Politics and Government

Congresses and Parliaments

  • North Korea
    Kim Jong-un’s Coronation and North Korea’s Future
    The seventh congress of the North Korean Workers’ Party (WPK) held from May 6 to 8 was a carefully choreographed affair designed to show the world that its newly installed Chairman Kim Jong-un is fully in control of the North Korean state. By taking the title of Chairman, Kim has signaled that he is no longer reliant solely on the legacy of his father and grandfather, that he is determined to lead, and that he expects the international community to accommodate his absolute leadership of a nuclear North Korea. Through his speech at the conference, Kim Jong-un revealed big plans to safeguard North Korea’s security through its nuclear accomplishments and grow its economy. But Kim has not yet shown how he will gain international acquiescence to North Korea’s nuclear development or how he can secure international support for North Korea’s economic growth. Kim’s plans for economic development are laudable. In his first public speech in 2012, Kim stated that his people should “never have to tighten their belt again.” Since then, North Korea has improved its agricultural production, experimented with limited agricultural reforms, transferred some decision-making responsibility from the state to the firm level, and has stopped opposing private market transactions. The North Korean economy is reported to have grown by one or two percent per year, with the Hyundai Research Institute reporting that North Korea’s annual GDP growth may have reached as high as seven percent. Kim’s reestablishment of a new five-year economic plan at the Party Congress provides needed leadership designed to stoke North Korea’s economic growth. But Kim’s twin emphasis on nuclear and economic development—his Byungjin policy—stands in the way of a real economic take-off because it starves North Korea of opportunities for external economic cooperation. 
Kim may exhort his people to improve agriculture, construction, and light industry and to become a scientifically and technologically powerful state in areas including information technology, nano-technology, bioengineering, energy, space, and nuclear technology. But the North Korean economy will fail in these areas unless his country is connected to the outside world. International opposition to North Korea’s nuclear development results in sanctions that generate economic pressures on North Korea and cut the country off from the outside world. As much as Kim needs connection to the outside world in order to achieve economic growth, he needs political isolation for his system to survive. Kim may regard North Korea’s nuclear deterrent capabilities as an insurance policy against growing challenges to the legitimacy of his single-man rule. Kim’s power depends on his ability to stand atop a system in which he commands absolute loyalty by suppressing both internal and external political competition. The Party Conference affirmed Kim’s monopoly on power and showcased both his demands and the rewards for absolute fealty among the highest-ranking members of North Korean society. In this respect, Kim’s nuclear program serves two purposes: it helps to ensure North Korea’s isolation by engendering international hostility to the regime while also defending an otherwise vulnerable North Korean state against the possibility of attacks from external enemies. Thus, Kim may regard his formula as his best chance to both preserve his system and maintain the status quo. 
This is why Kim declared: “We will consistently take hold on the strategic line of simultaneously pushing forward the economic construction and the building of nuclear force and boost self-defensive nuclear force both in quality and quantity as long as the imperialists persist in their nuclear threat and arbitrary practices.” By declaring the permanence of a nuclear North Korea at the Workers’ Party Congress, Kim Jong-un has used the issue to shore up his power internally, but at the expense of North Korea’s international standing. Instead of accepting North Korea as a nuclear weapons state, the international community has consistently condemned its nuclear pursuit and is bent on increasing pressure on Kim through economic sanctions. This makes the nuclear program a primary obstacle to North Korea’s ability to achieve its economic goals. Kim asserted at the Workers’ Party Congress that North Korea would be a responsible nuclear power, pledging only to use nuclear weapons if it is attacked with nuclear weapons. He also called for global denuclearization, perhaps in an attempt to align North Korea with the position of the five legitimate nuclear weapons states originally recognized in the Nuclear Non-Proliferation Treaty (NPT). But North Korea’s unilateral exit from the NPT, its failure to meet past denuclearization pledges, and the extreme concentration of political power in the hands of Kim Jong-un are insurmountable barriers to international acceptance of North Korea as a nuclear weapons state. In response to Kim’s claim that North Korea would be a “permanent” nuclear weapons state, South Korea’s Unification Ministry spokesperson reiterated that “it is only when the North shows sincerity about denuclearization that genuine dialogue is possible.” The United States has rejected North Korean peace overtures, insisting that peace talks are meaningless without talks on denuclearization. 
Even China’s proposal for talks envisages the United States and North Korea engaging in parallel peace and denuclearization talks. The international community insists that Kim must choose between economic and nuclear development because the last thing the world thinks Kim Jong-un needs, even at his own party coronation, is two slices of cake. This article originally appeared on TheMarkNews.com.
  • Elections and Voting
    Upheaval in South Korea’s National Assembly: Expect More Surprises
    The first rule of watching South Korean elections is the same as the first rule for watching Korean TV dramas: be prepared to be surprised. In this respect, South Korea’s 2016 National Assembly electoral result delivered, as virtually no one predicted the magnitude of the failure of the ruling Saenuri party or its major standard bearers. The results left the former majority party in second place at 122 seats, well short of the 151 seats needed to exercise a majority in the 300-seat National Assembly. The first place Minjoo or Democratic Party of Korea, pruned by the departure of entrepreneur-turned-National Assemblyman Ahn Cheol-soo, who started his own People’s Party, captured 123 seats to become the largest party in the National Assembly. Ahn’s own start-up experience proved sufficient to lead the newly-established People’s Party to a better-than-expected thirty-eight seats, primarily centered in Korea’s southwestern Jeolla region. The election also was a defeat for South Korea’s queen of elections, Park Geun-hye, following over a decade of dominant influence on national electoral outcomes. The result will constrain her presidency to initiatives that do not require National Assembly approval and will hobble her ability to secure legislative approval for future cabinet appointments. South Korea’s executive office wields significant power, especially over national security and foreign policy, but there are virtually no prospects for progress on any other matter that requires legislative support or approval. As with any good Korean drama, now that the shock has sunk in, it is clear that the signs of deep divisions within the Korean electorate exposed by this election were there all along. The biggest signal that the ruling party was headed for failure was revealed in the handling of the candidate selection process. 
