Why We Need a National Data Protection Strategy – Just Security
by Alex Joel
April 4, 2024
Artificial Intelligence, CFIUS, Cyber, Cyber espionage, Cybersecurity, Data privacy, Data Protection, Department of Commerce, Department of Justice (DOJ), foreign investment, Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), GDPR, intelligence community, national security, Team Telecom, Treasury Department
by Alex Joel
April 4, 2024
In the space of a month, two branches of the U.S. government have put forward ambitious measures to protect Americans’ personal data from exploitation by adversarial regimes. Although they take different paths, these measures share similar goals and are rooted in the same national security concerns.
This confluence of executive and legislative action is striking. These measures come at a time when Congress cannot agree on either comprehensive privacy legislation or on how to reauthorize a crucial surveillance authority in a manner that enhances privacy safeguards. The apparent convergence suggests a growing consensus on a crucial point: protecting Americans’ data is essential for national security.
It may be tempting to think of these actions as narrow privacy measures, and compare them with sectoral Federal privacy laws, the expanding number of state privacy laws, or comprehensive privacy regimes such as the European Union’s General Data Protection Regulation (GDPR). That would be a mistake. These are national security measures and are best understood in the national security context.
On their own terms – as targeted measures focused on specific threats – they hold promise for shoring up the country’s cyber defenses, making it more difficult for adversaries to accomplish their goals, and providing certain privacy protections in the process. But to be truly effective, such measures need to form part of a comprehensive, all-of-government data protection campaign focused on defending personal data from malicious exploitation. We have a National Security Strategy, a National Intelligence Strategy, and a National Cybersecurity Strategy. The threats these measures aim to address highlight the need for a National Data Protection Strategy as well.
On Feb. 28, 2024, President Joe Biden issued Executive Order 14117 on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Bulk Data Order). Its ambitious goal is to protect the personal data of Americans from exploitation by “countries of concern.” The Order directs the Department of Justice (DOJ) to issue implementing regulations. A few days later, DOJ kicked off that process by publishing an advance notice of proposed rulemaking (ANPRM) spanning 23 pages of dense legal text, with detailed proposals, examples, and requests for public input. Key elements include:
Contemporaneously, the Department of Commerce published its own ANPRM, focusing on information and communications technology (ICT) used in connected vehicles. The ANPRM solicits public input on addressing the risk of foreign adversaries using ICT-equipped vehicles for nefarious purposes, including the collection of Americans’ sensitive personal data.
Soon thereafter, on March 20, 2024, the House of Representatives unanimously passed a bill intended to prohibit “data brokers” from making available “sensitive data of a United States individual” to foreign adversary countries (China, Russia, Iran and North Korea).
Many in government received a rude wakeup call a decade ago when they learned that a huge volume of highly sensitive—and highly personal—background investigation records at the Office of Personnel Management (OPM) had been hacked. The OPM intrusion, along with similar cyber intrusions of Equifax, Marriott, and Anthem health insurance, was later attributed to the government of the People’s Republic of China (PRC). Earlier this year, the government published a cybersecurity advisory assessing that “People’s Republic of China (PRC) state-sponsored cyber actors [referred to as Volt Typhoon] are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
These attacks contribute to the threat landscape that the IC has been warning about with growing urgency. The ANPRM quotes from the 2023 Annual Threat Assessment of the U.S. Intelligence Community for the proposition that “[o]ur adversaries increasingly view data as a strategic resource. They are focused on acquiring and analyzing data—from personally identifiable information on U.S. citizens to commercial and government data—that can make their espionage, influence, kinetic and cyber-attack operations more effective; advance their exploitation of the U.S. economy; and give them strategic advantage over the United States.”
In February of this year, the Director of National Intelligence (DNI) released the 2024 version of the annual threat assessment, which warns that
“China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks. Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace.”
It points out that “[i]f China believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure” to “imped[e] US decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.”
What about the other “countries of concern”? The threat assessment warns that Russia poses “an enduring global cyber threat,” viewing “cyber disruptions as a potential foreign policy lever to shape other countries’ decisions,” and maintaining “its ability to target critical infrastructure” in the U.S. and allied countries. The assessment also highlights Russia’s “wide-ranging efforts to try to divide Western alliances, undermine U.S. global standing, and sow domestic discord” through malign influence operations. Iran is called out for its “growing expertise and willingness to conduct aggressive cyber operations,” and North Korea for its “ongoing cyber campaign, particularly cryptocurrency heists” and similar criminal operations.
The assessment does not identify comparable cyber threats from Cuba or Venezuela, though on March 5, 2024 President Biden extended for another year the declaration of a national emergency with respect to Venezuela. In addition, a 2021 Intelligence Community Assessment on Foreign Threats to the 2020 US Federal Elections found that Cuba and Venezuela “took some steps to attempt to influence the election.”
In addition, the IC has warned more generally about digital repression. In a National Intelligence Council (NIC) Assessment issued in 2022, the NIC reported that “foreign governments are increasingly using digital information and communication technologies to monitor and suppress political debate domestically as well as in their expatriate and diaspora communities abroad.” The NIC further noted that “[g]rowing use of social media platforms with global reach will offer autocrats increasingly enriched user data to target select groups,” and highlighted a report that “China-based ByteDance—the parent company for TikTok, the most popular social media platform worldwide—had a plan to use the application to monitor and surveil US citizens.”
According to the 2024 Annual Threat Assessment, “Digital technologies have become a core component of many governments’ repressive toolkits even as they continue to engage in physical acts of transnational repression, including assassinations, abductions, abuse of arrest warrants and familial intimidation.” One of these “digital technologies” is, of course, artificial intelligence (AI). According to the 2024 assessment, “China is pursuing AI for smart cities, mass surveillance, healthcare, drug discovery, and intelligent weapons platforms,” and “Russia is using AI to create deepfakes and is developing the capability to fool experts.”
