The Nexus Between Cyber Crime and Emerging Global Threats
The right to privacy must be balanced with the ability to fight cyber threats, says TF 7 Guest
There are arguments to be made on both sides of the issue of the individual's right to privacy versus the right of governments to obtain data in the name of cybersecurity.
This was a focal point of Monday's Task Force 7 Radio episode 53, hosted by George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
Rettas’ guest was cyber security legal expert Adriana Sanford, and the topic was cyber security and global threats, especially in light of the evolving security landscape and the growing number of terror attacks over the last decade.
The conversation started with a discussion of the fact that New Zealand recently passed a law requiring travelers to reveal their device passwords, which Sanford called a "digital strip search." Now, whether you are a foreigner visiting New Zealand or a citizen of that country, government authorities have the authority to request not only your cell phone but any device, along with the passwords, codes and encryption keys, she said.
Failure to divulge that information can result in a $3,000 fine, which Sanford called "a huge concern" because of the fundamental right to privacy recognized in many countries, and a general concern for US citizens who travel there.
This will also be an issue in the European Union, where citizens are supposed to be protected wherever they go because they fall under the General Data Protection Regulation (GDPR).
In the U.S. there has been an "arrangement between the tech companies and the government that certain information could be disclosed to the users." We are seeing, however, that members of the "Five Eyes" alliance (the U.S., the U.K., Canada, New Zealand and Australia) are revising their legislation. The alliance takes the stance that personal data should be accessible to regulators in order to confront international organized crime, terrorist financing and terrorism, Sanford said.
Rettas commented that some of his previous guests on the show have come down in favor of the privacy of the individual over the government's authority to issue a warrant or to induce a technology company to provide some type of backdoor assistance in obtaining access to a device. He asked Sanford where she stands on that issue.
She replied that it “depends on your values and it depends on your priorities. And different cultures will look at this differently. If you're talking to somebody who believes in the fundamental basic human right of privacy, you're violating that right.”
That has to be balanced, she added, against the fact that obtaining access to data is "a modern investigative technique," if a government can prove that this is the best way to stamp out terrorism and organized crime. A government's stance on this will vary by country.
“Some of our allies actually do believe in a fundamental human right, and these are borderless crimes,’’ Sanford observed. “So in order for us to be successful, we need to be cooperating.”
If we don’t, it becomes very difficult to fight the cyber security battle.
Pay a ransom for data?
Both Rettas and Sanford agreed that it is challenging to find a balance between the right to privacy versus the ability to protect people and countries.
“I think the most important thing is, we need to figure out how to control our networks and how to engage the private sector, because right now the private sector has so many cyber attacks, and they're paying ransoms,’’ Sanford pointed out. Whereas terrorists used to finance their attacks through counterfeiting and charities, now they are turning to hijacking data. “This may now be the new space where terrorist financing starts to really, really develop, if it hasn't already.”
Rettas said that he has noted before on the show that the FBI has advised people not to pay these ransoms, although companies sometimes do. The dilemma is that if small- to medium-sized companies have their data encrypted and don't pay a ransom to get it back, that could cripple them and ultimately put them out of business, he said.
On the flip side, though, companies don't know who they're giving the money to: it could be terrorists, organized crime figures, or all sorts of nefarious groups that are using that money toward anti-American interests, he added.
He asked Sanford what small companies have to be concerned about if they hire security firms that advise them to pay the ransom.
“I would say you have criminal liability if you're doing something like that,’’ she responded. “Because what's going to happen at the end of the day is if these are rogue states, or terrorists, or criminal networks, and you are giving money and you say, ‘Okay, well it was because it was a ransom...'" In the past, the Department of Justice and the Federal Communications Commission have penalized companies with major fines for this, she pointed out.
Small companies should not be paying a ransom when they don't know who the money is going to, she emphasized. "It could undermine our economy, it could undermine our democracy, they could steal our intellectual property, there's so much that could happen, and our national security could be at stake. So, anybody who is advising someone to pay those ransoms rather than going to the government, that's really bad."
Rettas said that in the short term, maybe a company will get its data back, but in the long term, paying a ransom affects its reputation, and if it is publicly traded it runs the risk of a class-action suit.
Mass surveillance, the GDPR and CCPA
In the show's second segment, Rettas and Sanford turned to the topic of mass surveillance and the ongoing struggle over it in other countries compared with the U.S. Sanford said certain countries believe mass surveillance is probably one of the best ways of targeting terrorists and organized crime.
With the GDPR now in effect, the U.S. is also mulling over another law that would have a significant impact on businesses because of its "extra-territorial reach," Rettas observed.