Since at least 2000, South Korean voters have consistently expressed discontent with political parties, seeing them as corrupt and unfaithful intermediaries that distort the will of the people and translate it to serve their own interests. Because South Korean voters know that candidate selection is vulnerable to corruption that empowers the party leadership at the expense of the constituents, the parties that have implemented transparent or impartial candidate selection processes have tended to receive greater voter support. But the Saenuri party process this cycle was defined by perceptions of meddling and factional infighting between pro- and anti-Park forces, turning voters off. In retrospect, there were enough signs to know how this year’s National Assembly election drama would end all along. The veneer of unity generated by the Park administration’s efforts to engineer social and political cohesion and support has given way, revealing at least four types of deep divisions within South Korea’s electorate: First, there is the generational division between progressive younger voters who are concerned about jobs and the conservative older voters who are concerned about welfare. Park’s presidential victory in late 2012 was fueled by support from the older generation and generated disillusionment among younger voters. Three years later, voters are dissatisfied with the Park administration’s performance on both jobs and welfare. Second, there are personal divisions, personified most clearly by the fact that Park’s 2012 economic advisor, Kim Chong-in, who coined the phrase “economic democratization,” took leadership of the Democratic Party of Korea, while Lee Sang-don, who ran the Saenuri party selection process in 2012, was a prominent member of the newly-established People’s Party. In other words, former Park supporters were in the vanguard for the opposition. 
Third, there are structural divisions that are exacerbated by the dynamics that occur when the quadrennial National Assembly election lands in the fourth year of a five-year presidential term. This means that the time horizon of National Assembly candidates is longer than the time line of the president and therefore less likely to be controlled by presidential wishes. In addition, National Assembly elections become a dress rehearsal for the next presidential election in which leading candidates seek advantage or are winnowed out by the legislative electoral result. Dramatic failures this time included losses by former Seoul mayor Oh Se-hoon and former Gyeonggi provincial governor Kim Moon-soo. Fourth, there are not only ideological divisions between parties, but personal divisions within parties that will be exacerbated as members focus on the December 2017 race for the presidency and fight for party nominations of the three main bases that now have the organization and funding to run a national election campaign. Each party must contend with internal divisions: Saenuri will be hobbled by continued pro- and anti-Park competition; Minjoo will face continued rivalry between pro-Roh and anti-Roh factions; Ahn Cheol-soo is the face of the People’s Party, but Jeolla province (former president Kim Dae Jung’s stronghold) is its base. In my view, further splits are unlikely because the People’s Party’s performance qualifies it to receive public funds under Korean election law, but a new party without a track record would not qualify to receive those funds. A progressive merger between the Democratic and People’s Parties will be often discussed, but in my view is unlikely now that rival organizational bases have been established to support a presidential run. The aftershocks of this election have reshaped the political ground in advance of South Korea’s December 2017 presidential election. 
Given the known flaws of Korea’s known professional politicians and public doubts that they are truly capable of addressing Korea’s increasingly intractable, interlocking, and mutually contradictory challenges of economic growth, demands to expand public welfare, and income inequality, the ground is set for an outsider candidate that is able to credibly promise transformational leadership and sterling administrative management. And UN Secretary General Ban Ki-moon may not be the only plausible outsider who could shake things up. As the late Don Oberdorfer used to say about Korea’s most exciting political drama: hold on to your hats.
  • Cybersecurity
    The President’s Cybersecurity Plan Is More of the Same (And That’s a Good Thing)
    Today, the Obama administration announced the Cybersecurity National Action Plan. Already turned into an acronym in Washington, DC, CNAP is not so much a bold new direction as a tidying up of loose ends to set the stage for the next administration. Critics are already lambasting the plan as “nothing new.” Yet given the political calendar, it would be hard for the president to set an entirely new course. And given the reality of the cybersecurity challenge, it would also not be warranted. The Obama administration has focused its efforts to date on preserving and extending an “open, interoperable, secure, and reliable” Internet. Its cybersecurity policies (at least after the failed 2011 regulatory attempt) have been about avoiding cures for cyber threats that are worse than the disease. In other words, don’t launch a Manhattan Project to reinvent the Internet so that it is inherently secure and therefore easily controlled; do try to increase adoption of two factor authentication. Cybersecurity is an area in which many have demanded bold new approaches but few have been able to articulate what those would be. Witness Jeb Bush’s cyber plan, which basically (and wisely) calls for a continuation of the Obama administration’s policies while taking swipes at Hillary Clinton’s email server. Similarly, Ben Carson’s plan called for creating a series of programs that already exist and creating a new agency that looks a lot like the Department of Homeland Security. From this perspective, the CNAP isn’t so much about setting a new direction as it is about implementation. It takes long-overdue actions like appointing a single official to be in charge of federal agency cybersecurity in a new Chief Information Security Officer. It creates a privacy council to resolve the many privacy challenges associated with implementing cybersecurity. And it calls for modernizing insecure and unsecurable legacy IT systems. 
The plan also not-so-subtly puts the onus on Congress to put its money where its mouth is. For two successive years, Congress has managed to pass new laws that clarified mandates and set the stage for the federal government to act. Now the president is asking for the funds to put those authorities to use. If President Obama succeeds in getting Congress to boost the cyber budget by 35 percent, those funds will mostly be spent by whoever wins the election in November. For close watchers of cybersecurity policy, the timing and approach is very similar to what the Bush administration did in its last year with the then classified Comprehensive National Cyber Initiative (CNCI). That program put billions of dollars into cybersecurity, beginning many of the programs that came to fruition in the Obama administration. Michael Daniel, the President’s cybersecurity advisor and the reported force behind the CNAP, is a former Office of Management and Budget official who worked on that program. When the Center for Strategic and International Security assembled a group of experts in 2008 to make recommendations to the next president on cybersecurity, their number one piece of advice was simple: “Do not start over.” Instead, build off of CNCI, making adjustments and changes where necessary. It was sage advice. Whatever progress President Obama and his team can make in the next year should be the foundation for the next administration. If the next president gets to declare victory on the cybersecurity challenge, it won’t be because he or she charted a bold new course, but because previous administrations laid the groundwork for success.
  • Cybersecurity
    All I Want for Christmas Are Amendments to the Cybersecurity Act
    Christmas comes but once a year and, for the last two years, Congress has delivered a bag of goodies in cybersecurity legislation. While most corporate counsels are still trying to figure out what the Cybersecurity Act of 2015 (CSA) does for them, I’ll take a cue from my five-year-old and start composing my wish list for next year now. To be clear, there are a lot of things I like about the CSA. Even with the last minute changes, the drafters avoided a parade of horribles. The law explicitly excludes violations of terms of service agreements from the definition of a cybersecurity threat (win). It defines a defensive measure to exclude anything that should rightly be labeled offensive (win). It has provisions that require the minimization of personal data (win). And it maintains the traditional division between civilian and military roles (huge win). Still, there is room for improvement even at this early stage and the drafters seem to know it. The law requires the executive branch provide no fewer than twenty-four reports to Congress on various aspects of the act (with unclassified versions to be made public). It even goes so far as to require a report to Congress that requests the administration’s views on whether further changes to the law are necessary. So, in that spirit, here are five things Congress should contemplate over the coming year: Antitrust may have gone too far (or not far enough): There can be no more whining about antitrust as a barrier to information sharing. Even before the bill, the Department of Justice had gone out of its way to make clear that antitrust wasn’t a concern. CSA makes clear that two or more parties can exchange cyber threat information without violating antitrust law. Unless, of course, you are doing it for anticompetitive purposes (see Sec. 108(e)). That’s fine for companies in most sectors that don’t compete on cybersecurity but problematic for the cybersecurity industry. 