The ANPRM lays out how, in the government’s view, “[u]nrestricted transfers of bulk sensitive personal data and government-related data to countries of concern, through commercial transactions or otherwise, present a range of threats to U.S. national security and foreign policy.”
It may be helpful to think of these general categories:
To respond to these threats, the executive branch has been pulling the legal levers available to it in three general streams of responsive effort. For our purposes, it may be easiest to start with the Committee on Foreign Investment in the United States (CFIUS). The CFIUS process represents a concerted effort to review foreign investments for threats to national security. In 2018, Congress passed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), updating and enhancing CFIUS authorities.
Notably, FIRRMA included a “sense of Congress” that the CFIUS process should consider “the extent to which a covered transaction is likely to expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security.” In 2020, the Department of Treasury issued regulations implementing FIRRMA (31 CFR part 800), including detailed provisions on “sensitive personal data.”
President Biden followed up on these measures with Executive Order 14083, Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States (September 15, 2022). The Order found that “[d]ata is an increasingly powerful tool for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.” It directed CFIUS to consider whether a covered transaction “involves the transfer of United States persons’ sensitive data to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction.”
However, the CFIUS process is designed to cover only proposed investment transactions, and leaves open other ways in which foreign governments could gain access to data. CFIUS, in essence, closes only one of several entry points to Americans’ data, leaving others open, such as the purchase or licensing of data from data brokers.
A second stream of responsive effort stems from Executive Order 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain (May 15, 2019). In that Order, President Donald Trump found that
“foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.”
The Order seeks to prohibit certain information and communications technology transactions with “foreign adversaries” that the Secretary of Commerce determines—in consultation with other agencies—pose unacceptable national security risks.
It is pursuant to this authority that Commerce has taken two actions of relevance here. First, in reliance on this authority, Commerce issued the connected vehicles ANPRM discussed above. Second, Commerce issued a regulation (15 CFR 7.4) defining “foreign adversaries” under the ICTS executive order as the People’s Republic of China, including the Hong Kong Special Administrative Region; Republic of Cuba; Islamic Republic of Iran; Democratic People’s Republic of Korea (North Korea); Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime). In DOJ’s ANPRM for the bulk data executive order, it proposes defining “countries of concern” by reference to this regulation, and thus consisting of the same governments.
A third stream of effort is rooted in Executive Order 13913, Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector (April 4, 2020). That Order creates an interagency committee (referred to as Team Telecom, an entity which existed informally for decades prior to its codification in 2020) “to assist the [Federal Communications Commission (FCC)] in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” DOJ chairs this committee.
What are we to make of these streams? For one thing, the drafters of the bulk data order are intimately familiar with their capabilities—and limitations—and have crafted the new order to close gaps. As stated in DOJ’s fact sheet:
Our existing national-security authorities, like Committee on Foreign Investment in the United States (CFIUS) and Team Telecom, allow us to review and address these data-security risks on a case-by-case basis for discrete kinds of activities. However, no existing laws comprehensively and prospectively address the national security risks posed by access by countries of concern or covered persons subject to their jurisdiction or control to sensitive personal data through commercial transactions. This targeted new program will be designed to address this gap in our national security authorities.
Relatedly, a team of experienced officials is already in place to administer the new Order, though more are certainly now needed. Within DOJ, responsibility for implementing the Order rests with the National Security Division’s Foreign Investment Review Section (FIRS). FIRS also houses DOJ’s CFIUS, Team Telecom, and supply-chain security experts, thus positioning it to implement and enforce these authorities—in consultation with other agencies such as Commerce—in an integrated manner.
Note that these issuances have all come relatively quickly in the past few years, based primarily on executive, rather than legislative, action. This indicates an increasing concern about the threat, and a desire to act now using available authorities rather than wait for Congress to enact new legislation. However, relying on existing authorities within the Executive Branch raises issues of its own.
As psychologist Abraham Maslow once said, “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” If the Executive Branch is to act on its own to counter a growing threat, it will need to use the legal authorities at its disposal and rely on its existing pool of experts to deploy those tools. The new Order and accompanying ANPRM demonstrate the experience and expertise of those experts. These measures are, in many ways, natural extensions of the existing work being done by the relevant interagency teams with provisions designed to fill gaps they have identified in their existing authorities. Many issues remain to be resolved—and the long list of thoughtful questions in the ANPRM demonstrates the government’s willingness to consider public input before it proceeds to the next step (the deadline for submitting comments is April 19, 2024).
As dramatic as the new Order appears to be, it can be seen as an incremental, albeit an ambitious, step forward. Viewed alongside Commerce’s connected vehicles ANPRM, it is apparent that the government is taking a tactical approach, targeting specific transactions and technologies that pose heightened risks. (Indeed, DOJ’s fact sheet explicitly characterizes the program as “targeted” four different times.)
The desire to focus on the most serious threat areas is understandable, particularly considering the government’s desire to “minimize[e] the impact on economic and other activities” and to “safeguard the continued cross-border data flows that are vital to our economy and communities.”
That said, this raises the question of future “targets” for regulation, along the following dimensions.
Answering the above and related questions will be difficult for existing interagency processes to address, even if buttressed with additional hiring. To confront a major challenge like this, it is important to think strategically. What is the overall nature of the threat? What existing legal authorities can be marshaled in response? What new authorities are needed? What elements of national power can best be deployed, and how? Which agencies must be involved?
Importantly, developing a national strategy requires careful consideration of the overall effectiveness of contemplated measures in light of ever-changing technologies and a rapidly evolving threat landscape. Indeed, it is hard to think of how any response can be sustainable over the long term without a holistic approach recognizing the value of personal data, and the range of ways in which that data can be used, abused, and misused, by a range of actors. The threat to personal data is not limited to “covered persons” who are subject to the jurisdiction of “countries of concern.” Criminals and other bad actors seek personal data for their own harmful purposes.
