  • Cybersecurity
    All I Want for Christmas Are Amendments to the Cybersecurity Act
    Christmas comes but once a year and, for the last two years, Congress has delivered a bag of goodies in cybersecurity legislation. While most corporate counsels are still trying to figure out what the Cybersecurity Act of 2015 (CSA) does for them, I’ll take a cue from my five-year-old and start composing my wish list for next year now. To be clear, there are a lot of things I like about the CSA. Even with the last-minute changes, the drafters avoided a parade of horribles. The law explicitly excludes violations of terms of service agreements from the definition of a cybersecurity threat (win). It defines a defensive measure to exclude anything that should rightly be labeled offensive (win). It has provisions that require the minimization of personal data (win). And it maintains the traditional division between civilian and military roles (huge win). Still, there is room for improvement even at this early stage and the drafters seem to know it. The law requires the executive branch to provide no fewer than twenty-four reports to Congress on various aspects of the act (with unclassified versions to be made public). It even goes so far as to require a report to Congress that requests the administration’s views on whether further changes to the law are necessary. So, in that spirit, here are five things Congress should contemplate over the coming year: Antitrust may have gone too far (or not far enough): There can be no more whining about antitrust as a barrier to information sharing. Even before the bill, the Department of Justice had gone out of its way to make clear that antitrust wasn’t a concern. CSA makes clear that two or more parties can exchange cyber threat information without violating antitrust law. Unless, of course, you are doing it for anticompetitive purposes (see Sec. 108(e)). That’s fine for companies in most sectors that don’t compete on cybersecurity but problematic for the cybersecurity industry.
Can Symantec and McAfee engage in two-way sharing and exclude smaller players? Better to sanction more formal constructs with rules for participation as a group of companies have done with the Cyber Threat Alliance. Are Internet Service Providers (ISPs) “information systems”? As I have written before, the act provides legal clarity on what owners and operators of information systems can do for cybersecurity purposes. The trouble remains that it’s not clear if an ISP’s network qualifies as an information system or a telecommunications system. If ISPs decide the act covers them, then they can screen all traffic for cyber threats without consent. Lawsuits await. Better for Congress to clarify what they mean. Let the Department of Defense (DOD) establish information sharing programs with defense companies: CSA rightly makes the Department of Homeland Security the main portal for information sharing with the private sector. It also gives the president the authority to establish information sharing portals at Commerce, Energy, Justice, and Treasury. It may make sense under a sector-specific model to broaden this list to other departments that have specific sector expertise, like Health and Human Services and Transportation. The act explicitly excludes the Department of Defense, foot-stomping the point by parenthetically excluding the National Security Agency (two points for clarity). While the desire to keep NSA out of domestic information sharing is laudable, excluding all of DOD is unwise. The Defense Cyber Crime Center runs the best information sharing program out there for defense companies. While it’s grandfathered in, DOD should be able to expand this program with the full protection of the new law. Classified sharing requires a classified network: CSA calls for the timely sharing of “classified threat indicators” with the private sector. In cyberspace, timely does not mean quarterly in-person briefings in a government facility.
Congress needs to authorize and fund development of a classified network for sharing cyber indicators with private companies. Read more on that here. It may undermine sharing: For many years, bad lawyers would tell their clients that engaging in information sharing could create liability for them if they received information but failed to act on it. They recommended an ostrich-like strategy. Most CISOs ignored that advice and participated in information sharing anyway. Over time, as more organizations shared information amongst themselves, it began to create a standard of care where organizations that received cyber threat information acted upon it. It’s in the NIST Cybersecurity Framework and NIST has a draft special publication on it. CSA undoes all of that by making explicit that sharing threat information does not create a duty to warn or duty to act. That’s crazy. If we expect information sharing to help our cybersecurity woes, the least we can do is not absolve negligent organizations that didn’t act on the information they received.
  • China
    China’s Strategic Support Force: The New Home of the PLA’s Cyber Operations?
    Lincoln Davidson is a research associate for Asia Studies at the Council on Foreign Relations. China’s military reforms, which have sped up since Xi Jinping came to power in 2012, are making steady progress and the latest change in the People’s Liberation Army (PLA) was a big one. On December 31, 2015, the Central Military Commission formally overhauled the organizational structure of the PLA, establishing three new organizations: the Army Leading Organ, the Rocket Force, and the Strategic Support Force. The big takeaway: the Third Department of the PLA, the home of China’s cyber operations and commonly known as 3PLA, may be moving to a different command. The Army Leading Organ appears to be a centralized command hub, aiming to coordinate joint operations between different PLA branches, which has long been a goal of China’s military reforms. The Rocket Force, which has been covered extensively elsewhere, is an upgraded version of the PLA’s strategic nuclear missile force, the 2nd Artillery Corps, and seems to be an official recognition of the branch-level role the corps has long played. The new Strategic Support Force (SSF), on the other hand, has gotten scant attention in the foreign press, and is arguably the most interesting development in this round of reforms. In his speech at the founding ceremony, Xi said that “the Strategic Support Force is a new-type combat force to maintain national security and an important growth point of the PLA’s combat capabilities.” Many news outlets have reported that the SSF is focused on cyber operations, but Chinese press reports suggest that the new force has a wider range of responsibilities. A report by an official news outlet compared the SSF to the armed forces of the U.S., Russia, and “other developed countries,” saying that its organization is more advanced, because it involves operations that do not fit well into any existing military force, but touch on all of them. 
Another report emphasized that it’s “even ahead of the United States conceptually,” which still separates support functions among all the branches of the military so that “they are constantly fighting with each other for resources.” The SSF won’t be on the front lines of combat, but rather provide “information support and safeguards.” However, unlike other support forces such as logistics, it “can use its own power to damage the enemy.” According to the same report, the SSF’s responsibilities will include the “five domains” of intelligence, technical reconnaissance, electronic warfare, cyber offense and defense, and psychological warfare. According to SSF Commander Gao Jin, a lieutenant general with an engineering background and three decades of service in the 2nd Artillery Corps, the SSF aims to help integrate all the other PLA branches and “raise up the ‘information umbrella’ for the whole PLA system.” It will work to integrate “planning, mechanisms, resources, programs, operations, and human resources,” run strategic research projects, and be the “cloud think tank” for the PLA. Chinese reports state that the SSF was created partially as a response to “space combat forces” of other nations, suggesting that this may also be part of its operations. That’s about the extent of what we know right now about the SSF from publicly available Chinese-language sources. However, there is some speculation about the more concrete details of the SSF. A Zhejiang Evening News article reposted by the Global Times quotes retired 2nd Artillery Corps officer Song Zhongping as saying that the SSF is not a unified branch, but three independent branches. The first is the “cyber force,” which is made of “hacker troops” responsible for cyber offense and defense. The second is the “space force,” responsible for surveillance and satellites. The final is the “electronic force,” responsible for interfering with and misleading enemy radar and communications.
According to a Russian military expert, the SSF oversees the former PLA General Staff Headquarters Third and Fourth Departments, which were responsible for technical reconnaissance, cyber intelligence, electronic warfare, and offensive cyber operations, as well as the Foreign Affairs Bureau of the former PLA General Political Department, which oversees propaganda efforts targeting adversary military forces and populations. It will be responsible for “military intelligence at large and for the psychological operations in particular,” which suggests that it may also include the former Second Department which was responsible for military human intelligence. The SSF may also be given command of special operations units. It remains to be seen how rapidly this reorganization will be conducted, exactly what roles formerly held by other PLA units will be placed under the SSF, and how exactly the SSF will work with the other PLA branches. The impact of this reorganization on China’s military cyber operations—for espionage, offense, and defense—also remains to be seen. A recent essay on Chinese cyber strategy published by the Chinese Communist Party’s official newspaper, People’s Daily, emphasized the importance of centralized command for cyber operations to reduce the risk of escalation. Hopefully, the creation of the SSF is a move in that direction.
  • Cybersecurity
    Cybersecurity in the State of the Union (2016 Edition)
