The Washington Post

The Cybersecurity 202: Federal privacy rules are coming. Here are four things to watch as tech companies testify

September 26, 2018 at 7:52 a.m. EDT

with Cat Zakrzewski and Bastien Inzaurralde

THE KEY

Executives from some of the country's biggest technology companies and telecommunications providers are all expected to voice support today for a national law protecting consumer data privacy. 

Senior leaders from Apple, Amazon, Twitter, Google, Charter Communications and AT&T will testify this morning in the Senate Commerce, Science and Transportation Committee — some of them for the first time in this setting. 

The technology industry now largely accepts that federal privacy rules are coming — and their appearance on the Hill today signals that they’re convinced they’re better off trying to help lawmakers craft new legislation that might be more favorable to them than pushing back against what may be inevitable.

Companies have faced bipartisan scrutiny in recent months for mishandling of customers’ personal data, with controversies ranging from Facebook’s Cambridge Analytica scandal to Equifax’s botched disclosure of its massive data breach. Taking the seat at the table allows them to exert influence early in the process -- and do so in a high-profile setting where they can try to steer the debate not only in Congress but also set the tone for privacy principles for the rest of the industry.

“We are in a different place than we were last year,” Sen. Brian Schatz (Hawaii), the top Democrat on the committee’s panel on communications, technology, innovation and the Internet, told the Cybersecurity 202 in an interview Tuesday. “We now have broad consensus that we need federal privacy legislation.”

And it’s not just Congress that is ready to hold the tech and telecom companies’ feet to the fire — the executive branch is taking action, too. Just yesterday, the Commerce Department put out a call for public comments on how to set new rules protecting consumer privacy. States are also stepping up their efforts to rein in the industry, with California passing the country’s toughest privacy protections over the summer. 

The hearing marks the start of a complex debate for Congress. Any sweeping federal law would have to balance consumer privacy against the disparate and often competing demands of software makers, social media companies and Internet service providers. But they're committed to it anyway. “The question is no longer whether we need a national law to protect consumers’ privacy,” Senate Commerce Committee Chairman John Thune (R-S.D.) said in an op-ed in the Hill newspaper Tuesday. “The question is what shape that law should take.”

Here are four things to watch in today’s hearing:

1. How will tech companies disagree? 

The companies testifying today represent a cross-section of the tech industry, with data practices and business models that diverge from one another. They may say they're ready for federal privacy legislation, but expect some clashes over what they want it to look like. “We’ve gotten much past the point where the Internet thinks one thing,” said India McKinney, a legislative analyst at the Electronic Frontier Foundation. The hearing will set the stage for a bill-making process where lawmakers will not only have to weigh customer interests against tech companies’ interests -- but also the interests of tech companies versus tech companies. 

2. How will new privacy laws in California and Europe inform the debate?

California’s sweeping new privacy law is part of what has driven companies to the negotiating table. Tech industry players are worried that the law could lead other states to pass similar legislation, creating a patchwork of regulations that would be hard — and expensive — for them to navigate. Europe’s General Data Protection Regulation has put similar pressure on the industry, prompting Google, Apple and other American companies with global customer bases to update their data collection policies. Lawmakers probably will use these laws as reference points throughout the debate. It’ll be interesting to hear what objections the companies raise about the laws’ restrictions — and their statements could set the stage for a fight over whether a tough state law such as California’s should be superseded by a potentially less restrictive federal privacy law.

3. How tech-savvy are the lawmakers?

Lawmakers will need to be ready to address the companies’ data collection practices and exhibit knowledge of their business models. They’ll also have to think ahead about ways to address emerging forms of data these companies are collecting, such as biometrics. Lawmakers were ill-prepared on these fronts when Facebook CEO Mark Zuckerberg testified in a joint hearing of the Senate Commerce and Judiciary committees in April — critics panned them for asking vague and uninformed questions about the social network. We’ll find out whether they’ve done their homework this time around. 

4. Who’s in and who’s out with Congress?

Lawmakers have turned their displeasure with the tech executives into a spectacle in other hearings involving the industry this year. When Google declined to testify on foreign election interference before the Senate Intelligence Committee earlier this month, lawmakers blasted the company's “no-show” and even left an open seat to call attention to its absence. Facebook and Twitter have also found themselves in the doghouse this year, with lawmakers grilling their executives about their data collection policies. And then there's President Trump's own feud with Amazon; he's accused the company on Twitter of dodging taxes and receiving special treatment from the Postal Service. (Amazon's chief executive Jeffrey P. Bezos also owns The Washington Post.)

But not every encounter has been so adversarial. When Facebook Chief Operating Officer Sheryl Sandberg and Twitter CEO Jack Dorsey testified in the Senate this month, lawmakers struck a more conciliatory note. With such a broad group of companies testifying today, we'll be watching the tone the committee wants to set as it sets out to craft this legislation.

PINGED, PATCHED, PWNED

PINGED: While Russia's cyber activities and interference efforts continue to draw scrutiny from U.S. officials, Director of National Intelligence Daniel Coats on Tuesday warned that China is “asserting a whole-of-nation strategy in the cyber domain that is unprecedented in scale.” Coats, who spoke at an intelligence and cybersecurity conference hosted by The Citadel, a military college in Charleston, S.C., said that “in contrast to Russia, China often executes its strategy in a more deliberate and subtle manner.” Coats also said that China not only seeks to influence policies in the United States and carry out propaganda efforts, but also tries to divide American officials at different levels of government. “It is trying to exploit any divisions between federal and local levels on policy and uses investments and other incentives to expand its influence,” he said.