Elements of such a strategy would include extensive public and congressional engagement, not focused solely on a specific proposed rule, but on the broader questions of how to best protect personal data from national security threat actors. It would also involve working with our partners and allies abroad, to ensure that like-minded democracies are acting together to ensure that data can continue to flow to those we trust, with comparable measures deployed to protect data from exploitation by those we distrust.
This approach highlights the need for comprehensive federal privacy legislation providing basic, standardized, nationwide privacy safeguards for companies to follow. By ensuring that our own government accesses commercially available personal information pursuant to a transparent and clear legal framework, the United States could position itself as a leader (and distinguish itself from its adversaries) in the realm of privacy and civil liberties.
In short, a national strategy would better position the United States to follow through on the promise of the new Order: to protect personal data as a national security imperative.
Artificial Intelligence, CFIUS, Cyber, Cyber espionage, Cybersecurity, Data privacy, Data Protection, Department of Commerce, Department of Justice (DOJ), foreign investment, Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), GDPR, intelligence community, national security, Team Telecom, Treasury Department
by Keegan McBride
Jun 6th, 2024
by Maria J. Stephan
Jun 5th, 2024
by Norman L. Eisen, Ruth Ben-Ghiat, Siven Watt, Andrew Warren, Jacob Kovacs-Goodman and Francois Barrilleaux
Jun 5th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Jun 5th, 2024
by Sead Turčalo
Jun 3rd, 2024
by Just Security
Jun 1st, 2024
by Rogier Bartels
May 31st, 2024
by Catherine Amirfar and Duncan Pickard
May 21st, 2024
by Anh-Thu Vo
May 17th, 2024
by Elene Kintsurashvili, Nathan Kohlenberg and Joshua Rudolph
May 15th, 2024
by Ryan Goodman, Jacob Glick, Mary B. McCord and Rupa Bhattacharyya
May 15th, 2024
by Luke Moffett
May 14th, 2024
by Ambassador (ret) Ian Kelly and David J. Kramer
May 14th, 2024
by Arthur Holland Michel
May 13th, 2024
by John Ramming Chappell
May 11th, 2024
by Yuliia Fysun
May 10th, 2024
by Mutasim Ali and Yonah Diamond
May 9th, 2024
by Katharine Fortin and Ezequiel Heffes
May 8th, 2024
by Joanna Naples-Mitchell and Annie Shiel
May 7th, 2024
by Lisa Homel and Ambassador Daniel Fried
May 3rd, 2024
by Tom Joscelyn and Ryan Goodman
May 2nd, 2024
by Sead Turčalo
May 1st, 2024
by Albert W. Alschuler
Apr 30th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Apr 28th, 2024
by Faiza Patel and Patrick C. Toomey
Apr 26th, 2024
by Noura Erakat and Josh Paul
Apr 24th, 2024
by Delaney Simon
Apr 24th, 2024
by Anna Tkachova
Apr 23rd, 2024
by Adam Klasfeld
Apr 22nd, 2024
by Clara Apt
Apr 18th, 2024
by Jonathan Hafetz
Apr 18th, 2024
by Norman L. Eisen, Adam Klasfeld and Jacob Kovacs-Goodman
Apr 17th, 2024
by Eliav Lieblich
Apr 16th, 2024
by Adam Klasfeld
Apr 15th, 2024
by Adam Klasfeld
Apr 14th, 2024
by Evgenia Kara-Murza
Apr 10th, 2024
by Andrew Boyle
Apr 9th, 2024
by Ikechukwu Uzoma
Apr 8th, 2024
by George Croner
Apr 5th, 2024
by Noah Chauvin and Elizabeth Goitein
Apr 5th, 2024
by Ronald A. Brand
Apr 3rd, 2024
by Tom Joscelyn, Fred Wertheimer and Norman L. Eisen
Apr 2nd, 2024
by Natalia Kubesch
Apr 1st, 2024
by Adil Ahmad Haque
Mar 30th, 2024
by Jeremy Konyndyk
Mar 28th, 2024
by Rebecca Hamilton
Mar 27th, 2024
by Norman L. Eisen, Andrew Warren and Siven Watt
Mar 27th, 2024
by Douglas London
Mar 21st, 2024
by Brian Finucane
Mar 19th, 2024
by Tom Dannenbaum
Mar 19th, 2024
by Leo Greenberg
Mar 18th, 2024
by Christopher S. Chivvis
Mar 15th, 2024
by Just Security
Mar 13th, 2024
by Just Security
Mar 13th, 2024
by Mieczysław (Mietek) Boduszyński and Jasmin Mujanović
Mar 13th, 2024
by Larry Lewis
Mar 12th, 2024
by Yuval Shany and Amichai Cohen
Mar 12th, 2024
by Beatrice Lindstrom
Mar 9th, 2024
by Bryan Frederick and Caitlin McCulloch
Mar 7th, 2024
by Brianna Rosen
Mar 1st, 2024
by Federica Paddeu
Mar 1st, 2024
by Lia van Broekhoven, Sangeeta Goswami, Floor Knoote and Thalia Malmberg
Feb 28th, 2024
by Preston Lim
Feb 27th, 2024
by Jenny Maddocks
Feb 26th, 2024
by Philippa Webb
Feb 26th, 2024
by Brian Finucane
Feb 23rd, 2024
by Ekaterina Kotrikadze
Feb 23rd, 2024
by Olga Butkevych, Rebecca Hamilton and Gregory Shaffer
