Key implications for business of Trump administration national security policies
November 2017 | SPOTLIGHT | CORPORATE LAW
Financier Worldwide Magazine
November 2017 Issue
In this era of rapidly advancing technology and greater economic and social integration across the globe, governments increasingly expect the private sector to assist with counterterrorism and achieving other national security goals. Threats from terrorist organisations and state actors are proliferating, prompting an evolution in official efforts to respond. In the US, recent moves by the Trump administration to address national security needs have had significant implications for technology companies, defence contractors, financial institutions, information service providers, telecommunications companies and energy suppliers, among others.
The recent news that the names, addresses, social security numbers, credit card accounts and other personally identifiable information of up to 143 million Americans – more than half the adult population – have potentially been exposed in a cyber breach of a major US credit monitoring company caused grave concern not only around the country, but around the world. Coming on the heels of a report that hackers successfully gained access to the operational networks of several companies in the energy sector in Europe and North America, leaving homes and businesses at risk of being unexpectedly plunged into darkness, these events demonstrate that cyber security is a matter of both consumer protection and national security.
The Trump administration has continued the Obama administration’s focus on strengthening the nation’s cyber security posture. Recently, the president ordered the elevation of US Cyber Command (CYBERCOM) to the status of a Unified Combatant Command focused on cyber space operations, to show “increased resolve against cyberspace threats and…help reassure our allies and partners and deter our adversaries”. Elevating CYBERCOM to the same level as the US Strategic Command places the cyber threat on par with the threat posed by weapons of mass destruction. There is bipartisan support for the reform, which Congress called for in December 2016 and the Obama administration strongly endorsed.
In May 2017, the president released an executive order on cyber security that, for the first time, makes clear that agency heads, and not their information technology officers, are responsible for managing cyber security risk for their organisations. Private companies would be wise to follow that lead and to ensure that senior management and boards of directors are directly involved in providing strategic cyber security guidance. The order also reinforces prior US government focus on critical infrastructure, such as the energy and financial services sectors, including by promoting market transparency of cyber security risk management practices by that sector. US Securities and Exchange Commission (SEC) chair Jay Clayton recently echoed that point, stating: “I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues. I’d like to see better disclosure around that”. The administration has also continued US government efforts to encourage voluntary information sharing between the government and critical infrastructure companies, and to promote a voluntary cyber security framework, established in 2014 in partnership with the private sector, for critical infrastructure companies to follow. The framework creates a set of industry standards and best practices, including a shared vocabulary about cyber security, to help decision makers manage cyber security using a risk-based approach. It is intended to be a living document, and a draft revision was issued in January 2017.
But more remains to be done. The president’s National Infrastructure Advisory Council issued a draft report in August warning that although “the US government and private sector collectively have the tremendous cyber capabilities and resources to defend critical private systems from aggressive cyber attacks…today, we’re falling short”.
The private sector increasingly receives government demands for information related to national security and other law enforcement investigations, demands that raise questions of the balance between security and privacy. In recent years, courts have wrestled with the scope of the US government’s authority in this area, particularly as private companies have resisted broad demands. There are many unresolved constitutional and statutory questions, and litigation in these areas is likely to proliferate – particularly as technology continues to change.
The Trump administration has called for cooperation between companies and the government, while also raising the prospect of legislation to expand government access to information. The question of encryption has received renewed attention. In late August, the deputy attorney general, Rod Rosenstein, raised the need for cooperation from the private sector in obtaining information in light of what he views as the problem of encryption that defeats access by the government. Emphasising that, “after a terrorist attack, obtaining stored electronic information is an effective and necessary law enforcement technique”, he warned that “the use of encrypted services poses a novel threat to public safety” and expressed concern that “some companies are unwilling to help enforce court orders to obtain evidence of criminal activity stored in electronic devices”. Mr Rosenstein expressed hope for cooperation but cautioned that “legislation may be necessary”. During his confirmation process to be, attorney general Jeff Sessions struck a similar tone, saying it is “critical” that “national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations”.
