Key Questions:
- What are the benefits of cross-border data flows?
- Why is there a need for a global workforce for data flows?
- What is telemetry data?
- What does data flow regulation look like in the United States?
Resources:
Transcript
Sasha O'Connell
Welcome back to Start Here. In this series of podcasts, we are working to give you a framework for analyzing foundational cyber policy questions. In our previous episode, we looked at ransomware and some of the challenges companies and governments face in trying to stop it. My name is Sasha O'Connell, and I'm a Senior Professorial Lecturer at American University, and I'm joined again today by Drew Bagley, Vice President and Counsel for Privacy and Cyber Policy at CrowdStrike, and Megan Brown, a partner at Wiley and Co-Chair of the firm's Privacy, Cyber, and Data Governance practice.
We're going to take on the next topic, and that is cross border data flows. As we all know, being online is completely fundamental to our lives. I start every semester with an exercise where I work with students to list the ways we interact with the internet from sunup to sundown, and sometimes, honestly right, overnight, and it's, of course, every time we do it, a remarkable list. For the purposes of this episode, it's really important, I think we start with that recognition that one of the reasons being online has been so, frankly, incredibly useful and functional and really a necessity in our daily lives is all built on technical protocols that are in fact global and decentralized, and those are also dependent on the ability of major providers to move data around the world at lightning speed. It's what makes all the magic work. Over time, of course, it turns out that that set of global protocols, and in particular as relevant to this episode, the associated free flow of data has some consequences that are important to acknowledge and balance with all the primary benefits that it also provides.
In an effort to assert their vision of the correct balance of those two things, the costs and benefits, if you will, governments around the world have started to push for data localization policies and laws. This is a concept that requires, essentially, companies to store data in particular countries and puts restrictions, sometimes outright bans, or requires export licensing on moving data around the world. We've even seen some recent moves in the U.S. to limit the transfer of data to certain countries. So we want to talk about it. Should data be treated more like a physical product in international trade with a whole scheme of rules and requirements for bringing it into the U.S. or sending it out? We picked this topic for Start Here because there are real practical and policy issues that are at play, including impacts on cybersecurity activities, which we're going to talk about in just a second, when governments limit the movement of data across borders or require in country storage.
So with that, I'm going to turn to Megan and Drew here. I mean, we talked a bit about the benefits, the free flow of data underlying just about everything we do on the internet. Can you talk a little bit more about maybe some of the other benefits that aren't so intuitive?
Drew Bagley
Sure. Absolutely, Sasha. Yeah. As you noted, there are many economic benefits from a business perspective, even in the ability to set up a multinational business across borders. There are cultural benefits, but importantly, and I think that policymakers often overlook this, there are lots of cybersecurity benefits and even, I would argue, cybersecurity necessities to the free flow of data. So for example, all of the devices that we use today have some sort of unique identifier being generated, or otherwise statically associated with the device and those unique identifiers are important, because as we're online, that means that if an adversary is attempting to get into our laptops, our phones, or any other device, there is some sort of interchange between data. Between unique identifiers that might be associated with that adversary and unique identifiers that could be associated with the victim. And those breadcrumbs are really important for cybersecurity and those can be important in terms of preventing a cyber attack and detecting something that could be adversarial behavior, or even in terms of investigating a cyber attack after the fact. And in fact, these days, there are even cybersecurity mandates backed up by official guidance that call for the use of threat hunting, for example. Whereby you would have people 24/7, so because of time zones, you'd have to have people around the globe, looking at this sort of telemetry data that has these unique identifiers for purposes of catching things that the technology alone might not catch. Find that hands on keyboard activity. There's also use of identifiers in red teaming, where you are asking a security company to come in and try to penetrate your defenses and see how good of a job you do protecting against that. 
All of those things, by the very nature of how you describe the Internet, require some sort of cross border data flows and this all exists in an era in which, in some legal regimes, even something as public as an IP address is sometimes categorized as regulated data that should be localized, and so that's where cybersecurity really is affected by data localization.