Can Symantec and McAfee engage in two way sharing and exclude smaller players? Better to sanction more formal constructs with rules for participation as a group of companies have done with the Cyber Threat Alliance. Are Internet Service Providers (ISPs) “information systems”? As I have written before, the act provides legal clarity on what owners and operators of information systems can do for cybersecurity purposes. The trouble remains that it’s not clear if an ISP’s network qualifies as an information system or a telecommunications system. If ISPs decide the act covers them, then they can screen all traffic for cyber threats without consent. Lawsuits await. Better for Congress to clarify what they mean. Let the Department of Defense (DOD) establish information sharing programs with defense companies: CSA rightly makes the Department of Homeland Security the main portal for information sharing with the private sector. It also gives the president the authority to establish information sharing portals at Commerce, Energy, Justice, and Treasury. It may make sense under a sector-specific model to broaden this list to other departments that have specific sector expertise, like Health and Human Services and Transportation. The act explicitly excludes the Department of Defense, foot stomping the point by parenthetically excluding the National Security Agency (two points for clarity). While the desire to keep NSA out of domestic information sharing is laudable, excluding all of DOD is unwise. The Defense Cyber Crime Center runs the best information sharing program out there for defense companies. While it’s grandfathered in, DOD should be able to expand this program with the full protection of the new law. Classified sharing requires a classified network: CSA calls for the timely sharing of “classified threat indicators” with the private sector. In cyberspace, timely does not mean quarterly in person briefings in a government facility. 
Congress needs to authorize and fund development of a classified network for sharing cyber indicators with private companies. Read more on that here. It may undermine sharing: For many years, bad lawyers would tell their clients that engaging in information sharing could create liability for them if they received information but failed to act on it. They recommended an ostrich-like strategy. Most CISOs ignored that advice and participated in information sharing anyway. Over time, as more organizations shared information amongst themselves, it began to create a standard of care where organizations that received cyber threat information acted upon it. It’s in the NIST Cybersecurity Framework and NIST has a draft special publication on it. CSA undoes all of that by making explicit that sharing threat information does not create a duty to warn or duty to act. That’s crazy. If we expect information sharing to help our cybersecurity woes, the least we can do is not absolve negligent organizations that didn’t act on the information they received.
  • United States
    Cyber Week in Review: January 22, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. Australian PM Turnbull and President Obama talk cyber. Australian Prime Minister Malcolm Turnbull brought up cyber during a visit to Washington, DC, this week, saying that states should stop supporting the cyber-enabled theft of intellectual property and that Internet governance should be led by “the communities that use” the Internet, not governments. Turnbull announced a new annual dialogue on cybersecurity between the United States and Australia, to be led by the Center for Strategic and International Studies and the Australian Strategic Policy Institute. Both sides will work together to define norms for state behavior in cyberspace and create cooperative measures for responding to cyber incidents. Turnbull also said that Australia is working to counter the online narrative of the Islamic State group and noted approvingly cooperation between the U.S. government and private sector in this area. 2. We have an intractable problem? Let’s study it! Rep. Mike McCaul (R-TX) and Sen. Mark Warner (D-VA) are planning to introduce a bill in Congress that would create a national commission to examine how law enforcement officials can gain access to the encrypted data of criminal suspects without weakening the privacy or security of Americans. While law enforcement has repeatedly asked tech companies to find a technical solution to the problem, security experts have said that’s impossible without severely weakening encryption. McCaul and Warner’s proposed commission intends to get around that impasse by convening tech industry executives, privacy advocates, academics, and law enforcement and intelligence officials to discuss the issue. They would make joint recommendations on both legislative and technological measures around the encryption problem. The congressmen haven’t set a date for when they’ll introduce their bill. 
However, others may supersede them with a less conciliatory approach. Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) are working on legislation requiring tech companies to put backdoors in their encryption, and state legislators in New York and California have already taken steps toward banning encrypted devices at the urging of law enforcement officials. Meanwhile, NSA director Adm. Mike Rogers appeared to announce his support for strong encryption this week. 3. A tiny ray of additional sunlight on the U.S. government’s zero-day policy. The Electronic Frontier Foundation (EFF) was able to obtain more information about the U.S. policy on zero-days. Regular readers of Net Politics will remember that last September, the U.S. government, for the first time, published a heavily redacted version of the policy that outlines how it handles zero-day vulnerabilities. We analyzed the issue here. This week, the EFF was able to obtain a new copy of the policy with slightly fewer redactions. The document now reveals that the United States engages in offensive cyber activities and that the zero-days the government discovers or acquires can be used for both offensive and defensive purposes. Quelle surprise!
  • Pakistan
    Cyber Week in Review: December 4, 2015
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed: United States and Chinese officials led respectively by Secretary of Homeland Security Jeh Johnson and Minister of Public Security Guo Shengkun met in Washington, DC Tuesday for the first round of a high-level dialogue on cybercrime. The two sides agreed on guidelines for jointly combating cybercrime, announced a joint cybersecurity tabletop exercise to be held in spring 2016, and began planning a hotline for cyber issues. The next round of the dialogue will be in Beijing in June 2016. The meeting came as China’s state news service reported that the cyber-enabled theft of personal information from the U.S. Office of Personnel Management (OPM) was conducted by criminals, rather than state-sponsored actors as U.S. lawmakers have claimed. The Washington Post also reported that China arrested suspects in relation to the OPM hack in September prior to Chinese President Xi Jinping’s state visit to the United States, although some Chinese media reports dispute this account. BlackBerry will no longer operate in Pakistan, the company announced Monday. BlackBerry provides encrypted e-mail and messaging services to its corporate clients through its Blackberry Enterprise Servers (BES), which prevents the Pakistani intelligence services from achieving their surveillance goals. When the company refused to build encryption backdoors, Pakistan’s telco regulator ordered mobile network operators to shut down access to Blackberry servers, which would essentially make the handsets useless. The short-term impact of Blackberry’s decision on Pakistanis is likely to be minimal, as the company holds just 0.3 percent of the world smartphone market share. However, as mobile device makers increasingly move to end-to-end encryption, we may see similar showdowns between Pakistani regulators and bigger phone manufacturers like Apple and Samsung. 
