurity policies, public-private partnerships, and other initiatives;
(ii) consult with cybersecurity, national security and law enforcement, privacy, management, technology, and digital economy experts in the public and private sectors;
(iii) seek input from those who have experienced significant cybersecurity incidents to understand lessons learned from these experiences, including identifying any barriers to awareness, risk management, and investment;
(iv) review reported information from the Office of Management and Budget regarding Federal information and information systems, including legacy systems, in order to assess critical Federal civilian IT infrastructures, governance, and management processes;
(v) review the impact of technological trends and market forces on existing cybersecurity policies and practices; and
(vi) examine other issues related to the Commission’s mission that the Chair and Vice Chair agree are necessary and appropriate to the Commission’s work.
(d) Where appropriate, the Commission may conduct original research, commission studies, and hold hearings to further examine particular issues.
(e) The Commission shall be advisory in nature and shall submit a final report to the President by December 1, 2016. This report shall be published on a public website along with any appropriate response from the President within 45 days after it is provided to the President.
Sec. 4. Administration. (a) The Commission shall hold periodic meetings in public forums in an open and transparent environment.
(b) In carrying out its mission, the Commission shall be informed by, and shall strive to avoid duplicating, the efforts of other governmental entities.
(c) The Commission shall have a staff, headed by an Executive Director, which shall provide support for the functions of the Commission. The Secretary shall appoint the Executive Director, who shall be a full-time Federal employee, and the Commission’s staff. The Executive Director may also serve as the Designated Federal Officer in accordance with the Federal Advisory Committee Act, as amended, 5 U.S.C. App. (FACA, the “Act”).
(d) The Executive Director, in consultation with the Chair and Vice Chair, shall have the authority to create subcommittees as necessary to support the Commission’s work and to examine particular areas of importance. These subcommittees must report their work to the Commission to inform its final recommendations.
(e) The Secretary will work with the heads of executive departments and agencies, to the extent permitted by law and consistent with their ongoing activities, to provide the Commission such information and cooperation as it may require for purposes of carrying out its mission.
Sec. 5. Termination. The Commission shall terminate within 15 days after it presents its final report to the President, unless extended by the President.
Sec. 6. General Provisions. (a) To the extent permitted by law, and subject to the availability of appropriations, the Secretary shall direct the Director of the National Institute of Standards and Technology to provide the Commission with such expertise, services, funds, facilities, staff, equipment, and other support services as may be necessary to carry out its mission.
(b) Insofar as FACA may apply to the Commission, any functions of the President under that Act, except for those in section 6 and section 14 of that Act, shall be performed by the Secretary.
(c) Members of the Commission shall serve without any compensation for their work on the Commission, but shall be allowed travel expenses, including per diem in lieu of subsistence, to the extent permitted by law for persons serving intermittently in the Government service (5 U.S.C. 5701-5707).
(d) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to a department, agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
THE WHITE HOUSE,
February 9, 2016.
Today, 2/9/16, U.S. President Obama issued this executive order:
Executive Order — Establishment of the Federal Privacy Council
– – – – – – –
ESTABLISHMENT OF THE FEDERAL PRIVACY COUNCIL
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy. The mission of the United States Government is to serve its people. In order to accomplish its mission, the Government lawfully collects, maintains, and uses large amounts of information about people in a wide range of contexts. Protecting privacy in the collection and handling of this information is fundamental to the successful accomplishment of the Government’s mission. The proper functioning of Government requires the public’s trust, and to maintain that trust the Government must strive to uphold the highest standards for collecting, maintaining, and using personal data. Privacy has been at the heart of our democracy from its inception, and we need it now more than ever.
Executive departments and agencies (agencies) already take seriously their mission to protect privacy and have been working diligently to advance that mission through existing interagency mechanisms. Today’s challenges, however, require that we find even more effective and innovative ways to improve the Government’s efforts. Our efforts to meet these new challenges and preserve our core value of privacy, while delivering better and more effective Government services for the American people, demand leadership and enhanced coordination and collaboration among a diverse group of stakeholders and experts.