Sasha O'Connell
Drew, I know you have a paper out you co-authored on this topic. One thing, again, you mentioned it briefly, to go back to is the need for a global workforce and the need to move data around. Can you explain that? What does that mean for CrowdStrike? And what does that mean for the need to move data across borders?
Drew Bagley
Sure, so I co-authored a paper with Peter Swire and several other co-authors that focused on taking the MITRE ATT&CK Framework, which is the closest thing you can get to an industry standard in cybersecurity for what a cybersecurity framework looks like and we applied that to various data localization rules, and essentially, an adversary is going to take data across the border anyway; regardless of the rules. They're not exactly rule followers and yet a defender, if a defender is hamstrung by data localization rules, that means that you could have a defender in one jurisdiction, able to only look at a certain set of data and as soon as there was, let's say lateral movement within a system, meaning an adversary is moving from one machine to another across the network, then all of a sudden that same defender might not be allowed to look at the data that technically is in another jurisdiction. Where this really comes into play these days is most attacks use legitimate credentials, as we've talked about in previous episodes, and so if you're talking about identity credentials, and those are personal data, well, there's an interplay going on constantly through various internet protocols to authenticate those identities and so if a defender is not allowed to look at authentication logs once they cross a certain threshold, then that's very problematic; and essentially what you have under ideal circumstances, and again, under official guidance, even from the European Union Cyber Security Authorities, under ENISA, is that you have 24/7 security operations centers staffed by people who are doing threat hunting, but even, and forgetting even that technical cybersecurity, you just have 24/7 customer support if something technical is going wrong and that requires access to data, basic data. 
And if those things are disrupted, then that's something that can really only benefit the adversary who doesn't have to play by the rules and doesn't have a whole lot of benefit for the defender that's going to be boxed in by the rules.
Sasha O'Connell
I heard you say, too, that it makes sense for CrowdStrike, for example, to have folks work the evening when it's day in another country, just sort of by definition, which interests me because it's a real people issue, at the end of the day, not a technical issue. So that aspect is interesting as well.
Drew Bagley
Even when we think about cyber workforce shortages today. Think about in a single jurisdiction, even a larger jurisdiction with a big population, I have yet to find a policymaker in the world that doesn't complain about the cyber workforce shortage. So, imagine if then you've reduced your pool because of data localization, it's hard enough with a follow the sun model, but with a follow the sun model, you can do this. And especially where we have cyber haves and cyber have nots, you have a lot of organizations that have to depend on managed service providers that have that 24/7 backbone to help them from a security standpoint. So, then you're really just shifting that burden if you're making it so that the rules are that you can only find talent in a certain jurisdiction within certain hours that they're going to work and then hope for the best during the other parts of the day.
Megan Brown
Or worst case, I think, or an additional downside of all of this is you're just introducing friction. You may have to have multiple people doing the same thing because they're in different jurisdictions and I think when you're talking about cyber defense or response, speed is really important, and so it's not satisfying when I hear some policymakers say, well, you know, you can just contract around that or there's ways to work around that. Maybe, maybe, but it introduces friction, contract negotiations, additional bodies, and it's just not– it gets in the way of the speed that I think Drew's been talking about being so important.
Sasha O'Connell
So, anything else on benefits? Again, we sort of brushed over, but importantly, 90 percent of probably what we do on the internet, is dependent just from a convenience perspective on this flow of data globally. We obviously have this really interesting addition of the cybersecurity aspect to it. Any other benefits on this before we move to maybe what some of the risks are to this kind of data flow?
Megan Brown
I mean, I'll just flag, I think we take for granted in our connected economy that when we travel, for example, our services are going to work. Like you can hail a ride share in Greece that you could also do here in Washington, and if you don't have data transfer and portability, all of that can be much more difficult, much more costly and less seamless for end users. You know, in addition, we've had, cloud services are enabling huge cost effective storage as well as ready access around the globe and a lot of these data localization questions impact those efficiencies, and so I think just policymakers need to understand that whenever you're putting up an additional hurdle to the use of data or the movement of data, you are having these on services, and technology that a company wants to be able to send telemetry data to its engineers in India for processing for some cool new thing. If they have to check with their lawyers every time they want to do that, you're introducing a lot of friction to the economy.