In other encryption news, my colleague Matt Waxman has a good roundup of Israeli encryption policy over at Lawfare. Pakistan is not the only central Asian government that’s trying to limit Internet freedom. Kazakhstan’s primary telecommunications provider Kazakhtelecom JSC announced Monday that it and other telcos are "obliged" by law to conduct surveillance on HTTPS connections to addresses outside the country. Starting next year, Kazakhtelecom will require all users to install a "national security certificate" on their Internet-enabled devices that will trick programs into thinking the telecom’s servers are the legitimate websites users intended to visit. This will allow Kazakhtelecom to man-in-the-middle any encrypted connection to servers outside the country, giving them the power to see all the online activity of their users. Some commentators have called it a cheap version of China’s Great Firewall, although they’re fundamentally different systems albeit with similar effects. Although the company subsequently pulled the announcement from their website, you can expect it to come back soon; Kazakhstan has one of the worst records in the world for online freedom. Max Schrems’ crusade against Facebook isn’t over yet. In October, the Austrian grad student’s case against the Irish data protection authority resulted in the Court of Justice of the European Union (CJEU) invalidating the Safe Harbor framework that governed data transfers between the EU and the United States. In letters to data regulators in Ireland, Belgium, and Germany this week, Schrems calls on the authorities to suspend all data flows from Facebook’s local subsidiaries to the U.S.-based company, ahead of the January 2016 deadline EU regulators have given companies to change their practice. January 2016 is also the self-imposed deadline that EU regulators set to have a new Safe Harbor framework in place, but that seems increasingly unlikely. 
EU officials said this week that they’d like to give national data regulators a greater role in ascertaining that the privacy of EU citizens is protected in the United States. The good news is that the Judicial Redress Act currently being considered by Congress could help move the negotiations forward. The bad news is that it’s not looking like it will be passed any time soon. Meanwhile, the Dutch minister of justice says he doesn’t expect a conclusion to the Safe Harbor negotiations any time soon. A House Judiciary Committee hearing Tuesday examined the Email Privacy Act, which has languished in Congress for two and a half years despite having more than three hundred cosponsors and broad support from the tech industry. The bill would update the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before accessing emails more than 180 days old, rather than seizing them with a subpoena, as ECPA allows. Federal regulators and law enforcement officials are concerned this revision would tie their hands, and in a committee hearing Tuesday reviewing the bill, House Judiciary Committee Chairman Bob Goodlatte (R-VA) reiterated these apprehensions. Goodlatte said that while he supports the “core” of the bill, he wants an exception allowing the government to demand information from tech companies without a warrant when it has determined that an “emergency” exists. It’s unclear when the bill might get a vote in the committee.
  • Cybersecurity
    The TPP’s Electronic Commerce Chapter: Strategic, Political, and Legal Implications
    Release of the text of the Trans-Pacific Partnership agreement (TPP) has launched the "tale of two treaties" saga so familiar when new trade and investment agreements appear—it is the best of treaties, it is the worst of treaties. Praise for and criticism of the TPP’s chapter on e-commerce form part of this saga, and the gap in rhetoric calls for scrutiny of the legal text in light of the chapter’s strategic goals and the political challenges it faces. The TPP’s strategic objectives include advancing trade and investment liberalization and counterbalancing China’s growing influence. The e-commerce chapter supports these objectives. With WTO negotiations stalled, the TPP provides a way to catalyze liberalization among countries representing forty percent of the global economy, which creates e-commerce opportunities, with expanding digital commerce generating new trade and investment possibilities. The chapter facilitates this dynamic because it will apply on an unprecedented geographic and economic scale. Strategic concerns with China include competition on global e-commerce. The e-commerce chapter is designed to preserve an open, global Internet and can be a model for future agreements. These objectives inform the politics surrounding e-commerce. By facilitating liberalization, critics argue the TPP privileges private over public interests, subordinates privacy to profits, and constricts policy space for welfare-enhancing regulation through substantive and dispute settlement rules that favor companies. Counterbalancing China does not require diluting privacy or empowering corporations at the expense of regulatory sovereignty. These critiques fuel the political debates that will determine whether countries ratify the TPP. Whether international agreements achieve their strategic objectives in politically palatable ways depends, in large part, on what they require countries to do. The TPP’s e-commerce chapter contains four types of provisions. 
First, the chapter supports liberalization by requiring non-discriminatory treatment, prohibiting customs duties for electronic transmissions, restricting various barriers to e-commerce, prohibiting requirements to use local computing facilities, and facilitating cross-border transfers of information. Second, the chapter balances liberalization with protection of other interests and values. It requires parties to adopt laws for electronic transactions, online consumer protection, and personal information protection. The chapter provides exceptions to liberalization obligations for measures implementing legitimate public policy objectives. Third, the chapter addresses e-commerce’s intersections with other cyber policy concerns. It requires parties to regulate spam e-mail, recognizes the benefits of consumer access to the Internet for e-commerce (net neutrality), and acknowledges cybersecurity’s importance. Fourth, disputes are subject to the TPP’s state-to-state and investor-state dispute settlement (ISDS) procedures. These provisions generate different legal effects. Some provisions create binding obligations, such as the mandate for non-discriminatory treatment of digital products. Other provisions are binding but less demanding, including those stating that parties “shall endeavour” to undertake specific actions. Still other provisions establish no binding obligations, such as those where parties simply recognize issues or agree they should or may behave in certain ways. Determining the meaning of binding obligations, and exceptions thereto, requires applying the complex jurisprudence on trade and investment treaties. The deeper analysis goes into the law, the harder it becomes to make sweeping statements about the chapter’s potential political and strategic importance. Controversies with trade and investment treaties often arise when liberalization obligations (e.g., market access) purportedly clash with public interest regulations (e.g., on health). 
