The Imperative for a Comprehensive National Data Protection Strategy in the United States
November 1, 2024
Introduction:
In a brief period, two branches of the U.S. government have unveiled ambitious initiatives aimed at safeguarding Americans’ personal data from hostile exploitation. While their approaches differ, both share a foundational commitment to national security. This alignment is noteworthy, particularly as Congress grapples with stalled comprehensive privacy legislation and the reauthorization of key surveillance authorities with enhanced privacy measures.
These initiatives transcend mere privacy protections—often likened to sector-specific federal laws or state privacy regulations like the EU’s GDPR. They are fundamentally rooted in national security concerns. As targeted efforts against specific threats, they have the potential to bolster the nation’s cyber defenses and complicate adversarial maneuvers while offering some privacy safeguards. However, their efficacy hinges on their integration into a cohesive, government-wide data protection strategy that effectively shields personal information from malicious use. Existing frameworks such as the National Security Strategy, National Intelligence Strategy, and National Cybersecurity Strategy underscore the pressing need for a comprehensive National Data Protection Strategy to address these emerging threats.
Recent Developments – An Overview:
On February 28, 2024, President Joe Biden signed Executive Order 14117, designed to protect Americans’ sensitive personal data and government-related information from exploitation by designated “countries of concern.” This order mandates the Department of Justice (DOJ) to develop corresponding regulations. Following this, the DOJ issued an advance notice of proposed rulemaking (ANPRM), a 23-page document, outlining key proposals and inviting public commentary and participation. The DOJ is contemplating measures to restrict or prohibit transactions involving defining this term to encompass various personal identifiers, precise geolocation data, biometric identifiers, genomic information, health records, and financial data. These regulations would apply when the volume of such data exceeds certain thresholds, except for data related to U.S. government personnel or locations.
The proposed regulations would target “ ,” defined as entities or individuals under the control of “ ,” a classification aligned with a . as per 31 CFR Section 560.210. Simultaneously, the Department of Commerce issued its own ANPRM concerning information and communications technology (ICT) in connected vehicles, seeking public input on strategies to mitigate the risk of foreign adversaries misusing these systems to collect sensitive personal data. On March 20, 2024, the House of Representatives unanimously passed a bill prohibiting “data brokers” from disclosing sensitive information about U.S. individuals to designated foreign adversaries.
Assessing the National Security Framework:
A decade ago, the breach of sensitive background investigation records at the Office of Personnel Management (OPM) sent shockwaves through government circles, revealing vulnerabilities that extended to cyber intrusions at Equifax, Marriott, and Anthem, all attributed to the People’s Republic of China (PRC). This year, a cybersecurity advisory disclosed that PRC-affiliated operatives, known as Volt Typhoon, are actively attempting to infiltrate IT networks, positioning themselves for potential disruptive cyberattacks on critical U.S. infrastructure during times of crisis. These incidents contribute to an increasingly perilous threat landscape, as highlighted by the U.S. Intelligence Community (IC). The ANPRM draws upon the , emphasizing that adversaries view data as a vital asset, seeking to acquire personally identifiable information and other data types to bolster their capabilities in espionage, influence operations, kinetic actions and cyberattacks, ultimately undermining the U.S. economy and strategic position.
The 2024 Annual Threat Assessment issued by the Director of National Intelligence (DNI) warns that “China continues to pose the foremost and enduring cyber threat” to U.S. networks. China’s cyber espionage activities, combined with its export of surveillance technologies, heighten the risk of aggressive cyber operations targeting critical infrastructure, particularly if a major conflict with the U.S. seems imminent.
Regarding other nations, Russia remains a persistent global cyber threat, employing cyber disruptions as a tool of foreign policy while attempting to undermine Western alliances. Iran is noted for its growing capacity for aggressive cyber operations, while North Korea continues its cyber activities, particularly in cryptocurrency theft. The assessment does not identify similar threats from Cuba or Venezuela, though President Biden extended a national emergency declaration concerning Venezuela on March 5, 2024. Previous assessments noted attempts by both Cuba and Venezuela to influence the 2020 U.S. elections.
