States Seek Help To Ensure Security Of Election Systems – In the weeks and months leading up to Election Day 2016, states have made preparations to increase the security of their election systems, despite assurance from the U.S. Intelligence Community (“USIC”) that it would be extremely difficult for someone to alter ballot counts or election results via cyber-attack or intrusion. USIC’s assessment was based on the decentralized nature of our election system and the number of protections state and local election officials have in place, such as ensuring that voting machines are not connected to the internet. Even so, the steady hacking and release of emails, including those from Democratic Party institutions, have demonstrated that certain hackers are committed to disrupting and discrediting the U.S. election process.
On October 7, the Department of Homeland Security (“DHS”) and the Office of the Director of National Intelligence (“DNI”) released a joint statement confirming that the Russian government was behind the recent e-mail hacking of U.S. persons and institutions. The release states that the agencies are “confident” that the recent disclosures of hacked e-mails are consistent with the “methods and motivations” of Russian-directed efforts and are aimed at disrupting the integrity of the U.S. elections. Dmitri Alperovitch, the chief technology officer of CrowdStrike, said last week that Russia is targeting the United States’ elections with an “unprecedented influence operation.”
DHS reported that several states have seen scanning and probing of their election systems, in many cases originating from servers operated by a Russian company (although DHS notes that it is not yet able to attribute this activity to the Russian government). Given the rise in such activity, DHS has encouraged states to be vigilant and has offered to help states and local governments test and prepare their election systems. DHS offered to assist with cyber “hygiene” scans, risk and vulnerability assessments, information sharing, and best practices for securing voter registration databases and addressing potential cyber threats. As of last week, forty-six states had accepted DHS’s offer to help.
In a letter to the National Board of State Election Directors, House and Senate Leaders encouraged states to “take full advantage of the robust public and private sector resources available to them to ensure that their network infrastructure is secure from attack,” and reminded states that DHS “stands ready to provide cybersecurity assistance to those states that choose to request it.”
In addition to help from DHS, Ohio is using the National Guard to help keep the state’s election systems safe. Republican Secretary of State Jon Husted said last week that the National Guard’s cyberprotection unit will be testing the state’s computer system for vulnerabilities ahead of the November 8 election.
Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999, email@example.com.
EU Privacy Regulators Issue Letters To Yahoo And WhatsApp – In late October 2016, European Union (“EU”) data protection authorities issued letters to Yahoo and WhatsApp related to alleged privacy incidents involving those companies. The letters were issued by a collective of EU data protection authorities known as the “Article 29 Working Party” or “WP29”, which is composed of representatives of the data protection authorities of each of the EU’s 28 member states, the European Data Protection Supervisor, and the European Commission.
The letter issued to Yahoo related to two recent privacy incidents. First, in September, Yahoo announced that hackers had infiltrated its systems in late 2014 and lifted account data tied to at least 500 million users. The EU regulators noted their “deep concern” over this data breach, called on Yahoo to take certain measures to communicate with European Yahoo users about the data breach, and requested that Yahoo provide additional information about the data breach. Second, in October, reports surfaced that Yahoo had scanned customer emails for U.S. intelligence purposes at the request of U.S. intelligence agencies. The EU regulators expressed interest in understanding the legal basis and justification for the alleged surveillance activity, including an explanation of how this activity complied with EU law.
In a press release announcing the issuance of the letters, the Article 29 Working Party explained that it had recently formed a WP29 enforcement subgroup due to the increasing number of cross-border data security incidents. The enforcement subgroup is tasked with facilitating the exchange of views on enforcement strategies and actions in cross-border cases and with helping European data enforcement authorities to prepare for implementation of the recently adopted EU General Data Protection Regulation. The enforcement subgroup will hold its first meeting in November. During that meeting, it will address the topics covered in the letters issued to WhatsApp and Yahoo.
Reporter, Ashley B Guffey, Atlanta, +1 404 572 2763, firstname.lastname@example.org.
Department Of Justice Releases Charging Policy For Computer Crime Matters – On October 24, 2016, the Department of Justice (“DOJ”) publicly released an internal policy memorandum dated September 11, 2014 (“the policy”), that details the factors federal prosecutors should use in determining whether to investigate or bring charges in matters relating to computer crime. Specifically, the policy, which was issued internally within DOJ by former Attorney General Eric Holder, provides guidelines for prosecutors determining when to open an investigation or charge an offense under the Computer Fraud and Abuse Act (18 U.S.C. § 1030). According to the policy, these guidelines seek to ensure that charges are brought only “in cases that serve a federal interest.”
The factors that should be considered include:
- The sensitivity of the affected computer system or the information;
- The potential for significant impact of the activity on national or economic interests, including unauthorized access to classified information, and whether the information accessed or the conduct otherwise impacts national security, critical infrastructure, public health and safety, economic market integrity, or international relations;
- The connection of the conduct to other criminal activity or the impact on potential victims, including the risk of bodily harm;
- Whether the conduct relates to an abuse of a position of trust, such as potential actors exceeding their authorized access to sensitive systems or information; and
- The deterrent value of an investigation or prosecution, including whether the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or particularly egregious or malicious conduct.
Similar to other previous public DOJ guidance on issues such as anti-corruption, this policy provides information that may be helpful for companies and executives to assess whether federal law enforcement would take interest in an incident involving unauthorized cyber activities by employees or data breaches relating to company systems or information.
The policy also notes that additional considerations for prosecutors include the nature of the impact that the criminal conduct has on a particular district or community, and whether any other jurisdiction (such as another federal district or state authorities) is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution by one federal district. Further, in an effort to make application of these practices consistent, the policy requires that prosecutors across the country coordinate charging decisions and related investigations with DOJ’s Computer Crime and Intellectual Property Section, located in Washington, D.C.
Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, email@example.com.
Reporter, Anush Emelianova, Atlanta, +1 404 572 4616, firstname.lastname@example.org.