Sec. 2. Policy on Senior Agency Officials for
Privacy. Within 120 days of the date of this order, the Director of the Office of Management and Budget (Director) shall issue a revised policy on the role and designation of the Senior Agency Officials for Privacy. The policy shall provide guidance on the Senior Agency Official for Privacy’s responsibilities at their agencies, required level of expertise, adequate level of resources, and other matters as determined by the Director. Agencies shall implement the requirements of the policy within a reasonable time frame as prescribed by the Director and consistent with applicable law.
Sec. 3. Responsibilities of Agency Heads. The head of each agency, consistent with guidance to be issued by the Director as required in section 2 of this order, shall designate or re-designate a Senior Agency Official for Privacy with the experience and skills necessary to manage an agency-wide privacy program. In addition, the head of each agency, to the extent permitted by law and consistent with ongoing activities, shall work with the Federal Privacy Council, established in section 4 of this order.
Sec. 4. The Federal Privacy Council.
(a) Establishment. There is hereby established the Federal Privacy Council (Privacy Council) as the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf. The establishment of the Privacy Council will help Senior Agency Officials for Privacy at agencies better coordinate and collaborate, educate the Federal workforce, and exchange best practices. The activities of the Privacy Council will reinforce the essential work that agency privacy officials undertake every day to protect privacy.
(b) Membership. The Chair of the Privacy Council shall be the Deputy Director for Management of the Office of Management and Budget. The Chair may designate a Vice Chair, establish working groups, and assign responsibilities for operations of the Privacy Council as he or she deems necessary. In addition to the Chair, the Privacy Council shall be composed of the Senior Agency Officials for Privacy at the following agencies:
(i) Department of State;
(ii) Department of the Treasury;
(iii) Department of Defense;
(iv) Department of Justice;
(v) Department of the Interior;
(vi) Department of Agriculture;
(vii) Department of Commerce;
(viii) Department of Labor;
(ix) Department of Health and Human Services;
(x) Department of Homeland Security;
(xi) Department of Housing and Urban Development;
(xii) Department of Transportation;
(xiii) Department of Energy;
(xiv) Department of Education;
(xv) Department of Veterans Affairs;
(xvi) Environmental Protection Agency;
(xvii) Office of the Director of National Intelligence;
(xviii) Small Business Administration;
(xix) National Aeronautics and Space Administration;
(xx) Agency for International Development;
(xxi) General Services Administration;
(xxii) National Science Foundation;
(xxiii) Office of Personnel Management; and
(xxiv) National Archives and Records Administration.
The Privacy Council may also include other officials from agencies and offices, as the Chair may designate, and the Chair may invite the participation of officials from such independent agencies as he or she deems appropriate.
(c) Functions. The Privacy Council shall:
(i) develop recommendations for the Office of Management and Budget on Federal Government privacy policies and requirements;
(ii) coordinate and share ideas, best practices, and approaches for protecting privacy and implementing appropriate privacy safeguards;
(iii) assess and recommend how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters; and
(iv) perform other privacy-related functions, consistent with law, as designated by the Chair.
(i) The Chair and the Privacy Council shall coordinate with the Federal Chief Information Officers Council (CIO Council) to promote consistency and efficiency across the executive branch when addressing privacy and information security issues. In addition, the Chairs of the Privacy Council and the CIO Council shall coordinate to ensure that the work of the two councils is complementary and not duplicative.
(ii) The Chair and the Privacy Council should coordinate, as appropriate, with such other interagency councils and councils and offices within the Executive Office of the President, as appropriate, including the President’s Management Council, the Chief Financial Officers Council, the President’s Council on Integrity and Efficiency, the National Science and Technology Council, the National Economic Council, the Domestic Policy Council, the National Security Council staff, the Office of Science and Technology Policy, the Interagency Council on Statistical Policy, the Federal Acquisition Regulatory Council, and the Small Agency Council.
Sec. 5. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to a department, agency, or the head thereof; or
(ii) the functions of the Director relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) Independent agencies are encouraged to comply with the requirements of this order.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
THE WHITE HOUSE,
February 9, 2016.
The Obama Administration has released a Cybersecurity National Action Plan (“CNAP”) that will provide the nation with a long-term strategy to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security,” according to a White House press release. This long-term strategy will be a product of a “series of near-term actions” intended to enhance the cybersecurity of agencies within the federal government as well as private parties across the country, the press release explained. The CNAP’s emphasis on public-private cooperation is consistent with the Cybersecurity Act of 2015 passed by Congress in December 2015.