Opponents of the e-commerce chapter argue the obligation on cross-border transfers of information could override privacy laws and permit corporations to challenge such laws under ISDS. For either of these things to happen would require challenges to privacy regulations to navigate numerous legal requirements and tests frequently interpreted and applied in ways not hostile to public interest regulation. In addition, challenges would unfold against the chapter’s requirement that each party adopt privacy laws that should be informed by principles developed by international bodies, which could include UN human rights treaties and mechanisms. A corporation challenging privacy laws under ISDS could not base its claim on the e-commerce chapter’s obligations on cross-border transfers of information. Instead, it would have to argue, for example, that privacy laws violated non-discrimination duties, failed to provide the minimum standard of treatment required by customary international law, or constituted an illegal expropriation—none of which seem likely given how privacy laws function. The investment chapter also provides that non-discriminatory regulations protecting legitimate public welfare objectives, which would include privacy, are not expropriations, except in rare circumstances. The treaty text, informed by the web of existing jurisprudence, does not ensure the e-commerce chapter will always operate with trade and investment objectives in political harmony with public interest regulations. Nor do the legal complexities assure that the e-commerce chapter will deliver the promised strategic benefits for the United States. But, with the text now in hand, the political viability and strategic consequences of “the most ambitious trade policy ever designed for the Internet and electronic commerce” have become pressing legal responsibilities of the digital age.
  • Cybersecurity
    Cybersplaining: What CISA Might or Might Not Mean for Internet Service Providers
    Here’s a fun party game. The next time you are at a cybersecurity industry event—an evening event with an open bar—find one of the many lawyers in the room and ask them whether the Cybersecurity Information Sharing Act (CISA) would apply to internet service providers (ISPs). Every time one of them answers with “it depends,” take a shot. If the lawyers are any good, you’ll be hammered by the time you call for your Uber ride home. Here’s why. As I wrote about in my last post, for most companies, the problems that CISA is trying to solve don’t exist. Companies share tons of cybersecurity information with each other every day. They also use defensive measures that inspect their Internet traffic for malicious activity and block it. All in a day’s work for your average IT administrator. No one ever gets sued and no laws are being broken. But for ISPs, it’s not so simple. Under the Electronic Communications Privacy Act (ECPA), an ISP like AT&T, Verizon, or Comcast is a bit different than, say, the Ford Motor Company. While Ford can look at all the traffic crossing its network, AT&T can’t. AT&T is a big dumb pipe that passes on packets no matter what is in them, be it malware, child pornography, or stolen copies of The Interview. The only traffic monitoring AT&T can legally do is what it can justify as necessary to keep those packets zipping along (the so-called “owner operator exception”) or if one of its customers has contracted with it to provide security services, thereby providing consent to be monitored. CISA, in one view, would allow ISPs to monitor all traffic for cybersecurity threats, operate defensive measures to stop those threats, and share information about these threats with the federal government. That, to Senator Wyden and others, looks a lot like mass Internet surveillance under the guise of a voluntary information sharing bill. 
Although CISA contains language in a series of notwithstanding clauses that would seemingly override ECPA, definitional problems create some doubt. The monitoring and defensive measures authorized by CISA can only take place on “information systems.” CISA defines information systems as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” It’s basically the same definition used in U.S. law governing federal information systems. So, does the Internet backbone qualify as an information system under CISA? Is it a discrete set of resources? The words alone are confusing enough. Now place them in context. Many lawyers, though not all, will conclude that the definition pertains to Ford’s computer network but not AT&T’s Internet backbone. Some lawyers, though not all, will draw a distinction between information systems and “telecommunications systems.” To make things clear as mud, CISA’s drafters explicitly included one other type of information system in the definition—industrial control systems (ICS). Some lawyers, though not all, will view the fact that the drafters included the ICS definition as evidence that the existing definition was not all inclusive. If ICS need to be explicitly included, so would ISPs. If the bill goes forward with these definitions, whether CISA applies to ISPs will depend on where their lawyers come down on these definitions, how risk averse their CEOs are, and, ultimately, whether a judge agrees with the ISPs’ lawyers. With the bill headed to a conference with the House, a simple request to conferees: insert a clause in the definition that explicitly includes or excludes ISPs. It will save years of court battles and the livers of anyone who tries out this drinking game.
  • Trade
    New Cyber Brief: Improving Supply-Chain Policy for U.S. Government Procurement of Technology
    The Digital and Cyberspace Policy Program has launched its fourth Cyber Brief. This one is authored by Danielle Kriz, cybersecurity fellow at New America and formerly the director for global cybersecurity policy at the Information Technology Industry Council. Policymakers around the world are increasingly concerned about the security of information and communications technology (ICT) supply chains. As governments rely more on ICT to conduct services, they worry about the proliferation of counterfeit products and malicious code, as well as the growing number of cyberattacks on these ICT systems. Within this context, governments are demanding that vendors improve the security of ICT products sold to the government, with a particular focus on vendors’ supply chains. Danielle argues that recent policy proposals threaten to do more harm than good. She proposes a number of recommendations to develop effective supply-chain risk management policies. Namely, policymakers should ensure the policies address clearly identified gaps, build on existing best practices, promote solid risk management practices, work globally, improve the government’s own ICT procurement practices, and facilitate more actionable cyber-threat information sharing with affected vendors. In addition, she argues that U.S. trade negotiators should discourage discriminatory, country-of-origin-focused prohibitions emerging from China and India. You can find the full brief here.
  • Cybersecurity
    The Cybersecurity Information Sharing Act: A Bill Looking for a Problem to Solve
    It was a brilliant political maneuver. In the spring of 2011, the Obama Administration put out an ambitious legislative proposal on cybersecurity. Among other initiatives, it called for granting the Department of Homeland Security the authority to regulate cybersecurity for critical infrastructure providers. The Chamber of Commerce made it its mission to kill the bill. They used a simple argument: government doesn’t need to regulate; it needs to make it possible for companies to share information with each other. The argument worked. The idea of regulating our way out of cybersecurity died a slow and painful death. When the Obama Administration put out a second legislative proposal in the winter of 2015, there was nary a mention of regulation. Yet the “information sharing problem” was never anything more than a digital age red herring. The reality is that companies share cybersecurity information all the time. Literally, millions of indicators every day. Fears that the Justice Department will bring up charges of antitrust violation have proven unfounded for over a decade. ISACs have been sharing information among their members since 1998. More recently, Symantec and Intel Security (formerly McAfee) are two of four founding members of the Cyber Threat Alliance. The core requirement to join is to share 1,000 unique malware samples a day. If these two rivals in the same industry can share cybersecurity information with each other legally and in full view of the public, who can’t? If the long precedent of cyber information sharing was not enough to convince wary general counsels that antitrust was not a concern, the Department of Justice and the Federal Trade Commission have gone out of their way to make that point clear. 
