Welcome to eWhite House Watch
Where Technology, Privacy, and Politics Collide
eWhite House Watch features concise updates on cyber policy issued by the Office of the President of the United States (POTUS). Monitored and written primarily by law students, each eWHW cyber policy update is presented in an easy-to-scan format that includes links to POTUS announcements, federal and state proposed legislation, breaking news, updates, cyber policy committee reports, and more.
Striking the proper balance of benefits between technological advances and privacy protection has always posed challenges. Today, the challenges are even greater as technology significantly outpaces privacy protections; and the need for greater recognition of this reality and honest public discourse is more pressing than ever. eWhite House Watch monitors the cyber agenda so you can be informed and partake in the debate.
Visit our special feature, Origins: The White House Cyber Agenda for details on the current administration's Comprehensive National Cybersecurity Initiative.
The creator of eWhite House Watch also created eLessons Learned with a similar vision in mind: To provide readers with useful and timely information about how technology impacts our legal system and our lives in a way that is easy to understand.
The IAPP held its annual Global Privacy Summit in Washington DC between April 3rd and 6th. The IAPP said the summit, which drew more than 3,500 attendees, was the largest it had ever put on and, to its knowledge, the largest of its type in the world. eWhite House Watch had the opportunity to attend the conference as part of the press corps. As it has in years past, the conference combined fascinating opportunities to hear about cutting-edge issues in privacy law with great opportunities to connect with privacy professionals from around the globe.

The conference drew some of the best speakers and biggest names in the privacy community. For example, one of the keynote speakers was Brad Smith, Microsoft’s Chief Legal Officer and President. Mr. Smith’s theme was that this is the best of times and the worst of times for privacy in America. “Privacy is one of the defining issues of our time.” With everything being connected, we can all benefit from the use of big data, advances in human-centered technology, and vast networks of people and computers. But hacks like the one Sony experienced, and concerns regarding encryption’s role in the Paris attacks, are just a few examples of the challenges facing privacy professionals. He emphasized that there is no single answer and that the private sector and governments need to work together to draw proper lines that protect people’s privacy while also providing for their safety. In short, there is a lot of work to do, but Mr. Smith emphasized that “Privacy should be a cause worth embracing.”

eWhite House Watch was also fortunate to attend an interesting discussion with the FBI’s general counsel, James A. Baker. Mr. Baker started by explaining: "I consider myself to be a privacy lawyer to a significant degree because a huge amount of my job is to think about that." Privacy “is baked into [the FBI’s] mythology and how we think” with 27 privacy officers stationed throughout the Bureau.
He expressed great concerns regarding the “Going Dark” issue that FBI Director Comey has spoken extensively about. He emphasized the importance of electronic surveillance as a key tool for the FBI to investigate crime and protect the public. But he said that, with the rise of encryption, electronic surveillance is becoming less and less effective. Mr. Baker recognized the value of encryption (especially in dealing with countries run by authoritarian regimes) and acknowledged that the FBI does not have the answer to the Going Dark problem. He then emphasized, "we are not trying to impose a solution because we don't have one. In terms of establishing the balance of how to achieve all of these issues it is a hard question." He acknowledged that the FBI cannot be successful without the trust of the American People, or “at least [their] confidence that competent people in government are trying to do the right thing." The FBI thinks of itself “as the servants of the American people and will do what you want.” A more encrypted world will make the FBI’s job harder, but that may be the price the public is willing to pay to protect its privacy.

Beyond the big-name speakers, the conference also provided an enormous range of panels and workshops for attendees. With sessions ranging from practical panels like “Building a Hurricane-Proof Data Transfer Compliance Program” and “Trends in Cybersecurity Supervisions and Examinations” to more fanciful discussions like “Sci-Fi Privacy: The Tech It Predicted and What's Coming Next,” the conference truly offered something for everyone.

One of the most interesting sessions eWhite House Watch attended was a short 15-minute talk given by Nico Sell, founder of the encrypted messaging app Wickr. Ms. Sell’s talk acted as a counterbalance in many ways to Mr. Baker’s “Going Dark” concerns regarding encryption. Ms. Sell spoke about the importance of encrypted communications and the battles underway to undermine privacy.
She likened personal data to hazardous waste: “if you're holding it, you better keep it safe.” Encryption is the first line of defense in protecting data, and the best way to make this encryption effective is to “embrace hacker research.” Ms. Sell topped off her talk by showing a map (see page 17 here) created by Human Rights Foundation and Wickr that highlights which countries demand backdoors or restrict access to encryption.

Noted cyber lawyer Fernando M. Pinguelo, Esq. (CIPP/US), who attended the session, remarked: “Ms. Sell’s remarks hit the mark and captivated the audience. I found her philanthropic efforts focused on kids to be fascinating. Through teaching cryptography, white-hat hacking, and cyber security she hoped to empower kids around the world to protect their communities.”

