By Anne E. Railton and James D. Gatta
On July 19, 2018, Attorney General Jeff Sessions announced the public release of the first report produced by the Department of Justice’s (DOJ) Cyber-Digital Task Force, which the Attorney General established in February to combat cyber-enabled threats confronting the United States and, specifically, to answer two fundamental questions: First, what is the DOJ doing to address global cyber threats? And second, what can the DOJ do to accomplish this mission more effectively? In discussing the report at the Aspen Security Forum on July 19, Deputy Attorney General Rod J. Rosenstein explained that the Report answers the first question, “providing a detailed assessment of the cyber threats confronting America and the Department’s efforts to combat them.”
In his remarks, Deputy Attorney General Rosenstein explained that the Cyber-Digital Task Force Report describes six general categories of cyber-related threats: (1) malign foreign influence operations; (2) damage to computer systems; (3) data theft; (4) cyber-enabled fraud schemes; (5) threats to personal privacy; and (6) attacks on critical infrastructure such as energy, transportation and telecommunications systems. Much of the Report focuses on the first category – malign foreign influence operations – and the Deputy Attorney General likewise emphasized the broad-ranging risks posed by this type of threat, which he described as “a form of information warfare” that targets America’s political processes, including elections.
Private Sector Role In Countering Malign Foreign Influence Operations
Deputy Attorney General Rosenstein described the malign foreign influence threat as one that “requires a unified, strategic approach across all government agencies,” akin to terrorism and other national security threats, as well as awareness and involvement of other sectors of society such as state and local governments, public officials and members of the public. He also specifically underscored the role that technology companies themselves are expected to play in “prevent[ing] misuse of their platforms” and “counter[ing] covert foreign influence efforts”: “Technology companies bear primary responsibility for securing their products, platforms, and services from misuse,” he said, adding that the DOJ encourages companies “to make it a priority to combat efforts to use their facilities for illegal schemes.” The Deputy Attorney General lauded “self-policing” efforts to remove “fake accounts” and encouraged companies to “consider the voluntary removal of accounts and content” that are linked by the FBI to foreign agents’ activities, which he said “violate terms of service and deceive customers.” The Cyber-Digital Task Force Report likewise notes that part of the DOJ’s preparation for the 2018 midterm elections includes the Federal Bureau of Investigation’s (FBI) development of “strategic relationships” with social media and other technology companies.
“Looking Ahead” To Address Cooperation With And Effect On The Private Sector
The effect of cyber-related threats on private sector companies, and the role these companies can play in preventing, investigating and deterring cyber threats, is also discussed in the Report’s concluding chapter, “Looking Ahead.” Broadly speaking, this chapter identifies several “challenges” that the DOJ reportedly faces in securing assistance from the private sector, discusses certain legal and policy changes that have already been made to address these challenges, and highlights potential future changes that may continue to affect how companies navigate cyber threats and the government’s efforts to investigate and prosecute them, in three key areas: (1) encouraging and protecting organizations that engage in legitimate computer security research, which helps identify exploitable vulnerabilities; (2) encouraging targets or potential targets of malicious cyber activity to report breaches and attempted intrusions; and (3) accessing and obtaining data from providers of technology or services through which cybercrimes are committed or concealed.
First, with respect to the involvement of the computer security research community, the Cyber-Digital Task Force Report acknowledges the potential concern that law enforcement may misconstrue as criminal activity the methods of searching for and analyzing vulnerabilities, the potential chilling effect such concerns might have, and the need for the DOJ to consider legal protections that formally protect legitimate research. The Report notes that a 2016 exemption to the Digital Millennium Copyright Act (DMCA) prohibition on circumventing technological controls (e.g., encryption and password protocols) for “security research” has enabled researchers to conduct vulnerability research on certain consumer products, including Internet of Things (IoT) devices, motorized land vehicles and certain medical devices. The DOJ supports an additional extension and expansion of this security research exemption. The Report notes that the DOJ “should continue evaluating existing laws and regulations to identify other opportunities to support and encourage legitimate computer security research,” including with the input of the computer security community.
Second, with respect to encouraging the reporting of cyber breaches and attempted intrusions, the Report acknowledges that companies may be reluctant to report such attacks out of concerns about generating negative publicity and potentially causing reputational and/or financial harm, or may even try to act on their own to address the problem—even though it notes that such actions may trigger civil or criminal liability. The Report directs DOJ components to consider how to build deeper trust with the private sector and address these kinds of concerns, including by considering “how best to incentivize reporting,” working with regulators to “evaluate expectations and encourage clear thresholds for reporting,” and consider enacting a national data reporting requirement to standardize what the Report acknowledges is currently a state-specific maze of requirements.
Third, with respect to investigating and prosecuting cybercrime, the Report notes there have been several recent developments aimed at improving the DOJ’s ability to collect data related to criminal activity, including the recent enactment of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which institutes a framework for companies to comply with investigative demands for overseas data. As the Report notes, however, these developments are not without limitations—including, for example, the CLOUD Act’s inability to reach overseas data that is not possessed or controlled by an entity subject to U.S. jurisdiction. And despite these legal changes, there remains uncertainty about what companies with a significant European presence will be willing to disclose to U.S. law enforcement in light of the E.U.’s recently-passed and sweeping General Data Protection Regulation (GDPR)—which, in turn, may affect not only the U.S. government’s ability to obtain data in connection with investigations and prosecutions, but may also affect companies’ ability to take advantage of the DOJ’s cooperation incentives in areas such as FCPA enforcement and antitrust matters, among others, where fulsome disclosure of relevant information is a necessary prerequisite. Finally, the Report also notes that encryption practices may continue to hinder law enforcement investigations notwithstanding these recent developments, and suggests that the DOJ consider efforts to address such access challenges, including advancing legislation to help facilitate law enforcement efforts and by seeking to hold content and service providers accountable for failure to produce all information in their possession that is called for by compulsory process.
Takeaways
The DOJ’s Cyber-Digital Task Force Report’s acknowledgement of the often-competing considerations that private sector companies may face when confronted with cyber threats or government requests for data related to cyber threats is a positive sign. It is also encouraging that the DOJ is directing prosecutors and investigating agencies to seek specific input from private sector participants to enhance collaboration, and anecdotal evidence suggests that certain United States Attorney’s Offices and field offices of agencies like the FBI have already engaged in such efforts. The DOJ also continues to strongly emphasize its expectations that private sector companies will engage in what it views as responsible behavior, however – including Deputy Attorney General Rosenstein’s comments calling out the importance of self-policing in the face of malign foreign influence threats and the Report’s emphasis on holding companies accountable for failing to meet certain expectations – even while acknowledging that companies may be reluctant to self-report or may believe they are constrained by certain laws and regulations from taking advantage of some of DOJ’s cooperation incentives. Where the DOJ will draw the line in defining reasonable and sufficient cooperation in this area remains to be seen, and, in light of this relatively uncharted territory, companies necessarily have to consider carefully when and how they should engage with the DOJ when faced with breaches, intrusions, and other cyber-related threats.
Anne E. Railton and James D. Gatta are partners at Goodwin.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.