Feb 22nd, 2024
by Ivan Horodyskyy
Feb 21st, 2024
by Maggie Mills, Thomas Poston and Oona A. Hathaway
Feb 20th, 2024
by Ambassador Daniel Fried
Feb 16th, 2024
by Matthew Levinger
Feb 13th, 2024
by Andrew Weissmann and Ryan Goodman
Feb 10th, 2024
by Eliav Lieblich
Feb 6th, 2024
by Oona A. Hathaway
Feb 5th, 2024
by Amichai Cohen and Yuval Shany
Feb 1st, 2024
by Senator Ron Wyden
Jan 31st, 2024
by Richard Gowan
Jan 30th, 2024
by Just Security
Jan 26th, 2024
by Ryan Goodman and Siven Watt
Jan 26th, 2024
by Steven Katz and John Ramming Chappell
Jan 25th, 2024
by Vadim Prokhorov
Jan 24th, 2024
by Thomas Carothers
Jan 22nd, 2024
by Paloma van Groll
Jan 19th, 2024
by Ambassador Thomas Graham Jr. and David Bernell
Jan 12th, 2024
by Ambassador Thomas Graham Jr. and David Bernell
Jan 12th, 2024
by Sean Murphy
Jan 10th, 2024
by Joshua Matz and Laurence H. Tribe
Jan 10th, 2024
by Norman L. Eisen, Matthew A. Seligman and Joshua Kolb
Jan 9th, 2024
by Bruce Hoffman and Jacob Ware
Jan 8th, 2024
by Meghan Conroy and Justin Hendrix
Jan 6th, 2024
by Samuel Issacharoff
Jan 5th, 2024
by Kayla Blomquist and Keegan McBride
Jan 4th, 2024
by Amichai Cohen and Yuval Shany
Jan 2nd, 2024
by Megan Corrarino
Dec 29th, 2023
by Wa’el Alzayat and Jeremy Konyndyk
Dec 22nd, 2023
by Brianna Rosen
Dec 15th, 2023
by Jasmine D. Cameron, Judge Dariusz Mazur and Anna Wójcik
Dec 12th, 2023
by Jane Stromseth
Dec 2nd, 2023
by Clara Apt
Nov 30th, 2023
by Norman L. Eisen, Ruth Ben-Ghiat, Siven Watt, Andrew Warren, Jacob Kovacs-Goodman and Francois Barrilleaux
Jun 5th, 2024
by Clara Apt
Apr 18th, 2024
by Ryan Goodman, Justin Hendrix and Norman L. Eisen
Mar 14th, 2024
by Gwendolyn Whidden, Katherine Fang and Clara Apt
Sep 27th, 2023
by Just Security
Apr 5th, 2024
by Just Security
Jun 1st, 2024
by Allison Mollenkamp
Dec 4th, 2023
by Megan Corrarino
Feb 20th, 2024
by Joumana Seif
Feb 19th, 2024
by Gwendolyn Whidden
Oct 31st, 2023
by Brianna Rosen
Oct 18th, 2023
by Brianna Rosen
Sep 11th, 2023
by Just Security
Jul 17th, 2023
by Just Security
May 9th, 2023
by Paul R. Williams, Milena Sterio, Yvonne Dutton, Alexandra Koch, Lilian Waldock, Floriane Lavaud, Ashika Singh and Isabelle Glimcher
Feb 13th, 2023
by Eileen B. Hershenov and Ryan B. Greer
Jan 26th, 2023
by Ambassador Peter Mulrean (ret.) and William J. Hawk
Jan 4th, 2023
by Clara Apt and Katherine Fang
Nov 18th, 2022
by Amanda L. White Eagle
Oct 10th, 2022
by Brianna Rosen
Oct 25th, 2022
by Oona A. Hathaway
Sep 20th, 2022
by Tess Bridgeman and Brianna Rosen
Mar 24th, 2022
by Nasir A. Andisha and Marzia Marastoni
Aug 15th, 2022
by Megan Corrarino
Feb 18th, 2022
by Mary B. McCord
Jan 24th, 2022
by Emily Berman, Tess Bridgeman, Megan Corrarino, Ryan Goodman and Dakota S. Rudesill
Jan 20th, 2022
by Laura Brawley, Antara Joardar and Madhu Narasimhan
Oct 29th, 2021
by Leila Nadya Sadat
Sep 13th, 2021
by Tess Bridgeman, Rachel Goldbrenner and Ryan Goodman
Sep 7th, 2021
by Just Security
Jul 19th, 2021
by Kate Brannen
Jun 30th, 2021
by Fionnuala Ní Aoláin and Kate Brannen
Jun 14th, 2021
by Steven J. Barela and Mark Fallon
Jun 1st, 2021
by Christine Berger
May 29th, 2021
by Beth Van Schaack
Feb 1st, 2021
by Beth Van Schaack and Chris Moxley
Nov 16th, 2020
Scholar-in-Residence and Adjunct Professor at the Washington College of Law, where he is part of the Tech, Law & Security Program. Until June 2019, he served as the Chief of the Office of Civil Liberties, Privacy and Transparency (CLPT) at the Office of the Director of National Intelligence (ODNI). Follow him on Twitter @awjoel.
Send A Letter To The Editor
by Keegan McBride
Jun 6th, 2024
by Clara Apt
May 30th, 2024
by Amos Toh and Ivey Dyson
May 30th, 2024
by Emile Ayoub
May 24th, 2024
by Spencer Reynolds and Faiza Patel
May 21st, 2024
by Arthur Holland Michel
May 13th, 2024
by Faiza Patel and Patrick C. Toomey
Apr 26th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Apr 26th, 2024
by Jeffrey Vagle
Apr 25th, 2024
by Noura Erakat and Josh Paul
Apr 24th, 2024
by David Aaron
Apr 18th, 2024
by Melanie Geller and Julian Melendi
Apr 12th, 2024
Just Security is based at the Reiss Center on Law and Security at New York University School of Law.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff. Need help with any of the topics in our articles? Schedule your free CDO TIMES Tech Navigator call today to stay ahead of the curve and gain insider advantages to propel your business!