    President Barack Obama will be giving his annual state of the union address later tonight. While the president isn’t expected to announce any groundbreaking cyber or digital policy initiatives, cyber issues have featured prominently in past speeches. Last year, I put together a chart outlining how many times the word "cyber" had appeared in his speech and any action that was taken. Here’s the updated edition to take into account what the president said in 2015 and what Congress has done since.
  • Cybersecurity
    The Top Five Cyber Policy Developments of 2015: United States-China Cyber Agreement
    Over the next few days, Net Politics will count down the top five developments in cyber policy of 2015. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. In this post, the United States-China Cyber Agreement. For much of 2015, cyber espionage was an especially contentious issue in the U.S.-China relationship as Washington pushed for a norm against cyberattacks on private companies designed to steal intellectual property, trade secrets, or business strategies. Assistant Secretary of State for East Asian and Pacific Affairs Daniel Russel warned that cyberspace had the “potential to drive strategic mistrust in the relationship,” and Beijing called U.S. hacking charges "irresponsible and unscientific." Claims that China-based hackers were behind the attacks on the Office of Personnel Management (OPM) and the theft of the data of 22 million individuals further exacerbated tensions, even though the administration was careful to distinguish between legitimate political and military espionage, which the OPM hack would seem to be, and cyber industrial espionage (leading to a weird sort of professional admiration, with Director of National Intelligence James Clapper speaking on China and the OPM hack saying he "kind of salutes them for what they did"). In the weeks before President Xi Jinping’s visit to Washington, press leaks suggested that the White House was considering sanctioning Chinese individuals or entities that benefit from cyber theft. The threat seemed to have worked. In September 2015, at a joint press conference in the Rose Garden, President Obama announced that the United States and China had agreed that neither government "will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage."
Washington and Beijing would also provide timely responses to requests for assistance in cybercrime investigations; cooperate in conducting investigations and collecting evidence; identify and endorse norms of behavior in cyberspace; and establish two high level working groups and a hotline between the two sides. Was the agreement a real breakthrough, or just a tactical maneuver by China, an effort to prevent Washington from levying sanctions and disrupting a summit that was important politically for President Xi? There was positive follow-up in the first round of cyber talks between the Department of Homeland Security and Chinese Ministry of Public Security in December 2015. The two sides agreed on guidelines for requesting assistance on cybercrime or other malicious cyber activities, as well as to conduct "tabletop exercises" in spring 2016 and to define procedures for use of the hotline. The Washington Post also reported that China arrested some hackers before the summit, but the arrests were not publicized in China and the United States government has not confirmed them. Security experts outside of China with connections to Chinese hackers have suggested that those arrested supplied malware to the PLA, but are not PLA operators. In addition, after years of promoting the norm against cyber industrial espionage, the U.S. announcement was followed by a similar agreement between the UK and China, and a report that Berlin would sign a "no cyber theft" deal with Beijing in 2016. In November 2015, China, Brazil, Russia, the United States, and other members of the G20 accepted the norm against conducting or supporting the cyber-enabled theft of intellectual property. This diplomatic effort is important progress, but early reports on whether these statements have had any effect on the scope and scale of cyberattacks on U.S. companies have been mixed at best. Just three weeks after the agreement, cybersecurity companies reported new attacks on pharmaceutical companies.
Unnamed officials told the Washington Post that the May 2014 indictment of five PLA hackers has had the effect of shifting much of the activity to the Ministry of State Security, but National Counterintelligence Executive Bill Evanina has said there is "no indication" from the U.S. private sector "that anything has changed." If during the first few months of 2016 there is no noticeable decline in the hacking, or if there is a major attack against a private firm, then pressure will rise on the Obama administration to levy sanctions on China. Even if it is a quiet year in terms of breaches, and that is a big if, China and the United States remain divided over Internet governance and policies designed to secure supply chains and information and communication technology equipment. U.S. technology companies will continue to find themselves squeezed by Chinese efforts to make the technology used in critical infrastructure "secure and controllable." Cyberspace will continue to be an area of conflict and competition.    
  • China
    Cyber Week in Review: December 18, 2015
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed. Given the upcoming holiday season, please note that this will be the last week-in-review post of the year. 1. The European Union agrees to a revamped data protection law. After nearly four years of negotiation, the European Parliament, the European Commission, and EU member states have agreed to a data protection legislative package. The package will provide EU residents with a right to know when their personal information held by a third party, such as a social network or data broker, has been compromised, a right to require the deletion of information collected about them, and a right to easily transfer data from one provider to another. Companies will be required to be more explicit in how they use customer data and seek customer consent every time the company wishes to use the data in a manner the customer has not explicitly authorized. Firms that run afoul of the new rules are liable to a fine of up to four percent of their global revenue. According to Ars Technica, if ever Google were found to have violated the law, it could face fines of about $2.5 billion. On the bright side, firms that collect personal data now only have to answer to one European-level regulator, not data protection authorities in each of the twenty-eight member states. Once the European Parliament provides final approval of the legislation in early 2016, EU member states will have two years to incorporate the changes into domestic law. 2. The UN General Assembly adopts WSIS+10 resolution. The review of the World Summit on Information Society (WSIS) goals concluded this week in New York, with UN member states adopting a resolution noting progress in improving access to information and telecommunications technologies (ICTs) but highlighting that more needs to be done. Launched in 2003 and 2005, the WSIS aims to bridge the digital divide and improve access to ICTs.
(For a backgrounder on the WSIS, check out this Council on Foreign Relations interactive). As expected, cybersecurity, human rights and Internet governance were the main sticking points. Human rights groups, the United States and its allies were pleased that the resolution has strong references to the multistakeholder Internet governance model and reiterates that the same rights that people have offline apply online. According to the New York Times, China tried but failed to include language "that would have made authority for Internet-related public policy issues ’the sovereign right of states’" despite the fact that world leaders had agreed to identical language in 2005. However, China got a win when it obtained recognition that governments have the lead role "in cybersecurity matters relating to national security." Net Politics will have more analysis on the WSIS outcome next week. Stay tuned. 3. China hosts second World Internet Conference. The Chinese government held a conference promoting their view of the Internet this week in Wuzhen, China. The conference drew an even bigger crowd (and more foreign delegates) than last year, which China will likely use as evidence of the conference’s success. Chinese President Xi Jinping used parts of his remarks to rebut the cyber norms promoted by the West and foreign delegates got swanky Xiaomi phones pre-loaded with credentials to bypass the Great Firewall. Last year, China tried to get conference attendees to sign onto a last-minute joint declaration that endorsed China’s views of "cyber sovereignty." So far, it seems like the organizers have learned their lesson as there haven’t been any last-minute shenanigans this year. You can find my take on Xi’s speech here. 4. The Cybersecurity Information Sharing Act (CISA) sneaks its way into an omnibus bill. CISA, the subject of much hand-wringing over the past year despite being mostly a red herring, made its way into a must-pass budget bill that keeps the U.S.
government running. Paul Rosenzweig at Lawfare has the essential details. In a nutshell, the Department of Homeland Security (DHS) becomes the hub for information sharing, meaning that companies looking to share cyber threat information with the U.S. government will have to go through them, not the NSA or the FBI. Information DHS receives could only be shared within government for cybersecurity purposes or preventing a specific threat of "death or serious bodily injury" or "serious economic harm." That last provision has some advocacy groups and some legislators up in arms. They would have preferred only allowing DHS to share information for cybersecurity purposes and requiring the private sector to implement more stringent requirements to strip out personally identifiable data from information being shared with government. 5. Facebook, Google and Twitter agree to a mechanism to remove hate speech in Germany. As a result of the deal, the U.S. companies will remove hate speech from their websites within twenty-four hours of being flagged, using the hate speech standard established by German law, not the companies’ terms of service. German authorities believe the deal will help stem the tide of hateful and xenophobic speech directed at the over 1 million refugees that have settled in Germany this year. The deal with German authorities comes at a time when some U.S. legislators want to create legal requirements for social media companies to report terrorist activities to the FBI.