Specifically, the press release highlighted the following actions included in CNAP:
- Establish the “Commission on Enhancing National Cybersecurity”: This Commission will include members from the public as well as the private sector, and will provide recommendations to both the private and public sectors for strengthening cybersecurity over the next decade.
- Modernize government IT and the management of cybersecurity: To achieve this, the Administration is proposing a $3.1 billion Information Technology Modernization Fund. The Fund will be used to retire, replace, and modernize difficult to secure and expensive legacy IT. The Fund will also finance a new position to “drive these changes” which will be called the Federal Chief Information Security Officer.
- Add an “extra layer” of security: The Administration wants to move “beyond just passwords.” To this end, it plans to “judiciously” combine passwords with additional security factors, such as the use of fingerprints or a “single use code delivered in a text message.” This multi-factor authentication is designed to “[e]mpower Americans to secure their online accounts.”
- Invest over $19 billion on cybersecurity: The Administration will invest over $19 billion for cybersecurity as part of the President’s FY 2017 Budget, a 35% increase from FY 2016.
The White House Fact Sheet can be found here.
Cyber Round Up: NSA Planning Reorganization; U.S. Looking to Relax Software Export Regulation; Defense Secretary Highlights Tech Priorities for 2017
- NSA Planning Reorganization (The Washington Post): The National Security Agency (“NSA”) is reportedly planning a reorganization, according to The Washington Post. The article suggests that the reorganization, referred to as “NSA21”, will be publicly announced soon. The reorganization is focused on breaking down walls between organizations within the agency and developing a more collaborative environment, the article explained. According to the article, the offensive and defensive organizations will be merged to allow them to better adapt to changing threats. The full article can be found here.
- U.S. Looking to Relax Software Export Regulation (WSB-TV): According to an article from WSB-TV, the U.S. government is planning to ease arms control rules concerning the export of software that have the potential to be used for hacking and surveillance because they have legitimate uses, such as securing computer networks. The article reported that the proposed changes have the support of the White House. The language of the proposed rule is broad, according to those who oppose the rule, and would result in “unintended negative consequences for national cybersecurity and research,” the article explained. The full article can be found here.
- Defense Secretary Highlights Tech Priorities for 2017 (Federal Times): U.S. Secretary of Defense Ash Carter identified the major theme underlying the defense budget for FY2017, according to the Federal Times. The article reported that Secretary Carter emphasized the “technological edge as a major theme.” Included in the budget is a $7 billion fund for investment in cyber for 2017, and then about $35 billion over the next five years, specified the article. The cyber fund will be used to improve the DoD’s network defenses, provide more training for cyber warriors, and develop cyber tools, including those that can be used offensively, according to the article. The full article can be found here.
In the eleventh hour of the twelfth month of 2015, the Cybersecurity Information Sharing Act (“CISA”) (Public Law No. 114-113), pushed through Congress as part of an omnibus spending bill and was subsequently signed by President Obama. This bill has been hailed by its sponsors as long overdue and an important step in enhancing our nation’s cybersecurity; while privacy advocates have decried this as the government further encroaching on privacy rights. Due to the fact that CISA 2015 is an expansive and wide-reaching law our focus will be limited to the information sharing portion of this law.
In order to understand CISA 2015, it is important to contemplate what the act covers. The sponsors of this legislation, as well as the White House, have indicated that this act is focused on information sharing between private and federal entities, purportedly to enhance the United States’ cybersecurity posture; whereas privacy advocates claim this is merely an expansion of the cyber-surveillance state. CISA 2015 defines cybersecurity threat as “…an action, not protected by the First Amendment …, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.” This seems to pretty much cover everything and anything and of particular interest is the fact that the key language “…that may result in an unauthorized effort…” seems to imply that merely taking an action that has the potential to impact an information system is a cybersecurity threat and that no actual harm must occur. The crux of this is about information sharing, thus, if a private entity shares information with a federal entity the bar is set exceedingly low with respect to establishing that there is a possibility that something could be a threat. This shifts the burden of due diligence and consequently information sharing can occur without the entity really examining the issue and the context to see if harm is “likely” to occur. There is a vast expanse between something that is possible and something that is likely. Under these auspices, an entity could share almost anything that had even an infinitesimal chance of causing harm.