In a statement of policy issued in 2014, the chief enforcers of antitrust law made clear that not only was sharing cybersecurity information not a concern, “information exchanges could be procompetitive in effect.” Any general counsels that still have concerns can ask the Department of Justice for a business review letter. Thus far, only one company, TruStar Security, has done that. You can read the letter here. Want to share information with the federal government but worried it could be subject to the Freedom of Information Act (FOIA) or shared with regulators? You don’t need the Cybersecurity Information Sharing Act (CISA) to pass. The Department of Homeland Security already operates the Protected Critical Infrastructure Information sharing program—PCII for short. Information shared through it cannot be disclosed under FOIA, state and local sunshine laws, through civil litigation or to regulators. Cybersecurity information is categorically considered PCII. Many companies already share cybersecurity information with the federal government through this program. So what, then, if anything, would CISA do? For most companies, the answer is nothing. Information sharing will continue. If any companies thought monitoring their Internet traffic for security threats was a problem not solved by end user agreements and security banners, Congress has you covered (if this was actually a problem, we wouldn’t have companies like FireEye today). The privacy and civil liberties communities believe the intention of the bill is not to allow the private sector to share more information but to be able to collect more information. As Senator Ron Wyden put it, “it’s a surveillance bill by another name.” I used to agree with Senator Wyden. But that was before the Snowden revelations made cozy relationships with the U.S. government bad for business. Before Snowden, a system where private companies could voluntarily share information with, oh say the NSA, would have been a problem. 
Now, the U.S. government is lucky to get information out of companies with a court order. The list of companies that on a voluntary basis actually want to share information with the Federal government, let alone the intelligence community, is pretty short. If CISA passes, it probably won’t do much harm. It also won’t do much to increase cybersecurity information sharing. But it will have one tremendously positive effect: finally, we will be able to shut up about information sharing and figure out what legislation might actually do something to improve cybersecurity in this country.
  • Cybersecurity
    On Cyber Information Sharing, It’s the Medium Not the Message
    When Senators return to Washington, DC this fall, they will take up work on legislation to make it easier for companies to share cybersecurity information with each other and with the government. The future of the bill, the Cybersecurity Information Sharing Act, is uncertain. Beset with concerns over privacy and civil liberties, many past attempts at addressing this issue have failed to reach the President’s desk. Senators will have to wade through twenty-one amendments offered by both Republican and Democratic colleagues and then try and get it through the House. Unfortunately, if they succeed, neither the bill in its current form nor any of the amendments will do much to increase the effectiveness or timeliness of cybersecurity information sharing. One of the bill’s primary objectives is to ensure that companies aren’t liable for sharing cybersecurity information with government. But liability is not the problem it was once thought to be. Companies exchange millions of pieces of cybersecurity information each day. Non-profit groups like the Financial Services Information Sharing and Analysis Center, the Center for Internet Security, and the Cyber Threat Alliance have coalesced whole industries to share data. Private companies like ThreatConnect, TruStar, and AlienVault provide information sharing services to their clients. So, what then is there left for Congress to do? None of these commercial products do two things that government is best suited to do: provide validation that companies and individuals are trustworthy partners and a secure, classified network over which such sharing can take place. When the unclassified email servers of the Joint Chiefs of Staff were recently hacked, the ability to communicate securely on classified networks kept Pentagon operations moving. 
Cyber incident response teams managing the breach could communicate with the intelligence community, law enforcement, and other parts of the Pentagon without the alleged Russian attackers listening in. Contrast this with what happens when a private company is hacked by the same actors. The compromised network cannot be trusted to communicate on the remediation. Even phone calls, now mostly carried over the Internet, are not considered secure. If the FBI wants to share information with you, expect federal agents to darken your doorstep. When the government has classified information to share, it must be shared in a secure, government facility. That happens at best on a quarterly basis making it neither timely nor actionable. A better model has been piloted by the Department of Defense for several years. Companies within the defense industrial base like Lockheed Martin, Boeing, and Raytheon have access to such capabilities today. They use a separate classified network called the DIBNET to share cybersecurity information securely with each other and with the Department of Defense. Only personnel working at participating defense companies that have been cleared through the background investigation process made famous by the hacking of the Office of Personnel Management can access the network. When unclassified networks that are accessible from the Internet become compromised, the network is used to coordinate incident response so that such communications are not intercepted. While the program for the defense sector is a good start, companies that operate our financial, electric, water and other critical systems must also be granted access to classified networks for cybersecurity purposes. Cybersecurity is often characterized as a partnership between the government and the private sector. 
For that partnership to be fully realized, private companies bearing the costs of defending themselves against nation-state adversaries like China and Russia must be allowed access to the same networks and same information that federal agencies use to prevent and respond to cyberattacks. When Congress returns, leadership should move quickly to ensure that any cyber information sharing legislation that passes directs the creation of such a network for these companies.
  • Terrorism and Counterterrorism
    Legislative Proposals on Terrorist Use of Social Media Raise Policy and Legal Questions
    On June 16, the House of Representatives passed an Intelligence Authorization Act for Fiscal Year 2016, which requires the Director of National Intelligence (DNI) to produce a report on terrorist use of social media (Section 344). On July 7, the Senate Select Intelligence Committee approved an intelligence authorization bill that does not include the House bill’s mandate for a DNI report but does require social media companies to report terrorist activity to the federal government (Section 603). These proposals are new developments in the growing efforts to counter terrorist use of social media.
The House Requirement for a DNI Report
The House bill requires the DNI to produce a report containing the "assessment of the intelligence community on terrorist use of social media." The report must assess: What role social media plays in radicalization in the U.S. and elsewhere; How terrorists and terrorist organizations use social media; The intelligence value of social media posts by terrorists; and The impact on U.S. national security of terrorist content on social media for fundraising, radicalization, and recruitment. This proposal connects to efforts to understand terrorist use of social media, its national security implications, and ways to counter it. Legislative interest in the intelligence community’s assessment of these issues is understandable, but controversies about, for example, the role social media plays in radicalization, will heighten scrutiny of the intelligence community’s conclusions. Depending on what it contains, the DNI’s report could increase congressional interest in regulating social media for counter-terrorism purposes—another reason such a report could be consequential. 
The Senate Requirement for Social Media Company Reporting
The bill approved by the Senate Intelligence Committee requires anyone who "obtains actual knowledge of any terrorist activity" while providing electronic communication or remote computing services to the public through means of interstate or foreign commerce to provide federal authorities with "the facts or circumstances of the alleged terrorist activities." This requirement directly regulates social media providers and raises more questions and policy implications than the House mandate for a DNI report. The provision does not define "terrorist activity," beyond requiring reports of activities touching on the federal crime of "distribution of information relating to explosives, destructive devices, and weapons of mass destruction" (see 18 USC sec. 842(p)). Without parameters, companies could interpret "terrorist activity" differently, creating under-reporting (which would harm the purpose for reporting) and over-reporting (which would create privacy and free speech concerns). To protect privacy, the provision states that it may not be construed to require a provider to monitor users, subscribers, or customers or the content of their communications. Although social media providers do not have to conduct active surveillance, the provision does not address privacy or free speech worries associated with reporting communications to the federal government (my recent Cyber Brief provides some guidance on these issues). Further, the provision does not specify what federal agencies (FBI, DHS, NSA, CIA) should receive reports because it assigns that responsibility to the Attorney General. Nor does the provision say anything about what agencies can do with submitted information. Thus, the provision raises concerns similar to those advocates of civil liberties have raised about proposed cybersecurity legislation designed to increase information sharing between the private sector and the federal government. 