  • Cybersecurity
    Cybersplaining: What CISA Might or Might Not Mean for Internet Service Providers
    Here’s a fun party game. The next time you are at a cybersecurity industry event—an evening event with an open bar—find one of the many lawyers in the room and ask them whether the Cybersecurity Information Sharing Act (CISA) would apply to internet service providers (ISPs). Every time one of them answers with “it depends,” take a shot. If the lawyers are any good, you’ll be hammered by the time you call for your Uber ride home. Here’s why. As I wrote about in my last post, for most companies, the problems that CISA is trying to solve don’t exist. Companies share tons of cybersecurity information with each other every day. They also use defensive measures that inspect their Internet traffic for malicious activity and block it. All in a day’s work for your average IT administrator. No one ever gets sued and no laws are being broken. But for ISPs, it’s not so simple. Under the Electronic Communications Privacy Act (ECPA), an ISP like AT&T, Verizon, or Comcast is a bit different than say, the Ford Motor Company. While Ford can look at all the traffic crossing its network, AT&T can’t. AT&T is a big dumb pipe that passes on packets no matter what is in them, be it malware, child pornography, or stolen copies of The Interview. The only traffic monitoring AT&T can legally do is what it can justify as necessary to keep those packets zipping along (the so-called “owner operator exception”) or if one of its customers has contracted with it to provide security services, thereby providing consent to be monitored. CISA, in one view, would allow ISPs to monitor all traffic for cybersecurity threats, operate defensive measures to stop those threats, and share information about these threats with the federal government. That, to Senator Wyden, and others looks a lot like mass Internet surveillance under the guise of a voluntary information sharing bill. 
Although CISA contains language in a series of notwithstanding clauses that would seemingly override ECPA, definitional problems create some doubt. The monitoring and defensive measures authorized by CISA can only take place on “information systems.” CISA defines information systems as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” It’s basically the same definition used in U.S. law governing federal information systems. So, does the Internet backbone qualify as an information system under CISA? Is it a discrete set of resources? The words alone are confusing enough. Now place them in context. Many lawyers, though not all, will conclude that the definition pertains to Ford’s computer network but not AT&T’s Internet backbone. Some lawyers, though not all, will draw a distinction between information systems and “telecommunications systems.” To make things clear as mud, CISA’s drafters explicitly included one other type of information system in the definition—industrial control systems (ICS). Some lawyers, though not all, will view the fact that the drafters included the ICS definition as evidence that the existing definition was not all inclusive. If ICS need to be explicitly included, so would ISPs. If the bill goes forward with these definitions, whether CISA applies to ISPs will depend on where their lawyers come down on these definitions, how risk averse their CEOs are, and, ultimately, whether a judge agrees with the ISPs’ lawyers. With the bill headed to a conference with the House, a simple request to conferees: insert a clause in the definition that explicitly includes or excludes ISPs. It will save years of court battles and the livers of anyone who tries out this drinking game.
  • Military Operations
    Red Team
    Red teaming is a practice as old as the role of the Devil’s Advocate, the eleventh-century Vatican official charged with discrediting candidates for sainthood. Today, red teams—composed primarily of fearless skeptics and those assuming the role of saboteurs who seek to better understand the interests, intentions, and capabilities of institutions or potential competitors—are used widely in both the public and private sectors. Red teaming, including simulations, vulnerability probes, and alternative analyses, helps institutions in competitive environments identify weaknesses, challenge assumptions, and anticipate potential threats ahead of the next special operations raid, malicious cyberattack, or corporate merger. But not all red teams are created equal; indeed, some cause more damage than they prevent. In Red Team, CFR Senior Fellow Micah Zenko provides an in-depth investigation into the work of red teams, revealing the best practices, most common pitfalls, and most effective applications of these modern-day devil's advocates. The best practices of red teaming can be applied to the Central Intelligence Agency, New York Police Department, or a pharmaceutical company, and executed correctly they can yield impressive results: red teams give businesses an edge over their competition, poke holes in vital intelligence estimates, and troubleshoot dangerous military missions long before boots are on the ground. But red teams are only as good as leaders allow them to be, and Zenko shows not only how to create and empower red teams, but also what to do with the information they produce. Essential reading for business leaders and policymakers alike, Red Team will revolutionize the way organizations think about, exploit, compensate for, and correct their institutional strengths and weaknesses.
Drawing on little-known case studies and unprecedented access to elite red teamers in the United States and abroad, Zenko shows how any group—from military units to friendly hackers—can win by thinking like the enemy. A Council on Foreign Relations Book.
  • Cybersecurity
    The Cybersecurity Information Sharing Act: A Bill Looking for a Problem to Solve
    It was a brilliant political maneuver. In the spring of 2011, the Obama Administration put out an ambitious legislative proposal on cybersecurity. Among other initiatives, it called for granting the Department of Homeland Security the authority to regulate cybersecurity for critical infrastructure providers. The Chamber of Commerce made it its mission to kill the bill. They used a simple argument: government doesn’t need to regulate; it needs to make it possible for companies to share information with each other. The argument worked. The idea of regulating our way out of cybersecurity died a slow and painful death. When the Obama Administration put out a second legislative proposal in the winter of 2015, there was nary a mention of regulation. Yet the “information sharing problem” was never anything more than a digital age red herring. The reality is that companies share cybersecurity information all the time. Literally, millions of indicators every day. Fears that the Justice Department will bring up charges of antitrust violation have proven unfounded for over a decade. ISACs have been sharing information among their members since 1998. More recently, Symantec and Intel Security (formerly McAfee) are two of four founding members of the Cyber Threat Alliance. The core requirement to join is to share 1,000 unique malware samples a day. If these two rivals in the same industry can share cybersecurity information with each other legally and in full view of the public, who can’t? If the long precedent of cyber information sharing was not enough to convince wary general counsels that antitrust was not a concern, the Department of Justice and the Federal Trade Commission have gone out of their way to make that point clear.
In a statement of policy issued in 2014, the chief enforcers of antitrust law made clear that not only was sharing cybersecurity information not a concern, “information exchanges could be procompetitive in effect.” Any general counsel who still has concerns can ask the Department of Justice for a business review letter. Thus far, only one company, TruStar Security, has done that. You can read the letter here. Want to share information with the federal government but worried it could be subject to the Freedom of Information Act (FOIA) or shared with regulators? You don’t need the Cybersecurity Information Sharing Act (CISA) to pass. The Department of Homeland Security already operates the Protected Critical Infrastructure Information sharing program—PCII for short. Information shared through it cannot be disclosed under FOIA, state and local sunshine laws, through civil litigation or to regulators. Cybersecurity information is categorically considered PCII. Many companies already share cybersecurity information with the federal government through this program. So what, then, if anything, would CISA do? For most companies, the answer is nothing. Information sharing will continue. If any companies thought monitoring their Internet traffic for security threats was a problem not solved by end user agreements and security banners, Congress has you covered (if this was actually a problem, we wouldn’t have companies like FireEye today). The privacy and civil liberties communities believe the intention of the bill is not to allow the private sector to share more information but to be able to collect more information. As Senator Ron Wyden put it, “it’s a surveillance bill by another name.” I used to agree with Senator Wyden. But that was before the Snowden revelations made cozy relationships with the U.S. government bad for business. Before Snowden, a system where private companies could voluntarily share information with, oh say the NSA, would have been a problem.
Now, the U.S. government is lucky to get information out of companies with a court order. The list of companies that on a voluntary basis actually want to share information with the Federal government, let alone the intelligence community, is pretty short. If CISA passes, it probably won’t do much harm. It also won’t do much to increase cybersecurity information sharing. But it will have one tremendously positive effect: finally, we will be able to shut up about information sharing and figure out what legislation might actually do something to improve cybersecurity in this country.
  • Development
    WSIS Beyond 2015: A Peek at the Preparations for the UN High Level Meeting
    Samantha Dickinson is an Internet governance consultant and writer. You can follow her on Twitter at @sgdickinson and via her blog, Lingua Synaptica.