April 4, 2024
Artificial Intelligence, CFIUS, Cyber, Cyber espionage, Cybersecurity, Data privacy, Data Protection, Department of Commerce, Department of Justice (DOJ), foreign investment, Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), GDPR, intelligence community, national security, Team Telecom, Treasury Department
by Alex Joel
April 4, 2024
In the space of a month, two branches of the U.S. government have put forward ambitious measures to protect Americans’ personal data from exploitation by adversarial regimes. Although they take different paths, these measures share similar goals and are rooted in the same national security concerns.
This confluence of executive and legislative action is striking. These measures come at a time when Congress cannot agree on either comprehensive privacy legislation or on how to reauthorize a crucial surveillance authority in a manner that enhances privacy safeguards. The apparent convergence suggests a growing consensus on a crucial point: protecting Americans’ data is essential for national security.
It may be tempting to think of these actions as narrow privacy measures, and compare them with sectoral Federal privacy laws, the expanding number of state privacy laws, or comprehensive privacy regimes such as the European Union’s General Data Protection Regulation (GDPR). That would be a mistake. These are national security measures and are best understood in the national security context.
On their own terms – as targeted measures focused on specific threats – they hold promise for shoring up the country’s cyber defenses, making it more difficult for adversaries to accomplish their goals, and providing certain privacy protections in the process. But to be truly effective, such measures need to form part of a comprehensive, all-of-government data protection campaign focused on defending personal data from malicious exploitation. We have a National Security Strategy, a National Intelligence Strategy, and a National Cybersecurity Strategy. The threats these measures aim to address highlight the need for a National Data Protection Strategy as well.
On Feb. 28, 2024, President Joe Biden issued Executive Order 14117 on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Bulk Data Order). Its ambitious goal is to protect the personal data of Americans from exploitation by “countries of concern.” The Order directs the Department of Justice (DOJ) to issue implementing regulations. A few days later, DOJ kicked off that process by publishing an advance notice of proposed rulemaking (ANPRM) spanning 23 pages of dense legal text, with detailed proposals, examples, and requests for public input. Key elements include:
Contemporaneously, the Department of Commerce published its own ANPRM, focusing on information and communications technology (ICT) used in connected vehicles. The ANPRM solicits public input on addressing the risk of foreign adversaries using ICT-equipped vehicles for nefarious purposes, including the collection of Americans’ sensitive personal data.
Soon thereafter, on March 20, 2024, the House of Representatives unanimously passed a bill intended to prohibit “data brokers” from making available “sensitive data of a United States individual” to foreign adversary countries (China, Russia, Iran and North Korea).
Many in government received a rude wakeup call a decade ago when they learned that a huge volume of highly sensitive—and highly personal—background investigation records at the Office of Personnel Management (OPM) had been hacked. The OPM intrusion, along with similar cyber intrusions of Equifax, Marriott, and Anthem health insurance, was later attributed to the government of the People’s Republic of China (PRC). Earlier this year, the government published a cybersecurity advisory assessing that “People’s Republic of China (PRC) state-sponsored cyber actors [referred to as Volt Typhoon] are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
These attacks contribute to the threat landscape that the IC has been warning about with growing urgency. The ANPRM quotes from the 2023 Annual Threat Assessment of the U.S. Intelligence Community for the proposition that “[o]ur adversaries increasingly view data as a strategic resource. They are focused on acquiring and analyzing data—from personally identifiable information on U.S. citizens to commercial and government data—that can make their espionage, influence, kinetic and cyber-attack operations more effective; advance their exploitation of the U.S. economy; and give them strategic advantage over the United States.”
In February of this year, the Director of National Intelligence (DNI) released the 2024 version of the annual threat assessment, which warns that
“China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks. Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace.”
It points out that “[i]f China believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure” to “imped[e] US decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.”
What about the other “countries of concern”? The threat assessment warns that Russia poses “an enduring global cyber threat,” viewing “cyber disruptions as a potential foreign policy lever to shape other countries’ decisions,” and maintaining “its ability to target critical infrastructure” in the U.S. and allied countries. The assessment also highlights Russia’s “wide-ranging efforts to try to divide Western alliances, undermine U.S. global standing, and sow domestic discord” through malign influence operations. Iran is called out for its “growing expertise and willingness to conduct aggressive cyber operations,” and North Korea for its “ongoing cyber campaign, particularly cryptocurrency heists” and similar criminal operations.
The assessment does not identify comparable cyber threats from Cuba or Venezuela, though on March 5, 2024 President Biden extended for another year the declaration of a national emergency with respect to Venezuela. In addition, a 2021 Intelligence Community Assessment on Foreign Threats to the 2020 US Federal Elections found that Cuba and Venezuela “took some steps to attempt to influence the election.”
In addition, the IC has warned more generally about digital repression. In a National Intelligence Council (NIC) Assessment issued in 2022, the NIC reported that “foreign governments are increasingly using digital information and communication technologies to monitor and suppress political debate domestically as well as in their expatriate and diaspora communities abroad.” The NIC further noted that “[g]rowing use of social media platforms with global reach will offer autocrats increasingly enriched user data to target select groups,” and highlighted a report that “China-based ByteDance—the parent company for TikTok, the most popular social media platform worldwide—had a plan to use the application to monitor and surveil US citizens.”
According to the 2024 Annual Threat Assessment, “Digital technologies have become a core component of many governments’ repressive toolkits even as they continue to engage in physical acts of transnational repression, including assassinations, abductions, abuse of arrest warrants and familial intimidation.” One of these “digital technologies” is, of course, artificial intelligence (AI). According to the 2024 assessment, “China is pursuing AI for smart cities, mass surveillance, healthcare, drug discovery, and intelligent weapons platforms,” and “Russia is using AI to create deepfakes and is developing the capability to fool experts.”
The ANPRM lays out how, in the government’s view, “[u]nrestricted transfers of bulk sensitive personal data and government-related data to countries of concern, through commercial transactions or otherwise, present a range of threats to U.S. national security and foreign policy.”
