An Interview with Ian Corey and Doug DePeppe, Moderated by Randy Bagwell
A few days ago, I was talking with two former Army JAG Corps colleagues, who both happen to be cyberlaw experts. When the conversation turned to the increasingly destabilizing cyberattack landscape, I was intrigued. Having spent most of my own career in International Humanitarian Law, I have for years monitored efforts like the Tallinn Manual, which seeks to provide guidance on how cyberattacks should be treated under international law. Also, since serving at The Judge Advocate General's Legal Center and School, I have had a keen interest in the intersection of law and cybersecurity.
So, I asked my two friends if they would be willing to let me interview them to see if they could make the case that 2018 represents a transformative year in cybersecurity, and that duties for managing cyber risk may emerge in 2019 that could fundamentally change the governance landscape.
Colonel Ian Corey is the former chief lawyer at Army Cyber Command, who retired in 2018 after 30 years of military service. Lieutenant Colonel Doug DePeppe retired in 2008 after helping lead the Army’s establishment of cyberlaw capabilities and serving in several cyber operations commands. Both now practice cyberlaw at eosedge Legal, a boutique cyberlaw practice that Doug founded.
Before offering perspectives on how events in 2018 may signal a change in how data privacy is viewed and how cybersecurity is addressed in 2019, and to put the conversation into perspective, I asked them to share their views against the backdrop of author Malcolm Gladwell’s The Tipping Point: How Little Things Can Make a Big Difference.
DOUG DePEPPE: In the media, in Congress, in state legislatures, and among regulators, bureaucrats, pundits and experts, there has been no shortage of talk about causing change to improve cybersecurity. But there is not a lot of action. Despite this lack of action, Ian and I believe that 2019 likely represents a tipping point.
Malcolm Gladwell wrote:
“The tipping point is that magic moment when an idea, trend or social behavior crosses a threshold, tips, and spreads like wildfire.”
Among the evangelists, thought leaders, and practitioners in the cyber domain, we grapple with the slowness of the public’s awakening to the tremendous risks emanating from the Internet, particularly with respect to cybersecurity and disinformation.
Against this backdrop of complacency, Gladwell also articulated more cynical observations about the challenges that precede a tipping point:
“We have trouble estimating dramatic, exponential change…. There are abrupt limits to the number of cognitive categories we can make…. The way we function and communicate and process information is [not] straightforward and transparent…. It is messy and opaque.”
What we are seeing in cyber today are the catalysts of change emerging, like the first light of dawn. In 2018, we witnessed a diverse set of events that create the conditions for a tipping point. What we have seen over the past year are major occurrences and trends in the cyber landscape that represent important pivots that could well trigger change in 2019. Gladwell noted that change often happens in small doses that, in hindsight, can be observed as pieces of a larger movement: “in order to create one contagious movement, you often have to create many small movements first.”
RANDY BAGWELL: Under Gladwell’s model, what are some “exponential change” factors or events that occurred in 2018 that might signal transformational change in 2019?
IAN COREY: Let’s begin with Facebook.
To say that 2018 was a challenging year for Facebook would truly be an understatement. In March, a joint investigation by The New York Times, The Guardian, and The Observer, reported that the British political data firm Cambridge Analytica had collected the personal data of some 87 million Facebook users, without their consent or knowledge. The firm then reportedly used this data for targeted political ads during both the 2016 U.S. presidential election and the U.K.’s 2016 Brexit referendum.
In September, Facebook announced its discovery of a security breach that compromised over 50 million user accounts (later revised downward to 30 million). The breach triggered one of the first major investigations under Europe’s new General Data Protection Regulation (GDPR), and could result in a substantial fine.
Then in November, The New York Times reported that Facebook’s Chief Operating Officer, Sheryl Sandberg, had sought to minimize evidence of Russian use of Facebook to interfere in the 2016 U.S. election, and that Facebook had hired an opposition research firm to discredit anti-Facebook groups by linking them to liberal billionaire George Soros.