    The eagerly anticipated draft outcome document for the UN General Assembly’s December High Level Meeting on the review of the World Summit on the Information Society (WSIS) appeared fashionably late last week. At the two major summits in 2003 and 2005, which together were known as “WSIS”, UN Member States agreed to a number of activities aimed at bringing the benefits of information and communications technologies (ICTs) to everyone in the world, and in particular to those in the developing world. This latest document, called the “zero draft”, will form the basis of negotiations in New York next week when Member States continue to debate the next steps in achieving the WSIS goals.

    The draft arrived a little too fashionably late as states, with the input of other stakeholders (the private sector, civil society, the technical community and academia), race to find common ground before December’s meeting. There are significant divergences of opinion on WSIS issues—security, Internet governance, human rights, and policies that improve Internet access are just a few—and they have largely existed in the same form since the original WSIS discussions of a decade ago. Moreover, Member States have only in the last few weeks turned their attention to the WSIS process, given that much of their time was consumed with the much larger Sustainable Development Goals (SDG) process. Many Member States didn’t feel able to form full positions on WSIS until they knew what the SDGs would finally be. The convergence of all these factors means that the development of an outcome document for the December High Level Meeting has been, and will continue to be, challenging. The two co-facilitators of the preparatory process have tried their hardest in the zero draft to set forth language that States may perhaps be able to accept. However, there is very little likelihood of reaching any agreement on significant changes to the current WSIS priorities or agreement on any new ones. This, of course, won’t stop participants in the preparatory process from making their case. Developing countries will push for a larger role for multilateral institutions to manage the Internet and many in the West will push back. Russia will advocate for a recognition of the concept of “national Internet segments” and civil society groups will parry, arguing that it risks fragmenting the Internet and undermining access to ICTs.