Moreover, the IC warns of a broader trend in digital repression. The indicated that foreign governments are increasingly utilizing digital technologies to monitor and suppress political discourse domestically and among expatriate communities. According to the 2024 Annual Threat Assessment, digital technologies, particularly artificial intelligence (AI), have become central to the repressive strategies of various regimes. China is advancing AI for applications in surveillance, smart cities, and military technologies, while Russia is employing AI to generate deepfake content, potentially deceiving experts.
Exploring the Significance of Personal Data:
The ANPRM articulates that the unrestricted transfer of vast amounts of sensitive personal and government-related data to designated countries poses significant risks to U.S. national security and foreign policy. The following broad categories are noteworthy:
Malicious cyber activities facilitated by personal data enable hostile actors to breach systems for a spectrum of harmful objectives, including disrupting critical infrastructure, financial theft, and intellectual property misuse. While the Order and ANPRM do not cite specific instances, cybersecurity experts consistently caution about the tactics used by malicious actors, such as social engineering (like posing as a trusted individual) to acquire login credentials or prompt the installation of malware.
Identifying and focusing on individuals with access to sensitive systems or data is closely linked to the previous point. Information about government personnel, whether obtained directly or indirectly, could facilitate additional access to sensitive data. Furthermore, it could potentially disclose the locations of previously undisclosed sensitive facilities.
Smear , enhancing the creation of believable synthetic content and improving the precision in crafting and targeting messaging for malicious purposes and similar activities.
Access to personal data could assist governments in identifying dissidents and their supporters globally, facilitating digital repression tactics.
Advanced technology, particularly Artificial Intelligence, increases the demand for extensive data to enhance capabilities. This enables regimes to efficiently sift through large volumes of data, accelerating their ability to exploit information for malicious ends as described earlier.
Current Strategies in Safeguarding Personal Data from National Security Risks:
To combat emerging threats, the executive branch has employed legal mechanisms across three primary areas. One significant initiative is the Committee on Foreign Investment in the United States (CFIUS), which evaluates foreign investments for potential national security risks. The 2018 Foreign Investment Risk Review Modernization Act (FIRRMA) enhanced CFIUS’s authority to include assessments of risks related to personally identifiable information and other sensitive data.
FIRRMA mandates that CFIUS examine the implications of foreign access to such data, a focus further emphasized by President Biden’s Executive Order 14083, issued on September 15, 2022. This order directs CFIUS to consider whether transactions might transfer sensitive U.S. data to foreign entities that could threaten national security. However, CFIUS primarily scrutinizes investment transactions, leaving other avenues for foreign data access, such as data broker acquisitions, largely unaddressed.
Former President Trump’s Executive Order 13873 identified foreign adversaries exploiting vulnerabilities in information and communications technology (ICT). This order restricts specific ICT transactions with foreign adversaries due to perceived risks. The Department of Commerce has acted on this by issuing an ANPRM concerning connected vehicles and by defining “foreign adversaries,” which includes nations like China, Russia, and Iran.
Additionally, Executive Order 13913 formalized the interagency Committee for the Assessment of Foreign Participation in the Telecommunications Sector, known as Team Telecom, which aids the Federal Communications Commission (FCC) in evaluating foreign involvement in U.S. telecommunications. These initiatives suggest that their architects are acutely aware of both the capacities and limitations of existing frameworks, aiming to address gaps in national security regarding foreign access to sensitive data through commercial transactions. As stated in the DOJ’s fact sheet, current mechanisms, while useful for case-by-case evaluations, do not comprehensively mitigate risks posed by foreign entities.
A specialized team is overseeing the implementation of the new order within the DOJ’s Foreign Investment Review Section (FIRS), which encompasses CFIUS and Team Telecom. This structure facilitates coordinated enforcement in collaboration with other agencies like the Department of Commerce. The recent proliferation of regulations and executive actions indicates a heightened urgency to address these threats proactively, relying on existing authorities rather than waiting for new legislation. However, this reliance on executive power introduces its own complexities.
