Stitching Together the Cybersecurity Patchwork Quilt: Data
Published by The Lawfare Institute
in Cooperation With
Editor's Note: This piece is the first in a two-part series by Jim Dempsey on cybersecurity initiatives taken during the Biden and Trump administrations. Part 2, “Stitching Together the Cybersecurity Patchwork Quilt: Data,” can be found here. Dempsey’s work on this series was funded in part by a grant from the Army Cyber Institute at West Point.
TikTok. Biometric identifiers. Connected cars. Data brokers. Anti-virus software. Cloud computing services. Artificial intelligence. Ship-to-shore cranes. Undersea cables. Internet routing. How are all of these things related?
One answer is that they all pose risks at the intersection of data, technology, cybersecurity, and national security. Another is that each has been the subject this year of congressional action, federal agency rulemaking, or both. The number and complexity of the initiatives can be overwhelming, and it can be hard to discern how they fit together. But their motivation is clear and is found in the regular drumbeat of warnings of adversarial probing and compromise of U.S. infrastructure and data networks.
Taken together, the initiatives add additional fabric to the patchwork quilt of U.S. cybersecurity law. Moreover, they represent a rare expression of bipartisan agreement (if not always joint action) in American politics. Underappreciated, perhaps, is the way in which these measures represent a long-running evolution in U.S. cybersecurity policy, going back (at least) to the Trump administration. And it is a trajectory that may well continue regardless of the outcome of the upcoming presidential election (despite Trump’s recent promise to “save TikTok”). Largely overlooked on the last page of the Republican Party’s platform—released in July—was a commitment to “use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors.” In language quite similar to President Biden’s March 2023 National Cybersecurity Strategy, the platform goes on to pledge “to raise the Security Standards for our Critical Systems and Networks.” “All tools” to raise standards might just include regulatory measures of the kind that are generally off the table for Republican policymakers in other realms.
It is by no means certain that these initiatives will be effective. Some rest on shaky legal grounds. Many may fall victim to their own complexity—or to the underlying complexity of the industries they address (for example, data brokerage). Corporations running critical infrastructure continue to resist mandated cybersecurity improvements, supported in some cases by Republican attorneys general, and current Supreme Court jurisprudence makes it easier to block federal regulation. Most importantly, despite this year’s flurry of activity, significant gaps remain in the coverage of U.S. critical infrastructure.
This two-part series is intended to summarize various initiatives so far this year from a cybersecurity perspective, trace their Trump-era origins, caution against the reporting that suggested immediate results would be realized, tease out some overarching themes, highlight the urgent need for Congress to clarify the authority for these and similar measures that need to follow, and call on the administration to promptly issue its gap analysis. I have split the analysis into two parts, this part focused on data flows and the second, to follow, on hardware, software, and infrastructure, recognizing, of course, that the line is blurry.
The Legal Cornerstone: IEEPA
Many of the executive branch’s efforts to address cybersecurity rely on the International Emergency Economic Powers Act (IEEPA). First adopted in 1977, IEEPA is available whenever the president declares there is a national emergency due to “any unusual and extraordinary threat,” which has its source outside the United States, to the national security, foreign policy, or economy of the United States. Upon such a declaration, IEEPA gives the president power to regulate or prohibit any acquisition, transfer, importation, exportation, or transactions by any person subject to U.S. jurisdiction involving any property in which any foreign country or foreign national has any interest. It’s very broad, but the statute has exceptions that specifically limit its potential in the area of information technology: It denies to the president any authority to regulate or prohibit any personal communication, directly or indirectly, and, under what is known as the Berman amendment or amendments (named after Rep. Howard Berman, D-Calif.), any export or import of information or informational material.
As cybersecurity concerns have come to focus on nation-state threats, and given Congress’s limited action, IEEPA has become a critical tool of U.S. cybersecurity policy, serving as the basis for multiple initiatives, including President Obama’s attempt to punish North Korea for its 2014 attack on Sony Pictures, multiple administrations’ imposition of sanctions against ransomware gangs, and President Trump’s failed effort to ban TikTok and WeChat (which ran smack into the Berman amendments and the protection of personal communications).