    As December gets closer, negotiators are likely to focus on the following sticking points:

      - Enhanced cooperation in Internet governance. In 2005, Member States agreed that “enhanced cooperation” was necessary “to enable governments … to carry out their roles and responsibilities in international public policy issues pertaining to the Internet.” It’s a vaguely worded compromise, the meaning of which is still debated today. Does enhanced cooperation mean a government-only platform to address Internet policy issues? Would the platform be open to non-government representatives to participate in or to observe? Or does it mean better cooperation between all stakeholders engaged in Internet governance processes?
      - Whether to hold another summit or high level event aimed at developing specific and concrete outcomes. Many participants wanted more specific and significant outcomes and updates to the direction of WSIS for the December meeting, but it’s clear that’s not going to be possible. Hence, there is debate about holding another summit, possibly in 2020, which would be a far more costly exercise than this current process for everyone involved. But for many, the costs would be justifiable if the next summit can achieve the significant changes that are not likely to be agreed in December.
      - Cybersecurity and human rights. These are separate issues in the zero draft, but are closely related to each other, particularly in the wake of Edward Snowden’s disclosures, where a number of States are invoking human rights to argue against other governments accessing information about their citizens’ communications.
      - Funding mechanisms for achieving the WSIS goals. As always, it comes down to debates about who should pay for it all.

    In the end, the final outcome document is more likely to note the existence of diverse views instead of reconciling them. As the process moves forward, the views and actions that don’t have strong support will begin to disappear from the draft, leaving only what states can agree on. That middle ground is likely to be based on the existing WSIS framework agreed between 2003 and 2005, with some additional amendments based on other related texts agreed since that time. Unless there’s a major change to the way Member States are approaching this review of WSIS, don’t expect agreement on concrete solutions to any of the topics above any time soon.
  • Human Rights
    The Proposed Snowden Treaty: More of the Same Rather than Really Radical
    When I first saw “the Snowden treaty” in a tweet, I thought it was from The Onion. Wrong, and inexcusable for a guy who published The Snowden Reader. In September, Snowden and his supporters announced they are working on a new treaty to address problems his disclosures and experiences as a whistleblower exposed. Far from satire, the proposal is serious, and the proposers earnest. However, taking this effort seriously proves disappointing because what is proposed seems insufficiently radical for the problems advocates of a Snowden treaty identify. The proposal’s formal title is “International Treaty on the Right to Privacy, Protection against Mass Surveillance, and Protection of Whistleblowers.” The idea came from David Miranda, the partner of Glenn Greenwald, the journalist who helped Snowden. Previously, the UN Special Rapporteur for the Right to Privacy, Joseph Cannataci, identified a potential need for a “Geneva Convention-style” agreement in the wake of Snowden’s revelations. Miranda is working with privacy advocates and lawyers to produce a treaty text Miranda promises will be “a bulletproof document.” The text has not been released yet, but it has been shared with Snowden, “a handful of sympathetic governments,” and Pope Francis. According to a summary, the treaty will reaffirm privacy as a fundamental right, outlaw mass surveillance, and protect whistleblowers. To achieve these goals, the treaty will contain obligations (e.g., no mass surveillance) and mechanisms (e.g., oversight) to monitor and improve compliance. Advocates claim the treaty responds to “real demand” from “the global public,” but they acknowledge adoption will be hard, with many people dismissing it as wildly idealistic. Yes, it is unlikely a U.S. president would negotiate and the Senate consent to a Snowden Treaty. But glib punditry won’t faze the effort. More telling are problems with the proposal on its own terms. 
Snowden argued that the mass surveillance he disclosed violated international law on privacy in the Universal Declaration of Human Rights and human rights treaties. Similar assertions appear concerning the Snowden treaty. So, if existing treaties and other international documents already recognize privacy is a fundamental right and outlaw mass surveillance, why the need for a new treaty that does the same thing? The existing treaties don’t work? So, the answer is to choose the same strategy, a treaty, to protect the same right? How would a Snowden treaty fare any better? Why would states, which—according to Snowden’s supporters—don’t abide by existing treaties, now decide to respect one that enshrines privacy as a fundamental right and outlaws mass surveillance? How will the same legal strategy to protect the same right yield different results with the same states? These questions can’t be dismissed by claiming the Snowden treaty will be different because, based on what is available, nothing different is proposed. The goal is a treaty negotiated, agreed, ratified, and implemented by states, just like existing treaties. The proposed treaty will re-affirm privacy as a fundamental right, so it is doing nothing new with this right, even in terms of mass surveillance in the digital age. These questions might have answers if the Snowden treaty innovates with the right to privacy rather than simply reaffirming existing international law. Changing the right would mean existing treaties are not sufficient and a new agreement would have a clear rationale. The proposal states the treaty will contain stronger whistleblower protections than international law presently recognizes—a change treaty law could, in theory, advance. But, tweaking the right to privacy to address what Snowden disclosed would suggest his disclosures did not, as claimed, reveal clear violations of international law. Perhaps innovations will appear in compliance and implementation mechanisms. 
The proposal promises the treaty will require states to establish independent supervision of surveillance activities and periodically review these activities. Any country can, right now, adopt such measures without a Snowden treaty. But, according to Snowden, “around the world governments are aggressively pressing for more power, more authority, more surveillance rather than less.” How do we get innovative, robust compliance and implementation procedures from governments not interested in them? This predictable problem explains why oversight mechanisms in human rights treaties are notoriously weak. Put another way, states can riddle bulletproof documents with holes because they, not privacy advocates, write treaty rules. Oddly, the Snowden-treaty movement wants us to traipse, once again, into this cul-de-sac. Most surprisingly, the Snowden treaty seems very un-Snowden. For many, the power of Snowden’s rallying cry for privacy in the digital age comes from his challenge to established rules and processes and the impact this defiance has had. This example calls for more than believing states will, this time, adopt an effective treaty. So, for @Snowden: Why a treaty? Why not something more radical, like a Snowden Charter—an accord among civil society, consumers, and technology companies to confront governments and confound mass surveillance through, among other things, continuing to expand encryption in our digital lives?
  • Europe and Eurasia
    The U.S. Government Largely Has Itself to Blame for the EU Court’s Safe Harbor Decision
    Alan Charles Raul is a partner in the Privacy, Data Security and Information Law practice of Sidley Austin LLP. You can follow his group at datamatters.sidley.com.