CISA 2015: Authorization, Sharing, Protection Related to Cybersecurity Threats
The CISA act addresses areas such as authorization for monitoring and identifying cybersecurity threats, the sharing of cybersecurity threats between federal and non-federal entities, as well as protections from liability related to sharing cybersecurity threats. CISA 2015 provides entities with the authorization to monitor information systems, implement defensive cybersecurity measures, and share cyber threat indicators or defensive measures so long as these actions are done under the guise of cybersecurity purposes. With respect to liability limitations and information sharing protections, none of the information shared for cybersecurity purposes will be made generally available to the public and is exempt from among other things, FOIL laws, preventing the disclosure of any of the shared information. While this may have the effect of helping to encourage information sharing it could also have a chilling effect on oversight as an entity can simply claim that information being sought under disclosure mandates is excluded since it relates to “cybersecurity threat information sharing”. Furthermore, section 106 of CISA 2015 directly addresses liability and states that no cause of action can be initiated or continued in any court against any private entity related to (1) monitoring of an information system or, (2) the sharing or receipt of any cyber threat indicator or defensive measure, so long as these actions are done in accordance with CISA 2015 (which of course relates back to the definition applied to cybersecurity threat). As a result of this language, both the Federal Trade Commission (“FTC”) and the Federal Communications Commission (“FCC”) have effectively been de-fanged by this legislation. Now, neither the FTC nor the FCC can pursue private entities who monitor their information systems so long as the entity establishes that they are acting pursuant to cybersecurity purposes.
CISA: Balancing Information Sharing with PII
In some respects, CISA 2015 serves to leverage President Obama’s Executive Order 13691 which was designed to promote the creation of information sharing and analysis organizations (ISAOs) in order to encourage the sharing of cybersecurity threat information between the private sector and the government. While this could be viewed as a positive step one can also counter that this encourages the widespread and continued intrusion into our everyday cyber lives. For CISA 2015 does not just encourage information sharing it also severely limits the liability of any entity that shares information. Whether or not that information ultimately ends up containing personally identifiable information (“PII”) or is ultimately not connected to any viable cybersecurity threat. CISA 2015 does require that non-federal entities review information for PII prior to sharing but the threshold is once again exceedingly low. The act allows the entity to either review the information and remove PII that they “know” identifies a specific individual; or in the alternative an entity may develop a technological solution to remove information unrelated to a cybersecurity threat that the entity “knows” at the time of sharing to be personal information. Here knowingly as defined in the model penal code means essentially that the entity must be “practically certain” that their conduct (e.g. the sharing of information) would both (1) not be connected to a cybersecurity threat, and (2) contain information that would identify a specific individual. In addition to the encouragement of sharing, under section 105, cybersecurity threat information is shared with all of the federal entities subject only to such controls as must be unanimously agreed to by the federal entities. Consequently, any information processing is weighed in favor of expediency and against the unintended release of PII, in spite of the potential collateral damage associated with the sharing of PII. Within this same section, CISA lists a range of authorized activities which allow Federal, State, and Local law enforcement to use cyber threat information for investigations covering a wide range of offenses. Essentially allowing the government access to and use of information that would otherwise be protected under the fourth amendment provisions against unreasonable search and seizures as well as the probable cause requirements.
Effectively, the public outcry following the Snowden revelations about widespread cyber-surveillance was overcome as this expansive bill pushed through the House and the Senate and was dutifully signed by President Obama. As though the encouragement and promotion of information sharing did not have enough potential for misuse, this Act goes a step further by declaring that all of this information is exempt from the standard disclosure laws and that entities involved in cybersecurity threat analysis, monitoring, defense, and sharing are exempt from lawsuits. To further ensure that no hurdles exist, the definition of cybersecurity threat adopted in this legislation is overly broad and covers everything unless a first amendment exception can be successfully asserted – which is no small task. In short, the Cybersecurity Information Sharing Act of 2015 seems to stack the deck in favor of entities and against individuals’ privacy rights.