Executive Order 14117 – Addressing the Need, Assessing the Scope:
Drawing on Abraham Maslow’s analogy, “if the only tool you have is a hammer, it’s tempting to treat everything as a nail,” the Executive Branch must adeptly utilize its legal authorities and leverage the expertise of seasoned professionals to counter escalating threats effectively. Executive Order 14117 and its accompanying ANPRM demonstrate the depth of experience among officials, representing a natural extension of ongoing interagency efforts to address existing gaps. The comprehensive inquiries within the ANPRM reflect the government’s commitment to gathering public feedback before proceeding.
While Executive Order 14117 may appear significant, it can be seen as a strategic yet incremental advancement. Coupled with Commerce’s ANPRM on connected vehicles, it reveals a targeted approach focusing on specific high-risk transactions and technologies. The DOJ’s fact sheet emphasizes this targeted nature, which aligns with the government’s aim to mitigate economic impacts while preserving essential cross-border data flows. This focus prompts critical inquiries regarding future regulations:
Countries of Concern: The current static list fails to account for the varied risk profiles of these nations. A dynamic process for adjusting the designation of “countries of concern” would better reflect evolving threats.
Transaction Classification: Determining which transactions to prohibit, restrict, or exempt requires nuanced judgments across numerous factors. Identifying “data brokers” and assessing their respective national security risks remains complex. While the ANPRM employs a thoughtful approach, the long-term viability of these classifications is uncertain. Defining “sensitive” data and establishing thresholds for bulk treatment presents ongoing challenges, especially as AI technologies enable new insights from seemingly innocuous data.
Connected Vehicles: The ANPRM highlights the risks posed by foreign adversaries utilizing technology to collect personal data from various consumer goods. As Intelligence Community leaders caution, the proliferation of Internet-connected devices creates new opportunities for adversaries, amplifying the potential impact of their access to our digital systems. The question arises: what new consumer devices might emerge next?
A Framework for National Data Protection Strategy:
Addressing these inquiries poses a formidable task for current interagency mechanisms, even with enhanced staffing. Confronting such a significant challenge requires a strategic approach. What is the fundamental character of the threat? Which existing legal frameworks can be leveraged in response? What new legislative mandates are necessary? How can the full spectrum of national capabilities be effectively employed? Which governmental bodies are essential participants in this endeavor?
Crucially, formulating a national strategy necessitates meticulous evaluation of the comprehensive efficacy of proposed measures, considering the perpetual evolution of technologies and the dynamic nature of threat landscapes. Indeed, sustainable responses require a holistic approach that acknowledges the intrinsic value of personal data and comprehends the diverse ways it can be exploited, manipulated, and abused by various entities.
The risk to personal data extends beyond “covered persons” under the influence of “countries of concern”; criminals and other malicious entities also actively pursue personal data for nefarious ends. Components of such a strategy would encompass comprehensive engagement with the public and Congress, extending beyond singular proposed regulations to address broader inquiries into optimal methodologies for safeguarding personal data from national security threats. Additionally, collaboration with international partners and allies would be integral, ensuring coordinated actions among democratic nations to enable secure data flows to trusted entities, while implementing equivalent measures to shield data from exploitation by untrusted parties.
This strategy underscores the necessity for comprehensive federal privacy legislation that establishes uniform and fundamental privacy protections nationwide, thereby guiding companies in their practices. By ensuring transparent and legally defined access to commercially accessible personal data by the U.S. government, the United States could assert leadership and differentiate itself from adversaries in safeguarding privacy and civil liberties. In essence, a national strategy would enhance the United States’ ability to fulfill the commitment of Executive Order 14117: safeguarding personal data as a critical national security imperative.
Suggested Citation: Muhammad Siddique Ali Pirzada, The Imperative for a Comprehensive National Data Protection Strategy in the United States, Cornell J.L. & Pub. Pol’y, The Issue Spotter, (Nov. 1, 2024), https://jlpp.org/the-imperative-for-a-comprehensive-national-data-protection-strategy-in-the-united-states.