2019 began with the United States’ longest government shut down ever, halting the work of many federal agencies and leaving analysts especially concerned for the Nation’s cyber security.  According to The Hill, Lawmakers are experiencing growing concerns that the “lingering effects” of the government shutdown, coupled with increased efforts from hostile foreign actors, have left the United States vulnerable to cyber threats.  During the shutdown, the Department of Homeland Security (DHS), one of the agencies forced to furlough certain employees, issued a first of its kind emergency directive detailing what procedures were to be followed as a result of the lapse in appropriations.  House Homeland Security Committee Chairman Bennie Thompson told the Hill that another shutdown “absolutely” could amount to “an open invitation for foreign hackers to go after federal systems,” further explaining that Congress’s “concern is that so many of those persons we relied on, they weren't there,” Thompson said. “And that makes us weak.”  Currently DHS has temporary funding until February 15th, 2019 at which point the government will face the specter of another shutdown.  DHS was not the only Federal agency whose cybersecurity operations were affected by the shutdown.  According to a 72 page briefing from the FBI Agents Association, an organization founded in 1981 to protect the rights of FBI agents and former agents, the FBI cyber investigations and enforcement efforts were seriously affected by the shutdown. The report, titled “Voices from the Field: FBI Agent Accounts of the Real Consequences of the Government Shutdown”, focused on how several areas of the Bureau’s efforts were adversely impacted by the shutdown.  The report included many quotes from acting FBI agents, identified only by the region they operate in, and shed light on how the shutdown put many types of operations in jeopardy.  These include making payments to confidential human sources, funding for wiretaps, issuing subpoenas, and collaborating with other federal agencies that were likewise unfunded and facing furlough.  One agent, identified by the report only as being from the “Northeast Region”, shared this quote during the shutdown: “Today we have no funds for making Confidential Human Source payments. In my situation, I have two sources that support our national security cyber mission that no longer have funding. They are critical sources providing tripwires and intelligence that protect the United States against our foreign adversaries. The loss in productivity and pertinent intelligence is immeasurable.”  The Federal government effectively pushed back the deadline for reaching a budget agreement until February, 15th,  2019.  It is unclear as to whether or not the President and Congress will reach an agreement, or if another shutdown is already in the making. In the meantime, it appears that US cyber resilience is being pushed closer and closer to its limits.   

September 21, 2018 By: Connor Breza President Trump unveiled his administration’s cybersecurity strategy this week, promoting it as “America’s first cybersecurity strategy in 15 years”.  President Trump’s strategy builds off of his 2017 Executive Order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” laying out four “key tenets”.  President Trump’s first tenet reads: “Protect the American People, the Homeland, and the American Way of Life.”  The strategy articulates that it will accomplish this tenet by “taking specific steps to secure Federal networks and information, secure critical infrastructure, combat cybercrime, and improve incident reporting.”  The second tenet of the cybersecurity strategy is to “Promote American Prosperity”.  The White House asserts that the administration “will preserve America’s influence in the technological ecosystem and pursue development of cyberspace as an open engine of economic growth, innovation, and efficiency.” This tenet is broken into three steps: Fostering a vibrant and resilient digital economy.Protecting American ingenuity from threats such as intellectual property theft.Developing a superior cybersecurity workforce through education and recruitment. Third, President Trump’s cybersecurity strategy seeks to “Preserve Peace through Strength”.  His administration asserts that it “will identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to our national interests, while preserving America’s overmatch in and through cyberspace.”  This tenet will be accomplished in four parts: Promoting responsible behavior among nation states.Working to ensure there are consequences for irresponsible cyber behavior.Launching an international Cyber Deterrence Initiative. Exposing and countering online malign influence and information campaigns.  Finally, the fourth tenet of the cyber strategy is to “Advance American Influence”.  President Trump seeks to accomplish this tenet by ensuring and preserving the long-term openness of the internet.  President Trump has put forward a five-part plan on how his cyber strategy will further this aim: Encouraging Nations to advance internet freedom.Advancing a multi-stakeholder model of internet governance.Promoting open, interoperable, reliable, and secure communication infrastructure.Opening overseas markets for American ingenuity.Building international cyber capacity.  As a part of this strategy, the Trump Administration has pledged to release a number of agency specific strategies that emphasize the importance of cyber security.  His final message in the strategy strongly concludes: We Will Make America Cyber Secure. 

Sponsor Tables Shine at the Cyber Risk Summit In Philly August 6th, 2018   NetDiligence held its 9th annual Cyber Risk Summit on June 12-14th in Philadelphia.  This year, the conference focused on educating attendees on current breach risk management protocols and practical knowledge for cybersecurity insurance brokers, attorneys and Chief Information Security Officers (CISOs). eWhiteHouseWatch had the privilege to cover the conference in its entirety again this year. A conference regular, Nick Economidis of Crum & Forster noted that “the conference has grown tremendously over the past nine years because it features experts from various disciplines and provides real insights.”

