Corporate data collection and U.S. national security: Expanding the conversation in an era of nation state cyber aggression

Cordero’s remarks were adapted for an article in Lawfare, where she writes, in response to the question, “What has the Russia investigation revealed about risks inherent in mass private data collection?”:

Although the Senate Select Committee on Intelligence (SSCI) and special counsel investigations are not yet complete, we know enough already about Russia’s interference in the 2016 election to understand that data collected from private companies and organizations can be accessed, exposed and potentially misused in a way that is harmful to the country’s institutional stability. At the very least, its misuse sows distrust and confusion. At worst, it shreds the institutional and societal fabric that holds the country together.

Among the many lessons of the Russia investigation may be that there is a more substantial national security issue than previously considered, posed by the collection and use of individuals’ data, and data about individuals, collected and retained by social media and other technology companies. This includes the downstream access to this data by foreign intelligence services or their surrogates.

So far, the Russia investigation has produced the following examples of how Americans’ online presence and digital data were accessed, compromised, used or manipulated in the course of efforts to manipulate the 2016 election. These are not exhaustive, but are illustrative:

· Communications, including emails, of the Democratic National Committee were hacked and released publicly via WikiLeaks.

· Emails of additional high-profile individuals were publicly released by D.C. Leaks and Guccifer 2.0, who is believed to be affiliated with Russian intelligence.

· Facebook has identified accounts associated with APT28—a group linked to the Russian intelligence services—that took part in malicious cyber activity on the platform that targeted employees of U.S. political parties.

· Facebook also determined that over 29 million users were exposed to information in their news feed from the Internet Research Agency, the Russian government-sponsored organization indicted in federal court for, among other charges, conspiracy to defraud the United States.

· Twitter reported that in one day, it detected close to half a million suspicious log-ins. This was revealed through new processes that Twitter has implemented as a result of election inquiries exposing how the automated use of Twitter has been manipulated, and to better identify suspicious accounts and activity.

· The use of our online data for political purposes is not limited to any one company. Cambridge Analytica obtained access to over 50 million Facebook accounts on behalf of the Trump campaign, for political advertising purposes. Google played an important role in the Obama campaign.

On one hand, use of this data for domestic political purposes may make perfect sense as a 21st century expression of democracy. But what if that same data is obtained or manipulated, or its users are targeted, as a foreign intelligence operation? At that point, we have a national security problem.

As Clint Watts—a former FBI agent and leading authority on Russian active measures—explained in testimony before the Senate intelligence committee, Russia’s goal is to “topple democracies.” And in order to do that, the Kremlin is using Americans’ own information and technologies that the United States has popularized.

Pierre Omidyar, eBay’s founder, has put it another way, writing in the Washington Post last year that “the monetization and manipulation of information is swiftly tearing us apart.” Many of the most-affected technology companies in the Russian influence matter—and other companies and organizations that are aware of the nation-state cybersecurity threat—have taken voluntary steps to mitigate the risks to data and users. But again, all of these acts are voluntary. That voluntariness may not adequately address the threat.

While the federal government is no model of data protection, the government is applying some pre-existing mechanisms to address state-sponsored cyberattacks. Consider, for example, the government’s use of criminal prosecution as a means of providing accountability to Chinese government actors for economic espionage. But the Chinese cases allege a different type of activity than what the public record tells us about the purpose of the Russian influence activities. Another government response available to cyberattacks from nation states is available in the military context—but that type of response requires certain legal and policy thresholds to be met, which are lacking here.

In the civilian space, the government does have at least one structured way of evaluating the national security implications of private sector activities: the process by which the Committee on Foreign Investment in the United States (CFIUS) reviews mergers and acquisitions for national security consequences. In most cases, CFIUS reviews a proposed activity and approves it. But in some cases, CFIUS reviews a proposed activity and recommends modifications—or recommends that the activity not progress at all. In other words, the proposed activity—a wholly private sector transaction—is reviewed for national-security consequences in advance, because Americans collectively recognize that a threat exists and needs to be mitigated.

CFIUS is just one example, and it is not a model that has been replicated in other contexts. But it is a useful illustration, to point out that, today, we have no similar framework for even thinking about how to evaluate private sector data collection activities from a national security perspective.

Cordero concludes:

National security issues are defined by how they have the potential to affect American institutions, freedoms, communities—overall, our way of life. Setting aside whether there was knowing involvement by Americans in the Russian effort to influence the election, there is no disputing the existence of a Russian influence campaign intended to affect our democratic elections—or that the actors involved stole, accessed or used communications and other digital data available through a variety of sources to implement their plan. This effort was carried out, in some part, by the acquisition of data or access to users available via private sector digital platforms. The hearings into Russian interference so far have properly asked what more companies can do to mitigate the activities of hostile nation states for the data they have already collected. But there also seems to be space here to ask whether there is a greater role for government, in the civilian arena, than to merely ask the companies to do more.

Read the article: Carrie Cordero, “Corporate data collection and U.S. national security: Expanding the conversation in an era of nation state cyber aggression,” Lawfare (1 June 2018)