OODA Loop – U.S. Gets Praise for Cybersecurity Posture Improvement but Where’s Data Privacy?
A recent report on the Cybersecurity Posture of the United States examined U.S. efforts to improve its overall cybersecurity, assessing its progress in aligning to the goals set by the 2023 National Cybersecurity Strategy. The report is not short on praise, much of it warranted, highlighting the fact that 33 out of 36 initiatives were completed on time, a commendable feat to be sure. Trends driving implementation included risks to critical infrastructure, a prolific ransomware ecosystem, supply chain concerns, the commercial spyware market, and the potential threat posed by irresponsible use of artificial intelligence. With nearly all of the initiatives being met, the government appears well situated to begin tackling phase two of its implementation plan. This comes on the heels of an April 2024 Government Accountability Office’s (GAO) reporton Executive Order (EO) 14028 Improving the Nation’s Cybersecurity in which the Administration identified 55 leadership and oversight requirements that needed to be met or exceed outlined standards to bolster federal cybersecurity. The GAO gave a favorable review of these efforts as well. It seems that the United States is headed in the right direction and making substantial strides in key areas, although how these metrics will translate into improved security against cyber attacks remains to be seen.
Notably, in the Cybersecurity Posture report, managing risks to data security and privacy was among the 12 core activities taken by the government, with an emphasis protecting cross-border commerce and advocating the development of privacy-enhancing technologies. The report was light in this regard touting initiatives that have been implemented during Biden’s tenure such as E.O. 14117 on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern; EO 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence; and the EU-U.S. Data Privacy Framework. However, while laudable, these appear more as band aids than a viable solution when it comes to securing citizens’ data privacy. It’s a shortcoming that even the report tacitly acknowledges by stating up front that these initiatives were done “in the absence of a national data privacy law.”
Failure to produce one has been an Achilles heel for Administrations ever since data breaches became colossal events that exposed the personally identifiable information of Americans who rely on it for their medical and financial well beings. Even the Trump Administration’s iniative to protect citizens’ and companies’ sensitive information from intrusion collection activities from hostile cyber threat actors sidestepped how organizations should protect privacy data. The Clean Network program represented the effort of coalescing partnerships among trusted partners, and focused on four key pillars to mitigate the threat from states like China exploiting technology for its gain: clean carrier (ensuring untrusted foreign carriers were not connected to U.S. telecommunications networks); clean store (removing untrusted apps from U.S. mobile app stores); clean apps (preventing untrusted smartphone manufacturers from preinstalling apps); clean cloud (preventing sensitive public and private information from being stored and processed in cloud environments accessible to hostile state actors); clean cable (ensuring the integrity of undersea cables); and clean path (preventing untrusted vendors’ access into government 5G networks).
Despite having global support (at its peak, the Clean Network boasted the support of 27 of the (then) 30 NATO allies, 26 of the 27 European Union members; 31 of the 37 Organization for Economic Cooperation and Development nations; and 11 of the 12 Three Seas nations), the program still looked at countering threats to sensitive information rather than policies to address organizational responsibility to protecting it. Potential corruption and abuse of that data at the hands of nefarious actors has an immediate consequence that is difficult to overcome, and a conciliary offering of a year’s free credit monitoring by organizations failing to protect that information is not a consolation as much as an insult.
Part of this problem may be the emphasis on data transfers rather than focusing on the stewards of that information on either side of the endpoints. Even when referencing managing risks to data security, the Cybersecurity Posture report highlights the importance of “enabling safe, data-rich cross-border commerce and promoting the development of privacy-enhancing technologies.” EO 14117 focuses on states consuming bulk information and the data brokers that sell the information. With respect to data transfer, the Atlantic Council pointed out in an Issue Brief by the Atlantic Council, the United States has historically triumphed national security concerns over data protection requirements, largely considering the surveillance of “foreigners personal data in the course of commercial transfers was regarded as an entirely separate matter.” This can be expected to be the norm as recently the United States renewed a section of the U.S. surveillance framework, which granted a two-year extension to collect data without warrants from non-U.S. citizens across the world.
Indeed, the transfer of data is a critical component of data privacy, especially with respect to international trade, commerce, and even non-financial transactions such as healthcare-related information that traverse the Internet. However, it has unfortunately taken priority over what happens to that data when it has been received, and what security considerations are given to its handling, processing, storing, and protecting. According to a site specializing in providing news and analysis for people “making government work,” nearly all of the compromises occurring in 2023 that impacted 349 million victims were from data breaches – incidents where unauthorized individuals stole sensitive information from where it was stored. The italicized part of that sentence is important because the more extensive and expansive breaches have occurred when data was at rest, not in transit, suggesting that the focus of the U.S. government may be misplaced with respect to addressing the problem of data privacy.
In the absence of a national data privacy law, states like New Hampshire have been trying to fill the void. But as witnessed by a recent Vermont attempt of implementing one of the strongest state-focused data privacy bills, such efforts are often met by Big Tech opposition. Nevertheless, even if all fifty states draft and enact their own respective data privacy laws, this will be no better than a patchwork quilt of laws resembling one another but made up of different material and sizes. Again, this becomes no better than a band aid used to treat a wound that requires more thorough doctoring.
The United States is making significant progress with respect to cybersecurity, but much of that is federally focused. Public and private partnership is seen as a cornerstone to enhancing public sector organizations. If this is true, what needs to be done is to get sectors on board with establishing mandatory cybersecurity baselines for their respective industries, implementing best practices guidance from agencies like NIST to their unique environments with standardized but scalable guidelines. And at the crux of this effort needs to be data privacy. Otherwise, we will continue to apply band aid security solutions for situations that require so much more.