    In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward-bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government, and not just the EU, for letting this mess happen. The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States. The CJEU followed a recommendation of its Advocate General that assumed, without any facts or analysis, that NSA surveillance under section 702 is massive and "indiscriminate." Without the opportunity to receive any evidence or argument from the U.S. government, any U.S. company, or any amicus filing a brief on behalf of the United States, the CJEU decided that the EU’s executive branch, the Commission, had improperly determined that the U.S. Safe Harbor assured EU citizens an "adequate" level of privacy and data protection. 
This finding was necessary because the EU prohibits sending personal data to a non-EU country that does not provide "adequate" protection, which the CJEU understood as requiring the third country in fact to ensure, “by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” Accordingly, a company needing to send its HR data or customer records to the United States requires an EU-approved mechanism to legitimate transfers of the personal data across the Atlantic. Until yesterday, companies could certify to comply with the fundamental privacy principles worked out in the Safe Harbor framework in 2000 between the US Department of Commerce and the EU Commission. Participating companies must also agree to submit to the enforcement jurisdiction of the Federal Trade Commission in the event of non-compliance with those principles, making their commitments legally binding. Other than Safe Harbor, U.S. companies can transfer data pursuant to certain EU-approved data transfer contracts, which can be implemented even between offices of the same multinational in different countries, or by adopting so-called Binding Corporate Rules where a company agrees to self-impose EU privacy standards for transfers of EU data throughout the company’s global operations. International data transfers are also allowed if EU citizens are informed and freely consent to the transfer of their data. The rationale for the CJEU’s invalidating the Safe Harbor is not really clear. The CJEU was apparently not required to, and did not, conduct any analysis of U.S. law, let alone review the statute authorizing NSA collection of foreign intelligence material under section 702. Accordingly, the CJEU merely assumed, and did not actually rule (or even consider) whether the PRISM program of concern to Mr. Schrems was indeed indiscriminate or unjustified. 
If the CJEU had examined that statute, it would have found checks and balances, including judicial oversight, more rigorous than controls on government surveillance in most if not nearly all other countries, including EU member states. Even beyond the requirement for judicial approval, the Attorney General and Director of National Intelligence must both certify that the NSA surveillance involves obtaining foreign intelligence information, is subject to rigorous minimization procedures to avoid excess collection, and is a collection that requires the assistance of an electronic communication service provider. After such detailed authorization, the Department of Justice Inspector General and the relevant intelligence community Inspector General must investigate and report on the surveillance practices, and the relevant intelligence agency must provide an annual report to the House and Senate Intelligence Committees, and also to the House and Senate Judiciary Committees. The Privacy and Civil Liberties Oversight Board (PCLOB), now a fully independent, free-standing institution of the federal government, is another oversight body authorized to investigate and assess these national security surveillance practices. In fact, the PCLOB concluded that the PRISM program “consists entirely of targeting specific persons about whom an individualized determination has been made”—hardly indiscriminate surveillance. Significantly, the PCLOB has specifically asserted its role and authority to assess the impact of such surveillance on non-U.S. persons. In its 2014 report to Congress, the PCLOB addressed the issue head on, noting that many of the “applicable protections that already exist under U.S. surveillance laws apply to U.S. and non-U.S. persons alike” and that it will contribute to President Obama’s effort to add additional privacy protections for non-U.S. persons. 
So how could the CJEU be unaware of the extensive certifications, checks, balances, judicial approval and independent oversight applicable to the national security surveillance in question? The answer is that the U.S. government simply does not defend or even explain how the privacy system works—neither with respect to national security privacy issues, nor with respect to commercial privacy regulation. The President has designated no one to be in overall charge of coordinating these issues government-wide and to serve as a senior public spokesperson with responsibility to communicate effectively on privacy to foreign and domestic constituencies. Accordingly, it is no wonder that the CJEU made no real effort (indeed no effort at all) to understand the significant protections built into the U.S. system, even for foreigners.

Another recent example of the negative consequences of having no White House privacy coordinator is that the Department of Justice was left free to serve a search warrant in 2014 on Microsoft to compel disclosure in the US of one of its customer’s communications that were stored in Ireland. With no senior policy person to tell DOJ how much damage this would cause to the United States’ international privacy reputation, the fallout has been highly damaging to global respect for the U.S. privacy and data protection regime. The data the DOJ seeks could have been readily obtained from Ireland using the Mutual Legal Assistance Treaty process.

