The National Cyber Strategy and Legal Reform

Steve Stransky
Monday, October 8, 2018, 8:50 AM

Published by The Lawfare Institute

The White House recently released its National Cyber Strategy, and lawyers and privacy advocates alike should pay careful attention to its “priority actions” related to surveillance and criminal law reform. Within its section on combating cybercrime, the document provides that the administration will work with Congress to modernize both electronic surveillance laws and computer crime statutes in order to “enhance law enforcement’s capabilities to lawfully gather necessary evidence of criminal activity, disrupt criminal infrastructure through civil injunctions, and impose appropriate consequences upon malicious cyber actors.” However, reform in each area of law presents its own unique issues and challenges.

Modernizing Electronic Surveillance Laws

The Cyber Strategy only mentions “privacy” and “civil liberties” a handful of times. Accordingly, instead of framing the administration’s priority to modernize electronic surveillance laws in terms of safeguarding privacy rights, the document addresses this legal reform in the context of promoting law enforcement and security interests. However, past debates surrounding surveillance authorities within the Foreign Intelligence Surveillance Act (FISA)—the 215 Program and 702 Program—and developments within domestic and foreign laws, foreshadow the difficulty the administration will face in attempting to enhance the government’s surveillance power for its cybersecurity purposes.

Originally, Section 215 of the Patriot Act authorized the FBI (through a Foreign Intelligence Surveillance Court order) to acquire “tangible things” in connection with a terrorism or counterintelligence investigation. Over time, however, this provision became the basis for the government’s ability to collect telephony metadata records in bulk, and when the scope of the 215 Program was leaked by Edward Snowden in 2013, it became the subject of judicial challenges and raucous congressional debates. In the end, with the support from privacy advocates both inside and outside of Congress, President Obama signed into law the USA Freedom Act of 2015, which essentially ended the U.S. government’s ability to utilize Section 215 to collect telephony metadata in bulk. When the Section 702 Program was subject to reauthorization earlier this year, its scope and use faced similar scrutiny. Section 702 of FISA authorizes warrantless surveillance of non-U.S. persons “reasonably believed to be located outside the United States,” with the compelled assistance of electronic communication service providers. During the debate on the continuation of the 702 program, Sen. Rand Paul (R-Ky.) referred to the reauthorization bill as a “flawed” measure that would allow “the warrantless surveillance of innocent Americans.” Sen. Ron Wyden (D-Ore.) warned that the bill “expands the federal government’s ability to spy on Americans.” Although Section 702 was eventually reauthorized, the congressional debate led to “significant changes to 702, though the reforms are substantially more modest than those sought by privacy advocates.” Notwithstanding their modest gains, the congressional debate concerning Section 702’s reauthorization illustrates the continued influence these privacy advocates have in shaping surveillance law—influence that will undoubtedly endure in the event the administration seeks to enhance these laws in favor of cybersecurity in line with the new strategy document.

The administration should also recognize the privacy-centric developments in both domestic and foreign laws. For example, in 2018, with the passage of laws in Alabama and North Dakota, all fifty states have now enacted data-breach notification laws, which reflects a progression in data privacy rights and responsibilities. Additionally, in 2018, California passed state legislation expanding consumer privacy rights and regulating the security of internet-connected devices in order to better safeguard personal data they contain. Given the scope of California’s economic reach, these laws will undoubtedly impact the data-privacy practices of businesses across the United States. Separately, with the implementation of the General Data Protection Regulation in May of 2018, and the threat that Privacy Shield will be invalidated, the broad data privacy rules and regulations in Europe have had a profound impact in the United States (and worldwide).

Although there are exceptions (e.g., the Cloud Act of 2018), the current legal and policy trends seem to favor individual privacy over security. Thus, it is difficult to foresee how the administration can work with Congress to modernize surveillance law in a manner that would significantly benefit the government, regardless of whether those reforms are intended to enhance the nation’s cybersecurity.

Modernizing Computer Crime Statutes

The Cyber Strategy also focuses on modernizing “computer crime statutes” to support the federal government’s security posture and response capability. Given that Congress has passed several cyber-related criminal statutes that provide law enforcement with broad authorities, this priority within the Cyber Strategy should attract attention and curiosity.

The Computer Fraud and Abuse Act (CFAA) is the government’s principal tool for prosecuting computer crimes, as it broadly prohibits intentionally accessing a computer either without authorization or in excess of authorization. The CFAA was a central aspect of Robert Mueller’s 2018 indictment of Russian officials who hacked the Democratic National Committee (DNC), and of the landmark 2014 indictment of five Chinese military officials for computer hacking and economic espionage. In addition to the CFAA, federal prosecutors can potentially levy federal charges against cyber criminals for violating laws related to the following: wire fraud (18 U.S.C. § 1343); identity theft (18 U.S.C. §§ 1028(a)(7) and 1028A); economic espionage and trade secrets theft (18 U.S.C. §§ 1831-32); wiretapping (18 U.S.C. § 2511); and the unlawful access of stored communications (18 U.S.C. § 2701).

Given the tools already available to federal prosecutors to combat cyber criminals, it is difficult to understand the Cyber Strategy’s prioritization of modern computer crime statutes. Hopefully, this priority is not aimed at amending the Foreign Sovereign Immunities Act (FSIA). Because FSIA is not considered a “computer crime statute,” this is likely not the case, but should be confirmed.

Previously, FSIA has presented challenges to plaintiffs seeking to use civil proceedings against state-sponsored perpetrators of cyberattacks. Pursuant to FSIA, foreign states and governments are immune from lawsuits filed in domestic courts, unless one of the statute’s exceptions to immunity can be invoked. FSIA is particularly challenging in cases concerning state-sponsored cyber attacks because the nature of these activities does not clearly align with any of the exceptions to immunity delineated in FSIA. (Note: Professor Ingrid Wuerth has provided very thorough assessments (see here and here) concerning FSIA in the context of Russian interference in the 2016 election.) Accordingly, some have called for amending FSIA to create a cyberattack exception—which would be akin to the current terrorism exception within FSIA—to legally remove the immunity of foreign states that facilitate cyberattacks against individuals or entities in the United States.

However, as the administration seeks to modernize computer crime statutes as part of its Cyber Strategy, it should review any requests to amend FSIA with caution. Given the scope and breadth of the U.S. government’s intelligence and offensive cyber activities abroad, any changes to the immunity of foreign states in our domestic courts could have significant consequences if such measures were reciprocated by foreign governments. As Jack Goldsmith recently provided,

[t]he U.S. intelligence services break into computers and computer networks abroad at an astounding rate, certainly on a greater scale than any other intelligence service in the world. Every one of these intrusions in another country violates that country’s criminal laws prohibiting unauthorized computer access and damage ...

If the administration amends FSIA to create a cyber-related exception to foreign immunity and other countries respond in kind, it would significantly increase the risk that members of U.S. law enforcement and intelligence agencies would be subject to CFAA-like violations in foreign countries and potentially embroil the United States in litigation all over the world.

Steven G. Stransky is a partner at Thompson Hine LLP and the co-chair of its Privacy and Cybersecurity practice group. He primarily assists clients in complying with data protection laws and regulations and with responding to ransomware attacks, business email compromises, and other cybersecurity incidents. He previously served as a deputy legal adviser to the president’s National Security Council and as an attorney (intelligence law) at the U.S. Department of Homeland Security.