Title II of CISA discusses the National Cybersecurity Advancement which includes the implementation of intrusion detection and prevention systems, and leveraging “advanced network security tools” to diagnose and mitigate cybersecurity risks, whereas Title III outlines a plan to assess the current cybersecurity workforce, to identify needs in both civilian and non-civilian roles and to ascertain areas of critical human resource needs for cybersecurity roles. Title IV mandates that specific studies be undertaken: (1) Mobile device security with a plan for secure mobile device technology to be utilized by the Department of Homeland Security; (2) Dept. of State International Cyberspace Policy – a plan to guide diplomacy to work with foreign countries to adopt bi/multi-lateral activities to foster international norms within cyberspace; (3) a plan to address the apprehension and prevention of future cybercrimes from individuals operating within countries for which no formal extradition policy exists; (4) enhancement of emergency services to assess cybersecurity risks to Federal and State emergency responder systems; (5) plan to audit and bolster cybersecurity within the healthcare sector; and (6) a move to multi-factor authentication for all federal computer systems.
 Cybersecurity Information Sharing Act of 2015, Pub. L. 114-113, 129 Stat. 694, 694-744 (2015).
 Christopher Harvie & Cynthia J. Larose, Happy New Year – Cybersecurity Information Sharing Act, National Law Review (Jan. 6, 2016), http://www.natlawreview.com/article/happy-new-year-cybersecurity-information-sharing-act.
 Jack Detsch, Is the Cybersecurity Act really government spying in disguise?, The Christian Science Monitor (Dec. 23, 2015), http://www.csmonitor.com/World/Passcode/2015/1223/Is-the-Cybersecurity-Act-really-government-spying-in-disguise.
 Robyn Greene, Cybersecurity Information Sharing Act of 2015 is Cyber-Surveillance, Not Cybersecurity, Open Technology Institute (Apr. 9, 2015), https://www.newamerica.org/oti/cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/.
 Cybersecurity Information Sharing Act of 2015, supra note 1, at 696.
 Id., at 699-700.
 Id., at 702.
 Cybersecurity Information Sharing Act of 2015, supra note 1, at 709-10.
 The White House, Office of the Press Secretary, FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing, (Feb 12, 2015), https://m.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform.
 Cybersecurity Information Sharing Act of 2015, supra note 1, at 701.
 Model Penal Code §2.02(2)(b) (Am. Law Inst., 2016).
 Cybersecurity Information Sharing Act of 2015, supra note 1, at 695, 703 (Federal Entity includes: Dept. of Commerce, Dept. of Defense, Dept. of Energy, Dept. of Homeland Security, Dept. of Justice, Dept. of the Treasury, and the Office of the Director of National Intelligence).
 Greene, supra note 4.
 Cybersecurity Information Sharing Act of 2015, supra note 1, §§201-407.
Cyber Round Up: Six Botnets Identified and Traced; DoD Releases Cloud Connection Process Guide; France Wants to Increase Legal Tools to Address Cybercrimes
- Six Botnets Identified and Traced (Israeli21c): Six botnets have been identified and traced by cybersecurity researchers from Deutsche Telekom Innovation Labs at Ben-Gurion University, according to an article by Israeli21c. Botnets are “networks of malicious remotely undatable code” that infect computers, the article explained. Hackers can then use these botnets to carry out “powerful attacks” that are very difficult to trace, the article continued. Using the results from the research, law enforcement will be able to “track the botnet back to its administrator”, according to the article. The full article can be found here.
- DoD Releases Cloud Connection Process Guide (C4ISR&Networks): The Defense Information Systems Agency (“DISA”) has released its “Cloud Connection Process Guide (“CCPG”), according to C4ISR&Networks. The article stated that the document includes “lessons learned and process insights from cloud pilots and various other DISA led efforts.” The article further explained that the CCPG is a “living document” that will be updated in accordance with changing policies. The full article can be found here.
- France Wants to Increase Legal Tools to Address Cybercrimes (The Associated Press): French Interior Minister, Bernard Cazeneuve, stated that the French government would adopt rules that will allow the government to access data for cybercrime investigations, according to The Associated Press. Although there was little details announced, the article explained that these planned laws would allow the government to demand data from overseas tech companies. The full article can be found here.