In sum, the sky may not fall with the (perhaps temporary) collapse of the Safe Harbor. EU officials have indicated they are determined to protect transatlantic data flows, and are likely to find a way to enhance the Safe Harbor in the future and acquiesce in short-term workarounds. In the meantime, companies can also sign data transfer contracts between their subsidiaries, or look to individual consent and other mechanisms for legitimating the transfer of personal data to the US. And while the CJEU’s decision in the Schrems case was neither logical nor informed, the US government needs to do a much better job of explaining (and defending) U.S. privacy and data protection laws so this sort of mess doesn’t happen again.
  • Cybersecurity
    U.S.-China Cyber Deal Takes Norm Against Economic Espionage Global
    For years, the United States has argued that economic espionage by governments is wrong and should stop. The U.S. government became more vocal about this position as the Internet provided means for governments to engage in economic espionage on an unprecedented scale. But, among allies and adversaries, the United States made no headway on its international norm—until last Friday, when the White House announced the U.S. and Chinese governments agreed not to engage in or support economic espionage and to cooperate in implementing this commitment. As CFR’s Rob Knake and others have said, this gobsmacking development is important, particularly as a breakthrough in Sino-American cyber relations. Even thoughtful skepticism underscores the need to come to grips with its implications. Appropriately, attention has focused on the deal’s impact on the U.S.-China relationship, but it also has significance because it gives the U.S.-supported norm against economic espionage global potential it never had before. To grasp this change, recall the difficulties the United States had as evidence of economic cyber espionage by China mounted during the Obama administration. The Mandiant report released in February 2013 on Chinese economic cyber espionage galvanized concerns previously expressed by executive branch and congressional officials and led quickly to a new strategy on the theft of U.S. trade secrets. However, U.S. efforts to advance an international norm against economic espionage did not produce much, if any, support from other countries. At this time, the normative case against economic espionage confronted the problem that neither binding international law nor “soft law” contained indications that states recognized this norm. International law contained no serious restrictions on espionage and did not distinguish between traditional and economic espionage. 
This problem led to attempts to find footholds in other areas of international law, such as the principle of non-intervention and World Trade Organization agreements, but these efforts—whatever the merits of their legal analyses—did not change state practice. Part of the new U.S. strategy on protecting trade secrets included advancing the norm against economic espionage in U.S. diplomacy, including in negotiations for trade agreements. Snowden’s disclosures, which started in June 2013, damaged this project. The disclosures tarnished U.S. credibility, revealed U.S. intelligence collection against foreign companies and commercial sectors to inform diplomatic and trade negotiations, and gave China ammunition against U.S. complaints about its cyber behavior. The U.S. effort to distinguish between permitted and prohibited types of espionage became more difficult, even while the U.S. government and private cybersecurity companies believed Chinese economic cyber espionage continued unabated, if not actually intensified. Continued U.S. attempts to emphasize its norm, such as through indicting Chinese military personnel in May 2014, failed to gain international traction. This background illuminates why the agreement on economic espionage announced last week is politically surprising and normatively important. Initial reactions often focused on why China seemed to accept the U.S. position despite not previously recognizing the validity of the U.S. stance on economic espionage. Experts frequently commented on the potential impact of the U.S. decision to impose sanctions on Chinese companies that benefit from economic espionage. The release of more information and further analysis might reveal a more complex explanation. But what happened is equally important as why it happened. Now, the United States is no longer the lone normative voice in the economic espionage wilderness. 
The leaders of the world’s two biggest political and economic powers have agreed to act together against economic espionage. The agreement is not binding international law, but it opens space for advancing the norm against economic espionage globally that the United States, even before Snowden, did not create on its own. This development gives the United States leverage in raising the norm against economic espionage in other diplomatic contexts, including trade negotiations, regional and bilateral cooperation on cybersecurity, and further UN talks about norms of state behavior in cyberspace. This leverage gives the United States an opportunity to push more credibly for countries to accept this norm and anchor it in international law, which potentially creates a rare moment in which international legal restrictions on espionage are even conceivable. Yes, the deal might be, or prove to be, less than what its text contains. Although not a legal document, the agreement might well be “lawyered” by both sides to suit their interests, raising questions whether the two governments are reading the same words. The implementation mechanisms might prove ineffective, or be used tactically in Sino-American disputes about other issues. Great power politics often prove the graveyard for international norms. But, for the moment, the agreement ensures that what happens next on economic espionage will unfold in a different normative context, and that is a remarkable result of cyber statesmanship by Presidents Obama and Xi.
  • Cybersecurity
    Quick Reactions to the U.S.-China Cybersecurity Agreement
    After an all-night session at the Marriott Wardman Park, the United States has emerged with a landmark cybersecurity agreement with China. The deal has three parts:

      - China agrees to stop engaging in economic espionage. This concession is massive. Whether they live up to their word remains to be seen, but the agreement is a game changer.
      - China will respond to requests for law enforcement and CERT-to-CERT assistance. In the context of the agreement to stop economic espionage, this is how the United States will measure the Chinese commitment. When thefts occur, if China picks up the phone, investigates, and makes arrests, we’ll know they are serious. If they don’t, we will know they never intended to honor their commitment.
      - A ministerial-level dialogue and red phone system will be established. The Secretary of Homeland Security and the Attorney General will lead the U.S. effort. The red phone will be used to deal with situations in which China doesn’t cooperate.

    Some quick reactions:

      - This was masterful diplomacy: the Obama Administration has been playing three-dimensional chess and they won. The threat of sanctions brought the Chinese government to the table and kept them there.
      - Sanctions will still happen: the President has promised that this tool will be used. Expect them to come, but to target companies, not Chinese officials.
      - Expect China to roll this into anti-corruption efforts: China will crack down on officials and private companies involved in hacking U.S. companies. They will frame it as part of their internal efforts to reduce corruption and not as caving to U.S. pressure.
      - Reports that the agreement would cover critical infrastructure attacks were a red herring: it was never in the United States’ interests, and deterrence is probably already working with China in this space. They have as much to lose from taking down the NYSE as we do.
      - Keep calm and spy on: none of this is about the OPM hack or traditional spying. Nor should it be. The big win is to change behavior on economic spying.

    Kudos to the White House and State Department team. Now go home and get some sleep.
  • Defense and Security
    Cooked Islamic State Intelligence and Red Teams
    The New York Times has an article that sheds further light upon what is apparently a disagreement within U.S. Central Command (CENTCOM) about how successfully the U.S.-led war, which is intended to “degrade, and ultimately destroy” the self-declared Islamic State, is progressing. Building upon earlier reporting by the Times and The Daily Beast, today’s article explicitly names the senior Iraq intelligence analyst at CENTCOM, Gregory Hooker, and reiterates the opposition of Hooker’s team to the Obama administration’s generally optimistic portrayal of progress in Operation Inherent Resolve (OIR). What Brig. Gen. Thomas Weidley, chief of staff of Combined Joint Task Force-OIR, first proclaimed in May remains the Obama administration’s position today: “We believe across Iraq and Syria that Daesh is losing,” adding, “The coalition strategy, I believe, is clear and our campaign is on track.” However, as noted on the one-year anniversary of OIR, despite killing a lot of suspected militants, destroying their equipment and facilities, and reducing the terrain they control, there has been little actual progress in achieving the always unrealistic strategic objective of destroying the Islamic State. Moreover, compared to other U.S.-led air wars in recent history, OIR is actually featuring a very limited number of bombs being dropped per day.