Sanford said this is the CCPA, the California Consumer Privacy Act, which takes effect in 2020. "That is a new and unique legislation here in the United States that deals with privacy … for California residents. Unlike the GDPR, which basically follows the EU citizens wherever they go, the CCPA only applies to those California residents."
The CCPA, unlike the GDPR, will also not address government surveillance, she said.
The other big difference between them is that the CCPA goes a lot further with personal information than most legislation, Sanford noted.
“Personal information under the CCPA includes not only your IP address, what you've purchased and basic information like your address and emails, but it also includes your browsing history of things that maybe you looked at, ads that you clicked on, things that you may not have purchased but maybe you left on hold, or you added to your cart.”
Essentially, the CCPA says that as a consumer, you have a right not to have that information collected; you have a right to know who is collecting it, who they are sharing it with, and whether they are selling it or just sharing it. It gives California residents a lot more power, but not to the extent of the GDPR, because it does not address mass surveillance.
Violations of both the CCPA and GDPR will carry hefty fines, Sanford said. There is also the risk of criminal prosecutions against business executives and their attorneys.
Why legislation is important
The discussion turned to laws being implemented and revised because of global cyber threats. Currently, there are 41 countries revising and amending their laws to fight corruption, which adds a significant layer of complexity to compliance, Sanford said. As a result of new legislation in cyber security and privacy, she said, we're going to see an increase in compliance and data management costs.
“And this will, of course, pull attention away from other important initiatives within companies,” Sanford said. “So, these are all new issues for executives. Another one is the unmet board expectations when companies are exposed to these … cyberattacks.”
Rettas pointed out that there are different types of cyber criminals: those who are "economically motivated," "hacktivists," and those that commit espionage. He asked Sanford to address the nexus between cyber security and anti-money laundering (AML) compliance.
She said it's important to understand how the two work together, starting with how financial institutions fight money laundering. "They need to have an in-depth knowledge of their customers and they also need to know the patterns of crime." Similarly, with regard to organized crime and money laundering, we need to understand the crime patterns: where the money is going, and where it is coming from.
“We have to follow that trail of money to see whether it actually involves an illegal activity and a lot of times we can do this, but if they are concealing those trails through electronic payment systems … it will stop us from being able to go after those money launderers.”
The future of both cybersecurity and AML compliance needs to be “imagined together,” she said, and money laundering cannot be looked at separately.
Other global threats
There is also a nexus between cyber threats and how companies and supply chains are dealing with human trafficking, Sanford said, calling this "another huge global threat." The U.S. does not have strong laws with regard to human trafficking compared with countries like France and the Netherlands, whose laws "have teeth."
Now, a lot of companies are turning to blockchain to document data in the supply chain around human trafficking, she said.
When Rettas commented that companies are setting up intelligence teams to evaluate regulatory risks, Sanford said those teams should be carefully vetted the same way suppliers are. She also stressed that companies need to review their compliance processes and audits.
“It's a new world out there. New legislation. Noncompliance can be very, very severe. You can have criminal liability. Remember your in-house counsel. You've got to make sure that the laws in that country allow you to have attorney-client privilege because if that … in-house counsel does not have the attorney-client privilege, your information will be disclosed.” In that case, she added, you need external counsel to step in and deal with those issues.
Companies today must take a global perspective on how they operate, Sanford said. “Even if you're not operating internationally, the laws have extraterritorial reach and it will affect you. We see that with the GDPR.”
According to Sanford, the absence of uniform global rules of legal ethics creates serious ramifications for US attorneys with multijurisdictional practices. While a US attorney may, depending on the state bar or bars where they are licensed, be prohibited in the United States by confidentiality rules from disclosing ongoing illegal activities of their employer, the possible outcomes for failure to report such conduct in foreign territories are varied and problematic, and can create personal criminal liability for the in-house lawyer. This is an issue in the United States that at this point in time is unresolved. Accordingly, Sanford said that "in-house counsel with multijurisdictional practices in foreign territories may have a dilemma, because the laws compete and conflict with one another in different countries...either path the attorney takes is going to create an issue."
Her advice to business executives was to “know your territory, figure out what those risks are …. Global threats are different in different territories,” and there are different issues depending on the industry you are in.
“Do your homework and make sure that you know how the laws compete or conflict with one another in the space that you're working.”
Sanford concluded by saying that she is a proponent of countries adopting similar frameworks like the GDPR or a variation of it to streamline the way some global threats are approached. That way, executives and their in-house counsel will know “how to handle the reporting of ongoing illegal activity when laws are conflicting with one another.” With time, she said, hopefully some of these issues will be resolved.
“Of course, there will be new, emerging, vulnerable situations for us, but at least we have got our eyes open and I think that's a first step.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.