The Biden Administration’s Sensitive Data Executive Order and Rulemaking
In 2019, President Trump invoked IEEPA to issue Executive Order 13873, declaring a national emergency with respect to the nation’s information and communications technology and services supply chain. The order found that “the unrestricted acquisition or use” in the U.S. of technology or services developed by persons subject to the control of foreign adversaries augmented the ability of those adversaries to create and exploit vulnerabilities in the U.S. digital ecosystem, “with potentially catastrophic effects.” Although seen as aimed at Huawei and other China-made switches in the telecommunications network, the order swept broadly, authorizing the secretary of commerce to prohibit or impose mitigation measures on any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (referred to as ICTS transactions) that posed undue or unacceptable risks to the U.S. communications infrastructure, the national security of the U.S., or U.S. persons. A rule issued under the executive order designated six adversaries for these purposes: the People’s Republic of China, Cuba, Iran, North Korea, Russia, and “Venezuelan politician Nicolás Maduro (Maduro Regime).” However, except for TikTok, President Trump’s secretary of commerce never designated any ICTS transactions for restriction. (A 2020 designation aimed at WeChat was withdrawn before publication.)
In 2021, President Biden issued his own data-focused executive order, also relying on IEEPA, in which he preserved Trump’s Executive Order 13873. Each year since, Biden has continued the national emergency declared by Trump.
In his 2021 order, President Biden directed his administration to develop recommendations to protect against harm from the unrestricted sale of, transfer of, or access to Americans’ sensitive data, including access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary. The results of that review became apparent on Feb. 28, when Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.” The order expands the scope of the IEEPA national emergency declared by President Trump in Executive Order 13873 and directs the Department of Justice to establish a regulatory process aimed at two categories of data: bulk sensitive personal data (defined as personal identifiers, geolocation and related sensor data, biometric identifiers, “human ‘omic data,” personal health data, and personal financial data) and U.S. government-related data (defined as sensitive data in any volume that is linked to or can be used to identify government personnel). It contemplates outright bans on some transfers and, for others, restrictions that would impose security requirements intended to mitigate the risk of access by adversaries. It would regulate transfers to “countries of concern” and starts with those identified under the Trump executive order: China, Cuba, Iran, North Korea, Russia, and Venezuela. It encompasses not only transfers directly to those countries’ governments but also transactions between U.S. persons and persons subject to ownership, control, jurisdiction, or direction of those countries.
Immediately after President Biden issued his 2024 executive order, the Department of Justice released an advance notice of proposed rulemaking. The notice indicated that the Justice Department is planning to take an incremental approach, considering at first to define two classes of prohibited data transactions: data-brokerage transactions (which seems very broad) and any transaction that provides a country of concern or covered persons with access to bulk human genomic data or biospecimens from which human genomic data can be derived. The Justice Department also indicated that it was considering establishing three categories of restricted transactions to the extent they involve bulk U.S. sensitive personal data: vendor agreements, including agreements for technology services and cloud services; employment agreements; and investment agreements. Those categories foreshadow a complicated and potentially extensive regulatory scheme that would require American companies to be very careful with any relationships that might involve access to covered types of data.
Peter Swire and Samm Sacks provided an in-depth analysis of the order and rulemaking, situating them in the context of what they describe as “a much bigger departure from the traditional U.S. support for free and open flows of data across borders.” Justin Sherman found significant value in the process’s potential to compel data brokers “to better assess and monitor what data they are selling, to whom, for what purpose, and with what technical privacy or security measures in place,” thus partly filling the huge gap left by congressional inaction on broader privacy legislation.
Another way to understand the Biden executive order and Justice Department rulemaking is in the context of cybersecurity. Recall the Chinese government’s thefts of enormous databases of Americans’ data from the Office of Personnel Management, Equifax, Anthem Health, Marriott, and probably others. Recall, too, concerns that Chinese investments in U.S. companies would put Americans’ data at risk and concerns that the Chinese government could force China-based companies offering telecommunications products and services in the U.S. to collect and turn over data transiting their networks or passing through China-made switches. All the criminal indictments of Chinese officials for data theft, all the regulatory enforcement actions aimed at the breaches of companies collecting and holding sensitive data, all the data protection-related mitigation measures that the U.S. government has forced on the parties to foreign investments in U.S. companies, and all the money spent ripping out and replacing China-made switches from U.S. telecommunications networks would be inadequate if adversaries could simply buy the data they want on the open market: hence Biden’s order and the Justice Department’s rulemaking.
