White House continues push for access to overseas data

The White House continues to push for a new legal framework to allow the U.S. government to access data stored abroad.

In a wide-ranging speech at the Institute for Critical Infrastructure Technology, White House Cyber Coordinator Rob Joyce laid out the administration's cybersecurity focus for the coming year, touching on how watershed events like the WannaCry and NotPetya attacks and the Equifax hack affected U.S. cybersecurity policy and shifting ultimate accountability for breaches upwards to the department head or secretary level.

Joyce also focused on the administration's worries about the problem of data sought in U.S. criminal or cybersecurity investigations being stored in other countries, often out of reach of U.S investigators, despite being stored by U.S. firms.

"While we're all concerned about cybercrime in the security of our networks, we're also really concerned about other countries around the world creating this convoluted patchwork of laws and regulation that impact our ability to move data," said Joyce.

He cited the framework of 2016 bilateral information sharing deal with the United Kingdom as a model that could be adopted in arrangements with other countries. The 2016 framework allows for more rapid data sharing between U.S. and U.K. law enforcement than was possible under mutual legal assistance arrangements.

Some open Internet advocates believe such data-sharing agreements may lead to a broader erosion of internet freedom and privacy rights.

"To avoid a race to the bottom in terms of human rights, it is critically important that strong protections be built into any legislation clearing the way for such agreements," said Gregory Nojeim, senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

Joyce said that such agreements could be expanded to other nations beyond the U.K. but only on the condition that they "hold our similar values and aren't looking to balkanize the Internet for repression of their people."

Joyce was notably cooler toward another potential avenue of cyber defense: the concept of "hacking back," when governments or companies defend themselves from an attack by bringing offensive cyber tools to bear. Proposed legislation like the Active Cyber Defense Certainty Act, introduced in 2017 by Rep. Tom Graves (R-Ga.), would permit organizations to conduct certain forms of active cyber defense, or retaliatory attacks, against groups hacking into their systems.

He characterized offensive cyber as "an inherently governmental act" and that "as a general defense for companies and countries overall, it's got to be a sparing solution in the tools that the government use, and I believe infrequently -- or not used at all -- in the commercial world."