Finally, in December yet another The New York Times investigation revealed that Facebook had shared users’ personal data with over 150 companies, often without the users’ knowledge or agreement. Facebook has disputed a number of these latest allegations.
These and a number of other unflattering revelations regarding Facebook have led to increased scrutiny from government officials and law enforcement entities both in the U.S. and abroad, steep losses in Facebook’s stock price, and a growing #DeleteFacebook movement. Meanwhile, Facebook executives have gone on apology tours and acknowledged — in what also smacks of an understatement: “We know we’ve got work to do to regain people’s trust.”
RANDY BAGWELL: It may be accurate that Facebook represents a wake-up call, and that the U.S. Congress and legislative committees in the United Kingdom have begun calling upon others in Silicon Valley, such as Twitter and Google, to account for privacy-invasive product features. But can we really consider these efforts as transformational?
DOUG DePEPPE: These hearings and media exposure cannot be viewed in isolation, but rather against the history of inactivity going back decades. Scott McNealy, then of Sun Microsystems, famously declared consumer privacy a “red herring” in a 1999 Wired Magazine story, and expanded his view with this statement:
“You have zero privacy anyway. Get over it.”
That always struck me as both troubling and problematic. And rather bombastic. It is very important to understand that the law is often a trailing indicator. When great harms begin to proliferate, the law operates to rebalance interests. And law, of course, is made by people, and is usually a result of society’s reflections on proliferating harms. We need to compare the governmental scrutiny of Facebook, Twitter and Google in 2018 against an extended period of inaction, and even lack of concern for privacy.
RANDY BAGWELL: Fair enough, but if your premise is that the institution of law is starting to react to rebalance interests, I think you need more evidence to make that case.
DOUG DePEPPE: In May, 2018, the European Union’s new General Data Protection Regulation (GDPR) took effect, and in 2018 the U.S. Department of Commerce rolled out an implementation regime for U.S. companies called Privacy Shield. The GDPR creates robust and comprehensive obligations for protecting online privacy. The New York Department of Financial Services issued new cybersecurity regulations over covered entities in 2017 and phased in implementation measures during 2018, ahead of full implementation by February 15, 2019.
California and Colorado, to name just two states, passed new privacy protection statutes in 2018 (with California’s stringent requirements becoming effective in 2020) that create affirmative duties for companies to protect privacy. And a Pennsylvania Supreme Court decision in 2018, Dittman v. UPMC, created a common law duty among employers to act reasonably with regard to protecting their employees’ personal privacy.
Duties to investigate network compromises, duties to report data breaches, and affirmative duties to protect privacy, whether resulting from legislation or court decision, are creating a fiduciary environment surrounding data privacy. The establishment of enforceable duties in the law is a game-changer! Indeed, in most instances, these new duties are not prescribed with precise cybersecurity requirements or standards; rather, there is a broad duty of “reasonableness”.
The image of Silicon Valley CEOs appearing before Congress was powerful in 2018, but one might reasonably expect something similar in courtrooms in 2019.
RANDY BAGWELL: That is interesting. But don’t people have to care about privacy online?
IAN COREY: That is certainly true. Plaintiffs bringing lawsuits will care, and they will be looking for redress for their harms. Doug is speaking to the pocketbook aspects, both with individuals and corporations. There are also other values at stake.
Gladwell’s admonition about the “limits to the number of cognitive categories” is important, but so is his observation about the many factors that create the “contagious movement”. Consider, for example, American competitiveness around the world, and the threats it faces from cyberspace.