Cyber Round Up: Rudy Giuliani compares cybersecurity to cancer and hackers to the Mafia, U.S. Utilities worry about cyber coverage after Ukraine Attack, Congress Needs to Catch up on Cybersecurity Issues
- Rudy Giuliani Compares Cybersecurity to Cancer and Hackers to the Mafia (MarketWatch): In a recent MarketWatch article, Giuliani, a prostate cancer survivor compared cybersecurity to cancer, saying that both present similar challenges and that early detection is vital to reducing damage. Giuliani went on to say that cybercrime reminds him of the organized criminal networks that he pursued back in the 80’s, according to the article. The article indicates that Giuliani’s move into cybersecurity reflects reluctance on the part of many CEO’s to hire traditional cybersecurity firms, especially those that are largely staffed by ex-hackers. Giuliani’s approach was quite different as he decided to recruit from the ranks of ex-military rather than looking at reformed hackers, the article stated. The full article may be found here.
- Continued Exposure for the U.S. Power Industry (Reuters): Jim Finkle reports in Reuters that U.S. utilities are closely examining their exposure and insurance coverage following the Ukraine power grid hack which was reportedly the first cyber attack to cause a physical power outage. The article indicates that a similar attack in the United States could devastate utilities and result in financial losses of more than $200 billion. Several utilities, namely, American Electric Power Company, Duke Energy Corp., Nextera Energy, Inc., and PG&E Corp., have warned about their exposure to cyber risks in their annual reports provided to security regulators, according to the article. Furthermore, the article states that a study by Lloyd’s of London and the University of Cambridge indicated that simultaneous malware attacks on just 50 generators in the Northeastern US could cut power to nearly 100 million people and result in $243 billion in economic damage and between $21 and $71 billion in insurance claims. The full article is here.
- Congress Needs to Catch up on Cybersecurity Issues (FCW): This article by Aisha Chowdhry credits Sen. Rob Johnson (R-Wis.) as saying that the U.S. is behind the curve on cybersecurity and the Cybersecurity Information Sharing Act of 2015 should have been passed years ago. Johnson also indicated that our energy infrastructure is inadequately protected and no one is even talking about the use of electromagnetic pulse (“EMP”) weapons, according to the article. The full text of the article is here.
California Joins New York in Opposing Phone Encryption (ComputerWeekly.com): Warwick Ashford, writing for Computer Weekly reports that now California is joining New York in considering legislation to force technology companies to give law enforcement workaround to access encrypted devices. Ashford states that the means proposed by New York and California to access encrypted data are similar; however the ends are somewhat divergent as the NY focus is on countering terrorism whereas California is focused on eliminating human trafficking.
The article posits that were these proposals to be passed then businesses in New York or California that require encrypted devices would be forced to buy or lease said devices from suppliers that from outside states. Furthermore, the tech companies themselves are staunchly opposed to back-door access to encrypted devices, according to the article.
So is the NY and California approach more a “blind leading the blind”, or perhaps “dumb and dumber”? The California Assemblyman that is spearheading this legislation, Jim Cooper, readily admits that 99% of Californians’ phones would not be involved in any law enforcement operations, yet this legislation would make 100% of all the California devices more vulnerable to hacking, according to Ashford.
Cooper, apparently not a strong Constitutional advocate is quoted in the article as saying “… Human trafficking trumps privacy, no ifs, ands or buts about it”. This view seems to be in opposition to some recent high-profile Supreme Court cases, but why let a silly thing like the Constitution or the Supreme Court get in the way of really good legislation. Meanwhile, the Dutch government has taken the view that strong encryption is vital to protecting national interests and the protection of citizens, reports Ashford.
If we ignore the privacy argument, the role of smartphones and their manufacture and sale in interstate commerce, then New York and California might be able to make a case for restricting the sale of encrypted devices that don’t allow back-door access for law enforcement. Of course, if we look at the Constitution or the Supreme Court’s interpretation of privacy rights these proposed pieces of legislation seem like nothing more than grandstanding and trying to appeal to the “flavor of the month”. One needs to look at the overall picture and understand that the introduction of back-doors for access to encrypted data merely simplifies the state and non-state actors ability to obtain and exfiltrate data. If we develop a blanket policy with respect to encryption then we chip away at the very foundation of internet communication and the ability to establish secure communication channels for the transmission of sensitive data (i.e. performing financial/banking transactions, encrypting sensitive corporate data such as trade secrets, etc.).
It is, therefore my opinion that if you want my encrypted data you will have to pry the private keys from my cold dead hands — no secret backdoor access should be allowed.