It may be helpful to think of these general categories:
To respond to these threats, the executive branch has been pulling the legal levers available to it in three general streams of responsive effort. For our purposes, it may be easiest to start with the Committee on Foreign Investment in the United States (CFIUS). The CFIUS process represents a concerted effort to review foreign investments for threats to national security. In 2018, Congress passed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), updating and enhancing CFIUS authorities.
Notably, FIRRMA included a “sense of Congress” that the CFIUS process should consider “the extent to which a covered transaction is likely to expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of United States citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security.” In 2020, the Department of Treasury issued regulations implementing FIRRMA (31 CFR part 800), including detailed provisions on “sensitive personal data.”
President Biden followed up on these measures with Executive Order 14083, Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States (September 15, 2022). The Order found that “[d]ata is an increasingly powerful tool for the surveillance, tracing, tracking, and targeting of individuals or groups of individuals, with potential adverse impacts on national security.” It directed CFIUS to consider whether a covered transaction “involves the transfer of United States persons’ sensitive data to a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction.”
However, the CFIUS process is designed to cover only proposed investment transactions, and leaves open other ways in which foreign governments could gain access to data. CFIUS, in essence, closes only one of several entry points to Americans’ data, leaving others open, such as the purchase or licensing of data from data brokers.
A second stream of responsive effort stems from Executive Order 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain (May 15, 2019). In that Order, President Donald Trump found that
“foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.”
The Order seeks to prohibit certain information and communications technology transactions with “foreign adversaries” that the Secretary of Commerce determines—in consultation with other agencies—pose unacceptable national security risks.
It is pursuant to this authority that Commerce has taken two actions of relevance here. First, in reliance on this authority, Commerce issued the connected vehicles ANPRM discussed above. Second, Commerce issued a regulation (15 CFR 7.4) defining “foreign adversaries” under the ICTS executive order as the People’s Republic of China, including the Hong Kong Special Administrative Region; Republic of Cuba; Islamic Republic of Iran; Democratic People’s Republic of Korea (North Korea); Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime). In DOJ’s ANPRM for the bulk data executive order, it proposes defining “countries of concern” by reference to this regulation, and thus consisting of the same governments.
A third stream of effort is rooted in Executive Order 13913, Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector (April 4, 2020). That Order creates an interagency committee (referred to as Team Telecom, an entity which existed informally for decades prior to its codification in 2020) “to assist the [Federal Communications Commission (FCC)] in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” DOJ chairs this committee.
What are we to make of these streams? For one thing, the drafters of the bulk data order are intimately familiar with their capabilities—and limitations—and have crafted the new order to close gaps. As stated in DOJ’s fact sheet:
Our existing national-security authorities, like Committee on Foreign Investment in the United States (CFIUS) and Team Telecom, allow us to review and address these data-security risks on a case-by-case basis for discrete kinds of activities. However, no existing laws comprehensively and prospectively address the national security risks posed by access by countries of concern or covered persons subject to their jurisdiction or control to sensitive personal data through commercial transactions. This targeted new program will be designed to address this gap in our national security authorities.
Relatedly, a team of experienced officials is already in place to administer the new Order, though more are certainly now needed. Within DOJ, responsibility for implementing the Order rests with the National Security Division’s Foreign Investment Review Section (FIRS). FIRS also houses DOJ’s CFIUS, Team Telecom, and supply-chain security experts, thus positioning it to implement and enforce these authorities—in consultation with other agencies such as Commerce—in an integrated manner.
Note that these issuances have all come relatively quickly in the past few years, based primarily on executive, rather than legislative, action. This indicates an increasing concern about the threat, and a desire to act now using available authorities rather than wait for Congress to enact new legislation. However, relying on existing authorities within the Executive Branch raises issues of its own.
As psychologist Abraham Maslow once said, “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” If the Executive Branch is to act on its own to counter a growing threat, it will need to use the legal authorities at its disposal and rely on its existing pool of experts to deploy those tools. The new Order and accompanying ANPRM demonstrate the experience and expertise of those experts. These measures are, in many ways, natural extensions of the existing work being done by the relevant interagency teams with provisions designed to fill gaps they have identified in their existing authorities. Many issues remain to be resolved—and the long list of thoughtful questions in the ANPRM demonstrates the government’s willingness to consider public input before it proceeds to the next step (the deadline for submitting comments is April 19, 2024).
As dramatic as the new Order appears to be, it can be seen as an incremental, albeit an ambitious, step forward. Viewed alongside Commerce’s connected vehicles ANPRM, it is apparent that the government is taking a tactical approach, targeting specific transactions and technologies that pose heightened risks. (Indeed, DOJ’s fact sheet explicitly characterizes the program as “targeted” four different times.)
The desire to focus on the most serious threat areas is understandable, particularly considering the government’s desire to “minimize[e] the impact on economic and other activities” and to “safeguard the continued cross-border data flows that are vital to our economy and communities.”
That said, this raises the question of future “targets” for regulation, along the following dimensions.
Answering the above and related questions will be difficult for existing interagency processes to address, even if buttressed with additional hiring. To confront a major challenge like this, it is important to think strategically. What is the overall nature of the threat? What existing legal authorities can be marshaled in response? What new authorities are needed? What elements of national power can best be deployed, and how? Which agencies must be involved?
Importantly, developing a national strategy requires careful consideration of the overall effectiveness of contemplated measures in light of ever-changing technologies and a rapidly evolving threat landscape. Indeed, it is hard to think of how any response can be sustainable over the long term without a holistic approach recognizing the value of personal data, and the range of ways in which that data can be used, abused, and misused, by a range of actors. The threat to personal data is not limited to “covered persons” who are subject to the jurisdiction of “countries of concern.” Criminals and other bad actors seek personal data for their own harmful purposes.