By focusing on only certain categories of data, the Biden administration seems to believe it can avoid the problems that the Trump bans on TikTok and WeChat encountered. The administration’s theory seems to be that transfers of personal data are not expressive and thus not protected under the First Amendment, and that the limitations of the Berman amendments are co-extensive with the First Amendment. That latter point was accepted by at least one district court, interpreting the initial, 1988 version of the Berman amendment, which covered “information materials” but did not include “information.” There is also some support for it in the legislative history of Rep. Berman’s second amendment, in 1994, adding “information.” But relying just on the words of the statute, the theory seems vulnerable; data is “information,” which is categorically excluded from the president’s powers under IEEPA.
Context: Limits on Data Under the CFIUS Process
In recent years, the Committee on Foreign Investment in the United States (CFIUS) has increasingly focused on regulating acquisitions, investments, and other transactions involving access to Americans’ data. As a result, CFIUS has prohibited some noteworthy deals outright. In 2018, CFIUS blocked Ant Financial from buying MoneyGram over concerns about the security of Americans’ financial data. In 2019, CFIUS forced China’s Beijing Kunlun Tech to sell the dating app Grindr, which Kunlun had purchased in 2018. Also in 2019, CFIUS forced Chinese investors to divest from the medical data sharing platform PatientsLikeMe.
In the majority of matters that come before CFIUS, the transaction is not prohibited but, rather, is approved subject to mitigation measures. For example, CFIUS compelled the China-based financial holding group Oceanwide Holdings and the Genworth insurance company to work through a U.S. third-party data administrator to ensure that the Chinese company could not access the insurer’s data on its U.S. customers. In this context, the Biden order and the Justice Department rulemaking can be seen as an effort to routinize through regulation the case-by-case negotiations that have been occurring in the CFIUS process, thereby applying the same mitigating measures across entire classes of transactions without the need for individualized review. Note, however, that CFIUS operates not under IEEPA but under the Defense Production Act, which has no provision excluding information from its scope. If and when the Justice Department issues its regulations under the Biden order, relying on IEEPA, and if those regulations are struck down as contrary to the Berman amendments, data restriction efforts could continue under the CFIUS process, case by case.
Protecting Data From Adversaries: The TikTok Saga
President Trump’s efforts to ban or force divestiture of TikTok (efforts he now says he opposes) were always an imperfect proving ground for the pursuit of cybersecurity interests. From the outset, analysts have debated whether the anti-TikTok campaign was better justified by concerns over data access or content manipulation. Under either theory, IEEPA’s Berman amendments and the First Amendment sank Trump’s efforts. A parallel CFIUS action against TikTok remains in force but unenforced.
In April, in the Ukraine-Israel supplemental appropriations act, Congress circumvented IEEPA by adopting free-standing legislation requiring divestiture of TikTok. The law makes it unlawful to distribute, maintain, or update (such as through a mobile app store) a “foreign adversary controlled application.” Foreign adversary controlled application is specifically defined to include any app owned by TikTok (unless divested from its China-based parent ByteDance), but the term also includes any other app operated by a company that is controlled by a foreign adversary and determined by the president to present a significant threat to the national security.
The law gives TikTok 270 days (that is, until Jan. 19, 2025, subject to one 90-day extension) to divest from ByteDance, or face a nationwide ban in the United States. TikTok has challenged the law in the U.S. Court of Appeals for the District of Columbia, with briefing now underway and oral argument scheduled for Sept. 16.
At least from a data perspective, the singular focus on TikTok was almost certainly a mistake and has probably been overtaken by events. The China-based e-commerce app Temu is now the most downloaded app on Americans’ phones. (The information manipulation concerns remain, however, as TikTok continues to serve as a critical platform for political campaigns.) In his 2021 order, President Biden sought to generalize the data concerns represented by TikTok by calling for a comprehensive strategy around connected software apps that collect Americans’ data. With the order and Justice Department rulemaking this February, the administration seems to have shifted. Rather than trying, as Trump did, to keep out of the U.S. apps that would collect Americans’ data and send it back to China, the Biden administration seems to be focused on blocking the export of the data itself, whether collected by apps or other means.