News reports raise questions about the purpose of the reporting requirement. Senator Dianne Feinstein, a member of the Senate Intelligence Committee, argued that "social media companies should be working with the government to prevent the use of their systems by violent militants." The Washington Post quoted an unnamed Senate aide who indicated the provision seeks to stop companies from removing content related to terrorism without informing the federal government in order to avoid losing potentially valuable intelligence. Reuters quoted "an official familiar with the bill" stating that its "main purpose was to give social media companies additional legal protection if they reported to the authorities on traffic circulated by their users." Legislation can serve multiple objectives, but, given sensitivities about tech companies providing information to the federal government, clarity on the purposes of this proposed regulation is critical. The provision leaves other questions unanswered. What happens to a social media provider that does not report terrorist activity of which it is aware? What oversight is needed to monitor reporting terrorist activity on social media to the federal government? How will such regulation be perceived by foreign customers of U.S. companies who are, post-Snowden, upset about the U.S. tech sector’s cooperation with, and vulnerability to, the U.S. government? Does the requirement apply to foreign companies that, in providing communication or computing services, access facilities or means of foreign or interstate commerce? The House and Senate proposals demonstrate intensifying concern in Washington, D.C. about terrorist use of social media, with the Senate bill containing the first attempt to require social media companies to support the federal government’s fight against digital terrorism. 
Although neither bill is close to becoming law at the moment, what happens next bears watching for national security, civil liberties, and business reasons.
  • Cybersecurity
    China’s New Cybersecurity Law
    The National People’s Congress posted the draft of a new cybersecurity law (in Chinese) on Monday. The purpose of the law, according to the NPC, is to maintain "cyberspace sovereignty." The law is open for comments until August, and the important questions will be in how it is modified, interpreted, and implemented. But here are some of the key points: Government will establish national security standards for technical systems and networks. Real name registration to be enforced more strictly, especially with messaging apps where enforcement has been lax. Internet operators must provide “support and assistance” to the government for dealing with criminal investigations and national security. Nicholas Bequelin, East Asia Director at Amnesty International, tells Reuters that Article 50 gives authorities the legal power to cut Internet access to maintain order as Beijing did in Xinjiang in 2009. “Timely warning and notification” system for cybersecurity incidents. Greater investment in cybersecurity (including subsidies for cybersecurity companies, internet operators, etc.) and cybersecurity education. The Cyberspace Administration of China (CAC) will review cybersecurity practices of key telecommunication operators, conduct regular emergency drills, and provide help in implementing the law. Employees must undergo background checks, and the CAC will review procurement. User data for the key operators must be stored in China (if there’s a business imperative to store data overseas, they can apply for exceptions). Collection and use of user data must “comply with the principles of legality, justice, and necessity” (遵循合法、正当、必要的原则) and operators must secure users’ agreement to have their data used. Data collected must be related to the service the Internet operator is providing. Collected user data must have adequate protections and data breaches must be responded to in a timely manner. 
The foreign business community will be reading the law closely, trying to determine how the cybersecurity standards and procurement provisions will be implemented. The past few months will not give them great comfort, as Beijing has adopted a national security law and other provisions to make technology used in China "secure and controllable." Just weeks after the Strategic and Economic Dialogue ended, and months before President Xi Jinping’s visit to the United States, cybersecurity and information technology are becoming an even greater source of tension in the bilateral relationship.
  • Cybersecurity
    Taking Stock of Snowden’s Disclosures Two Years On
    Last Friday marked the second anniversary of the start of Edward Snowden’s disclosures. The days preceding this anniversary highlighted Snowden’s continued prominence. On June 1, Section 215 of the USA PATRIOT Act—the legal basis for the domestic telephone metadata surveillance program Snowden revealed—expired. On June 2, the Senate passed and President Obama signed the USA FREEDOM Act, which the House of Representatives previously approved. This legislation transforms how the U.S. government will access domestic telephone metadata for foreign surveillance. On June 4, the New York Times published a story based on Snowden-disclosed documents claiming the NSA secretly expanded “Internet spying at the U.S. border.” Also on June 4, Snowden published an op-ed claiming that “the world says no to surveillance.” It was a good week for Snowden. But has it been a good two years for the rest of us?
Section 215 and the Domestic Telephone Metadata Program
Snowden’s signature achievement involved exposing what the U.S. government did under a secret interpretation of Section 215. He defended the principle that the government should not exercise power under secret laws. Although oversight bodies found no NSA abuses, this conclusion did not overcome the rule-of-law defect Snowden emphasized. However, Snowden’s challenge was not the only factor in Section 215’s death. The metadata program was ineffective as a counter-terrorism tool, which led some in the intelligence community to welcome its demise. Had the program contributed to foiling terrorism, its utility might have overcome the taint of its secret jurisprudence.
Section 702 Surveillance Against Foreign Targets
Snowden also exposed programs operated under Section 702 of the Foreign Intelligence Surveillance Act (FISA). For example, the Times article on June 4 used Snowden-provided documents to disclose that the U.S. 
government began conducting surveillance for malicious cyber activities suspected to originate from foreign governments. Section 702 authorizes surveillance against foreign governments, so the cyber surveillance fits within this legal authority. The NSA was interested in conducting cybersecurity surveillance without identifying a foreign target. Such a step might have secretly expanded Section 702, but the Department of Justice blocked the idea. Like Snowden’s other Section 702 revelations, this disclosure did not reveal secret activities that break the law or abuse legal authority. Instead, Snowden’s disclosures provided transparency about Section 702 programs. Information released by the intelligence community and contained in oversight reports brought even more transparency. Controversies about the scope of Section 702 surveillance, the scale of incidental collection of communications of non-targeted persons, and government uses of incidentally collected information existed before Snowden came along. The new transparency rekindled these controversies, but also revealed how valuable Section 702 surveillance is to the U.S. government. President Obama imposed additional restrictions on U.S. government use of incidentally collected information but did not curtail the surveillance. Congress has not, so far, amended Section 702. At the two-year mark, Snowden’s impact concerning Section 702 is less definitive. Section 702 surveillance continues with robust support, leaving advocates of civil liberties lamenting the lack of curtailment of these programs. Further, the new restrictions on the use of incidentally collected information have not placated domestic opponents or foreign governments and nationals. In many ways, pre-Snowden debates about Section 702 continue because the transparency Snowden triggered provides all sides with ammunition. 
