Biden EO aims to safeguard sensitive data on fed employees, facilities

The Biden administration, as part of a broader data privacy effort, is attempting to curtail foreign adversaries from gathering sensitive data on federal employees and military service members.

The new initiative comes under an executive order President Joe Biden was expected to sign Wednesday. The EO is aimed at protecting Americans’ sensitive data from being accessed by so-called “countries of concern” through data brokerages and other transactions.

Under the EO, the Justice Department will issue regulations around the bulk sale of sensitive data to unfriendly foreign nations, including China, Russia, Iran, North Korea, Cuba, and Venezuela. The EO will specifically highlight geolocation data, personal health data, personal financial data, and biometrics, among other categories.

“Buying data through data brokers is currently legal in the United States,” a senior Biden administration official told reporters on Tuesday. “And that reflects a gap in our national security toolkit that we’re working to fill with this program.”

In a fact sheet, DoJ also described how its program will regulate the sale of “government related data,” regardless of whether it meets the “bulk” thresholds or not.

DoJ’s regulations will focus on sensitive data marketed “as linked or linkable to current or recent former employees or contractors, or former senior officials, of the federal government, including the intelligence community and military.”

The rulemaking will also address government-related locations by focusing on “geolocation data that is linked or linkable to certain sensitive locations within geofenced areas that the department would specify on a public list,” the department said in its factsheet.

Officials have warned for years that foreign adversaries could use commercially available data as an intelligence tool. In a January 2023 white paper, the MITRE Corporation summarized how advertising technology or “adtech” on mobile phones and other devices could be used to target influential individuals for blackmail and coercion, or even physically map and target sensitive sites.

Brandon Pugh, policy director of the R Street Institute’s cybersecurity and emerging threats team, noted members of the military and intelligence professionals face unique threats in the digital age.

“Adversaries have an interest in identifying them, targeting them for blackmail and disinformation, and tracking their movements to and from government facilities for strategic advantage,” Pugh told Federal News Network. “We have seen this play out in the Russia-Ukraine conflict and there is no doubt that countries like China have similar interests.”

Pugh also noted it will be difficult to track when and how sensitive data reaches countries like China and Russia.

“An area that will be tricky to follow and enforce is when data is ‘re-exported,’ where third parties share the data with countries of concern,” he said.

CISA security requirements for sensitive data

While DoJ will play a lead role under the EO with its advanced notice of proposed rulemaking, several other agencies will be involved in advancing the order’s goals to better protect sensitive data

The Cybersecurity and Infrastructure Security Agency, for instance, will establish security requirements for “restricted transactions” that will be allowed to go forward under the EO, so long as they meet certain stipulations.

“These security requirements will be designed to mitigate the risk of access by countries of concern or covered persons and may include cybersecurity measures such as basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies,” the DoJ fact sheet explains.

Pugh said it will be notable to watch “how prescriptive these requirements are, how they are assessed and monitored, and how they might evolve over time.”

“Enhancing baseline cybersecurity has been a priority of the federal government even outside of this executive order as the updated NIST cybersecurity framework from this week conveys,” he added.

Meanwhile, the departments of Defense, Health and Human Services, Veterans Affairs, and the National Science Foundation will “consider taking steps to use their existing grant making and contracting authorities to prohibit federal funding that supports, or to otherwise mitigate, the transfer of sensitive health data and human genomic data to countries of concern and covered persons,” the DoJ fact sheet states.

Biden urges Congress on privacy legislation

The White House acknowledged that while the EO is aimed at protecting American’s sensitive data, it isn’t a substitute for broader privacy actions. Biden is encouraging the Consumer Financial Protection Bureau to take steps to prevent data brokers from “illegally assembling and selling extremely sensitive data, including that of U.S. military personnel,” the White House said.

And Biden is also urging Congress to pass “comprehensive bipartisan privacy legislation, especially to protect the safety of our children.”

In a statement, Sen. Mark Warner (D-Va.) applauded the forthcoming EO. “While I welcome these steps, today’s action does not assuage the need for comprehensive data privacy legislation,” Warner said. “I urge my colleagues to come together on legislation that finally protects Americans’ privacy online.”

Meanwhile, Sen. Ron Wyden (D-Ore.) also praised the White House’s actions, while calling on the Senate to consider his Protecting Americans’ Data from Foreign Surveillance Act of 2023, which could potentially apply to a much broader set of countries than Biden’s EO.

“Authoritarian dictatorships like Saudi Arabia and UAE cannot be trusted with Americans’ personal data, both because they will likely use it to undermine U.S. national security and target U.S. based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China,” Wyden said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.