Recently, the Office of Personnel Management acknowledged it was targeted by a foreign cyberattack that resulted in the theft of about 4 million current and former federal employees’ personal data. Soon, OPM is expected to reveal that this breach also exposed the details of potentially millions more U.S. security clearances of federal employees.

Those breaches were unfortunate – particularly for households like mine that are led by two current-or-former federal employees who hold (or held) U.S. security clearances.

Fortunately, the gravity of the OPM cyberattack and its consequences could also help federal officials assess whether their own data would be significantly more secure if the Federal Trade Commission could – and actually did – treat federal agencies as it has routinely treated private U.S. businesses that have unintentionally disclosed sensitive third-party data as a result of deliberate, foreign cyberattacks.

When foreign cyberattacks – like the one that targeted Wyndham Resorts – cause a U.S. business to unintentionally disclose potentially sensitive third-party data, the FTC responds, if at all, by having its Consumer Protection Bureau (CPB) accuse the attack’s victim of “unfair” data-security practices. CPB then argues that if an attacked U.S. business did inadvertently disclose customer data, then its data-security practices were necessarily “unfair” and illegal – because it was better situated to thwart the attack than the average consumer. In effect, that can subject private U.S. victims of even the most sophisticated foreign cyberattacks to strict liability for disclosures of any third-party data.

In such cases, private U.S. victims of deliberate cyberattacks almost always submit to “consent orders” that impose 20-year “FTC-monitoring” obligations. Almost all small- and medium-size U.S. businesses do so because they cannot afford the financial and reputational costs of litigating a multi-layered FTC enforcement action in Washington.

Large, powerful corporations and their lawyers may agree to such “consent orders” for different reasons. For example, it is not clear that any federal agency can enforce FTC “consent orders” as “orders” within the meaning of the FTC Act. That act only empowers the FTC to adjudicate and enforce “orders” that determine whether specified practices are “deceptive” or “unfair.” Most FTC “consent orders” make no such determinations.

Now that foreign cyberattacks against public and private U.S. targets have become more frequent and sophisticated, the U.S. government must rethink its response strategies. In 2006, the World Bank found that rule of law was the most valuable economic asset of developed countries like the United States. By 2015, as a result of Internet cyberattacks, U.S. state and federal governments have a vastly reduced capacity to perform their most basic, productive duty – to provide rule of law by defining and defending the legal rights of their own citizens within their own territorial jurisdictions.

Federal law-enforcement agencies, like the FTC, can try to ignore that cold, hard truth by sanctimoniously accusing private victims of even sophisticated attacks of inadequate security practices. But such hypocrisy will be exposed; episodes like the OPM cyberattack will repeatedly reveal that the data-security practices of federal agencies tend to be even more “unfair” than those of private, growth-generating U.S. businesses.

The increasing frequency, diversity and sophistication of cyberattacks against federal, state and private U.S. targets has thus created a shared public-private challenge. Denying that is increasingly futile. And that should suggest the need for a more collaborative – and less accusatory – federal approach to improving both public and private cybersecurity measures.

It should also suggest a shared public-private need to determine when, how and by whom potential retaliatory measures against identifiable foreign cyberattackers should be undertaken. Some have analogized our current cybersecurity challenges to the lawless, “Tombstone” days of the American Wild West. Those analogies do capture something important about the seriousness of the resulting threat to rule of law, but they are also flawed.

For example, when Wyatt Earp and Doc Holliday found themselves on the receiving end of outlaws’ gunfire at the O.K. Corral, it was at least clear that they were both legally entitled to shoot back. It is now time to begin thinking seriously about whether, and when, both private and public U.S. entities should have the option of generating deterrence via retaliation in the far more difficult and murky context of cyberattacks.

The ultimate goal of such efforts should be to restore true rule of law on the Internet, at least within the United States. But that is a practical goal best pursued by acknowledging our government’s now vastly reduced ability to provide its citizens with rule of law – the single most valuable asset that we once had.