Sasha O'Connell
Can I ask you guys to define telemetry data?
Megan Brown
No.
Sasha O'Connell
Thanks. Good talk. Drew? It came up twice. On behalf of our listeners everywhere, telemetry data.
Drew Bagley
Absolutely. I'd be more than happy to. It's such a fascinating term to define. So, sure, at its core, telemetry data is generally speaking, and this is something that changes over time as technology evolves, but the metadata being generated, either by a device, so we can think of Internet of things, devices generating some sort of data about what's going on on the device. But more commonly in the context of cybersecurity, it's really the metadata about the processes going on a device. So when you open your office software, for example, there's an executable file that opens. The content of that executable file is not the telemetry, it's the fact that that executable file opened, and then whatever happens subsequently. So that file might call out to different libraries that are on the system, and then the operating system might take other types of actions, and so that chain of events is very important from a cybersecurity standpoint because if, for example, if you opened a Word document, and then all of a sudden there was a file delete event after that; that would just be the telemetry itself. You wouldn't have to look at the document to know what's in it. But that pattern might be indicative of ransomware on the system, and so that data, again, is useful for cybersecurity, but it's only useful if you're able to identify the adversary and stop the adversary, identify the victim machine and block what's going on on the victim machine. If you remove all those identifiers, then that's something where you can't have it both ways. And so I think oftentimes, when these data localization conversations happen, cybersecurity is being thought about as if it's 20 years ago during the malware wars and most attacks today don't even use any malware. So you're not talking about matching hashes to a known list of badness. Instead, you're talking about using this telemetry.
Sasha O'Connell
Okay, perfect. So the point here is that telemetry data would be included in any data restriction?
Megan Brown
It could be. It's all definitional and I think that's another thing policymakers just have to always keep in mind is don't cast too wide a net when you're defining what data has to be protected.
Sasha O'Connell
Yep. That makes sense. Okay. So, I see a ton of benefits here. Are there any benefits to restricting data? Can you guys explain, where this is coming from? Either from a general perspective or a more tactical perspective? What are the benefits on the other side of some restrictions?
Megan Brown
So, there's always going to be some risk relating to the collection, handlings, sharing, trade, and data, right? There's commercial data, there's sensitive personal data, there's all kinds of data, and that's what many times the bad guys are looking for, so, it is reasonable to try and minimize that. It may be reasonable in certain circumstances to try and keep that data from getting out to countries of concern, certain kinds of data, we policymakers might say. We don't want this kind of data in our adversaries' hands but there's several justifications that regulators around the world will offer. One frequent one is, a country may have made a value judgment about what privacy and security demands they have domestically, and they are worried that the export of that data will subject that data to less protection. So that's one model to export your privacy standards to the destinations for your citizens' data. Often, it's to ensure that data is going to stay available in a country so that that government can have access to it for their own purposes. That might be counterintelligence, that might be law enforcement regular old surveillance. If someone is in their country to be able to get that information for law enforcement purposes, for example, and some countries really do want to support their own domestic economic growth by encouraging companies to build data centers and offer cloud services in their own countries. That generates jobs and promotes their own economic growth in the tech space. So, that's another kind of motivation that I think many would say is a benefit from some of these limitations on cross border data movement.
Sasha O'Connell
That makes sense. So I hear it again, just saying back to you to make sure I've got it too, so there's kind of a export of privacy values, right, to make sure that the way we do business in our country, we're protecting that as our data goes forward. There are government sort of uses, be it for the government's surveillance and the last, which is again, I really gravitate toward the human, the sort of non technical aspects, this idea of literally creating jobs by keeping the data in your country to build data centers or otherwise. Anything else, Drew, on that or you're, you think we covered the benefits?
