As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely used software product offered by SolarWinds. The compromised product, known as Orion, helps organizations manage their networks, servers, and networked devices. The hacker concealed malware inside a software update that, when installed, allowed the hacker to perform reconnaissance, elevate user privileges, move laterally into other environments, and compromise the organization’s data.
National Security
CJEU holds that mass surveillance must not be general and indiscriminate
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.
The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).
Tales from the (Quantum) Crypt
The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices with absolute certainty that the encryption could not be broken, and with a built-in mechanism for alerting the sender/receiver if someone tried.
German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers
Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.
News out of Germany, however, indicates that a one-size-fits-all approach to data transfers from the EU to the U.S. may be difficult to achieve.
Australia’s New Mandatory Data Retention Law
Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.
White House Posts Preliminary Cybersecurity Incentives
In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical infrastructure systems such as the electric grid, drinking water, and trains are considered vulnerable to cyber attack, and the results of such an attack could be debilitating. The Departments of Commerce, Homeland Security, and Treasury were tasked with preparing recommendations to incentivize private companies to comply with heightened cybersecurity standards. On August 6, 2013, the White House posted its preliminary list of incentives encouraging the adoption of cybersecurity best practices.
President Obama Signs Executive Order on Cybersecurity
As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing baseline cybersecurity standards. Critical infrastructure refers to those systems and assets, both physical and virtual, so vital to our nation that any cyber attacks upon them would have a debilitating impact on national security, economic security, and/or public health or safety.
According to a report issued by the Department of Homeland Security (the “DHS”) in December 2012, there were 198 cyber attacks on the nation’s critical infrastructure last year, several of which were successful. One such successful attack involved highly sophisticated malware found on critical engineering workstations at a power generation facility. According to the DHS’ Industrial Control Systems Cyber Emergency Response Team Monitor, an “ineffective or failed cleanup would have significantly impaired” the power plant’s operations. Critical infrastructure systems ranging from air traffic control systems, highways, and hospitals to electrical grids, water systems, power plants, and financial systems all have virtual components that are vulnerable to cyber attack. Over the past year, the need for stronger defenses against cyber attacks has gained traction in the public eye, as hackers have successfully targeted numerous high-profile companies, including major newspapers, banks, and federal agencies.
President Obama’s Executive Order on cybersecurity comes in the wake of proposed cybersecurity legislation, which was stalled in Congress last year. The Executive Order relies heavily on a voluntary program that encourages private companies operating critical infrastructure to adopt baseline cybersecurity standards, which the federal government will develop with industry assistance.
Defending the Homefront: A Cybersecurity Executive Order
The simultaneous denial of service attacks on the three largest U.S. banks, which occurred two weeks ago, were reported to have originated in Iran. After years of stealth cyber attacks on American interests, U.S. intelligence officials recently publicly accused China of cyber espionage of American high-tech data for its own economic gain. The head of U.S. Cyber Command has stated that there has been a twentyfold increase in cyber attacks on critical infrastructure from 2009 to 2011. With the need for national cybersecurity more evident now than ever before, the White House announced that it is close to completing a new cybersecurity executive order to address this critical issue.