Analyzing Executive Order 14117:  What companies might be affected and how might their business processes change


Executive Order 14117 will prohibit certain transactions in which American companies share sensitive personal data with, or sell it to, “countries of concern”.  The order is designed to restrict the direct transfer of specific types of data outright, and it will also have to restrict downstream transfers of that data so that the information does not eventually wind up in the possession of the identified countries.  Though the implementing rules have not yet been written, this article anticipates which businesses may be affected and how, both in terms of operations and in terms of enterprise value.  The third installment will focus solely on how businesses will manage their compliance with the Executive Order (“EO”).

Companies from multiple industries will be affected by the EO, but the biggest impact will likely be felt in the biotech space, and particularly by startups that need to save costs and increase cash flow.  The three categories of companies most likely to be affected are: 1) financial companies that collect information on clients and sell it to other companies for marketing purposes, whether to sell their own financial services or to market goods or services; 2) applications with a reason to track movements and location data, or social media apps that must differentiate between the content produced and the metadata associated with that content; and 3) genomics companies, like 23andMe, that have compiled valuable raw genetic data and have built partnerships with biotech companies that produce much-needed revenue and cash flow.

Each business will face external impacts and internal impacts on processes.  The external impacts will involve operations and cash flow.  The internal impacts will involve processes, such as compliance and data security.  The bottom line of the EO is that businesses may have far less money coming in, and will spend significantly more on internal expenditures.  There is a strong possibility that some biotech, particularly startup genomic companies, will have to change their revenue structure or face bankruptcy and failure.

The enterprise value of technology companies is strongly correlated to the amount of data they collect.  Whether this data is sold to third parties to create a revenue stream, or analyzed and applied to create revenue internally, data has been a top driver of economic value for technology companies.  Though these companies range across industries from genetic testing startups to social media platforms selling targeted advertising, the value of raw data that can be analyzed to drive revenue has been the most significant basis of the enterprise value of most tech companies.  This EO, because it targets data, necessarily targets the enterprise value of technology companies.  As an example, 23andMe deserves study.  23andMe sells a genetic testing kit that, at the retail level, discloses the ancestral locations of a person’s forebears by identifying genetic markers in the test taker’s DNA.  But their business model goes beyond ancestral reports.

A February 2024 CNN article on 23andMe provides a useful illustration of the enterprise risk the EO poses to biotech companies.  The article highlights that its share price has fallen around 96% (97.2% at the time of this writing) and that 23andMe could run out of money this year.  How did 23andMe become a valuable company, though?  In 2018, it reached an agreement with London-based GlaxoSmithKline (GSK) that eventually reached an investment value of $370 million for access to 23andMe’s genetic data, supplied by people seeking ancestry kits.  Pay $100 to learn your ancestry, and they sell the data for $370 million to a biotech company.  Though selling to an English company would not violate the EO, as the United Kingdom is not a “country of concern”, the principle remains that genetic companies derive value from selling access to data.  Thermo Fisher, an American company that also sells genetic testing kits, announced in January that it would stop selling its kits in areas of China that contain ethnic minorities, like Tibet, where the Chinese government is suspected of targeting the population.  This EO will close off potentially lucrative partnerships for American companies, particularly those facing cash flow issues.

The EO will have significant operational impacts on businesses as well.  These impacts can be separated into two categories: external impacts and internal impacts.  The external impacts follow from the discussion above.  Partnerships will have to be vetted to make sure that countries of concern do not directly, or indirectly, receive sensitive personal data from American companies.  An American genetic testing company could reach a partnership agreement with a British biotech company, but that company will not be able to share the data with a Russian biotech company.  This will certainly decrease the number of partnership opportunities available, will likely lower the value of permissible partnerships to the data-holding company by giving more negotiating power to the buyers, and may adversely impact cash flow and funding efforts.

Internally, however, companies will see their expenses increase.  The EO suggests that a compliance framework will be created by NIST, combining NIST’s cybersecurity frameworks and privacy framework.  Companies will pay more to track the flow of data and to know its precise location at all times, particularly after the data has been permissibly shared.  Companies will need to build internal processes around data maintenance and the tracking of data as it moves, to make sure that both the company and its partners are complying with the EO.

Furthermore, because adversarial nations will no longer have lawful access to American testing information, one can expect efforts to hack the data to become even more frequent.  In January, 23andMe was sued because hackers were able to access and steal genetic information about test takers with Ashkenazi Jewish heritage.  Not only will companies that possess sensitive personal data become more frequent targets of hacking activity, but their processes will also have to be documented to show compliance with the EO and alignment with the new NIST framework.

In the end, this EO will produce a significant financial inversion.  Cash flows from partnerships will likely decrease while expenses to comply with the order will increase.  If hackers are successful, then an adversarial nation that once could have provided a financial benefit will still wind up with the data, and the company will face serious lawsuits.  Put differently, while the reduced cash flow would suggest to companies that they should curb expenses, the companies will have to spend considerably more to do all they can to ensure that foreign hackers from countries of concern do not wind up stealing the information and landing the company in lawsuits.

The third and final article in this series will be a more in-depth discussion of how the compliance regime will likely develop.  For now, American companies that hold sensitive personal data should start to examine their operational procedures and compare them to the likely shape of the EO, because, just like their genetic testing, the EO is attempting to create a different world in which they will have to survive.

Explaining Executive Order 14117: “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”

On February 28, 2024, the Biden Administration released Executive Order 14117, the latest in a series of Executive Orders (“EO”) issued over the past decade that seek to use emergency national security powers to limit adversarial nations’ access to data concerning American citizens.  This EO is broader in sweep than other bans, for example President Trump’s now-overturned EO attempting to ban the Chinese Communist Party from collecting data on American citizens through the TikTok app, and is therefore implicitly designed to survive Constitutional challenge.  This article is the first of three on EO 14117.  It simply explains what provisions are included in the EO.  The second article attempts to analyze how the EO may affect American businesses and business practices.  The third article addresses corporate compliance.

The subject matter of the EO is data, specifically “sensitive personal data.”  The EO defines the term as, “covered personal identifiers, geolocation and related sensor data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof, …, and that could be exploited by a country of concern (emphasis added) to harm United States national security if that data is linked or linkable to any identifiable United States individual or to a discrete and identifiable group of United States individuals.”  The essence of this definition is that it seeks to prevent foreign countries’ intelligence operations from building dossiers on individual American citizens.  A complete dossier would include information about a person’s finances, which can be used to compromise a person; geolocation data, which can build patterns of behavior based on where a person routinely goes as tracked by smartphones and smartwatches; and intrinsic health information, which includes not only medical records but information from genetic testing that can disclose vulnerabilities to sicknesses or compromised personal relationships inside of families.  Any of these categories, in whole or in isolation, can be used to approach and compromise a citizen, to threaten their security and freedom of movement, or to blackmail or extort someone.

There are exceptions to the application of the EO, but those exceptions are limited to three categories: 1) information already in the public record; 2) the personal communications of a person; and 3) informational materials.  The latter two are known as the Berman Amendments, which were included in IEEPA as a civil liberties protection, but more significantly were the stumbling block of the Trump TikTok ban because the content of videos would necessarily have been suppressed in the process of blocking the app.

The term “country of concern” is used within the definition of sensitive personal data.  This term creates the national security tie-in at the heart of the EO.  The EO defines the term, in essence, as “any foreign government that, as determined by the Attorney General…, has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons, and poses a significant risk of exploiting bulk sensitive personal data…”  Who are these nations?  Per the DOJ fact sheet on the EO, the program likely contemplates identifying China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern.

Why the concern over sensitive personal data and adversarial foreign nations?  The rise in computing power and artificial intelligence has made constructing these espionage dossiers, or unlocking a genetic “deficiency” that leaves a subset of people vulnerable to a specific attack, both realistic and potentially achievable.  The “countries of concern” have already begun collecting this data.  In June 2018, Facebook (Meta) acknowledged sharing personal data of users with four Chinese electronics companies deemed national security threats.  A Chinese genetics company called the BGI Group has developed a prenatal test for Non-Invasive Fetal Trisomy that captures genetic information about the mother.  A BGI study used a military supercomputer to look for genes and characteristics that could be singled out in minority Tibetan and Uyghur populations.  And to further the concern for abusing ethnic subsets, the genetic testing database of 23andMe was hacked and the hackers searched specifically for the genetic data of Ashkenazi Jews and ethnically Chinese customers.

But to return to the text of the Executive Order, what conduct is the EO prohibiting?  Section 2(c) suggests a framework for what conduct will eventually be prohibited, but the National Security Division of the Department of Justice will issue a notice of proposed rulemaking, and the commentary will shape the prohibitions.  The framework includes the identification of the classes of transactions to be prohibited, such as selling genetic data to researchers in countries of concern; the identification of classes of transactions where the risk of improper access can be mitigated with the help of Homeland Security’s CISA agency; the identification of countries of concern and covered persons who shall not be allowed to receive such sensitive personal data; and the creation of a licensing process to undertake allowable transactions involving sensitive personal data.  Homeland Security will also develop interpretive guidance and enforcement guidance.  Other provisions exist in the order, but an interesting nugget that will increase the cost of compliance is that the National Institute of Standards and Technology (NIST) will develop a framework, based on its Cybersecurity and Privacy Frameworks, to help companies whose business collects sensitive personal data comply with the regulations.

Multiple government agencies will be involved in the development and execution of the EO.  Many separate departments will contribute to the EO and have responsibilities after the final rule has been made.  The Department of Justice will work with the Secretary of State and Secretary of Commerce to identify the countries of concern.  The AG will also work with Homeland Security to identify the prohibited transactions and the related substance of the EO.  Homeland Security will assist with promulgating rules and regulations using the IEEPA authorities, as well as use CISA to help entities understand compliance responsibilities.  Finally, an interagency committee known as “Team Telecom” will work to review transactions involving foreign investment in American companies that possess this data.

The EO is a useful framework for the public and the federal agencies, but the substance of it will be determined through the rulemaking process.  Per the Department of Justice, “The purpose of the ANPRM is to provide transparency and clarity about the intended scope of the program and to solicit input from the public before it goes into effect. The Department welcomes comments on the ANPRM from industry, civil society, and advocacy groups with expertise on data security and cybersecurity, organizations and entities affected by the proposed regulations, and anyone else with an interest in the proper administration of the Executive Order’s directions to prohibit or restrict certain transactions involving Americans’ bulk sensitive personal data or U.S. Government-related data with countries of concern or persons subject to their jurisdiction. Written comments on the ANPRM may be submitted within 45 days on regulations.gov. The ANPRM will be followed by proposed regulations at a later date.”

Until the rules are out, companies will not know how to comply with the Executive Order.  However, they will be able to make educated guesses as to how such an EO might change their business practices, from external customers to internal process management.  Companies would be wise to assess how they might be affected by the EO, and to use this time to shape the EO in a way that comports with their business practices.  The next article in this series will provide my projections on how businesses that collect sensitive personal data might have to change their business practices.

A Durable Framework for Banning TikTok: A TikTok Compromise Bill

TikTok recently admitted to storing American user data in China, contradicting sworn testimony to the contrary, but the renewed efforts to ban TikTok have stalled in Congress.  A political horseshoe alliance of far-left Democrats and right-leaning libertarian Republicans objects to any TikTok ban bill, with the latter group actively campaigning against the bipartisan RESTRICT Act and tabling discussion of the bills put forward by conservative Republicans.  If any TikTok ban bill is to reach the President’s desk, then the self-identified moderate Democrats and Republicans will have to find common ground with conservative Republicans to build a coalition to pass a single compromise bill.  This editorial proposes a framework by which a compromise bill that combines the strengths of the RESTRICT Act and the IEEPA-based bills can be created, while also providing limitations to protect civil liberties through clearer definitions and separated analytical processes.

The compromise should install a dual-process set of authorities gauged to the seriousness and immediacy of the stated risk.  One track, embedded in the RESTRICT Act, would assess the technologies that create undue threats, matched against a codified list of technological features and actions that create undue risks, and recommend appropriate remedial actions from a strictly construed list of powers.  The second track, embedded in the conservative Republicans’ bills, would amend IEEPA and use emergency authorities for managing extraordinary threats.  This two-track process would limit the RESTRICT Act’s currently unlimited Presidential authority to address undue risks, while providing stronger Presidential authority to take more serious action against extraordinary threats under IEEPA.

RESTRICT and IEEPA use different standards when defining threats, underscoring the need for two separate processes.  The RESTRICT Act uses the “undue and unacceptable risk” standard for potential risks, while the IEEPA-based bills use the heightened “unusual and extraordinary threat” standard.  RESTRICT focuses on technologies, but the four delineated risks are actually attack vectors.  Conservatives have expressed two concerns over the limitless definition of “undue and unacceptable risk.”  First, the catchall language “otherwise poses an undue risk” swallows any limitations imposed in the four listed categories.  Second, the four categories are mismatched to the nature of ICTS.  A more tailored, yet more powerful, approach is to define the risk by actions taken and technological features, which provides precision and clarity.  The TikTok risk could be captured as “sharing private user data and metadata with foreign governments or foreign political parties.”  The sabotage category can include corrupting data, hardware, software, etc. to destroy or impair the proper functioning of critical infrastructure.  These guidelines will help the Secretary of Commerce know what to review, how to define the risk, and how to assess the unacceptability of that risk.  Mitigation measures under the RESTRICT Act process should be specifically listed and can include referral to study potential divestment, rescinding contracts for purchases of the technology, and other longer-term, commercially focused objectives.

Currently RESTRICT provides the President with unlimited authority to address an “undue risk”, defined as divestment or “any other action” to mitigate the risk.  This authority overlaps into emergency powers in IEEPA.  The second authority in the unified bill, taken from the conservative Republican bills, would amend IEEPA to allow for swift and decisive emergency action based on extraordinary threats.  These remedies would be more severe, to match the heightened risk, and include banning the technology for a specified period while the technology is reviewed, withdrawing systems from usage immediately upon declaration of the emergency and issuance of the order, and other emergency powers.  Together, these two amendments create two separate deliberative processes that match the stated technological risks to the correct process to produce commensurate outcomes through a series of tailored provisions.

Conservatives prefer the IEEPA route, so to build a coalition around the compromise bill, the decisive and tailored actions of the IEEPA-based TikTok bills should be incorporated, thus protecting the President’s ability to act on technologies that present an extraordinary threat.  The compromise bill must directly amend IEEPA.  A federal judge blocked President Trump’s attempt to ban TikTok using IEEPA because the Berman Amendment protected non-financial personal communications and information within videos.  The filed IEEPA-based bills attempt to get around that issue by saying the Berman Amendment does not apply to TikTok, though it would apply to every other social media app in the world.  The solution lies in specifying technology classes.  The compromise bill should create 50 U.S.C. 1702(a)(1)(D), which would provide the President with emergency powers to investigate, block, etc., technologies that have been defined by the RESTRICT Act, so that the separate powers are collinear.  The Berman Amendment, contained in section (b) of 1702, should be limited by what is effectively an exception to the exceptions.  The Berman Amendment shall not apply to exercises of authority under the new (a)(1)(D), because actions under that power are aimed at technology and only impose incidental burdens on informational materials.

Congress must include a severability provision so that if a judge reads the Berman Amendment into the bill, the powers provided to address “undue or unacceptable risks” still survive.  This new, amended RESTRICT Act would continue to be a durable tool to protect American networks from unacceptable risks.

The RESTRICT Act specifically provides the President with divestment authority.  The divestment process has historically resided in Treasury’s CFIUS.  The Secretary of Commerce, however, possesses the recommendation authority in the RESTRICT Act process.  This seems to create multiple divestment authorities, or at least separate processes between Treasury and Commerce.  To ensure consistency, Treasury and Commerce should clarify which entity has authority to review transactions where divestment is a possible outcome, and which Secretary’s recommendation shall be considered by the President.

A compromise bill that follows these recommendations should pass through Congress and also survive challenges in court.  But just like a TikTok video itself, one senses the opportunity to ban the app and China’s access to American information is quickly running out of time.

The RESTRICT Act’s Durable Framework for Addressing Technological Threats

By Lawrence L. Muir, Jr.

President of Broughton House

In a late March Pew Research poll, Americans favored a ban of TikTok by a 50%-22% margin.  But four years into federal efforts to ban the app, Americans are no closer to getting the political outcome they desire.  Congress has introduced four bills, with rumors of others on the way, to ban the app.  At the risk of being bogged down from bills that have the same goals but different approaches, Congress should prioritize bills that are constitutionally secure and legislatively durable.  Of the bills presented to this point, the RESTRICT Act is the closest to meeting those two benchmarks.

In a previous editorial I addressed the potentially fatal legal flaw in the TikTok ban bills produced by Senators Hawley and Rubio.  I argued that by limiting their respective bills to ByteDance and TikTok exclusively, the bills may be struck down as unconstitutional bills of attainder under Article I, Section 9.  Further, basing their legislation solely in IEEPA opens other legal challenges for TikTok.  IEEPA provides the President, through designees, with specific powers to act, producing swifter and more decisive actions.  But as three judicial opinions have ruled, IEEPA is fundamentally flawed as a choice for banning TikTok because of the Berman Amendment, which creates exceptions for personal communications not involving money and for informational materials.  Their legislation attempts an end run around the Berman Amendment by simply saying that section does not apply to their TikTok bills, but this language only strengthens the bill of attainder argument because the Berman Amendment would still apply to any other app from any other company and country.  On March 29, Senator Rand Paul expressed concerns over the bills’ “First Amendment issues”, which presumably refer to censorship through the blocking of personal communications and information that the Berman Amendment sought to protect.

The bipartisan RESTRICT Act negates both of those legal problems through one fundamental decision: the choice to focus the bill on underlying technologies rather than specific actors.  This choice eliminates the bill of attainder argument because focusing on technology makes the bill inherently neutral as to what must be reviewed and can be blocked, and does not identify a specific company.  The bill also broadens the list of bad actor states to six nations.  As importantly, the previous use of IEEPA highlighted the difference between indirect regulation of personal communications, which is impermissible, and permissible incidental burdens.  Framing the RESTRICT Act as a ban on technology that shares data with a foreign political party underscores the national security rationale.  This means the ban can be seen as an incidental burden on communications and information rather than an indirect regulation of them.  The focus on technology, as opposed to the owner of the technology, takes away bill of attainder concerns.  The RESTRICT Act’s approach will narrow the tenable legal challenges available to TikTok, which in turn would increase the likelihood that a ban on TikTok will remain effective and be useful against future technologies.

The RESTRICT Act does have some language concerns that should be addressed.  Section 3(b) of the RESTRICT Act sets out a procedure consistent with Section 4 of President Trump’s Executive Order 13942, which directs the action through the Secretary of Commerce.  In the RESTRICT Act, the Secretary must identify and deter, or otherwise mitigate, defined technologies from those six nations that the Secretary determines pose “an undue or unacceptable risk.”  Though Section 5(b) lists the source materials and analysis the Secretary can consider in making this determination, the Act does not provide the criteria used in making the determination.  The phrase “undue or unacceptable risk” appears 12 times in the bill, but none of those appearances define what the term means.  No guidance is given as to what technological features or actions meet that definition, only possible outcomes.  Conservative Republicans have expressed concerns that the Act may give expansive powers subject to abuse by members of the executive branch.  Providing definitions of what technological features and actions pose an undue or unacceptable risk might assuage those valid concerns.  Definition and guidance would also give affected parties clear grounds to challenge the Secretary’s determination, bolstering the argument that the RESTRICT Act provides for due process in a way the other bills do not.

Politically, the decision to empower the Secretary of Commerce may prove problematic.  The current Secretary of Commerce has seemingly not been able to comply with President Biden’s Executive Order 14034, dated June 9, 2021.  This EO required Secretary Raimondo to make recommendations to the national security advisor on steps to take regarding unauthorized access to personal data (TikTok sharing with the CCP) within 120 days; and to make executive and legislative recommendations within 180 days.  It seems that these reports have not been produced and are now well overdue.  In early March Secretary Raimondo expressed her political concern that banning TikTok would lead to losing voters in the 18-35 age group, a consideration that is not typically made in the national security space, and certainly not when deciding whether to comply with an executive order.

Once the Secretary determines what technologies present an undue and unacceptable risk, the Secretary identifies the risk and refers it to the President.  The text states, “[T]he President may take such action as the President considers appropriate to compel divestment of, or otherwise mitigate the risk.”  The phrase “otherwise mitigate the risk” grants quite broad authority, and might contemplate banning technology, but it is unclear what actions the President might take.  This concern matches the previous concern about the potential for expansive actions that were not specifically contemplated by Congress.  Furthermore, the CFIUS (Committee on Foreign Investment in the United States) authorizing statute gives the President the power to order divestment.  The territorial overlap between Treasury and Commerce on divestment is addressed, but it might cause confusion amongst bureaucrats and affected parties.

Section 7 attempts to limit some of the authority given to the executive branch by allowing Congress to produce joint resolutions when they disagree with the Secretary’s decision to either designate a technology as an unacceptable risk or remove the designation of unacceptable risk from a technology.  This power seems to act as a veto of executive actions, and the joint resolution undoes the designation decisions made by the Secretary.

The RESTRICT Act contains a criminal penalty section that has received attention from detractors of the bill.  Section 11(c)(1) sets out a fine of not more than one million dollars, or prison time of not more than 20 years.  Those criminal penalties are not unique to the RESTRICT Act.  The language is taken verbatim from the penalty in the IEEPA statute found in 50 U.S.C. 1705(c), making the RESTRICT Act level with the intent in President Trump’s Executive Orders.

The RESTRICT Act will be a more durable and effective way to ban TikTok and other technologies that undermine American national security.  It will almost certainly hold up better under judicial scrutiny than the other TikTok bills.  But by empowering an unwilling Secretary of Commerce, and by letting critical decision-making criteria go undefined, the bill will face some difficult political battles in its current form.  Some strategic compromises in drafting that tighten key operative provisions to provide clearer guidelines for the designation of “undue and unacceptable risk” can allay some of the concerns about the potential for the RESTRICT Act to be abused.  The RESTRICT Act provides a framework for enduring legislation that can effectively block technology that undermines American national security, with room to accommodate well-founded concerns from conservatives by tactically limiting some powers and defining more precisely just which risks run afoul of the law.  These modest changes may be enough to give Americans the ban they want.

The TikTok ban bills: are they unconstitutional bills of attainder?

By Lawrence Muir

President of Broughton House

TikTok encourages the app’s short videos to be looped on repeat.  While that may make the app more enjoyable for users, as well as more addictive, TikTok winning on repeat in court is a trend that Americans should want to break.  Reversing this TikTok trend should start in the courtroom, where TikTok is undefeated against federal attempts to ban its use.  Americans need Congress to produce one tight, constitutionally ironclad bill that will ban not just TikTok, but other technologies that undermine American national security.  Though clean, limited, and targeted legislation, Senator Hawley’s “No TikTok on United States Devices Act” and Senator Rubio’s ANTI-SOCIAL CCP Act have potential Constitutional defects that may not survive legal challenges, including a violation of the Constitutional provision against bills of attainder.  The generally preferable targeted legislation may, ironically, be the bills’ judicial undoing.

     The Bill of Attainder Clause of Article I, Section 9, clause 3 of the United States Constitution states, “No Bill of Attainder or ex post facto Law shall be passed.”  As stated by the Second Circuit in Consolidated Edison v. Pataki, “A constitutionally proscribed bill of attainder is ‘a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial.’”  Further, “a statute can be a bill of attainder only if (1) it ‘determines guilt and inflicts punishment,’ (2) ‘upon an identifiable individual,’ and (3) ‘without provision of the protections of a judicial trial.’”

     Senator Hawley’s bill does single out TikTok, even specifically naming TikTok in the title (line 4) and by exclusively naming ByteDance and TikTok in the bill.  Senator Rubio’s bill also exclusively applies to ByteDance and TikTok.  It’s inarguable that both bills single out ByteDance and TikTok.  The question that remains is whether the company can be an “individual”.  The Supreme Court of the United States has not been asked to decide whether corporations are “individuals” in bill of attainder jurisprudence but has applied the law to “private groups” and has stated in dicta it applies to “firms”.  The Second Circuit extended these protections to corporations in the ConEd case and left only the two questions of whether the legislation determined guilt, and whether the legislation inflicted punishment.  We turn to the element of guilt.

Bills of attainder have a retrospective focus on guilt, meaning the conduct punished by the new legislation has already occurred.  In TikTok’s case, that conduct has been sharing Americans’ data, communications, and more with the Chinese Communist Party.  No additional facts need to be proven to find ByteDance and TikTok guilty of violating the legislation, because the TikTok app has already undermined American national security.  But this legitimate basis for banning TikTok looks different in bill of attainder analysis: the pre-determination of guilt, based on facts that came into evidence before the legislation was passed, supports TikTok’s argument that the legislation is unconstitutional.  In essence, the legislation is itself the trial, and the verdict has been rendered.  Once guilt has been found, the only remaining question is whether the legislation also inflicts punishment.  If a court finds that the legislation does punish TikTok, the law will be deemed an unconstitutional bill of attainder.

     Punishment, in the corporate setting, will take an economic or financial form compared to incarceration for individuals.  The Supreme Court has addressed the question of punishment in bill of attainder analysis.  The Supreme Court articulated three factors to guide a court’s determination of whether a statute directed at a named party is punitive: “(1) whether the challenged statute falls within the historical meaning of legislative punishment; (2) whether the statute, ‘viewed in terms of the type and severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes’; and (3) whether the legislative record ‘evinces a [legislative] intent to punish.’”

The legislation would effectively take TikTok’s property and business when it bans TikTok from American operations.  The legitimate national security goals of the two bills could rebut TikTok’s argument that the bills are punitive in nature.  TikTok has, however, gotten out ahead of this factor by putting forward Project Texas, an effort to address the national security concerns, which TikTok argues is a less burdensome alternative that CFIUS could approve, negating the need to ban the app.  Until CFIUS announces a decision on Project Texas, the presence of a potentially less burdensome proposal in the hands of the federal government works against this legislation.  Finally, a court would hear evidence of any legislative intent to punish expressed during the debate over the two bills.  This editorial will not delve into the history of public comment regarding TikTok.

Senators Hawley and Rubio should consider two changes that would remove the bill of attainder risk.  First, the Senators should broaden the prohibited actors by defining more general categories of concern: hardware and software that share data with foreign governments, that create a risk of malware, or that pose other identifiable risks to American national security.  This broadening reduces the specificity of the bill and eliminates the challenge that the bill is aimed at a single, identifiable actor.  Shifting the focus from the company to the technology will make a more durable law.  Second, in debate and in public commentary, the Senators should begin highlighting the non-punitive functions of the legislation, since the legislative record is the third factor a court will examine.

     Senators Hawley and Rubio deserve credit for trying to advance narrowly-tailored legislation that improves American national security.  But paradoxically both gentlemen would do better to broaden the scope of their respective bills to not focus exclusively on ByteDance & TikTok.  America will not be safer if the legislation meant to protect against a foreign threat is struck down by the courts.  If Americans want the loop of TikTok legal victories to finally stop playing, it would be wise to pass legislation that is not completely focused on TikTok, and that can survive to be used against the inevitable future threats that will emanate from technologies from China and other nations.

 

What is the NIST Cybersecurity Framework? Managing your cybersecurity risk can be the difference between expansion and extinction for your business

One of the most substantial expenses a business incurs generates no revenue and can be mathematically difficult to quantify.  Cybercrime has become an open-ended cost center for businesses. Businesses that don’t address cybercrime can lose eye-popping amounts of money (see Target, which has estimated the cost of its data breach at $202 million, and which on May 23, 2017 settled a lawsuit with 47 states and the District of Columbia for $18.5 million). Worse, the stolen object might not be limited to your business’s data, but rather the entirety of your business (see the once venerable Nortel Networks, whose loss of intellectual property through corporate cyberespionage contributed to the end of its existence).  Alternatively, businesses that have invested money in strategic planning for cybersecurity have accepted a cost without direct revenue, but one that has made them more capable of detecting intrusions and preventing the theft of intellectual property. Executives of businesses of all sizes are now trying to decide how best to limit their exposure to cybercrime, and the federal government has suggested a way to help.

The NIST Cybersecurity Framework (CSF) is a helpful, yet imperfect, document to guide a business through the creation of a cyber-risk management plan.  The use of the NIST CSF will, however, provide your business with a good starting point to assess its cyber-risk, and take affirmative steps to mitigate losses from cybercrime.  Used properly, the CSF can not only be a way to mitigate loss, but also to generate business with customers, other businesses, and with the federal and state governments by differentiating your business as more cybersecure and being able to explain the cybersecurity risk in your products.  Managing your cybersecurity risk can be the difference between expansion and extinction for your business.

Overview of the CSF

The NIST CSF is a self-assessment tool for your business to understand its cybersecurity posture.  The CSF is not federally-mandated, and you need not (and should not) share your self-assessment with the federal government or with other businesses.  It is simply a tool for upper-level management to assess where their cybersecurity practices are at the moment, and where management wants to take its cybersecurity posture in a given time period. If done according to the CSF goals, the CSF will produce a strategic road map toward minimization of cybersecurity risk.  

In the simplest terms, the CSF has three meaningful sections.  The first section is the Framework Core.  The second is the Framework Profile.  The third contains the Implementation Tiers. Each section is briefly outlined below. 

The Framework Core:  The managerial tool for assessing cybersecurity risk

The Framework Core functions as the managerial overview of cybersecurity risk. The emphasis of the Core is on high-level strategic planning, outcomes, and repeatable methodology. Its stated goal is a set of cybersecurity activities and references that are common across critical infrastructure sectors, organized around particular outcomes. The Core presents standards and best practices in a manner that allows cybersecurity risk to be communicated through the organization, from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which provide a high-level, strategic view of an organization’s management of cybersecurity risk. Those Functions break down into 23 Categories and 108 Subcategories (the counts in CSF version 1.1), and each Subcategory is matched with Informative References such as existing standards, guidelines, and best practices. 

The Core has five Functions, each of which breaks down into its own Categories of outcomes:

·     Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Categories include Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.

·     Protect: Develop and implement appropriate safeguards to ensure delivery of critical services, guided by the risk management plan. Categories include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.

·     Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely response and the potential to limit or contain the impact of potential cyber incidents. Categories are Anomalies and Events, Security Continuous Monitoring, and Detection Processes.

·     Respond: Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event. Categories are Response Planning, Communications, Analysis, Mitigation, and Improvements.

·     Recover: Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event. Categories are Recovery Planning, Improvements, and Communications.

The importance for your business is that you will identify the data that is most valuable to the revenue production of your business, and the loss of which would have the most drastic consequences for the organization. You’ll strategize and operationalize how to protect that data, put in place mechanisms to secure it, and detect attempted intrusions directed at that data. You’ll plan responses to the intrusion, a technical response, and how to recover if that critical data is exfiltrated or inaccessible. 

The Framework Profile:  The self-assessment tool for where you are and where you want to be in the future

The Profile is a self-assessment tool intended to represent the outcomes that a particular system or organization has achieved, or is expected to achieve, as specified in the Framework Categories and Subcategories. The Profile can be characterized as the alignment of industry standards and best practices to the Framework Core in a particular implementation scenario. The Profile is at its most useful when it helps an organization identify opportunities for improving cybersecurity by comparing a “Current” Profile with a “Target” Profile. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs, including cost-effectiveness and innovation.  In short, the Profile functions as a self-assessment tool.

The Framework Profile is thin on guidance, but that is not necessarily a defect.  An active business can customize the Profile to its needs.  The business can mold it to protecting specific intellectual property, testing the security of its networks, testing employee behavior with simulated phishing emails (the false links that, when clicked, leave your network open to penetration), and so on. 

The Profile enables leaders across the C-suite to determine the top priorities for the cybersecurity of your specific business and to install processes that protect those business requirements.  For example, you can customize an assessment of how you’re storing your most important or sensitive data and test it against your security and access-control requirements.  You can test for specific vulnerabilities, score yourself, and devise plans to improve that score over a period of time.  The lack of prescriptive guidance is balanced by the customization available to your business as you assess your systems’ suitability for conducting the business of the organization.

The Implementation Tiers:  Scoring your organization’s approach to cybersecurity

The Framework Implementation Tiers (“Tiers”) describe how an organization manages its cybersecurity risk and to what degree its practices exhibit the characteristics defined in the Framework. The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4), progressing from informal, reactive implementations to approaches that are agile and risk-informed. Organizations should determine the desired Tier, ensuring that the selected level meets organizational goals, reduces cybersecurity risk to critical infrastructure, and is feasible and cost-effective to implement.  One caveat: NIST is explicit that Tiers are not maturity levels and that not every organization needs to reach Tier 4; progression to a higher Tier is encouraged only when a cost-benefit analysis shows a feasible and cost-effective reduction in cybersecurity risk.

The Four Tiers

·     Tier 1: Partial: Cybersecurity risk management is not formalized; risk is managed in an ad hoc and reactive manner, with limited awareness of cybersecurity risk across the organization, and no collaboration or information sharing with external parties.

·     Tier 2: Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy; the organization knows its role in the larger ecosystem but does not consistently share or receive information from external parties.

·     Tier 3: Repeatable: Cybersecurity risk management practices are formally approved and expressed as organization-wide policy, which is updated regularly in response to changing business requirements and the threat landscape; the organization collaborates with and shares cyber threat information with suppliers and other dependencies.

·     Tier 4: Adaptive: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators; cybersecurity is part of the organizational culture; and the organization actively shares information with suppliers and dependencies. 

Conclusion

The NIST Cybersecurity Framework can become an invaluable tool to your business. If you are an executive at a business, and cybersecurity is a concern to you, then you will want to use this Framework to identify and mitigate your risk.  If you’re an executive and you’re not concerned about cybersecurity…you should re-think that position!

The next blog post will cover how to use the NIST Cybersecurity Framework, and how you can work with my consulting firm to use and implement the Framework. Please drop us a comment if this helped you!

(c) CM IP Holdings, LLC 2019


Implementing the NIST CSF into your organization

The first blog post in this series provided an overview of the NIST Cybersecurity Framework.  This post discusses how to use the CSF and why you should implement it in your business or agency. At the outset, I recommend that you use an outside consultant to assist with the implementation of the CSF.  Inside your business, each executive brings constraints that explain why something isn’t, or shouldn’t be, done.  The CIO or CISO will have technical issues and limitations. The CFO will have very real budget limitations because, first, money is a finite resource, and second, the CFO must justify spending resources on services that do not produce revenue.  The COO will have concerns about the accessibility of information to workers.  Your company will benefit from a neutral mediator who can bridge the divides between the executives and arrive at the best solution for your business: the one that mitigates the most risk for the resources you can devote.

How to Use the CSF

The CSF provides a basic overview of cybersecurity for senior management. It answers how the organization is doing and provides a plan for moving ahead to accomplish goals.  The CSF can be implemented in the six steps below.  (CSF version 1.1 itself describes seven steps; the first two, “Prioritize and Scope” and “Orient”, are combined here into a single Identify step.)  

·     Step 1: Identify. The organization identifies its mission objectives, related systems and assets, regulatory requirements and overall risk approach.  The company identifies its business requirements and attaches those requirements to specific systems, networks, software, hardware, and access structure. 

·     Step 2: Create a Current Profile. Beginning with the Categories specified in the Framework Core, the organization develops a Current Profile that reflects its understanding of its current cybersecurity outcomes based on its implementation of the Identify Function. The organization selects key subcategories representative of its business requirements and selects metrics by which to quantify its current performance on mitigating cybersecurity risk to the infrastructure that supports those processes. 

·     Step 3: Conduct a Risk Assessment. The organization analyzes the operational environment in order to discern the likelihood (mathematical probability) of a cybersecurity event and the impact that the event could have on the organization.  The impact should reflect both the actual costs to remediate the consequences of the risk and should quantify the losses to the organization derived from the event.  It is important that critical infrastructure organizations seek to incorporate emergent risks and outside threat data to facilitate a robust understanding of the likelihood and impact of cybersecurity events. The general public is more reliant upon these critical infrastructure organizations for basic necessities, and therefore these organizations have a higher duty of care in matters of cybersecurity risk mitigation.

·     Step 4: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Elements (e.g., Categories, Subcategories) describing the organization’s desired cybersecurity outcomes. The Target Profile should use the same metrics as the Current Profile, and the selected goals should be measurable and comparable on-demand.

·     Step 5: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps, and then determines resources necessary to address the gaps.  Attaching operational and tactical steps to these gaps will produce operational plans around the strategic plan.  Specific tactical plans should focus on: 1) responding to a cyberevent, 2) recovering from a cyberevent, 3) communication before, during, and after a cyberevent to the appropriate groups, and 4) communicating your cybersecurity risk in the supply chain to vendors and customers and consumers. 

·     Step 6: Implement Action Plans. The organization implements the steps defined in the action plans and monitors its current cybersecurity practices against the Target Profile.  This plan should be communicated to interdependent partners, especially where supply chain cybersecurity risk management is concerned.
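Steps 2 through 6 become concrete once the Current and Target Profiles are scored against the same Subcategories and the Step 3 risk figures are used to rank the gaps.  The Python below is an added illustration for this post, not NIST tooling and not code from the original article.  It assumes a 0-4 score per Subcategory (the CSF prescribes no scoring scale), and every score, likelihood and dollar impact in it is constructed for the example; only the Subcategory identifiers (ID.AM-1, PR.AC-1, PR.DS-1, DE.CM-1, RS.RP-1, RC.RP-1) are real CSF 1.1 identifiers.

```python
"""Risk-weighted gap analysis between a CSF Current Profile and a Target Profile.

Added illustration for this post; it is not NIST tooling and the CSF does not
prescribe any scoring scale. The subcategory identifiers are CSF 1.1
identifiers, but every score, likelihood and dollar figure below is constructed
for the example.
"""
from dataclasses import dataclass

# Assumption for this example: each Subcategory outcome is scored 0..4, where
# 0 = not implemented and 4 = fully implemented and measured.
SCALE_MAX = 4


@dataclass(frozen=True)
class RiskEntry:
    """Step 3 output for one Subcategory."""
    likelihood: float  # annual probability of an event the outcome mitigates (0..1)
    impact: float      # estimated loss in dollars if that event occurs


@dataclass(frozen=True)
class Gap:
    """One Step 5 finding: an outcome that is still below its target."""
    subcategory: str
    current: int
    target: int
    expected_loss: float  # likelihood * impact (annualised loss expectancy)
    priority: float       # expected_loss scaled by the unmet share of the target


def prioritize_gaps(current, target, risk):
    """Return the outstanding gaps, largest risk-weighted priority first.

    `current` and `target` map Subcategory id -> score on the 0..4 scale and
    `risk` maps the same ids -> RiskEntry. Step 4 requires the Target Profile
    to use the same metrics as the Current Profile, so a mismatch in the set of
    scored Subcategories is rejected instead of silently ignored.
    """
    if set(current) != set(target):
        mismatch = sorted(set(current) ^ set(target))
        raise ValueError(f"profiles must score the same subcategories: {mismatch}")
    gaps = []
    for sub_id, cur in current.items():
        tgt = target[sub_id]
        if not (0 <= cur <= SCALE_MAX and 0 <= tgt <= SCALE_MAX):
            raise ValueError(f"{sub_id}: scores must be within 0..{SCALE_MAX}")
        shortfall = tgt - cur
        if shortfall <= 0:
            continue  # already at or above target: nothing to plan for
        r = risk[sub_id]
        expected_loss = r.likelihood * r.impact
        gaps.append(Gap(sub_id, cur, tgt, expected_loss,
                        expected_loss * shortfall / SCALE_MAX))
    # Ties are broken by id so the ordering is stable from run to run.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def progress_to_target(baseline, current, target):
    """Step 6 monitoring: fraction of the original shortfall that has been closed.

    `baseline` is the Current Profile as scored in Step 2; `current` is the
    re-scored Profile after some action plans have been implemented.
    """
    needed = sum(max(target[s] - baseline[s], 0) for s in target)
    remaining = sum(max(target[s] - current[s], 0) for s in target)
    return 1.0 if needed == 0 else 1.0 - remaining / needed


# Constructed sample data (not measurements from any real organization).
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-1": 2,
                   "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 4,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
RISK_ASSESSMENT = {
    "ID.AM-1": RiskEntry(0.25, 60_000),       # hardware asset inventory
    "PR.AC-1": RiskEntry(0.25, 2_000_000),    # identity and credential management
    "PR.DS-1": RiskEntry(0.125, 4_000_000),   # data-at-rest protection
    "DE.CM-1": RiskEntry(0.5, 640_000),       # network monitoring
    "RS.RP-1": RiskEntry(0.5, 640_000),       # response plan executed
    "RC.RP-1": RiskEntry(0.0625, 2_400_000),  # recovery plan executed
}

if __name__ == "__main__":
    for g in prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT):
        print(f"{g.subcategory}: {g.current} -> {g.target}  "
              f"expected loss ${g.expected_loss:,.0f}  priority ${g.priority:,.0f}")
```

With the constructed figures, PR.AC-1 (credential management, three points short of target against a large expected loss) ranks first and ID.AM-1 last, while RS.RP-1 drops out because it already meets its target.  The same `prioritize_gaps` call re-run against a re-scored Current Profile, together with `progress_to_target`, is the Step 6 monitoring loop; what a real engagement replaces are the scoring scale and the likelihood and impact figures, which must come from the organization’s own Step 3 risk assessment.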

Developing a Team to Implement the Framework

The NIST CSF is a top-down, management-level view of cybersecurity within the business.  It’s an executive management tool.  Thus, the individuals within an organization that should be part of the cybersecurity planning team could include the CEO, the CFO, the CIO or CISO, the COO, the CTO, the CRO and the outside consultant that will facilitate the planning discussions amongst these representatives.

The CEO should be included because he or she has ultimate decision-making responsibility in each facet of the plan and sees the context in which each step impacts the entire business.  The CEO must weigh the cybersecurity risks and vulnerabilities against the need for information access and the manner in which the business is run against the financial impact of the recommendations.  The CEO must be able to communicate overall cybersecurity risk and risk mitigation to the Board of Directors or legislative oversight authority.

The CIO or CISO understands the company’s network, its data storage and access structure, and the external risks the company faces each day. The CIO must know what information the company stores.  The CIO must know where the intellectual property is located and how it is protected, and must do the same for the personally identifiable information held on the network. The CIO must know which personnel, internal and external to the organization, can access which information, and what barriers are in place to protect that information from external threats (hackers) and internal threats (employees negligent in their handling of information, or rogue employees working against the company’s interests).  The CIO must know the technical capabilities for network protection, the information that must be protected and from whom, and the working needs of the business. The CIO must also formulate responses to intrusions and to the loss of data.

The COO understands the corporate structure and what parties need access to what information.  The COO needs to decide the restrictions on information balanced against the need for operational efficiency.  The COO must also understand the consequences a loss of data might have on each section of the business.  The COO must also focus on the quality of the information, as marked both by its integrity and confidentiality requirements.

            The CFO understands the finances of the company.  This understanding comes to light in two separate places.  First, what resources are available to be spent on implementing the recommendations in the CSF plan?  Second, what would be the financial impact upon the business if certain information was breached and lost? What would be the loss in business revenue? What disclosures should be made to the public, and how would that affect the company financially? These reflections could be in lost revenue to the business, money expended to remediate the breach, or a loss in stock price due to the financial impact of the breach, or the lost confidence caused by the breach.  The CFO can work with the CISO to develop the numbers and risk formulas that will prioritize cybersecurity risk mitigation efforts.

The outside consultant must, like the CEO, see the big picture for the business, but must also be detail-oriented enough to make specific and effective recommendations.  The outside consultant must work with each of the interested individuals one on one, while also bringing valid concerns raised by one of them to the whole group.  The outside consultant must bring about an effective strategic and operational plan, which means acting as an honest broker: communicating information as needed, understanding the business and its information and security needs, and understanding the limitations faced within the organization.  Finally, the outside consultant must be able to work directly with the CEO so that the CEO can make the most informed decisions on each part of the CSF implementation.

Conclusion

Implementing the NIST CSF is an important decision for a business.  As cyber-risk grows, not just in threat vectors but in financial magnitude, planning for how to mitigate that cyber-risk becomes of paramount importance.  The best planning involves all of the upper-level management, acting in their individual roles within the organization, and with the best interests of the organization in mind, to bring about the most realistic and efficiently-implemented plan. 

 

 (c) CM IP Holdings, LLC 2019