Search

Begin New Search Topic Security Author Michael Garcia

1. Taking Action on Cyber Enforcement: Assessing US Legislative Progress in the 116th Congress

Author:
Michael Garcia and Pat Shilo
Publication Date:
02-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
The 116th Congress experienced events like no other in American history, including unprecedented levels of malicious cyber activity. Global estimates say that ransomware attacks have increased by 148% since February 2020, with many US hospitals and schools falling victim and having their operations suspended.1 Leading up to and during the pandemic, Members of the 116th Congress responded and drafted cybersecurity legislation, introducing 316 bills to tackle the issue—a 40% increase from the previous Congress. This memo presents a comprehensive analysis of the cybersecurity legislation introduced in the 116th Congress and is a successor to our memo assessing the cybersecurity legislation in the previous Congress. Unlike the 115th Congress, the two chambers of the 116th were each under the control of a different party. Still, more than half of the introduced bills were bipartisan, including 85% of the bills signed into law. However, only 11% of the introduced bills focused on imposing consequences for the human actors behind cyberattacks, such as imposing sanctions or strengthening laws to prosecute criminals to hold them accountable for their actions. Following the trend of past congresses, most of the bills focused on protecting data and securing critical infrastructure. But while defending data and infrastructure is important, the lack of legislation to address the challenges of imposing consequences on the human actor suggests that Congress should prioritize introducing and passing bipartisan legislation that reduces the impunity with which malicious cyber actors, particularly cybercriminals, act. Here are the main takeaways from the bills introduced last Congress: Cybersecurity-related legislation increased by 40% since the 115th Congress. Of the 316 bills introduced, 14 became law, with nine related to appropriations or agency authorizations legislation. However, only 36 of the 316 bills introduced in the 116th Congress, and just three of the 14 provisions signed into law, focused on imposing consequences on the human actors behind cyberattacks. Cybersecurity remains a largely bipartisan issue. Over 50% of all legislation and 85% of all bills signed into law had a bipartisan co-sponsor.
Topic:
Security, Science and Technology, Cybersecurity, Legislation, and Cyberspace
Political Geography:
North America and United States of America

2. To Patch or Not to Patch: Improving the US Vulnerabilities Equities Process

Author:
Josh Kenway and Michael Garcia
Publication Date:
06-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
The process that determines when and how the US government discloses unknown cybersecurity vulnerabilities to relevant companies or withholds them for government purposes lacks sufficient accountability, transparency, and public trust. Malicious actors do not hesitate to exploit “zero-day vulnerabilities,” or vulnerabilities that a company has had zero days to patch, with Chinese-based hackers most recently using a zero-day in Microsoft Exchange Servers to infect hundreds of thousands of systems.1 Yet, the government also uses zero-days to carry out activities that are in the nation’s interest and, as a result, does not tell the impacted software or hardware vendor about the vulnerability. In this case, the government determines that the benefit of not disclosing the vulnerability outweighs the consequence of a bad actor potentially exploiting the vulnerability for nefarious purposes. In 2010, the US government created the Vulnerabilities Equities Process (VEP) to convene federal agencies that represent a range of national interests—including security, intelligence, foreign policy, commerce, and civil rights and liberties protection—to weigh distinct perspectives on how vulnerabilities should be patched or briefly kept open for law enforcement, intelligence gathering, or military purposes. However, the VEP is not codified in law and has failed to deliver greater transparency around government retention of vulnerabilities nor ensures accountability for the government’s decisions. Congress and the Biden administration should address deficiencies with the VEP to increase transparency, strengthen accountability, build public and industry trust, and establish a world-leading model for decision-making around what to do about high-value vulnerabilities. This paper details seven steps for the Biden administration to enhance transparency and accountability in the VEP while preserving government priorities, as well as flexibility for the defense of democratic values and institutions.
Topic:
Security, Defense Policy, Science and Technology, Governance, Cybersecurity, and Transparency
Political Geography:
North America and United States of America

3. Where Are We Now? Examining the Trump Administration’s Efforts to Combat Cybercrime

Author:
Michael Garcia and Anisha Hindocha
Publication Date:
06-2020
Content Type:
Special Report
Institution:
Third Way
Abstract:
Amid the COVID-19 pandemic, the United States has seen an acceleration of an already massive cybercrime wave. Daily reports of cybercrime to the FBI’s Internet Crime Complaint Center have nearly quadrupled since the pandemic began, to roughly 4,000 reports per day. Unfortunately, even before this crisis began, the enforcement rates for these crimes are low – for every 1,000 reported cyber incidents, only three arrests of the perpetrators occur. In the fall of 2018, the White House released the “National Cyber Strategy of the United States,” which detailed how the Administration would create or update policies for combating cybercrime. While no implementation plan for this Strategy was ever published, Third Way conducted an analysis of publicly available information of the Administration’s actions and budgetary allocations since the strategy’s release to examine their cybercrime enforcement efforts.
Topic:
Security, Defense Policy, Science and Technology, Cybersecurity, Pandemic, COVID-19, and Digitalization
Political Geography:
North America and United States of America

4. Weakened Encryption: The Threat to America’s National Security

Author:
Mieke Eoyang and Michael Garcia
Publication Date:
09-2020
Content Type:
Special Report
Institution:
Third Way
Abstract:
For years, law enforcement officials have warned that, because of encryption, criminals can hide their communications and acts, causing law enforcement to struggle to decrypt data during their investigation—a challenge commonly referred to as “going dark.” They called on technology companies to build a process, like a “master key,” to enable law enforcement to unlock encrypted communications. While this may seem like a tempting idea, it would have grave implications for our national security. As more and more of our communications move online, users seek out encrypted services to protect their privacy. Unlike telephonic communications, and despite repeated requests by law enforcement to do so, Congress has not required internet communications platforms to give law enforcement access to intercept user communications or access stored communications. In this paper, we assess the national security risks to a requirement to provide that master key (referred to throughout as “exceptional” or “backdoor” access) to encrypted communications and propose alternative approaches to address online harms.
Topic:
Security, Science and Technology, Cybersecurity, and Encryption
Political Geography:
North America and United States of America

5. A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?

Author:
Allison Peters and Michael Garcia
Publication Date:
11-2020
Content Type:
Special Report
Institution:
Third Way
Abstract:
The following report is the result of a multiyear effort to define concrete steps to improve the US government’s ability to tackle the scourge of cybercrime by better identifying perpetrators and imposing meaningful consequences on them and those behind their actions
Topic:
Security, Defense Policy, Science and Technology, Governance, and Cybersecurity
Political Geography:
North America and United States of America