Drew Bagley
Sure. I'd say sometimes you see a conflation of all of those in different jurisdictions. So, for example, in Europe, there are definitely data localization restrictions that exist under privacy regimes like GDPR that, of course, have exceptions and the idea is how you create mechanisms for other countries to either bolster their privacy protections or at least bolster contractual protections that follow the data. But then there are also equally, and maybe even right now getting even more traction, there are trade equities at stake. So, this notion that if you are able to control and regulate the data, then you're going to be able to in theory, shape the marketplace and shape how companies are able to play by the rules and especially in certain jurisdictions where you might face that your entire marketplace is dominated by foreign companies. It's a way to have a stake in the market and so in Europe right now, in addition to privacy laws, having some data localization requirements, there are also different certifications. So for example, there's a certification in France called SecNumCloud that's been proposed that would actually have.
Sasha O'Connell
Good French Drew.
Drew Bagley
Thank you! It would have data sovereignty provisions in addition to data localization, meaning that there would even be this component in it where the data being stored by a certified company would not be allowed to be subject to foreign laws. And so, we have to remember that data localization actually comes in different flavors. There's, as Megan was outlining, there's data localization where you have to keep a copy of data in a jurisdiction. Then you go all the way to the other extreme where you're not even allowed to have any other law apply to that data.
Sasha O'Connell
That's fascinating and creative policymaking, as I hear it. So in a second, I want to get back to this kind of balance of trade versus national security, because I think it speaks to a lot of what's going on in the U.S. right now in terms of some ongoing discussions, but where is China on all this, Megan? Can you talk a little bit about that?
Megan Brown
Yeah. I would put China at the extreme of the data localization mandates and sort of data sovereignty as Drew sort of described it. They want data that is created in China to stay in China. They have some permissions for exporting that data, but it has made the business climate for multinational companies very challenging and they justify their rules based on national security interests, and I've heard Chinese government officials, at various events say, we need this data because we need to be able to make sure that we don't have domestic terrorism and we don't have, et cetera. So I would put China on the far extreme in terms of the domestic obligations and the rights that they assert to look at that data, and that has given a lot of U.S. companies and multinationals real heartburn, and it creates problems that, you know, we'll talk about in a minute about how U.S. law is going to deal with that. India is another example of a pretty big data localization country. I think some observers have said that they're starting to moderate that a bit because they were seeing some economic downsides from being kind of an island but there's a spectrum of how countries have approached it.
Sasha O'Connell
So it's interesting. So countries can be in this game, but for different reasons, Drew, is kind of what you were saying and maybe framed politically even one way, and maybe there's some other stories going on. I'm getting big nods here in the studio. So okay, let's turn to the U.S. It's a really interesting story right now, and maybe we can start with just the lay down of where are we, Megan? Like, are there U.S. data localization laws today? My understanding is traditionally globally, right? We have been all for the free flow of data. Where are we today on that? And then maybe Drew, you can add in some of the players today and we can talk about what's going on.
Megan Brown
Yeah. So I think we are at a really interesting pivot point for U.S. policy in this area. You're right. Traditionally, the U.S. has been a champion of not just the global open internet, but also the free flow of data, and that's been a policy that the U.S. Trade Representative has long championed as a way to push back on some of the arguably protectionist impulses that Drew discussed, that maybe the European Union is taking a different approach for maybe different reasons, but I think the U.S. government is starting to shift that approach and you see that in several ways, and there's a lot of different dynamics going on here. You've had pressure from Europe for a long time. They have traditionally looked skeptically at U.S. law because they think there's too much surveillance. I think we could have a whole separate discussion about whether that's correct or not. But they've sort of wanted the U.S. to do more from a privacy perspective but the U.S., they used to push back, I think, a little bit on that. They've pivoted a little bit now. Notably, the U.S. Trade Representative last fall did a big change in the policy approach. They walked back some longstanding advocacy supporting the free flow of data so that the United States can take a more regulatory approach. One of the reasons the United States wants to take that more regulatory approach and tighten up the flows of data is because of national security concerns that folks are saying all this data, lots of data is ending up in China and we are deeply uncomfortable with genomic data, with lots of sensitive personal information. So, that's caused this, and maybe it's been given them an excuse to do something that they otherwise want to do, but there is a pivot going on at the United States government level, to entertain these notions and to start going towards a more permission-based approach to the global data trade.