Cyber Round Up: Israel’s Electric Authority Infected with Virus; China Revamps Cyber Force; CERT-In Signs Agreements with 3 Nations
- Israel’s Electric Authority Infected with Virus (Times of Israel): The Times of Israel reported that several computers used by the Israel’s Electric Authority is currently experiencing a “severe cyber-attack”. According to the article, the Israeli Energy Minister Yuval Steinitz confirmed the attack is ongoing, adding that the ministry is “already handling it” in collaboration with the Israel National Cyber Bureau. The virus was discovered on January 26 and forced the ministry to “paralyze” many computers, the article continued. The article added that according to Minister Steinitz the “right software was already prepared to neutralize [the virus].” The full article can be found here.
- China Revamps Cyber Force (The Washington Free Beacon): As a result of the recent Chinese military reorganization, the danger posed by the nation’s cyber force has increased, according to The Washington Free Beacon. The article added that according to analysts a new Strategic Support Force has been created. This new support force is comprised of the 3rd Department (“3PLA”), a unit with about 100,000 cyber warfare hackers and signals intelligence troops, the article continued. The 4th Department, the nation’s military electronic intelligence and electronic warfare service is also included in the new support force, the article explained. According to the article, analysts believe that this new support force will allow the nation to “move forward with the concept of integrated network electronic warfare.” The full article can be found here.
- CERT-In Signs Agreements with 3 Nations (Times of India): The Indian Computer Emergency Response Team (“CERT-In”) signed agreements with its counterparts in Malaysia, Singapore, and Japan, the Times of India reported. The article revealed that the agreements include cooperation on cybersecurity, information and experience sharing, and cooperation on addressing cyber incidents. The full article can be found here.
Following the massive data breach involving the Office of Personnel Management (“OPM”) which compromised approximately 22 million security clearance records of federal employees and contractors, the Obama administration has tasked the Department of Defense (“DOD”) with overhauling the background investigation process, Nextgov reported. This move shifts the responsibility to protect security clearance information from the OPM, the agency that spearheaded the effort at the time of the beach, to the DOD, the article continued.
According to the article, the DOD will implement new IT systems that store background investigation information of federal employees and contractors. Unlike OPM’s IT system, the article reported, the DOD’s new systems will use encryption to protect sensitive data. Further, DOD software engineers will develop the systems using a “modular approach” which will allow them to better adapt to evolving cyber threats, the article explained. Nextgov also revealed that parts of the system may be disconnected from the internet.
In addition, the article reported that the administration plans to establish a new entity within the OPM called the National Background Investigations Bureau which will be responsible for conducting background checks. The DOD will also be responsible for the security of the IT systems used by this new office, according to the article. The Defense Information Systems Agency, a combat support agency of the DOD, will be charged with the execution of the project, the article further stated.
The administration has requested $95 million to implement this project, however, even if Congress approves it, the budget would not be available until September 2016 when the next fiscal year begins, according to article. For now, the article added, the project will be funded by the current OPM budget which includes $21 million approved by Congress in December 2015 for IT upgrades.
For more on this issue, please find the full article here.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
- Obama Executive Order — Commission on Enhancing National Cybersecurity
- Executive Order — Establishment of the Federal Privacy Council
- White House Announces “Cybersecurity National Action Plan”
- Cyber Round Up: NSA Planning Reorganization; U.S. Looking to Relax Software Export Regulation; Defense Secretary Highlights Tech Priorities for 2017
- The Cybersecurity Information Sharing Act of 2015
- Cyber Round Up: U.S. Tracking Cyber Activity in Syria Conflict, DPRK Hacked ROK Metro System — ROK Legislator, Aircraft Vulnerable to Cyber Attacks — European Official on
- Cyber Round Up: Anonymous Declares War on ISIS, Ghost Security Group Targets ISIS Online Activities on
- Cyber Round Up: DOE and MIT Sloan Partner Up for Grid Security, DoD Needs to Focus its Hiring Efforts, USCG RDML Thomas on Port Security on
- Cyber Round Up: U.S. Strengthens Cyber Defenses while recruiting 6,000 cyber-warriors, RSA:CyberSecurity industry is ‘fundamentally broken’, Who’s Really in Charge in case of a US Cyberattack? on
- Too Big to Fail? Understanding the U.S. Power Grid Vulnerabilities in terms of Cybersecurity on
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010