While the administration has not, to date, pushed legislation on the encryption issue, the crowded agenda in Congress this autumn will see a debate on whether to continue another intelligence tool, Section 702 of the Foreign Intelligence Surveillance Act, which is scheduled to sunset at the end of the year. The intelligence community has called the reauthorisation of Section 702 and related provisions its top legislative priority for 2017. Section 702 allows the government to require telecommunications providers to assist in collection of foreign intelligence information on non-US persons located outside the US. Procedures governing the targeting of individuals and the dissemination of collected information must be approved by a special Foreign Intelligence Surveillance Court, with oversight within the executive branch and by Congress. Section 702 was enacted in 2008 and renewed without change for five years in 2012. It has been the subject of a robust debate, about both its usefulness as a national security tool and the adequacy of the procedures surrounding it. The attorney general and the director of national intelligence recently confirmed the intelligence community’s view that Section 702 collects “vital information about international terrorists, cyber actors, individuals and actors engaged in the proliferation of weapons of mass destruction and other important foreign intelligence targets”. And significantly, the administration is asking Congress to reauthorise Section 702 without amendment or a sunset date, making the authority permanent. Several affected companies have advocated additional protections for their customers and are closely watching this legislative process.
On 2 August 2017, the president signed into law the Countering America’s Adversaries Through Sanctions Act. Passed with overwhelming bipartisan support, this law represents a dramatic incursion into executive power, including, in the president’s words, “a number of clearly unconstitutional provisions”. Although the legislation largely continues Obama-era policies by codifying sanctions imposed in response to cyber intrusions by the Russians intended to interfere with the US electoral process, as well as to Russian actions in the Crimea, the legislation is remarkable because it constrains the use of sanctions by the executive branch as a foreign policy tool. Although the executive traditionally has significant discretion in determining whether and when to provide relief from particular sanctions, the Act purports to prevent the president from lifting sanctions for a 30-day period, to give Congress a chance to act in a contrary manner. And until shortly before the legislation was adopted, it contained language that seemed to be contrary to the interests of at least some of our European allies, with whom the US historically had been closely coordinating in response to the situation in the Crimea. Prior to the last-minute insertion of language to require coordination with US allies prior to the imposition of sanctions, it appeared that the bill would have penalised European companies involved in energy projects in Russia, including the Nord Stream 2 pipeline, designed to transit the Baltic Sea from Russia to Germany and owned by Russian energy giant Gazprom, causing significant consternation by some in Europe. Although that problem seems to be fixed, companies remain concerned by the possibilities of inconsistencies in the sanctions regimes imposed by the US and the EU.
Federal law allows the executive branch to review some transactions involving foreign investment in the US and authorises the president to block transactions on certain national security grounds. This review is led by the Committee on Foreign Investment in the United States (CFIUS), which is chaired by the treasury secretary and includes other high-ranking officials from various agencies. If CFIUS concludes, after consideration of factors spelled out in the statute, that the effect of a covered transaction on national security warrants suspending or prohibiting the transaction, then it submits a recommendation to the president for an ultimate decision. Indeed, in mid-September, the president accepted CFIUS’s recommendation and blocked his first transaction on national security grounds. Although CFIUS has provided guidance on the types of transactions it believes present national security concerns, the process remains quite opaque to businesses. In recent months, the treasury secretary and members of both houses of Congress have raised the possibility of legislative reform of the CFIUS process. One key question is whether the scope of CFIUS review would be broadened beyond national security concerns to address economic issues, such as the effects of a transaction on jobs in the US. Secretary Mnuchin has come out against that view: “Fundamentally we want to keep CFIUS as a national security review and we want to deal with economic issues separately. We don’t want to confuse those issues.”
Caroline D. Krass and Stuart F. Delery are partners at Gibson, Dunn & Crutcher LLP. Ms Krass can be contacted on +1 (202) 887 3784 or by email: firstname.lastname@example.org. Mr Delery can be contacted on +1 (202) 887 3650 or by email: email@example.com.
© Financier Worldwide
Caroline D. Krass and Stuart F. Delery
Gibson, Dunn & Crutcher LLP