Sasha O'Connell
And who do you talk to about these issues in the U.S. government? Which departments and agencies have equities here? Can you kind of break that down for us?
Drew Bagley
Yeah, absolutely. There are many players in the U.S. Government. We can think about traditionally the Department of Commerce having a very big role here. Especially if we think about the Bureau of Information Security, maintaining a list of different types of export controlled information. For example, munitions information is on that list. And we also can think about though, new kids on the block, like the Cyber Bureau at the State Department, having an equity here and definitely being involved in the discussion about cross border data flows, and so, even though there are, you know, different data types have always had different rules, right now what we're seeing is that data as a whole or entire subsets of data like personal data are now facing more friction. This isn't just happening at the federal level. In fact, just last summer, the state of Florida actually enacted a law that regulated healthcare data and the flow of healthcare data that essentially forbid certain types of PHI from being processed outside of the United States or Canada. And that's something where, you know, on its face seems simple enough and probably, you know, intended to apply to medical records, but again, when we start thinking about how complex data sets are, either with cybersecurity or even with AI training models and whatnot, and that's something that really quickly can really trickle down and add a lot of friction to how data flows work.
Sasha O'Connell
Where do you guys see this all going in the U.S.? So there's a little movement at the state, as you described, Drew. We have, I know maybe we should talk a little bit about a recent executive order that just came out on this. Where does this all, where do you think this ends up?
Megan Brown
Well, I think we are seeing this. I used to think it was incremental. I feel like accelerating rapidly. You know, we've seen in the past some data localization, for instance, the committee on foreign investment in the United States and the team telecom process, which reviews when foreign companies want to buy parts of U.S. telecommunications companies. They impose mitigation agreements that require data localization or they prohibit storage in certain countries. So we've seen bits of that. We've now seen the Commerce Department being more active. There's a rulemaking that they're kicking, that they've kicked off to try and to get a better handle on the U.S. computing infrastructure. They call it infrastructure as a service and they want to understand what companies are making use of that here in the United States. But I think the biggest pivot that I'm looking forward to, I think Drew's going to address, is this executive order, where we've really just jumped into the deep end of the pool, I think, on broad new government oversight of data transfers and it starts out by looking at so called countries of concern. But, I don't know that it stops there, and even if the ultimate restrictions are focused on a few countries, the friction that we keep talking about will apply broadly across the economy as companies have to figure out if they're covered by these new restrictions that the President wants to put on data transfer.
Sasha O'Connell
So here in March 2024, for those listening, maybe later on down, what just happened, Drew? What is this executive order, Megan's talking about?
Drew Bagley
Sure, so the President issued an executive order on the bulk transfer of data to foreign countries. And so right now we're actually in a holding pattern to figure out what the implementation will look like because the executive order delegated to various agencies, different rulemaking responsibilities and so what we're going to see are lots of public comment opportunities for anyone listening in the early in the year 2024. A lot of public comment opportunities and how this gets implemented but the overarching framework is that the President is laying out that there should be an apparatus for the restriction of certain data types from being stored in
all of the certainty is coming later. It's coming later; but that's exactly, but that's the general framework and so the hypothetical sorts of scenarios and threats that, it appears this is intended to deal with are those related to say bulk biometrics being stored and what if those were stored in a country that was hostile to the United States. What would that mean in terms of protecting the citizens from a national security perspective?
Rather than this executive order being designed in a way that's intended to really address privacy or trade or some of the other things that we've talked about. Now that's not to say that especially once we see how it's implemented, it won't affect all of those things and have an impact on all those things, but the way it's set up is really under the notion of the fact that there is more data collected about individuals than ever before. This data can be used for more nefarious purposes if it gets into the wrong hands and there needs to be some sort of means, to have some sort of oversight over where that data is going and curtail those data flows.
