cybersecurity

The RESTRICT Act’s Durable Framework for Addressing Technological Threats

By Lawrence L. Muir, Jr.

President of Broughton House

In a late March Pew Research poll, Americans favored a ban on TikTok by a 50%-22% margin.  But four years into federal efforts to ban the app, Americans are no closer to getting the political outcome they desire.  Congress has introduced four bills, with rumors of others on the way, to ban the app.  Rather than getting bogged down in bills that share the same goal but take different approaches, Congress should prioritize bills that are constitutionally secure and legislatively durable.  Of the bills presented to this point, the RESTRICT Act comes closest to meeting both benchmarks.

     In a previous editorial I addressed the potentially fatal legal flaw in the TikTok ban bills produced by Senators Hawley and Rubio.  I argued that by limiting their respective bills to ByteDance and TikTok exclusively, the bills may be struck down as unconstitutional bills of attainder under Article I, Section 9.  Further, basing their legislation solely on IEEPA opens other avenues of legal challenge for TikTok.  IEEPA provides the President, through designees, with specific powers to act, producing swifter and more decisive action.  But as three judicial opinions have ruled, IEEPA is fundamentally flawed as a vehicle for banning TikTok because of the Berman Amendment, which carves out personal communications not involving money and informational materials.  The two bills attempt an end run around the Berman Amendment by simply declaring that it does not apply to them, but this language only strengthens the bill of attainder argument, because the Berman Amendment would still apply to any other app from any other company and country.  On March 29, Senator Rand Paul expressed concerns over the bills’ “First Amendment issues”, which presumably refer to censorship through the blocking of the personal communications and information that the Berman Amendment sought to protect.

     The bipartisan RESTRICT Act negates both of those legal problems through one fundamental decision: it focuses on the underlying technologies rather than on specific actors.  That choice eliminates the bill of attainder argument because the bill is neutral as to what must be reviewed and what can be blocked, and it names no company.  The bill also broadens the list of adversary states to six nations.  As importantly, the earlier use of IEEPA highlighted the difference between indirect regulation of personal communications, which is impermissible, and incidental burdens on them, which are permissible.  Framing the RESTRICT Act as a restriction on technology that shares data with a foreign political party underscores the national security rationale, so the ban can be seen as an incidental burden on communications and information rather than an indirect regulation of them.  Narrowing the tenable legal challenges available to TikTok in turn makes it more likely that a ban on TikTok will remain in effect, and that the same framework will be useful against future technologies.

     The RESTRICT Act does have some language concerns that should be addressed.  Section 3(b) of the RESTRICT Act sets out a procedure consistent with Section 4 of President Trump’s Executive Order 13942, which directs the action through the Secretary of Commerce.  In the RESTRICT Act, the Secretary must identify and deter, or otherwise mitigate, defined technologies from those six nations that the Secretary determines pose “an undue or unacceptable risk.”  Though Section 5(b) lists the source materials and analysis the Secretary can consider in making this determination, the Act does not provide the criteria for making it.  The phrase “undue or unacceptable risk” appears 12 times in the bill, but none of those appearances defines what the term means.  No guidance is given as to what technological features or actions meet that definition, only possible outcomes.  Conservative Republicans have expressed concerns that the Act may grant expansive powers subject to abuse by members of the executive branch.  Defining which technological features and actions pose an undue or unacceptable risk might assuage those valid concerns.  Definitions and guidance would also give affected parties clear grounds on which to challenge the Secretary’s determination, bolstering the argument that the RESTRICT Act provides due process in a way the other bills do not.

     Politically, the decision to empower the Secretary of Commerce may prove problematic.  The current Secretary of Commerce has seemingly not complied with President Biden’s Executive Order 14034, dated June 9, 2021.  That EO required Secretary Raimondo to make recommendations to the national security advisor, within 120 days, on steps to take regarding unauthorized access to personal data (for instance, TikTok sharing data with the CCP), and to make executive and legislative recommendations within 180 days.  It appears that these reports have not been produced and are now well overdue.  In early March Secretary Raimondo expressed her political concern that banning TikTok would cost votes among 18-to-35-year-olds, a consideration that is not typically weighed in the national security space, and certainly not when deciding whether to comply with an executive order.

     Once the Secretary determines that a technology presents an undue or unacceptable risk, the Secretary identifies the risk and refers it to the President.  The text states, “[T]he President may take such action as the President considers appropriate to compel divestment of, or otherwise mitigate the risk.”  The phrase “otherwise mitigate the risk” grants quite broad authority, and might contemplate banning a technology, but it is unclear what actions the President might take.  This matches the earlier concern about the potential for expansive actions that Congress did not specifically contemplate.  Furthermore, the CFIUS (Committee on Foreign Investment in the United States) authorizing statute already gives the President the power to order divestment.  The territorial overlap between Treasury and Commerce on divestment is addressed, but it might still cause confusion among bureaucrats and affected parties.

     Section 7 attempts to limit some of the authority given to the executive branch by allowing Congress to pass a joint resolution when it disagrees with the Secretary’s decision either to designate a technology as an unacceptable risk or to remove that designation.  This power acts as a veto of executive action: the joint resolution undoes the designation decision made by the Secretary.

     The RESTRICT Act contains a criminal penalty section that has drawn attention from the bill’s detractors.  Section 11(c)(1) sets out a fine of not more than one million dollars, or imprisonment of not more than 20 years, or both.  Those criminal penalties are not unique to the RESTRICT Act.  The language is taken verbatim from the IEEPA penalty provision at 50 U.S.C. 1705(c), which keeps the RESTRICT Act consistent with the intent of President Trump’s Executive Orders.

     The RESTRICT Act will be a more durable and effective way to ban TikTok and other technologies that undermine American national security.  It will almost certainly hold up better under judicial scrutiny than the other TikTok bills.  But by empowering an unwilling Secretary of Commerce, and by leaving critical decision-making criteria undefined, the bill will face some difficult political battles in its current form.  Strategic drafting compromises that tighten the key operative provisions and give clearer guidelines for the designation of “undue or unacceptable risk” can allay some of the concern that the RESTRICT Act could be abused.  The Act provides a framework for enduring legislation that can effectively block technology that undermines American national security, with room to accommodate well-founded concerns from conservatives by tactically limiting some powers and defining more precisely which risks run afoul of the law.  These modest changes may be enough to give Americans the ban they want.

The TikTok ban bills: are they unconstitutional bills of attainder?

By Lawrence Muir

President of Broughton House

TikTok encourages the app’s short videos to be looped on repeat.  While that may make the app more enjoyable for users, as well as more addictive, TikTok’s repeated wins in court are a loop that Americans should want to break.  Reversing that trend should start in the courtroom, where TikTok is undefeated against federal attempts to ban its use.  Americans need Congress to produce one tight, constitutionally ironclad bill that will ban not just TikTok, but other technologies that undermine American national security.  Though they are clean, limited, and targeted legislation, Senator Hawley’s “No TikTok on United States Devices Act” and Senator Rubio’s ANTI-SOCIAL CCP Act have potential constitutional defects that may not survive legal challenge, including a violation of the constitutional prohibition on bills of attainder.  The generally preferable targeted approach may, ironically, be the bills’ judicial undoing.

     The Bill of Attainder Clause of Article I, Section 9, clause 3 of the United States Constitution states, “No Bill of Attainder or ex post facto Law shall be passed.”  As stated by the Second Circuit in Consolidated Edison v. Pataki, “A constitutionally proscribed bill of attainder is ‘a law that legislatively determines guilt and inflicts punishment upon an identifiable individual without provision of the protections of a judicial trial.’”  Further, “a statute can be a bill of attainder only if (1) it ‘determines guilt and inflicts punishment,’ (2) ‘upon an identifiable individual,’ and (3) ‘without provision of the protections of a judicial trial.’”

     Senator Hawley’s bill does single out TikTok, naming TikTok in the title (line 4) and naming only ByteDance and TikTok in the body of the bill.  Senator Rubio’s bill likewise applies exclusively to ByteDance and TikTok.  It is inarguable that both bills single out ByteDance and TikTok.  The question that remains is whether a company can be an “individual”.  The Supreme Court of the United States has not been asked to decide whether corporations are “individuals” in bill of attainder jurisprudence, but it has applied the clause to “private groups” and has stated in dicta that it applies to “firms”.  The Second Circuit extended the protection to corporations in the ConEd case, leaving only the two questions of whether the legislation determined guilt and whether it inflicted punishment.  We turn first to the element of guilt.

     Bills of attainder have a retrospective focus on guilt, meaning the conduct punished by the new legislation has already occurred.  In TikTok’s case, that conduct has been sharing Americans’ data, communications, and more with the Chinese Communist Party.  No additional facts need to be proven to find ByteDance and TikTok guilty of violating the legislation, because the TikTok app has already undermined American national security.  But this legitimate basis for banning TikTok looks different in bill of attainder analysis: a pre-determination of guilt based on facts that came to light before the legislation passed supports TikTok’s argument that the legislation is unconstitutional.  In essence, the legislation is itself the trial, and the verdict has already been rendered.  Once guilt is found, the only remaining question is whether the legislation also inflicts punishment.  If a court finds that it does, the law will be deemed an unconstitutional bill of attainder.

     Punishment, in the corporate setting, takes an economic or financial form rather than the incarceration an individual might face.  The Supreme Court has addressed the question of punishment in bill of attainder analysis and articulated three factors to guide a court’s determination of whether a statute directed at a named party is punitive: “(1) whether the challenged statute falls within the historical meaning of legislative punishment; (2) whether the statute, ‘viewed in terms of the type and severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes’; and (3) whether the legislative record ‘evinces a [legislative] intent to punish.’”

     The legislation would effectively take TikTok’s property and business when it bans TikTok from American operations.  The legitimate national security goals of the two bills could rebut TikTok’s argument that the bills are punitive in nature.  TikTok has, however, gotten out ahead of this factor by putting forward Project Texas, an effort to address the national security concerns, which TikTok argues is a less burdensome program that CFIUS could approve, negating the need to ban the app.  Until CFIUS announces a decision on Project Texas, the presence of a potentially less burdensome proposal in the hands of the federal government works against this legislation.  Finally, the court would hear evidence of legislative intent to punish drawn from the debate over the two bills.  This editorial will not delve into the history of public comment regarding TikTok.

     Senators Hawley and Rubio should consider two amendments to their bills that would remove the bill of attainder risk.  First, the Senators should broaden the prohibited actors by addressing, in general terms, hardware and software that share data with foreign governments, create risks of malware, or pose other identifiable risks to American national security.  Broadening the bills in this way reduces their specificity and eliminates the challenge that they are aimed at a single, identifiable actor; shifting the focus to the technology makes a more durable law.  Second, in debate and in public commentary, the Senators should begin highlighting the non-punitive functions of the legislation.

     Senators Hawley and Rubio deserve credit for trying to advance narrowly-tailored legislation that improves American national security.  But paradoxically both gentlemen would do better to broaden the scope of their respective bills to not focus exclusively on ByteDance & TikTok.  America will not be safer if the legislation meant to protect against a foreign threat is struck down by the courts.  If Americans want the loop of TikTok legal victories to finally stop playing, it would be wise to pass legislation that is not completely focused on TikTok, and that can survive to be used against the inevitable future threats that will emanate from technologies from China and other nations.

 

What is the NIST Cybersecurity Framework?

Managing your cybersecurity risk can be the difference between expansion and extinction for your business

One of the most substantial expenses a business incurs generates no revenue and can be hard to quantify.  Cybercrime has become an open-ended cost center for businesses.  Businesses that do not address it can lose eye-popping amounts of money (see Target, which has estimated the cost of its data breach at $202 million, and on May 23, 2017 settled a lawsuit with 47 states and the District of Columbia for $18.5 million).  Worse, the thing stolen might not be limited to your business’s data, but might be the business itself (see the once venerable Nortel Networks, whose loss of intellectual property through corporate cyberespionage contributed to the end of its existence).  Other businesses have invested in strategic planning for cybersecurity, an expense that has made them more resilient: better at detecting intrusions and at preventing the theft of intellectual property.  Executives of businesses of all sizes are now trying to decide how best to limit their exposure to cybercrime, and the federal government has suggested a way to help.

The NIST Cybersecurity Framework (CSF) is a helpful, yet imperfect, document to guide a business through the creation of a cyber-risk management plan.  The use of the NIST CSF will, however, provide your business with a good starting point to assess its cyber-risk, and take affirmative steps to mitigate losses from cybercrime.  Used properly, the CSF can not only be a way to mitigate loss, but also to generate business with customers, other businesses, and with the federal and state governments by differentiating your business as more cybersecure and being able to explain the cybersecurity risk in your products.  Managing your cybersecurity risk can be the difference between expansion and extinction for your business.

Overview of the CSF

The NIST CSF is a self-assessment tool for understanding your business’s cybersecurity posture.  The CSF is not federally mandated, and you need not (and should not) share your self-assessment with the federal government or with other businesses.  It is simply a tool for upper-level management to assess where its cybersecurity practices stand today and where management wants them to be by a given date.  Used as intended, the CSF produces a strategic road map toward minimizing cybersecurity risk.

In the simplest terms, the CSF has three meaningful sections.  The first is the Framework Core.  The second is the Framework Profile.  The third is the Implementation Tiers.  Each is briefly outlined below.

The Framework Core:  The managerial tool for assessing cybersecurity risk

The Framework Core functions as the managerial overview of cybersecurity risk.  The emphasis of the Core is on high-level strategic planning, outcomes, and repeatable methodology.  Its stated goal is a set of cybersecurity activities and references that are common across critical infrastructure sectors, organized around particular outcomes.  The Core presents standards and best practices in a manner that allows cybersecurity risk to be communicated through the organization, from the senior executive level to the implementation and operations level.  The Core consists of five Functions (Identify, Protect, Detect, Respond, Recover) that provide a high-level, strategic view of an organization’s management of cybersecurity risk.  Those Functions break down into 23 Categories and 108 Subcategories, and each Subcategory is matched with Informative References such as existing standards, guidelines, and best practices.

The five Functions, and the Categories that sit beneath each of them in version 1.1 of the CSF, are:

·     Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.  These outcomes establish what the business has, what it depends on, and how much risk it is willing to accept.

·     Protect: Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.  These are the safeguards that keep critical services delivering.

·     Detect: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.  Detection is what makes a timely response possible and gives the organization a chance to limit or contain the impact of an incident.

·     Respond: Response Planning, Communications, Analysis, Mitigation, and Improvements.  These activities, prioritized through the organization’s risk management process, are how it acts on a detected cybersecurity event.

·     Recover: Recovery Planning, Improvements, and Communications.  These activities, again prioritized through the risk management process, restore the capabilities or services that a cybersecurity event impaired.

The importance for your business is that you will identify the data that is most valuable to the revenue production of your business, and the loss of which would have the most drastic consequences for the organization. You’ll strategize and operationalize how to protect that data, put in place mechanisms to secure it, and detect attempted intrusions directed at that data. You’ll plan responses to the intrusion, a technical response, and how to recover if that critical data is exfiltrated or inaccessible. 

The Framework Profile:  The self-assessment tool for where you are and where you want to be in the future

The Profile is a self-assessment tool intended to represent the outcomes that a particular system or organization has achieved, or is expected to achieve, as specified in the Framework Categories and Subcategories.  It can be characterized as the alignment of industry standards and best practices to the Framework Core in a particular implementation scenario.  The Profile is most useful when an organization compares a “Current” Profile with a “Target” Profile to identify opportunities for improving cybersecurity.  The Current Profile then supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs such as cost-effectiveness and innovation.

            The Framework Profile is thin on guidance, but that is not necessarily a defect.  An active business can customize the Profile to its needs: protecting specific intellectual property, testing the security of its networks, testing whether employees click on phishing links in email that would open the network to penetration, and so on.

            The Profile enables leaders across the C-suite to determine the top priorities for the cybersecurity of your specific business and to install processes to protect those business requirements.  For example, you can customize an assessment of how you’re storing your most important or sensitive data and test it against security and appropriate access.  You can test specific vulnerabilities and score yourself and devise plans to improve that scoring over a period of time.  The lack of guidance is balanced against the customization available to your business as you assess your system’s suitability to conduct the business of the organization.

The Implementation Tiers:  Scoring your organization’s approach to cybersecurity

The Framework Implementation Tiers (“Tiers”) describe how an organization manages its cybersecurity risk.  The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.  The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4), progressing from informal, reactive implementations to approaches that are agile and risk-informed.  Organizations should determine the desired Tier, ensuring that the selected level meets organizational goals, reduces cybersecurity risk to critical functions, and is feasible and cost-effective to implement.  One caveat the Framework itself states: the Tiers are not maturity levels, and Tier 4 is not automatically the goal; moving up a Tier is worthwhile when a cost-benefit analysis shows a feasible and cost-effective reduction in risk.

The Four Tiers

·     Tier 1: Partial: Cybersecurity risk management is not formalized; risk is managed ad hoc and reactively, and the organization does not collaborate with, or receive information from, outside parties.

·     Tier 2: Risk Informed: Risk management practices are approved by management but are not established as organization-wide policy; the organization knows its role in the larger ecosystem but does not formally share or receive information.

·     Tier 3: Repeatable: Risk management practices are formally approved and expressed as organization-wide policy that is updated as business requirements and the threat landscape change; the organization receives and shares threat information with its suppliers, partners, and dependencies.

·     Tier 4: Adaptive: The organization adapts its practices based on lessons learned and predictive indicators, treats cybersecurity as part of its culture, and actively shares information with suppliers, partners, and dependencies.

Conclusion

The NIST Cybersecurity Framework can become an invaluable tool to your business. If you are an executive at a business, and cybersecurity is a concern to you, then you will want to use this Framework to identify and mitigate your risk.  If you’re an executive and you’re not concerned about cybersecurity…you should re-think that position!

The next blog post will cover how to use the NIST Cybersecurity Framework, and how you can work with my consulting firm to use and implement the Framework. Please drop us a comment if this helped you!

(c) CM IP Holdings, LLC 2019

Implementing the NIST CSF into your organization

The first blog post in this series provided an overview of the NIST Cybersecurity Framework.  This post discusses how to use the CSF and why you should implement it in your business or agency.  At the outset, I recommend that you use an outside consultant to assist with the implementation of the CSF.  Inside your business, each executive has reasons why something isn’t, or shouldn’t be, done.  The CIO or CISO will have technical issues and limitations.  The CFO will have very real budget limitations because, first, money is a finite resource, and second, the CFO must justify spending on services that produce no revenue.  The COO will have concerns about workers’ access to information.  Your company will benefit from a neutral mediator who can bridge the divides between these executives and arrive at the best solution for your business: the one that mitigates the most risk for the resources you can devote.

How to Use the CSF

The CSF provides a basic overview of cybersecurity for senior management.  It answers how the organization is doing today and provides a plan for reaching its goals.  The CSF can be implemented in six steps.

·     Step 1: Identify. The organization identifies its mission objectives, related systems and assets, regulatory requirements and overall risk approach.  The company identifies its business requirements and attaches those requirements to specific systems, networks, software, hardware, and access structure. 

·     Step 2: Create a Current Profile. Beginning with the Categories specified in the Framework Core, the organization develops a Current Profile that reflects its understanding of its current cybersecurity outcomes based on its implementation of the Identify Function. The organization selects key subcategories representative of its business requirements and selects metrics by which to quantify its current performance on mitigating cybersecurity risk to the infrastructure that supports those processes. 

·     Step 3: Conduct a Risk Assessment. The organization analyzes the operational environment in order to discern the likelihood (mathematical probability) of a cybersecurity event and the impact that the event could have on the organization.  The impact should reflect both the actual costs to remediate the consequences of the risk and should quantify the losses to the organization derived from the event.  It is important that critical infrastructure organizations seek to incorporate emergent risks and outside threat data to facilitate a robust understanding of the likelihood and impact of cybersecurity events. The general public is more reliant upon these critical infrastructure organizations for basic necessities, and therefore these organizations have a higher duty of care in matters of cybersecurity risk mitigation.

·     Step 4: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Elements (e.g., Categories, Subcategories) describing the organization’s desired cybersecurity outcomes. The Target Profile should use the same metrics as the Current Profile, and the selected goals should be measurable and comparable on-demand.

·     Step 5: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps, and then determines resources necessary to address the gaps.  Attaching operational and tactical steps to these gaps will produce operational plans around the strategic plan.  Specific tactical plans should focus on: 1) responding to a cyberevent, 2) recovering from a cyberevent, 3) communication before, during, and after a cyberevent to the appropriate groups, and 4) communicating your cybersecurity risk in the supply chain to vendors and customers and consumers. 

·     Step 6: Implement Action Plans. The organization implements the steps defined in the action plans and monitors its current cybersecurity practices against the Target Profile.  This plan should be communicated to interdependent partners, especially where supply chain cybersecurity risk management is concerned.
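The six steps above, carried through in code as an added example (this is neither the author’s consulting method nor NIST tooling).  The subcategory identifiers are real CSF v1.1 IDs, but every score, likelihood, dollar figure and the 0-4 scoring scale are constructed assumptions for illustration.  The block rolls a Current and Target Profile up to the five Functions (Steps 2 and 4), turns likelihood and impact into an annualised exposure per open gap (Step 3), ranks gaps by exposure removed per dollar (Step 5), and fits them to a budget as a first-cut action plan (Step 6).

```python
"""Worked gap analysis across the six CSF steps above (constructed example).

Subcategory identifiers are real NIST CSF v1.1 IDs; every score, likelihood,
dollar figure and the 0-4 scoring scale are constructed assumptions for
illustration, not data from the page, from NIST or from any real assessment.
"""
from dataclasses import dataclass

SCALE_MAX = 4  # assumed scale: 0 = not implemented ... 4 = implemented and measured

# Function prefixes used by CSF v1.1 subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Assessment:
    subcategory: str          # CSF v1.1 identifier, e.g. "PR.AC-1"
    current: int              # Step 2: Current Profile score on the assumed 0-4 scale
    target: int               # Step 4: Target Profile score, same metric
    likelihood: float         # Step 3: annual probability that the gap leads to an event
    impact_usd: float         # Step 3: remediation cost plus business loss if it does
    cost_to_close_usd: float  # estimated spend to move current up to target


# Constructed sample Current/Target Profile for a small business.
SAMPLE = [
    Assessment("ID.AM-1", 3, 4, 0.10, 50_000, 15_000),   # asset inventory
    Assessment("PR.AC-1", 1, 4, 0.40, 800_000, 60_000),  # identity and credential management
    Assessment("PR.DS-1", 2, 3, 0.25, 400_000, 40_000),  # data-at-rest protection
    Assessment("DE.CM-1", 1, 3, 0.35, 600_000, 90_000),  # network monitoring
    Assessment("RS.RP-1", 0, 3, 0.30, 500_000, 20_000),  # response plan executed
    Assessment("RC.RP-1", 2, 2, 0.15, 300_000, 0),       # recovery plan: already at target
]


def validate(a: Assessment) -> None:
    """Reject profile entries that cannot be compared (Step 5 needs like metrics)."""
    if a.subcategory.split(".")[0] not in FUNCTIONS:
        raise ValueError(f"{a.subcategory}: unknown CSF Function prefix")
    if not (0 <= a.current <= SCALE_MAX and 0 <= a.target <= SCALE_MAX):
        raise ValueError(f"{a.subcategory}: scores must be on the 0-{SCALE_MAX} scale")
    if a.target < a.current:
        raise ValueError(f"{a.subcategory}: Target Profile below Current Profile")
    if not 0.0 <= a.likelihood <= 1.0:
        raise ValueError(f"{a.subcategory}: likelihood must be a probability")


def exposure(a: Assessment) -> float:
    """Step 3: annualised loss attributable to the open gap.

    The unimplemented fraction of the control scales likelihood times impact,
    so an entry already at its target contributes nothing.
    """
    return a.likelihood * a.impact_usd * (a.target - a.current) / SCALE_MAX


def profile_by_function(assessments) -> dict:
    """Steps 2 and 4: roll subcategory scores up to the five Functions so the
    Current and Target Profiles can be read side by side at board level."""
    totals = {}
    for a in assessments:
        validate(a)
        fn = FUNCTIONS[a.subcategory.split(".")[0]]
        cur, tgt, n = totals.get(fn, (0, 0, 0))
        totals[fn] = (cur + a.current, tgt + a.target, n + 1)
    return {fn: (round(c / n, 2), round(t / n, 2)) for fn, (c, t, n) in totals.items()}


def prioritize(assessments) -> list:
    """Step 5: open gaps ranked by exposure removed per dollar spent."""
    gaps = []
    for a in assessments:
        validate(a)
        if a.target == a.current:
            continue  # no gap, nothing to plan
        reduced = exposure(a)
        roi = reduced / a.cost_to_close_usd if a.cost_to_close_usd > 0 else float("inf")
        gaps.append({"subcategory": a.subcategory, "exposure_usd": reduced,
                     "cost_usd": a.cost_to_close_usd, "roi": roi})
    gaps.sort(key=lambda g: g["roi"], reverse=True)
    return gaps


def plan(assessments, budget_usd: float) -> dict:
    """Step 6: greedy action plan under a budget, highest ROI first.

    Greedy selection is a heuristic, not an optimal knapsack; it gives the
    CFO and CISO a defensible first cut to argue over.
    """
    chosen, spent, reduced = [], 0.0, 0.0
    for g in prioritize(assessments):
        if spent + g["cost_usd"] > budget_usd:
            continue  # skip, but cheaper lower-ranked gaps may still fit
        chosen.append(g["subcategory"])
        spent += g["cost_usd"]
        reduced += g["exposure_usd"]
    return {"selected": chosen, "spent_usd": spent, "exposure_reduced_usd": reduced}


if __name__ == "__main__":
    for fn, (cur, tgt) in profile_by_function(SAMPLE).items():
        print(f"{fn:<9} current {cur:.2f}  target {tgt:.2f}")
    for g in prioritize(SAMPLE):
        print(f"{g['subcategory']}  exposure ${g['exposure_usd']:>9,.0f}  "
              f"cost ${g['cost_usd']:>7,.0f}  roi {g['roi']:.2f}")
    print(plan(SAMPLE, budget_usd=100_000))
```

Two design points worth noting.  Ranking by exposure removed per dollar rather than by raw exposure is what keeps a cheap response plan (RS.RP-1) ahead of an expensive monitoring build-out (DE.CM-1) even though the latter covers a larger loss; and the validator rejects a Target Profile that sits below the Current Profile, which in practice usually means the two profiles were scored on different metrics and the comparison in Step 5 is meaningless.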

Developing a Team to Implement the Framework

The NIST CSF is a top-down, management-level view of cybersecurity within the business.  It’s an executive management tool.  Thus, the individuals within an organization that should be part of the cybersecurity planning team could include the CEO, the CFO, the CIO or CISO, the COO, the CTO, the CRO and the outside consultant that will facilitate the planning discussions amongst these representatives.

The CEO should be included because he or she has ultimate decision-making responsibility in each facet of the plan and sees the context in which each step impacts the entire business.  The CEO must weigh the cybersecurity risks and vulnerabilities against the need for information access and the manner in which the business is run against the financial impact of the recommendations.  The CEO must be able to communicate overall cybersecurity risk and risk mitigation to the Board of Directors or legislative oversight authority.

The CIO or CISO understands the company’s network, its data storage and access structure, and the external risks the company faces each day.  The CIO or CISO must know what information the company stores: where the intellectual property is located and how it is protected, and the same for the personally identifiable information the network holds.  He or she must know which personnel, internal and external to the organization, can access which information, and what barriers protect that information from external threats (hackers) and internal threats (employees negligent in their care of information, or rogue employees working against the company’s interest).  The CIO or CISO must also know the technical capabilities of the network protections, the information that must be protected and from whom, and the working needs of the business, and must formulate responses to intrusions and the loss of data.

The COO understands the corporate structure and what parties need access to what information.  The COO needs to decide the restrictions on information balanced against the need for operational efficiency.  The COO must also understand the consequences a loss of data might have on each section of the business.  The COO must also focus on the quality of the information, as marked both by its integrity and confidentiality requirements.

            The CFO understands the finances of the company.  This understanding comes to light in two separate places.  First, what resources are available to be spent on implementing the recommendations in the CSF plan?  Second, what would be the financial impact upon the business if certain information was breached and lost? What would be the loss in business revenue? What disclosures should be made to the public, and how would that affect the company financially? These reflections could be in lost revenue to the business, money expended to remediate the breach, or a loss in stock price due to the financial impact of the breach, or the lost confidence caused by the breach.  The CFO can work with the CISO to develop the numbers and risk formulas that will prioritize cybersecurity risk mitigation efforts.

            The outside consultant must, like the CEO, see the big picture for the business, but must also be detail-oriented enough to make specific and effective recommendations.  The consultant must work with each of the interested individuals one on one, while also bringing valid concerns raised by one of them to the whole group.  Producing effective strategic and operational plans requires an honest broker who communicates information as needed, understands the business and its information and security needs, and understands the limitations the organization faces.  Finally, the outside consultant must be able to work directly with the CEO so that the CEO can make the most informed decision on each part of the CSF implementation.

Conclusion

Implementing the NIST CSF is an important decision for a business.  As cyber-risk grows, not just in threat vectors but in financial magnitude, planning for how to mitigate that cyber-risk becomes of paramount importance.  The best planning involves all of the upper-level management, acting in their individual roles within the organization, and with the best interests of the organization in mind, to bring about the most realistic and efficiently-implemented plan. 

 

 (c) CM IP Holdings, LLC 2019