Elements of such a strategy would include extensive public and congressional engagement, not focused solely on a specific proposed rule, but on the broader questions of how to best protect personal data from national security threat actors. It would also involve working with our partners and allies abroad, to ensure that like-minded democracies are acting together to ensure that data can continue to flow to those we trust, with comparable measures deployed to protect data from exploitation by those we distrust.
This approach highlights the need for comprehensive federal privacy legislation providing basic, standardized, nationwide privacy safeguards for companies to follow. By ensuring that our own government accesses commercially available personal information pursuant to a transparent and clear legal framework, the United States could position itself as a leader (and distinguish itself from its adversaries) in the realm of privacy and civil liberties.
In short, a national strategy would better position the United States to follow through on the promise of the new Order: to protect personal data as a national security imperative.
Artificial Intelligence, CFIUS, Cyber, Cyber espionage, Cybersecurity, Data privacy, Data Protection, Department of Commerce, Department of Justice (DOJ), foreign investment, Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), GDPR, intelligence community, national security, Team Telecom, Treasury Department
by Keegan McBride
Jun 6th, 2024
by Maria J. Stephan
Jun 5th, 2024
by Norman L. Eisen, Ruth Ben-Ghiat, Siven Watt, Andrew Warren, Jacob Kovacs-Goodman and Francois Barrilleaux
Jun 5th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Jun 5th, 2024
by Sead Turčalo
Jun 3rd, 2024
by Just Security
Jun 1st, 2024
by Rogier Bartels
May 31st, 2024
by Catherine Amirfar and Duncan Pickard
May 21st, 2024
by Anh-Thu Vo
May 17th, 2024
by Elene Kintsurashvili, Nathan Kohlenberg and Joshua Rudolph
May 15th, 2024
by Ryan Goodman, Jacob Glick, Mary B. McCord and Rupa Bhattacharyya
May 15th, 2024
by Luke Moffett
May 14th, 2024
by Ambassador (ret) Ian Kelly and David J. Kramer
May 14th, 2024
by Arthur Holland Michel
May 13th, 2024
by John Ramming Chappell
May 11th, 2024
by Yuliia Fysun
May 10th, 2024
by Mutasim Ali and Yonah Diamond
May 9th, 2024
by Katharine Fortin and Ezequiel Heffes
May 8th, 2024
by Joanna Naples-Mitchell and Annie Shiel
May 7th, 2024
by Lisa Homel and Ambassador Daniel Fried
May 3rd, 2024
by Tom Joscelyn and Ryan Goodman
May 2nd, 2024
by Sead Turčalo
May 1st, 2024
by Albert W. Alschuler
Apr 30th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Apr 28th, 2024
by Faiza Patel and Patrick C. Toomey
Apr 26th, 2024
by Noura Erakat and Josh Paul
Apr 24th, 2024
by Delaney Simon
Apr 24th, 2024
by Anna Tkachova
Apr 23rd, 2024
by Adam Klasfeld
Apr 22nd, 2024
by Clara Apt
Apr 18th, 2024
by Jonathan Hafetz
Apr 18th, 2024
by Norman L. Eisen, Adam Klasfeld and Jacob Kovacs-Goodman
Apr 17th, 2024
by Eliav Lieblich
Apr 16th, 2024
by Adam Klasfeld
Apr 15th, 2024
by Adam Klasfeld
Apr 14th, 2024
by Evgenia Kara-Murza
Apr 10th, 2024
by Andrew Boyle
Apr 9th, 2024
by Ikechukwu Uzoma
Apr 8th, 2024
by George Croner
Apr 5th, 2024
by Noah Chauvin and Elizabeth Goitein
Apr 5th, 2024
by Ronald A. Brand
Apr 3rd, 2024
by Tom Joscelyn, Fred Wertheimer and Norman L. Eisen
Apr 2nd, 2024
by Natalia Kubesch
Apr 1st, 2024
by Adil Ahmad Haque
Mar 30th, 2024
by Jeremy Konyndyk
Mar 28th, 2024
by Rebecca Hamilton
Mar 27th, 2024
by Norman L. Eisen, Andrew Warren and Siven Watt
Mar 27th, 2024
by Douglas London
Mar 21st, 2024
by Brian Finucane
Mar 19th, 2024
by Tom Dannenbaum
Mar 19th, 2024
by Leo Greenberg
Mar 18th, 2024
by Christopher S. Chivvis
Mar 15th, 2024
by Just Security
Mar 13th, 2024
by Just Security
Mar 13th, 2024
by Mieczysław (Mietek) Boduszyński and Jasmin Mujanović
Mar 13th, 2024
by Larry Lewis
Mar 12th, 2024
by Yuval Shany and Amichai Cohen
Mar 12th, 2024
by Beatrice Lindstrom
Mar 9th, 2024
by Bryan Frederick and Caitlin McCulloch
Mar 7th, 2024
by Brianna Rosen
Mar 1st, 2024
by Federica Paddeu
Mar 1st, 2024
by Lia van Broekhoven, Sangeeta Goswami, Floor Knoote and Thalia Malmberg
Feb 28th, 2024
by Preston Lim
Feb 27th, 2024
by Jenny Maddocks
Feb 26th, 2024
by Philippa Webb
Feb 26th, 2024
by Brian Finucane
Feb 23rd, 2024
by Ekaterina Kotrikadze
Feb 23rd, 2024
by Olga Butkevych, Rebecca Hamilton and Gregory Shaffer
Feb 22nd, 2024