Additionally, Coats emphasized China's assertiveness on cybersecurity issues on the international stage. “In the cyber domain, China seeks to influence international cyber norms, emphasizing state sovereignty over information,” he said. “Beijing is working against the values that the international community has championed, including protecting personal privacy, the free flow of information and the protection of commercial secrets.” Before he made the case that China is “among the most active foreign states” in cyberspace against U.S. interests, Coats reminded the audience that Russia remains a concern for the United States. “In recent months I have spoken out candidly about the persistent and pervasive Russian effort to undermine our democracy,” he said. “This challenge continues to be at the forefront of our current threat environment.”

PATCHED: “Sen. James Lankford (R-Okla.) said Tuesday that a bipartisan election security bill won’t be passed by Congress ahead of November’s midterm elections,” the Hill's Jacqueline Thomsen reported. “Lankford told The Hill that the text of the bill, known as the Secure Elections Act, is still being worked out. And with the House only being in session for a limited number of days before the elections, the chances of an election security bill being passed by then are next to none.”

The legislation stalled last month after the Senate Rules and Administration Committee canceled a meeting to take up the bill. As I reported then, some Republican lawmakers backtracked amid concerns from the White House and some state officials over the legislation. Sen. Amy Klobuchar (D-Minn.), who co-sponsors the bill alongside Lankford, told the Hill that lawmakers must take action as the midterms approach. “With just 42 days until the midterm election, it is critical that we pass the Secure Elections Act as soon as possible,” Klobuchar said in a statement, as quoted by Thomsen. “The bill is supported by both Democrats and Republicans who continue to work to get this done. With our nation under attack from foreign governments every day, there is a federal obligation to act.”

PWNED: “A National Security Agency employee who worked at home without authorization on sensitive hacking tools was sentenced to more than five years in prison Tuesday, prosecutors said,” The Washington Post's Justin Wm. Moyer reported. “In December, Nghia Hoang Pho, 68, of Ellicott City, Md., pleaded guilty to willful detention of national defense information. A developer in the NSA’s Tailored Access Operations, the agency’s elite hacking unit, he took classified material in hard copy and digital form home between 2010 and 2015.”

Assistant Attorney General for National Security John C. Demers said Pho jeopardized intelligence capabilities. “Pho’s intentional, reckless, and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” Demers said in a statement. “Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets.”

Pho was sentenced to 66 months in prison followed by three years of supervised release, according to a news release from the U.S. attorney's office for the District of Maryland. “Pho’s case, one of many significant NSA breaches, was also noteworthy because he was using Kaspersky Lab anti-virus products — software from a Russian firm the agency never used for fear that it could facilitate spying,” Justin wrote.

PUBLIC KEY

— House Minority Leader Nancy Pelosi (D-Calif.) on Tuesday named Rep. Jim Langevin (D-R.I.) and former congressman Patrick Murphy as appointees to the Cyberspace Solarium Commission, according to a news release from Pelosi's office. The commission, which was created as part of the annual defense authorization bill, will be tasked with establishing a cyberdefense strategy for the United States. (I wrote about the goals of the commission in July.)

“In the decade I have worked on cybersecurity policy, it has become abundantly clear that we need strong strategic leadership to guide policymaking in this new domain,” Langevin said in a statement. “The threats we face, which range from interference in our democracy to disruption of our critical infrastructure, are only growing as all elements of our society become connected to the Internet.”

— “The U.S. could face heightened national security threats and lose its economic edge if the government doesn’t step up its game when it comes to artificial intelligence, according to a pair of oversight lawmakers,” Nextgov's Jack Corrigan reported. “Reps. Will Hurd, R-Tex., and Robin Kelly, D-Ill., on Tuesday published a report detailing the current state of the country’s artificial intelligence ecosystem and offering recommendations for how government could steer and accommodate the technology’s development in the years ahead.”

— “A group examining election security in Pennsylvania urged Congress and state lawmakers Tuesday to speed up the funding required to replace voting machines, noting most lack a paper record needed to check for fraud and errors,” the Associated Press's Mark Scolforo reported. “The Blue Ribbon Commission on Pennsylvania’s Election Security released interim recommendations and said the estimated $125 million to replace all machines statewide was ‘a relative bargain.’ ”

— More cybersecurity news from the public sector:

The Crisis of Election Security (New York Times)

Inside the private Justice Department meeting that could lead to new investigations of Facebook, Google and other tech giants (Brian Fung and Tony Romm)

The Marines want to test all recruits for cyber skills (Fifth Domain)

PRIVATE KEY

Cyber criminals increasingly target cryptocurrency, research finds (The Hill)

Twitter releases new policy to ban dehumanizing speech (The Verge)

SECURITY FAILS

— “Health data breaches are on the rise, a new study shows,” Reuters's Linda Carroll reported. “While the largest number of data breaches occurred at health care providers’ sites — such as hospitals and physicians’ offices — it’s health care plans that account for the greatest number of patient records stolen over the past seven years, according to the study published in JAMA.”

THE NEW WILD WEST

India’s top court upholds world’s largest biometric ID program, within limits (Vidhi Doshi)

ZERO DAYBOOK

Today

Coming soon

  • House Energy subcommittee hearing on the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response tomorrow.

EASTER EGGS

Key moments from Trump's speech at the U.N. General Assembly:

President Trump focused on issues of sovereignty and patriotism in his address to world leaders Sept. 25 at the United Nations General Assembly in New York. (Video: Reuters)

Bill Cosby sentenced to at least three years in prison:

Bill Cosby has been sentenced to 3 to 10 years in state prison by a Pennsylvania judge. He has also been classified as a “sexually violent predator.” (Video: The Washington Post)

Kangaroo on the loose in Florida neighborhood:

Storm, a 5-year-old kangaroo, escaped from an animal sanctuary in Jupiter Farms, Fla., on Sept. 25. (Video: Newsflare)