The executive order itself though, even though, again, it's not super specific since that's going to come later, it still even has this notion of exceptions built in and everything. So we'll see where this really ends up. My suspicion is it's one of those powers that, the President is laying out to have this power, to have this card to play, in some sort of future event, or to have some sort of leverage, in different situations down the road, rather than this to be a new overarching framework that's akin to a privacy framework or something.
Sasha O'Connell
And I'm thinking as you're talking, does what the U.S. does matter disproportionately because so many of the tech companies that have our data are here in the United States? How does that play into this kind of global discussion?
Drew Bagley
I think that that's even if you look at some of the examples Megan cited about other countries that are even attempting to influence our behavior. That would be the European view, for example, is that, we're going to scrutinize whether or not the United States has a federal privacy law because U.S. tech companies tend to dominate the market. Whereas the European Union, for example, generally does not come out and take an opinion on China, which has laws that literally force encryption keys to be turned over, source code to be turned over, et cetera, but their argument is, you know, less relevant.
Megan Brown
Well, I think we do have some indications of where the government's going to go, and I think I may disagree a little bit with Drew on the ultimate breadth here. I think the government and the executive order says that it has kind of this modest goal, but the devil really is going to be in the details. The DOJ, the Department of Justice, is delegated substantial regulatory power under that executive order, and they have already released right on the heels of the executive order. They put out what's called an advanced notice of proposed rulemaking, and we may, I'm not going to take us down into, you know, an administrative law nerd, but they've telegraphed in this ANPRM that they are interested in a broad array of different data categories as sensitive. They have a lot of questions that show potentially quite a broad reach of the ultimate rules. How they define what is a bulk transfer; the countries of concern are fairly narrowly circumscribed but it envisions that even if you're not directly giving data to a country of concern, that you'll have to potentially put contract terms in your vendor agreements that restrict third parties' abilities to give your data to countries of concern. So I think there is a lot to unpack here as this executive order flows through, and it really is a big change in how the United States has thought about the free flow of data, and it's just a fundamental philosophical move that we've made to now go to perhaps a more license based approach, but this permission based approach.
Sasha O'Connell
So, on that example of the new executive order, if the issue the U.S. is thinking about in terms of what it wants to solve is the potential misuse or abuse of sensitive data of U.S. persons, are these kind of data restriction regulations or laws going to get us that direction, Megan? Like, you know, we talked about, we love the free flow of data, but there's sometimes unintended, challenging consequences. We make a move to address those consequences to potentially again, now have unintended consequences of those policies that restrict that data. What do you think?
Megan Brown
Yeah. I mean, I think the question that policymakers have to keep in mind when they're drafting something like the Notice of Proposed Rulemaking at the Department of Justice or BIS Export Controls is what are the unintended consequences? Are they focused really tightly in on the actual problem that they're trying to solve? Have they gotten good data about the costs of it, and those costs are not just the restrictions themselves, let's just hypothesize they get it right and they're really focused on a few types of data and a few countries of concern. One of the challenges is all the other companies that have to go through the process of figuring out if they're covered, talking to their lawyers. Analyzing every word that's in the new rule to, so there's the potential for over breadth, that the rules themselves may in fact sweep more broadly than the government thinks is necessary and the sort of damage that's done in economic costs to subjecting businesses, to additional uncertainty and more regulatory hurdles. So all of that, I think, suggests that, folks need to tell the government in response to these public comment opportunities, but policymakers really need to focus in on getting a cost benefit analysis, good definitions that are realistic and talking to people who actually will have to live under these regimes because there's very real practical impacts on intercompany transfers, all kinds of things that they might not anticipate.
Sasha O'Connell
Interesting. Well, this topic is certainly one on the front burner and one to watch going forward. I think with that, we're going to wrap this episode. We hope everyone visits us on our website for Start Here and the link will of course be in the show notes. To see additional resources and have the availability for the transcript as well. We hope you join us next time and we want to send a special shout out for this episode to the production team of Erica Lemen and Josh Walden and the team here at Wiley for hosting us in the studio this month. Woohoo. Thanks guys.
Drew Bagley
Better production quality.
Sasha O'Connell
Exactly. See you next time.