The Global Context
Snowden intended to spark global debate by framing expansive surveillance and espionage as threats to universal human rights. His June 4 op-ed claimed a “change in global awareness” is underway and “the balance of power is beginning to shift.” However, the gap between these claims and reality is great, suggesting his impact globally has been weak, if not counterproductive. The latest Freedom on the Net survey does not support Snowden. Between May 2013 and May 2014 (roughly the first year of his disclosures), Internet freedom declined “for the fourth consecutive year, with 36 out of 65 countries assessed . . . experiencing a negative trajectory[.]” Little has happened since May 2014 to suggest this trend has been reversed. Increased surveillance by many states, including democracies, contributed to this trajectory’s momentum. For example, governments in France, Turkey, and the United Kingdom said “yes” to increased surveillance. In the midst of this decline, Snowden damaged the U.S. government’s international standing, created rifts among democracies, and harmed U.S. technology companies. The Snowden-triggered move by tech companies toward stronger encryption pits democratic governments against the private sector and civil society in a looming zero-sum brawl. Meanwhile, unperturbed by Snowden, autocratic countries exploit the disarray within and among democracies, bash the hypocrisy of Internet freedom’s champions, conduct intrusive surveillance at home and abroad, and strengthen their manipulation, control, and censorship of digital communications. Given these facts, the UN resolution on the right to privacy in the digital age, which represents global progress for Snowden, does not reflect consensus among states on the relationship between surveillance and human rights. An unprincipled but ineffective program is dead. Long-standing controversies about large-scale surveillance programs targeting foreigners continue. 
Government surveillance powers are increasing, democracies are bitterly divided, and Internet freedom is in retreat. Whether these outcomes mean we have, as a country and an international community, reached a better place is hotly debated—a reminder that history’s arc is longer than two years.
  • Intelligence
    The Messages the Federal Court of Appeals Sent to Congress and the Executive Branch on Metadata Surveillance
    Last week, a federal appeals court ruled that Section 215 of the PATRIOT Act does not authorize the NSA’s telephone metadata surveillance program. Since Edward Snowden disclosed it in June 2013, the program has been so controversial that its fate has taken on historic significance. The decision in American Civil Liberties Union v. Clapper arrived as Congress must decide whether to reform the program, continue it by re-authorizing Section 215, or let Section 215 expire on its June 1 sunset date. The judgment provided the program’s defenders and critics with ammunition in this debate. Moreover, the court, through its decision, seems to be sending the political branches explicit constitutional messages about what should happen next. Troubling Aspects of the Decision This case began in August 2013 when the ACLU filed suit in response to the program’s disclosure. In December 2013, a federal district court denied the ACLU’s request for a preliminary injunction, reasoning that federal law precluded judicial review of Section 215 and the program did not violate the Fourth Amendment. The appeals court over-ruled the district court. It decided Congress did not preclude judicial review of Section 215, and it held Section 215 did not authorize bulk collection of telephone metadata because this activity was not, and could not reasonably be interpreted as being, relevant to authorized counter-terrorism investigations. The court did not issue a Fourth Amendment ruling. Nor did it grant the preliminary injunction the ACLU sought. Commentary of the appeals court’s decision has mostly focused on whether the court was legally correct or persuasive and what impact the decision might have on Capitol Hill. However, the decision has troubling features that have received less attention but deserve examination. To begin, the court compared the firestorm over the program to scandals in the 1970s concerning surveillance within the United States. 
Like federal courts did in the 1970s, it held that the phone metadata surveillance program was illegal. Yet, in not issuing an injunction, the court allowed the program to continue because of the “national security interests at stake.” Under constitutional law, surveillance should have a legal basis. After the court’s interpretation of Section 215, that basis could only be the president’s constitutional national security powers. But federal courts in the 1970s rejected claims that these powers justified the domestic surveillance at issue. The Bush administration turned to Section 215 to avoid continuing to rely on presidential powers to justify the metadata program legally. So, with presidential authority suspect, what is the legal basis for the program as it continues to collect phone metadata on Americans? Concerns multiply when we consider the privacy implications of government collection of metadata in the age of ubiquitous digital technologies. The court acknowledged that dependence on these technologies raises difficult questions about the “third-party doctrine,” where data is not protected under the Fourth Amendment if it is shared with a third party, such as a phone company. Given this acknowledgment, is the court allowing a surveillance program to continue that not only lacks a legal basis but also might violate the Fourth Amendment?
Making Sense of the Decision
In its decision, the court is sending two strong messages to the legislative and executive branches about their responsibilities to protect national security and safeguard individual rights. First, the court believes the best outcome over the Section 215 program is agreement between the political branches. Issuing a preliminary injunction because the metadata program had no legal basis or making a Fourth Amendment ruling because of the impact of digital technologies would take federal courts deeper into volatile national security, privacy, constitutional, and political controversies.
The court asserts that legislation provides the most effective way to design metadata surveillance programs for counter-terrorism and to signal what the political branches deem permissible under the Fourth Amendment. In short, the political branches can directly authorize metadata surveillance to protect national security (avoiding the surreal interpretive brawl Section 215 became) tailored to reflect privacy concerns about government collection and analysis of metadata in the digital age (avoiding potentially divisive judicial decisions on the Fourth Amendment). Second, the court’s reasoning contains warnings to the political branches as they consider their next steps. Its interpretation of “relevance” in Section 215 sends the message that invoking national security should not contort laws in ways that defy their language and intent. The court also rejects the argument that Congress ratified the executive branch’s expansive definition of relevance when it reauthorized Section 215 in 2011. In doing so, the court communicated that secret legislative review of secret interpretations of public laws is not legitimate. Finally, the court signaled its view that changes in communication technologies raise serious constitutional concerns with the third-party doctrine, suggesting that it might have held the metadata program in breach of the Fourth Amendment had it reached this question. In sending these messages, the court recognized the constitutional prerogatives of the political branches in national security but provided rule-of-law guidance to Congress and the president in crafting new legislation the United States so badly needs. Whether the political branches live up to these responsibilities in the coming days will signal to the world if the United States understands how to protect the security and rights of a free people.