The problem of attacker attribution makes it difficult to accurately assess the scope of nation-state cyberattacks in 2018. Nonetheless, there was a marked increase in the U.S. government’s use of so-called “naming and shaming” tactics, including a number of Department of Justice (DoJ) indictments of foreign nationals linked to malicious nation-state cyber operations:
March: nine Iranians allegedly working on behalf of Iran’s Islamic Revolutionary Guard Corps, for attacking 320 universities around the world — 144 in the U.S. — and stealing 315 terabytes of data
July: twelve Russian hackers with ties to the Main Intelligence Directorate, or GRU, for hacking the Democratic National Committee in 2016
September: a North Korean with ties to the government-sponsored Lazarus Group, for alleged involvement in the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack, among others
October: seven Russian GRU officers, for hacking the World Anti-Doping Agency and the Organisation for the Prohibition of Chemical Weapons
October: ten Chinese affiliated with China’s Ministry of State Security, for economic espionage involving U.S. and foreign companies
December: two Chinese also affiliated with the Ministry of State Security for a global campaign targeting technology companies and government agencies around the world, over more than a decade
Notably, in conjunction with the December indictment of the Chinese hackers, the U.K., Australia, Canada, and New Zealand joined the U.S. in condemning China’s rampant theft of intellectual property. While some question the utility of charging foreign nation-state sponsored hackers who are unlikely to ever actually face prosecution in a U.S. courtroom, others say it sends an important signal regarding norms of acceptable behavior and has at least some deterrent value. Regardless, it appears the U.S. government is becoming increasingly less reticent about calling out malicious adversaries.
Of course, this reflects only part of what is publicly known about our government’s non-military posture toward nation-state adversaries in 2018. We know much less about the military posture, though it was widely reported that the Trump Administration made significant changes to Presidential Policy Directive 20 (PPD-20), which governs the conduct of U.S. offensive and defensive cyberspace operations. Notably, the reporting indicates that PPD-20 was revised to speed and enhance U.S. Cyber Command’s ability to conduct offensive operations. This policy shift also arguably has deterrent value.
DOUG DePEPPE: To me, this represents a tipping point within the Departments of Justice and Defense to more aggressively pursue cyber threats that represent unconventional ways that government adversaries seek to undermine American interests. But these cyberattacks also threaten individual Americans and corporations. Naturally we need national-level cyber defenses, yet the vast majority of attacks are well below that threshold: stealing individuals’ credentials to get inside networks, attempting to influence voters ahead of an election, or theft of corporate intellectual property.
Americans do care that nation-state adversaries are targeting our national interests; it’s just taken time for “cognitive” recognition, to use Gladwell’s term, that the causes and effects of foreign hacking are undermining our individual slices of Americana and what we value about our privacy and liberties. So there is a heightened need for collective cybersecurity improvement to protect those interests.
RANDY BAGWELL: I’ll concede that these are good points by both of you, and I can certainly see that a convergence of cyber events and the law have culminated in 2018 to a significant extent. But you have also cited the complacency around cyber and data privacy that has prevailed for years. Even if the conditions have been set for a transformational shift, what evidence can you point to that suggests a pivot will occur in 2019?
DOUG DePEPPE: Predicting the future is surely a foolish endeavor. Yet, taking stock of salient changes is a sound analytic step as we look back on 2018. That the conditions for change are in place is a conclusion I am comfortable with making.
IAN COREY: Legislation and regulation, such as those Doug addressed, have and will only continue to exert pressure on private sector entities to conform to new norms regarding the handling of information. For example, troves of highly sensitive and classified defense information have been stolen not from the DoD itself, but from some of its contractors or their sub-contractors. As a result, DoD is imposing strict requirements for the safeguarding of defense information stored on contractors’ information systems, and these requirements will flow down the entire supply chain.
Contractors are scrambling to meet the requirements; some, many of them small businesses, have concluded they are not resourced to do so, and that it is simply no longer worth the effort to continue to work for DoD. The bottom line is that those contractors who cannot or will not fall in line will be shown the door. I think we can extrapolate this result within the broader legislative and regulatory context and will see a “thinning of the herd,” if you will, across a number of sectors.
RANDY BAGWELL: In the spirit of light-hearted New Year predictions, and given we are talking about reaching a tipping point, there must be some reasonable foreshadowing to be drawn from the conditions for change you identified. What’s your sense for what might occur in 2019 that you would consider transformational?