Attendees at the conference also got to hear all the IAPP’s latest news. IAPP president J. Trevor Hughes proudly stated that the IAPP now has 25,000 members in more than 80 countries. He also announced the creation of the Fellow of Information Privacy certification, which is intended to recognize leaders in the privacy field. Mr. Hughes further announced that the CIPP credential has received the ISO 17024:2012 certification. Mr. Hughes told eWhite House Watch that the ISO’s approval is “important because it is a third party who has acknowledged and certified that the CIPP is of the highest quality and that the IAPP is doing what it says it does.”

In short, the conference was a success for the IAPP. Mr. Hughes said that the Association “was very pleased with the conference” and that he was proud that “every year the event gets bigger.”
President Obama presented his final annual budget proposal to Congress on Tuesday, which included a $19 billion request to support the launch of his new Cybersecurity National Action Plan (CNAP). The $19 billion request reflects a $5 billion increase in current spending. The President insists that this investment will ensure that Americans will have the tools to protect themselves online, companies will be able to protect their operations and information from hackers, and the government will be able to defend itself against cyber attacks.

Some highlights of the CNAP include:

• $3.1 billion to form the Information Technology Modernization Fund, which will rebuild the federal government’s aging computer systems.

• The formation of the Commission on Enhancing National Cybersecurity, comprised of top business and technical non-government employees and thinkers, who will advise the government on the newest technical solutions and the best cybersecurity practices to protect privacy and public safety.

• $62 billion investment to attract qualified cyber professionals to the workforce. A portion of the funds will be used to establish scholarships for students who wish to obtain a cybersecurity education and work for the government. In addition, the government will offer loan forgiveness for students who pursue careers in the cyber profession.

• The appointment of a Federal Chief Information Security Officer, who will be the first ever senior government official whose sole purpose is to focus on developing, managing and coordinating cybersecurity strategy within the Federal government.

• Increased investment in the President’s 2014 BuySecure Initiative, which seeks to empower Americans to protect themselves by using multiple factors of authentication when logging into their online accounts. This program also encourages companies to accept more secure forms of electronic payment, such as microchips, instead of magnetic strips on credit and debit cards. Additionally, the program seeks to reduce the use of Social Security Numbers as online identifiers of citizens to protect against identity theft.

You can find out more about the CNAP here.
The Department of the Treasury’s Office of Foreign Assets Control (OFAC) published the Cyber-Related Sanctions Regulations that became effective on December 30, 2015. The new regulations implement Executive Order 13694 and authorize the imposition of economic sanctions on those found to be responsible for, as well as those who significantly benefit from, malicious cyber attacks or cyber theft. The regulations do not identify specific individuals or entities who will be sanctioned, nor do they indicate any sort of immediate compliance obligations for U.S. companies.

Some notable regulations include:

• Sanctions on identified entities who participate in cyber-enabled activities that are reasonably likely to have resulted in a significant threat to the national security, foreign policy, economic health or financial stability of the United States.

• Sanctions on identified entities who trade or engage in other transactions with people named on OFAC’s SDN List pursuant to E.O. 13694.

You can find more details about the Cyber-Related Sanctions Regulations here.
By Kristen Tierney

While security seemed to be a major focal point during President Obama’s State of the Union Address last Tuesday night, cyber security did not receive quite as much direct attention. Not surprisingly, national security took a front seat, but this time with very little focus on national surveillance policies. Perhaps it could be because it is the President’s eighth and last State of the Union Address, but the overall tone felt nostalgic, with the President frequently referencing the traditional American “spirit” and “work ethic.” Yet, it was candid and at times even “playful,” with the President evoking laughter several times throughout the night.

The President opened his address by laying out four major questions that he planned to answer, one of which was how we as a nation can “make technology work for us and not against us.” In trying to promote the need for technological developments in science and in medicine, Obama referred to the American “spirit of discovery,” calling for a similar response in dealing with issues like climate change and developing the cure for cancer as there was during the development and buildup of the American space program. Developments in internet access received a brief but honorable mention, when the President said we have successfully “protected an open internet,” which has also allowed more students and low-income Americans to have internet access.

It would have been impossible for the President to address issues of national security without at least acknowledging the looming threat of terrorism. It was at this point that the internet received a less honorable mention when the President acknowledged the use of the internet as a tool for terrorist groups like Al Qaida and ISIL in recruiting new members.

Lastly, the President focused on technology and the role it played in recent economic changes and the challenges that have accompanied these changes.
Recognizing the effect that technological advances have had on jobs, Obama noted that such advances affected jobs in all sectors. The President used this as a stepping stone to discuss the growing power of companies and those at the top over the average American worker. It was as a result of this outcome that the President urged reform in education, calling for computer science classes to make America’s future workforce “job-ready.”

President Obama used his final State of the Union Address to call for what would require a series of compromises in Congress during the remaining months of his presidency and beyond. However, although he addressed the influences of technology in various areas like energy, health and medicine, and the economy, the President’s address seemed to be missing something – cyber security.
The Georgetown University Law Center held its annual Cybersecurity Law Institute on May 20 and 21, 2015. The event, billed as the only cybersecurity conference geared primarily for attorneys, focused on providing practical how-to advice for attorneys working on cybersecurity while also discussing the future of cybersecurity. eWhite House Watch had the opportunity of attending the conference as part of the Institute’s Press Corps, and found the sessions and networking opportunities fascinating.

