COMMISSION ON ENHANCING NATIONAL CYBERSECURITY 49
U.S. companies provide electronic communications services
globally, including to many subjects of foreign law enforcement
investigations. When the communications data for those persons
are stored or accessible only in the United States, a conflict can
arise between the requirements of U.S. laws and of the foreign
country’s laws. The MLAT process was designed to facilitate
the lawful fulfillment of foreign law enforcement requests
for information and evidence, but it was designed for another
era, with far fewer requests, before electronic evidence was
routinely stored in other countries, such as in cloud services; it
lacks the speed, agility, and resources needed to stop today’s
criminals. Dissatisfaction with the MLAT process has fueled calls
by many countries for data localization, which would harm the
U.S. technology industry and impede development of new global
Internet services.
In addition to reforming the MLAT process and increasing DOJ
funding to support it, Congress should pass legislation proposed
by the Administration[44] that provides a speedier alternative for
qualifying governments to obtain extraterritorial communications
data related to preventing, detecting, investigating, or prosecuting
serious crimes. The United States and United Kingdom have
negotiated a bilateral agreement that eliminates conflicts of
laws so that each nation, under certain conditions, may have
its requests for copies of data honored by companies in the
other nation. However, in order to implement the agreement,
legislative changes are necessary, including establishing
a broader framework and the standards to implement that
framework that will be needed to bring numerous countries into
similar agreements. In order to ensure that such agreements
are reciprocal, and to meet the needs of U.S. law enforcement
investigations, Congress should also ensure that in appropriate
circumstances, U.S. law authorizes law enforcement to obtain
electronic data located abroad.

[44] The Department of Justice has proposed legislation that would permit
direct access to U.S. providers pursuant to agreements entered into
between the executive branch and governments that meet specified criteria.
These criteria are designed to ensure that only countries that afford robust
substantive and procedural protections for privacy and civil liberties will be
permitted to request data directly from U.S.-based companies. In return,
the United States would be assured reciprocal access to data abroad for
its law enforcement investigations. A recent U.S. court decision held that
the federal government could not require companies storing data in another
nation to provide copies of that data to the government based solely on a
U.S. warrant. Microsoft Corp. v. United States, No. 14-2985 (2d Cir. 2016),
http://cases.justia.com/federal/appellate-courts/ca2/14-2985/14-2985-2016-07-14.pdf?ts=1468508412.
If that decision stands and its reasoning
is adopted by other federal courts, the United States may not have the
authority to avail itself of this benefit, and the proposed agreements would
not be reciprocal.

Action Item 6.1.5: NIST and the Department of State should
proactively seek international partners to extend the Cybersecurity
Framework’s approach to risk management to a broader
international market.
(SHORT TERM)
NIST, in coordination with other sector-specific agencies (e.g.,
the Departments of Energy, Transportation, and Treasury),
should proactively expand U.S. participation and leadership in
the development of international cybersecurity standards for
industry and other nations. The Department of State should
identify partners to help extend this approach globally. The
United States has developed important cybersecurity risk
management approaches that could benefit organizations here
and abroad. Developing and selecting international standards
is an increasingly important element of many nations’ economic
strategy, and the United States has a corresponding opportunity
to enhance the capabilities of those participating nations. In
particular, NIST should promote the use of the Cybersecurity
Framework by actively working with industry to seek its
acceptance in international standards bodies.
Action Item 6.1.6: The Department of State, DHS, and other
agencies should continue to assist countries with cybersecurity
capacity building in light of growing needs and recent
developments.
(SHORT TERM)
The United States can more effectively respond to foreign cyber
threats when our international partners have their own strong
cybersecurity capabilities, in planning, preparation, and response.
U.S. cybersecurity and privacy capacity building is essential
in creating international partners with common interoperable
technologies, policies, and supportive laws to ensure the
security of the global digital economy. This assistance includes
helping other nations to use internationally accepted standards
and conformance programs in building their cybersecurity
capabilities, and to adhere to and enforce international laws.
Capacity building will help improve cybersecurity threat and
vulnerability information sharing, as well as supply chain security,
attack identification and attribution, and cooperation in critical
infrastructure protection. The federal government should review
its existing capacity-building efforts, identify any gaps that
exist, and develop solutions to fill those gaps. It should then
coordinate with other nations to provide capacity building where