DOUG DePEPPE: Not only will we see the advancement of a kind of “Main Street U.S.A.” cyber efforts that assemble local champions seeking better solutions at more affordable pricing, but these efforts will spur greater innovation. The flow-down cybersecurity requirements Ian noted, along with the risk exposures also mentioned, will cause businesses lower in the supply chain to address their risks and lack of competitiveness. That’s market forces at work. They will be forced to either change or face business losses.
And governments are already starting to respond to this pressure by launching programs and provisioning resources. Many states have launched cyber initiatives, for example, that are developing capability and promoting economic development in the cyber sector. The Small Business Administration, through its Small Business Development Center network, is expanding its resources and capabilities. Finally, at a recent workshop hosted by the DHS Cybersecurity and Infrastructure Security Agency's National Risk Management Center, an industry-driven initiative, Cyber on Main, was announced as a collaborative effort to improve resilience and capability among small businesses at community levels.
IAN COREY: Doug is pointing out the resources and activities that exist and are likely to grow in 2019. But it’s the spark from ongoing attacks, like ransomware, and fear of either not staying competitive or being drawn into a lawsuit or enforcement action that are likely to drive businesses to these activities in 2019. Laws and regulations that establish a duty to manage cyber risk are a game changer. When there is a duty, businesses can no longer risk noncompliance.
Moreover, that plaintiffs’ attorneys have already begun to challenge companies’ failures to protect privacy is a harbinger of things to come. Recent lawsuits against Facebook and Google that have pursued a “failed duty” theory are just the starting point. My view is that the establishment of an affirmative legal duty of reasonable security practices will result in companies budgeting even more for cybersecurity in 2019.
RANDY BAGWELL: Thank you both. Of course, no one knows what the future holds for certain, but you have certainly made a strong case that 2019 will be the tipping point in cybersecurity. I will be anxiously watching in 2019 for trends that show a more rapid adoption of reasonable security practices. Even more importantly, whether community efforts in cybersecurity take root.
About the Contributors:
Randy Bagwell is Director for International Humanitarian Law, American Red Cross after more than thirty years of service as a Judge Advocate General (JAG) Officer in the U.S. Army. As a legal advisor for the Army, Randy performed duties ranging from prosecuting and defending criminal cases to advising on administrative and regulatory matters; however, his specialty, and the majority of his assignments, were in International Humanitarian Law (IHL). Randy has taught IHL at the U.S. Naval War College, the U.S. Army JAG School, the Defense Institute of International Legal Studies, the NATO School and the Institute of International Humanitarian Law in Sanremo, Italy. He has also instructed on IHL with partner nations in over 20 countries. Additionally, he has advised senior military commanders on IHL during operational deployments to Hungary in support of Operations in Bosnia, two tours in Afghanistan and one in Iraq. Prior to joining the Red Cross, Randy held the position of Dean of the Army’s Judge Advocate General’s School in Charlottesville, Virginia.
Ian Corey recently joined eosedge Legal after a military career that included tours as general counsel for some of the Army’s key organizations, most recently Army Cyber Command. He helps his clients successfully navigate within a complex legal and policy framework, simultaneously identifying and helping to manage and mitigate risk. Ian is also an advisor to the Cyber Resilience Institute and has helped train students in cyber threat exchange through the c-Watch interdisciplinary cyber operations course.
Doug DePeppe, a former advisor to the White House 60-Day Cyberspace Policy Review, has fashioned a niche practice as a cyber-risk attorney and consultant, as well as possessing diverse expertise across multiple cyberspace verticals. He helps businesses design and implement commercially reasonable security practices to mitigate the growing liability exposure from cybersecurity threats. Data breach response, privacy, compliance, legislation, law enforcement and national security assistance, forensics analysis, and national and international engagements related to public-private partnerships and cyber-threat information sharing frameworks are part of his portfolio. He offers expertise in all facets of the law and policy dimensions to the cybersecurity challenge, in both the commercial and government spaces. He is the founder of eosedge Legal, co-chairman of the Cyber on Main Initiative, Board President of the Cyber Resilience Institute, co-founder of the Sports-ISAO, co-chair of the Government Relations Working Group for the ISAO Standards Organization, and chairs the RC3 Cyber Working Group.