The highlight of the event came on its first day when both James B. Comey, the director of the FBI, and Leslie Caldwell, Assistant Attorney General in charge of the DOJ Criminal Division, spoke to the assembled conference goers. Director Comey demonstrated a solid understanding of the cybersecurity threats facing the nation. He repeatedly emphasized the importance of private companies collaborating with the FBI to address the most pressing of cyber threats. He noted that even though the FBI has not always had a stellar record in working with the private sector, it has taken great steps to improve its relationship with private enterprise since the financial attacks of 2012.

AAG Caldwell stated that “we need to have a real sense of urgency when we talk about cyber crime.” It is the most international of criminal activity and, as such, the CCIPS (Computer Crime & Intellectual Property Section) of the DOJ has made a concerted effort to work with its international and private partners to track down and prosecute foreign criminals. AAG Caldwell noted that earlier this year, the DOJ had worked with INTERPOL and foreign authorities to arrest notorious Russian hacker Roman Seleznev while he was on vacation in the Maldives.

The program was also chock-a-block full of panel discussions designed to be useful for individual practitioners. One of the recurring themes was that cyber threats were not an IT issue; they were a corporate issue.
Boards of directors and senior executives need not only to understand cybersecurity issues but also to fully buy into their companies’ security programs and response plans. More than one panel discussed the need to include senior executives in “tabletop” exercises practicing how the company will respond in the event of a cyber intrusion. During one panel discussion, Ivan Fong (General Counsel for the 3M Company) said that Boards needed to address the “3 Rs” for cyber security: (1) Risk – a board needs to have an understanding of the cyber risks the company faces and to drill down on how those risks affect the company; (2) Resources – a board needs to ensure that the company has the personnel, the technology, and the processes in place to address a threat when it arises; and (3) Readiness/Response – senior management and the board should have a plan in place to respond when the inevitable intrusion occurs, and senior executives should have a communications team ready, contacts with relevant law enforcement/regulatory agencies, and a plan tailored to address the specific needs of the company. Peter Gleason from the National Association of Corporate Directors (NACD) noted that his organization had developed a Cyber-Risk Oversight Handbook for boards of directors, which received great praise from other conference attendees.

The conference also comprised a fascinating panel discussion regarding emerging trends in corporate liability resulting from cyberattacks. The panel had representatives from the plaintiffs’ bar, corporations and the defense bar. A lively, though good-natured, discussion ensued regarding what companies are doing wrong in terms of responding to attacks and how they can position themselves to better fend off litigation.
An interesting point that came out was that while companies are racing to collect data that could be used to analyze markets and customers, such efforts also create risks for the company – and if there is not a business reason to keep the data, then companies should question why they are collecting it.

Overall, the conference was well organized and well received. Lawrence J. Center, Assistant Dean at Georgetown Law and the administrator overseeing the event, said that the school was “very pleased that in its third year [the conference] had more than doubled the total number of attendants” to more than 300 people in attendance at the conference. He believed that this increase was “a reflection of the importance of the conference” as the institute “strives to be the premier cybersecurity conference for lawyers.”
House Faces Both Support and Criticism over Cybersecurity Bills Discussed this Past Week

As reported by The Hill this past week, the House was set to discuss two important cybersecurity bills, both expected to pass. According to the proposed bill, the Protecting Cyber Networks Act is intended “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Separately, the National Cybersecurity Protection Advancement Act is an amendment to the Homeland Security Act of 2002 and, according to that proposed bill, it is expected “to enhance multi-directional sharing of information related to cyber-security risks and strengthen privacy and civil liberties protections, and for other purposes.”

On the surface, neither of the proposed bills seems problematic. There is some significant support for the bills, as noted in The Hill’s piece “Tech will be watching cyber vote”: the Information Technology Industry Council (ITI) has already sent a letter to the House expressing its support for the bills. In the letter ITI said that it “firmly believe[s] that passing legislation to help to increase voluntary cybersecurity threat information and sharing between the private sector, is an important step Congress can take to enable all stakeholders to address threats, stem losses, and shield their systems, partners and customers.”

Although ITI is highly supportive of these measures, other groups are not as on board and have also voiced their own opinions, including major concerns regarding privacy. As The Hill’s coverage also acknowledged, groups such as the American Civil Liberties Union, FreedomWorks, and the New America Foundation’s Open Technology Institute, among others, submitted a letter of their own to the House, specifically about the Protecting Cyber Networks Act, urging Congress to oppose it.
Their concern is that the actual effect of the law would result in abuse by the National Security Agency. They close their letter by saying, “PCNA’s overbroad monitoring, information sharing, and use authorizations effectively increase cyber-surveillance, while the authorization for the use of defensive measures actually undermines cybersecurity.” According to The Hill’s report, it seems as though the House is expected to pass both bills. However, the groups opposed to the bills raise some compelling concerns that may cause some pause. While most acknowledge that Congress needs to do something to address the issue of cybersecurity, the question is whether these two bills are the answer.