By: Frank X. Wukovits 4/5/2018   On March 23, 2018, the Clarifying Lawful Overseas Use of Data [CLOUD] Act was signed into law as a part of the Omnibus Spending Bill. In short, the legislation sets forth a myriad of provisions involving procedures and methods of storage, access, and retrieval of data between the United States and foreign governmental entities. As a result, the CLOUD Act's provisions create a potential (and perhaps inevitable) conflict between privacy and efficient governance.

eWhite House Watch returned for another great opportunity to report on the annual International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington D.C.. In the world of Cambridge Analytica and Facebook troubles, GDPR, and most recently, the new California privacy law, data protection and privacy have become a mainstream topic of conversation.  That is why the IAPP Global Privacy Summit of 2018 this year was described as “A Monumental Conference for A Profession at Crossroads.” As always, the world’s biggest privacy conference hosted more than 3,500 attendees, collaborating and seeking answers to important global privacy issues, highlighting topics such as survival, resilience, digital reputation, and equality, with a large focus in trust.  These issues were driven home by the conference’s distinguished Keynote Speakers, including  Social Activist, Writer, and Public Speaker Monica Lewinsky; MEP, International Trade, TiSA Rapporteur Viviane Reding; Writer, Broadcaster, Journalist, and Documentary Filmmaker Jon Ronson, Professor at Columbia University and contributing Editor of the Financial Times Simon Schama; and Birgit Sippel, MEP, Group of the Progressive Alliance of Socialists and Democrats.  The keynote speakers gave in depth discussions on issues central to the conference such as the EU’s position in global trade and the digital economy, spearheaded by MEP Reding. Additional topics included changes in the internet and the growing prominence of social media as well as the EU’s new Privacy regulation and their stance on Privacy in the 21st century. The Conference hosted a plethora of other speakers, ranging from in-house counsel at prominent corporations, government officials, and cybersecurity experts.   In the segment titled “A Fireside Chat with the Chair of the Article 29 Working Party”, Chairwomen of the WP 29 and Director of the Austrian Data Protection Authority Andrea Jelinek, together with Corporate VP and Deputy General Counsel at Microsoft Julie Brill discussed the main areas of uncertainty remaining in the GDPR.  These two prominent speakers brought forth important questions such as: What will enforcement look like once the GDPR comes into effect? How will European regulators handle and coordinate cross-boarder investigations? How do DPAs keep up-to-date on artificial intelligence, machine learning, and similar advanced technologies? And what will data protection look like five years from now? Staying true to years past, the conference hosted many remarkable panels and discussions.  Some interesting sessions included: Mitigating Human Risk Factors Through Privacy and Cybersecurity Training; Regulating for Results: Effective Use of Both Carrot and Stick; and Privileged & Confidential… And Lets Keep It That Way! One of the most helpful sessions for in-house counsel who assist their companies in compliance was Vendor Risk 2.0. The panel, consisting of privacy pros Michelle Beistle, Dori Kuchinsky and Charlotte Young, focused on such issues as how to set up a process for both, new and existing, vendors, what clauses to have in their contracts, find out what type of data is shared with them and what type of protections are in place. The Meeting Challenges of Privacy, Security and GDPR Compliance in the Cloud session focused on the key issues in cloud privacy space.  With the exponential growth of cloud use by the business, how to tackle compliance while assisting your business in accomplishing their goals takes center stage. The Summit also focused on international topics, spotlighting issues involving compliance with and enforcement of GDPR as well as trans-border data flows.  In the “Privacy Shield as the GDPR Comes Online” session, such distinguished speakers as Bruno Gencarelli, the Head of International Data Flows and Protection, European Commission, explained how while Privacy Shield facilitates transatlantic data flows, its intersection with the GDPR may present challenges. The panel’s warning about the Privacy Shield effectiveness has come true when recently the European Parliament threatened to suspect it until the United Stated complies with its terms. No surprisingly, the Parliament specifically referred to Facebook and Cambridge Analytica- both were certified under the Privacy Shield. Staying true to its reputation, the Summit ushered in thousands of privacy practitioners and provided the opportunity to spread a wealth of knowledge and information from across continents and allowed practitioners to network, correspond on prominent privacy and security issues, and discuss the changing privacy and cyber landscape.  The mindset of the conference can be summed up by Keynote Speaker MEP Reding’s challenge: “Do you want to be a standard maker or a standard taker?” 

By: Frank X. Wukovits March 21st, 2018     This past month, the Council of Economic Advisers (CEA) released a report, The Cost of Malicious Cyber Activity to the U.S. Economy. The report identifies and articulates the impact recent cybercriminal behavior has had on the United States economy and identifies several issues impeding sufficient cybersecurity measures. The report details distinct forms of malicious cyber activity and highlights the sectors of the economy that are most vulnerable to such activity. However, the CEA notes that the vernacular used to describe cybersecurity concepts and issues in the report are not uniform and may differ from other reports published in the cybersecurity community. In general, malicious cyber activities involve cybersecurity incidents, which are described as explicit or implied security policy violations. Private and public entities experience various forms of cybersecurity incidents, which essentially intend to compromise an entity’s confidentiality, integrity, and/or availability (CIA).