Congress Regulates Data Brokers
The recognition that the data is what really matters informed the Protecting Americans’ Data from Foreign Adversaries Act of 2024, also included in the Ukraine-Israel supplemental. The law, which took effect on July 17, makes it unlawful for a data broker to sell, license, or disclose “personally identifiable sensitive data of a United States individual” to any foreign adversary country or an entity that is controlled by a foreign adversary—meaning China, Russia, Iran, and North Korea. Sensitive data is broadly defined as data that identifies or is linked or reasonably linkable to an individual or to a device that identifies or is linked or is reasonably linkable to an individual. It includes government-issued identifiers (for example, Social Security numbers, driver’s license numbers, and so on), health data, financial data, precise geolocation data, and online browsing data, among other listed categories.
However, by focusing on data brokers, the law has a major limitation. A data broker is defined as an entity that sells, licenses, discloses or otherwise makes available data that the entity did not collect directly from individuals. That leaves out first-party data collectors, such as the many mobile apps that collect and sell location data or health data from their users, and which are a large part of the data ecosystem. As Justin Sherman has pointed out, this yields a perverse result: If, as required under the TikTok section of the supplemental, TikTok were to be totally divested from its China-based owner, TikTok could still sell or disclose all of its user data to the Chinese Communist Party, for TikTok would not be a data broker under the data broker provisions of the same bill.
The Long and Winding Road
“U.S. Limits Sales of Americans’ Personal Data to China,” announced the Wall Street Journal after President Biden issued his bulk sensitive data executive order in February. According to Reuters, “Biden cracks down on US data flows to China, Russia.” “Biden Acts to Stop Sales of Sensitive Personal Data to China and Russia,” said the New York Times. The stories were more nuanced, but the headlines were just wrong. What the executive order actually did was direct the attorney general to issue a proposed rule by Aug. 26, 2024. Such deadlines in executive orders are often missed, and in any case that proposed rule would be subject to notice and comment, almost certainly pushing final adoption into 2025. The gargantuan nature of the attorney general’s task was reflected in the advance notice of proposed rulemaking itself: While displaying a huge amount of forethought, it posed 114 questions that the Justice Department wants input on before it issues the proposed rule.
The challenges of implementation in this field are enormous. Under the Trump administration, the Commerce Department was 15 months late in issuing the rule necessary to implement Executive Order 13873 and ultimately never applied it. And the length of this process cannot simply be blamed on Trumpian dysfunction: In November 2021, the Biden administration initiated revisions of the Trump rule that weren’t completed until June 2023. A March 2021 Biden proposal to establish a licensing or preclearance process for ICTS transactions covered by Executive Order 13873 has yet to be completed. And a proposed rule on computing infrastructure as a service (to be discussed in Part 2 of this series) issued on Jan. 29 came more than two years after comments closed on the Biden administration’s advance notice of proposed rulemaking.
Meanwhile, the first action under President Trump’s 2019 Executive Order 13873 came only this past June, when the Commerce Department issued a final determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of the Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons.
Implementing trade controls of any kind is, to put it simply, very difficult. And when it comes to the communications sector and the digital economy, moving quickly or comprehensively has proved to be a challenge. Consider the seemingly straightforward initiative to block Huawei from receiving American technology. In 2019, President Trump’s Commerce Department put Huawei on the Entity List, which should have halted exports of American technology to the company. Yet under both Trump and Biden, the Commerce Department continued to issue licenses allowing Huawei to acquire U.S. technology. This March (that is, five years after Trump’s order), reporting revealed that Huawei’s newest laptop was powered by an Intel (an American company) chip, exported under a license issued during the Trump administration and never revoked by Biden’s team. One can read this as a failure to fully implement the Trump policy. Or one can read it, as Secretary of State Antony Blinken did in an interview, as evidence that the Trump embargo is being implemented in a nuanced way that addresses national security threats while allowing U.S.-based companies to continue to benefit from the Chinese market. “[W]hat we’ve done,” Blinken said, “is to work to build a very high fence around a very small yard.”
The ecosystem for monetization of Americans’ personal data is complicated (meaning that the yard to be protected—as Blinken referenced—is quite large), and U.S. companies that benefit from it could find ways to neuter or evade the regulatory system envisioned by Biden’s sensitive data executive order (that is, under the regulatory scheme, the fence may have lots of holes). That said, it is striking how much effort the Biden administration has put into advancing what Trump launched. If there is a second Trump administration, it would be a shame if they forgot who initiated all of this.