Drew Bagley, VP and Counsel, Privacy and Cyber Policy, CrowdStrike
Data protection efforts are proliferating. Clearly a response to daily news about data breaches and other unauthorized data exposures, these efforts are all well-intended. Increasingly, advocates and policymakers recognize the need to harmonize cybersecurity requirements within data protection laws. But proposals to localize data persist — and threaten to undermine improvements to both data protection broadly and cyber resilience specifically.
Common Cybersecurity Requirements Provide a Roadmap for Privacy Compliance
Despite a seemingly confusing “alphabet soup” of data protection requirements in the form of GDPR, CCPA, APPI, amendments to the Australian Privacy Act and an increasing number of U.S. privacy laws, there have been positive developments for those seeking to build a global program. The text of these regulations actually shares a common set of security requirements demanding the implementation of safeguards “appropriate” or “reasonable” to the risk. For years, it has been understood that these requirements were designed to ensure organizations did not view data protection compliance as a “one and done” but instead enhanced their data protection methods as threats and technologies evolved.
Today, we have both more clarity and greater consensus than in years past as to what constitutes “appropriate” or “reasonable.” Common cybersecurity technologies and practices appear in the ENISA “State of the Art” guidelines, the U.S. Executive Order on Improving the Nation’s Cybersecurity and the latest guidelines from the New York State Department of Financial Services. These best practices include endpoint detection and response (EDR), dark web monitoring, log management, threat hunting and Zero Trust identity protection. Moreover, it appears that patching against known vulnerabilities has shifted to a compliance priority in the wake of the Federal Trade Commission’s statement after Log4Shell. This common recognition of specific cybersecurity practices means that practitioners now have more certainty about baseline standards in the face of potential regulatory enforcement and litigation.
Confusing Policy Trends Can Undermine Cybersecurity Best Practices
Simultaneously, but in contrast to the increased clarity in meeting the security requirements of data protection laws, emerging data localization proposals threaten to misalign data protection priorities. Current cybersecurity trends make clear that cyber intrusions continue to pose a significant threat to privacy. In essence, security requirements and the endorsed practices are designed to prevent unauthorized access to data.
Nonetheless, many policy proposals around the globe seek to deny otherwise authorized access, such as managing a network across jurisdictions, in effect limiting defenders’ means to protect against unauthorized access. Recent examples include provisions in India’s draft Digital Personal Data Protection Bill, France’s draft cybersecurity certification, SecNumCloud, an early draft of Italy’s Presidential Decree implementing NIS 1.0, certain interpretations of post-Schrems II cross-border data flows, and other policies promoting data sovereignty for domestic intelligence gathering or industrial policy objectives.
While these policy debates remain fluid, the reality is clear that data localization requirements would actually limit use of the very cybersecurity best practices for which there is consensus around the globe. To utilize these, defenders require software-as-a-service (SaaS) platforms, aggregated security data, unified visibility across an enterprise, centralized log management, the ability to track lateral movement, and 24/7 services, which invariably require data flows.
The irony is that threat actors don’t follow the rules, so defenders lacking global analytics and threat hunting capabilities would be met by threat actors naturally aiming to exfiltrate data across borders and move laterally within a global network. In other words, data localization requirements could incentivize organizations to mitigate the perceived risks of foreign legal processes at the expense of complying with domestic requirements to use the right technologies to protect data against breaches.
Fortunately, there have been some positive developments, including an OECD agreement on government data access principles, which has the opportunity to resolve many of the concerns of data localization proponents.
Cybersecurity Realities Give New Meaning to Today’s Privacy Requirements
As security and privacy teams work together to comply with modern data protection standards of “reasonable” and “appropriate” to the risk, and policymakers weigh the merits of data localization debates, it is important to take note of how different today’s threats are.
Data leak extortion poses a significant threat to privacy and security today. Moreover, from a tactical perspective, modern attacks are identity-driven, leveraging the use of legitimate credentials. Other trends include some of the findings in CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report:
• Malware-free activity accounted for 71% of all detections indexed by CrowdStrike Threat Graph®
• Adversaries move fast: the average measurable breakout time was 1 hour 24 minutes, and in 30% of those intrusions the adversary was able to move from one host to another within 30 minutes
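As an added illustration (not from the original article or CrowdStrike’s tooling) of why breakout time and lateral-movement tracking depend on the unified, cross-border log visibility discussed above, the script below computes breakout time over a constructed cross-region logon log, first with every event visible and then as a log store localized to a single region would see it. The host names, regions, timestamps and user are all constructed.

```python
from datetime import datetime

# Constructed sample of remote-logon events as a central log platform would
# hold them: "timestamp src_host dst_host dst_region user". The host names,
# regions, timestamps and user are made up for this example.
SAMPLE_LOG = """\
2022-09-01T10:00:00 internet host-eu-01 EU svc-backup
2022-09-01T10:20:00 host-eu-01 host-us-07 US svc-backup
2022-09-01T11:30:00 host-eu-01 host-eu-02 EU svc-backup
"""


def parse(log_text):
    """Parse the constructed log format into a list of events sorted by time."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, region, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "region": region, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def breakout_minutes(events, region=None):
    """Minutes from initial access (first logon from the internet) to the
    first lateral move the viewer can observe, or None if unobservable.
    With region set, emulate a localized log store that only retains logons
    whose destination host sits in that region, so a hop into another region
    is never recorded there."""
    visible = [e for e in events if region is None or e["region"] == region]
    compromised = set()
    initial = None
    for e in visible:
        if initial is None:
            if e["src"] == "internet":
                initial = e["ts"]
                compromised.add(e["dst"])
            continue
        if e["src"] in compromised:
            # First observable hop from a compromised host to another host.
            return (e["ts"] - initial).total_seconds() / 60
    return None


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for view in (None, "EU", "US"):
        label = "unified" if view is None else f"localized to {view}"
        print(f"{label:18} breakout: {breakout_minutes(events, view)} min")
```

In the unified view the EU-to-US hop is seen 20 minutes after initial access; the EU-only store first sees a lateral move after 90 minutes, and the US-only store never sees the initial access at all.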
The stakes of today’s attacks and the techniques leveraged make it important for organizations to ask whether or not security technologies deployed on their network are appropriate to the risk, meet today’s legal standards, and adhere to common best practices. Similarly, such realities can inform policy debates on whether or not certain proposals would create better cybersecurity outcomes.
It is important to reflect on what holistic data protection entails, and how critical cybersecurity is, not only for compliance but for protecting privacy and human rights. Data breaches pose a significant threat to privacy today. Accordingly, policymakers and government agencies can improve privacy not only by promoting transparency but also by incentivizing the adoption of best practices to protect data against breaches. This should be prioritized instead of seemingly arbitrary proxies for privacy like data localization.
Today, modern IT infrastructure, cybersecurity and privacy compliance programs are dependent upon global data flows. Introducing frameworks that enhance security and provide certainty for data transfers is an important element to achieving holistic data protection.