by Ivan Horodyskyy
Feb 21st, 2024
by Maggie Mills, Thomas Poston and Oona A. Hathaway
Feb 20th, 2024
by Ambassador Daniel Fried
Feb 16th, 2024
by Matthew Levinger
Feb 13th, 2024
by Andrew Weissmann and Ryan Goodman
Feb 10th, 2024
by Eliav Lieblich
Feb 6th, 2024
by Oona A. Hathaway
Feb 5th, 2024
by Amichai Cohen and Yuval Shany
Feb 1st, 2024
by Senator Ron Wyden
Jan 31st, 2024
by Richard Gowan
Jan 30th, 2024
by Just Security
Jan 26th, 2024
by Ryan Goodman and Siven Watt
Jan 26th, 2024
by Steven Katz and John Ramming Chappell
Jan 25th, 2024
by Vadim Prokhorov
Jan 24th, 2024
by Thomas Carothers
Jan 22nd, 2024
by Paloma van Groll
Jan 19th, 2024
by Ambassador Thomas Graham Jr. and David Bernell
Jan 12th, 2024
by Ambassador Thomas Graham Jr. and David Bernell
Jan 12th, 2024
by Sean Murphy
Jan 10th, 2024
by Joshua Matz and Laurence H. Tribe
Jan 10th, 2024
by Norman L. Eisen, Matthew A. Seligman and Joshua Kolb
Jan 9th, 2024
by Bruce Hoffman and Jacob Ware
Jan 8th, 2024
by Meghan Conroy and Justin Hendrix
Jan 6th, 2024
by Samuel Issacharoff
Jan 5th, 2024
by Kayla Blomquist and Keegan McBride
Jan 4th, 2024
by Amichai Cohen and Yuval Shany
Jan 2nd, 2024
by Megan Corrarino
Dec 29th, 2023
by Wa’el Alzayat and Jeremy Konyndyk
Dec 22nd, 2023
by Brianna Rosen
Dec 15th, 2023
by Jasmine D. Cameron, Judge Dariusz Mazur and Anna Wójcik
Dec 12th, 2023
by Jane Stromseth
Dec 2nd, 2023
by Clara Apt
Nov 30th, 2023
by Norman L. Eisen, Ruth Ben-Ghiat, Siven Watt, Andrew Warren, Jacob Kovacs-Goodman and Francois Barrilleaux
Jun 5th, 2024
by Clara Apt
Apr 18th, 2024
by Ryan Goodman, Justin Hendrix and Norman L. Eisen
Mar 14th, 2024
by Gwendolyn Whidden, Katherine Fang and Clara Apt
Sep 27th, 2023
by Just Security
Apr 5th, 2024
by Just Security
Jun 1st, 2024
by Allison Mollenkamp
Dec 4th, 2023
by Megan Corrarino
Feb 20th, 2024
by Joumana Seif
Feb 19th, 2024
by Gwendolyn Whidden
Oct 31st, 2023
by Brianna Rosen
Oct 18th, 2023
by Brianna Rosen
Sep 11th, 2023
by Just Security
Jul 17th, 2023
by Just Security
May 9th, 2023
by Paul R. Williams, Milena Sterio, Yvonne Dutton, Alexandra Koch, Lilian Waldock, Floriane Lavaud, Ashika Singh and Isabelle Glimcher
Feb 13th, 2023
by Eileen B. Hershenov and Ryan B. Greer
Jan 26th, 2023
by Ambassador Peter Mulrean (ret.) and William J. Hawk
Jan 4th, 2023
by Clara Apt and Katherine Fang
Nov 18th, 2022
by Amanda L. White Eagle
Oct 10th, 2022
by Brianna Rosen
Oct 25th, 2022
by Oona A. Hathaway
Sep 20th, 2022
by Tess Bridgeman and Brianna Rosen
Mar 24th, 2022
by Nasir A. Andisha and Marzia Marastoni
Aug 15th, 2022
by Megan Corrarino
Feb 18th, 2022
by Mary B. McCord
Jan 24th, 2022
by Emily Berman, Tess Bridgeman, Megan Corrarino, Ryan Goodman and Dakota S. Rudesill
Jan 20th, 2022
by Laura Brawley, Antara Joardar and Madhu Narasimhan
Oct 29th, 2021
by Leila Nadya Sadat
Sep 13th, 2021
by Tess Bridgeman, Rachel Goldbrenner and Ryan Goodman
Sep 7th, 2021
by Just Security
Jul 19th, 2021
by Kate Brannen
Jun 30th, 2021
by Fionnuala Ní Aoláin and Kate Brannen
Jun 14th, 2021
by Steven J. Barela and Mark Fallon
Jun 1st, 2021
by Christine Berger
May 29th, 2021
by Beth Van Schaack
Feb 1st, 2021
by Beth Van Schaack and Chris Moxley
Nov 16th, 2020
Scholar-in-Residence and Adjunct Professor at the Washington College of Law, where he is part of the Tech, Law & Security Program. Until June 2019, he served as the Chief of the Office of Civil Liberties, Privacy and Transparency (CLPT) at the Office of the Director of National Intelligence (ODNI). Follow him on Twitter @awjoel.
Send A Letter To The Editor
by Keegan McBride
Jun 6th, 2024
by Clara Apt
May 30th, 2024
by Amos Toh and Ivey Dyson
May 30th, 2024
by Emile Ayoub
May 24th, 2024
by Spencer Reynolds and Faiza Patel
May 21st, 2024
by Arthur Holland Michel
May 13th, 2024
by Faiza Patel and Patrick C. Toomey
Apr 26th, 2024
by Norman L. Eisen, Ryan Goodman, Siven Watt and Francois Barrilleaux
Apr 26th, 2024
by Jeffrey Vagle
Apr 25th, 2024
by Noura Erakat and Josh Paul
Apr 24th, 2024
by David Aaron
Apr 18th, 2024
by Melanie Geller and Julian Melendi
Apr 12th, 2024
Just Security is based at the Reiss Center on Law and Security at New York University School of Law.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff. Need help with any of the topics in our articles? Schedule your free CDO TIMES Tech Navigator call today to stay ahead of the curve and gain insider advantages to propel your business!