    The Times story also contains two quotes directly pertinent to my forthcoming book, Red Team: How to Succeed By Thinking Like the Enemy (Basic Books, 2015). First: “Some analysts suggested that leaders in Tampa feared that reporting bad news might anger the White House. Others described an institutional bias that makes it hard for the military to criticize its own operations.” Both phenomena are pressures that all intelligence analysts encounter. There is the inherent challenge in “voicing up” dissenting or challenging opinions that contradict those opinions that are openly promoted by bosses. This pressure is especially prevalent among military analysts, where uniformed officers believe that their proper role is to execute policies that their civilian bosses authorize. Where the strategic guidance is clear, such as that outlined in President Obama’s September 10, 2014, Islamic State strategy speech, military analysts often told me that their professional responsibility is to monitor and assure that the strategy and associated lines of effort are being faithfully implemented. Mavericks exist, but in small numbers and with little impact.

    The second pressure, the difficulty of self-criticism, is the expected outcome of the hierarchical structures and insular cultures that exist within command staffs. Command staffs are highly susceptible to groupthink, a phenomenon that often prevails within institutions characterized by rigid hierarchy and shared values, and comprised of people who work in dangerous and high-stress environments. By design, individuals conceive of themselves as part of a team that should be working in a unified manner toward achieving a common objective. In such an environment, criticism can put the team effort and strategic mission at risk.

    The second quote in the Times comes from retired Army Colonel Kevin Benson, who has taught at the University of Foreign Military and Cultural Studies (UFMCS)—recently rebranded the Cognitive Dominance Education Program—since 2007. In my book, I feature the efforts of UFMCS to educate and train red teamers for the Army, other armed services, and select civilian agencies. I was fortunate to attend the UFMCS short course as a student, and witness how Benson—a friend and colleague—teaches critical thinking to military officers (often majors and lieutenant colonels) and a few civilians. In the Times article, Benson is quoted as saying, “You can get pulled into watching the laser dot on a target and watching it blow up. After that, it can be hard to hear that you’re not making progress, because you saw it.”

    In my book, I document the many challenges faced by the U.S. military in developing and promoting red teams within the Army and Marine Corps. As Benson told me, “Red teams as an integral part of the design and decision-making process give commanders and staffs the opportunity to think the unthinkable—ask ‘what if’, and challenge assumptions and facts.” Reportedly, this sort of “what if?” questioning and assumption challenging is not happening with regard to assessing progress in OIR. If CENTCOM intelligence analysts cannot do this, either due to pressure from their bosses or the inherent difficulty of self-criticism, the White House might empower an autonomous and impartial red team to evaluate the war against the Islamic State. That is, assuming Obama administration officials want to hear the potentially bad news from an independent set of outside analysts.
  • Cybersecurity
    On Cyber Information Sharing, It’s the Medium Not the Message
    When Senators return to Washington, DC this fall, they will take up work on legislation to make it easier for companies to share cybersecurity information with each other and with the government. The future of the bill, the Cybersecurity Information Sharing Act, is uncertain. Beset with concerns over privacy and civil liberties, many past attempts at addressing this issue have failed to reach the President’s desk. Senators will have to wade through twenty-one amendments offered by both Republican and Democratic colleagues and then try and get it through the House. Unfortunately, if they succeed, neither the bill in its current form nor any of the amendments will do much to increase the effectiveness or timeliness of cybersecurity information sharing. One of the bill’s primary objectives is to ensure that companies aren’t liable for sharing cybersecurity information with government. But liability is not the problem it was once thought to be. Companies exchange millions of pieces of cybersecurity information each day. Non-profit groups like the Financial Services Information Sharing and Analysis Center, the Center for Internet Security, and the Cyber Threat Alliance have coalesced whole industries to share data. Private companies like ThreatConnect, TruStar, and AlienVault provide information sharing services to their clients. So, what then is there left for Congress to do? None of these commercial products do two things that government is best suited to do: provide validation that companies and individuals are trustworthy partners and a secure, classified network over which such sharing can take place. When the unclassified email servers of the Joint Chiefs of Staff were recently hacked, the ability to communicate securely on classified networks kept Pentagon operations moving. 
Cyber incident response teams managing the breach could communicate with the intelligence community, law enforcement, and other parts of the Pentagon without the alleged Russian attackers listening in. Contrast this with what happens when a private company is hacked by the same actors. The compromised network cannot be trusted to communicate on the remediation. Even phone calls, now mostly carried over the Internet, are not considered secure. If the FBI wants to share information with you, expect federal agents to darken your doorstep. When the government has classified information to share, it must be shared in a secure government facility. That happens at best on a quarterly basis, making it neither timely nor actionable. A better model has been piloted by the Department of Defense for several years. Companies within the defense industrial base like Lockheed Martin, Boeing, and Raytheon have access to such capabilities today. They use a separate classified network called the DIBNET to share cybersecurity information securely with each other and with the Department of Defense. Only personnel working at participating defense companies who have been cleared through the background investigation process made famous by the hacking of the Office of Personnel Management can access the network. When unclassified networks that are accessible from the Internet become compromised, the classified network is used to coordinate incident response so that such communications are not intercepted. While the program for the defense sector is a good start, companies that operate our financial, electric, water, and other critical systems must also be granted access to classified networks for cybersecurity purposes. Cybersecurity is often characterized as a partnership between the government and the private sector.
For that partnership to be fully realized, private companies bearing the costs of defending themselves against nation-state adversaries like China and Russia must be allowed access to the same networks and same information that federal agencies use to prevent and respond to cyberattacks. When Congress returns, leadership should move quickly to ensure that any cyber information sharing legislation that passes directs the creation of such a network for these companies.
