Get off of my cloud: A six-month status report on China’s Cybersecurity Law

Last month, Reuters and the Wall Street Journal announced that AWS was selling its data centers to Beijing Sinnet for $2 billion yuan or $320 million USD. The news triggered breathless predictons that AWS was withdrawing as a cloud provider in China. As it turns out, such predictions were premature. On November 13, AWS clarified that it was selling off its China-based web services to comply with China’s new cybersecurity law, but has every intention of continuing to provide cloud services in partnership with Sinnet.

With this latest move, AWS joins a growing body of multi-national companies that are taking proactive steps to comply with a cybersecurity law that legal experts have characterized as frustratingly vague and overly broad. Under at least one interpretation, individuals with multiple computers could be considered network operators and subject to the strict security requirenents imposed by the new law. AWS and other multinational companies (MNCs) aren’t taking any chances when it comes to compliance. Apple opened a data center in the Guizhou region and Microsoft Azure partners with Chinese partner 21 Vianet Group to offer cloud services. In 2016, Airbnb announced that it was moving its user data to a Chinese location to comply with local data laws and IBM also relies on Chinese data centers.

Moving data to locally-controlled data centers isn’t the only step companies are taking to comply with the law. Both Apple and Sinnet have shut down virtual private networks that would allow users to circumvent the so-called Great Firewall of China. Spurred by economic interests— iPhone sales in China account for 21% of its global sales–Apple has taken things even further, agreeing to remove news apps provided by the New York Times from its Chinese app store. The tech leader has also committed to building two research and development centers in China and investing $1 billion in a Chinese ride-hailing service.

The proactive steps appear to be working. Apple successfully sidestepped a request to install backdoors in its system that would allow governments and other organizations to bypass the company’s encryption of data stored and transmitted via its systems. Apple has also stated that it will retain encryption keys for data stored at the Guizhou center and that its partner, Guizhou-Cloud Big Data, will not have access.

While tech companies are adopting a strategy of preemptive cooperation, the US government has asked China to delay full implementation of the law. In a document presented to the World Trade Organization, the US argued that the law could negatively impact cross-border services provided by MNCs, writing that the impact of the law would “fall disproportionately on foreign service providers operating in China,” because “companies located outside of China supplying services on a cross-border basis . . .  must depend on access to data from their customers in China.”

The US paper to the WTO echoes charges of protectionism made by MNCs. However, Chinese legal experts have pushed back, maintaining that the law is less strict than the EU’s General Data Protection Regulation and other data localization laws. Given the global trend toward greater data privacy, the most persuasive argument for loosening the grip China has on cyberseciurity within its borders might be cost. As MNCs grapple with increased expense and loss of efficiency in complying with the law, Chinese consumers will likely bear the brunt of rising fees for cloud services. Still, exerting pressure on China to delay implementation or loosen requirements is a gamble in which China has the best hand. According to Synergy Research Group, Chinese firms account for roughly 80 percent of total cloud services revenue in China, and roughly half of the data center market. Given the economic reality of China’s dominance in the Asian cloud services market, making concessions on data localization and investing in technological innovation is not just a winning strategy, it’s the cost of doing business with an economic powerhouse.


Outsourcing: The Changing Face of Insider Threats

When news broke that government contractor Reality Leigh Winner had leaked classified documents about the hacking of the 2016 election, the TV gods smiled. For the NSA, the incident was another embarrassing blow to its reputation as the premier security agency in the United States. Since Anthony Snowden’s revelations in 2013, the public and private sectors have endured a series of high profile data breaches caused by contract workers. While some, like the Target breach, were caused by negligence, the Snowden and Reality Winner incidents were carried out for political motivations.

In Snowden’s case, at least, the leaks reflected the culmination of a troubled relationship with the government consulting firm Booz Allen Hamilton. Alarmed by the sheer scope of the surveillance he witnessed, Snowden expressed his concerns to no less than ten superiors during his employment only to encounter a wall of indifference and inaction. In the midst of growing frustration, Snowden also feared that US whistleblower laws did not apply to contractors. Armed with a libertarian ethos and a principled set of convictions, Snowden made the fateful decision to expose the NSA’s surveillance activities to journalists Glenn Greenwald, Laura Poitras, and Ewen MacAskill.

Snowden’s case underscores the troublesome reality that contractors face when it comes to employment. All too often, contractors lack both internal support from employers and external protections from state and federal government. The resulting disaffection provides fertile soil for insider threat to proliferate. Increasingly, this disaffection is resulting in so-called “malicious insider activity” that has placed the public and private sectors on the defensive.

To combat growing concerns about insider threats among government contractors, the federal government enacted the NISPOM Change 2 Insider Threat Mandate in the waning days of the Obama Administration. In addition to requiring companies with federal contracts to establish insider threat programs, NIPSOM requires all federal contract workers to complete insider threat training to maintain their security clearances. The training mandate went into effect on June 1, 2017, so the jury is out on whether this requirement will neutralize the ever-expanding quagmire of leaks and breaches currently dogging the public and private sectors.

Some government officials, like top intelligence chief Bill Evanina, dispute the threat represented by government contractors, arguing that concerns about the security of this labor force are overblown and that contractors are “kicking butt” in the fight against leaks. However, when it comes to public perception, Evanina and other protest too much. The general consensus is that insider threat perpetrated by contractors poses a growing threat to data security.

Indeed, the working conditions of contractors can exacerbate the potential for malicious activity, especially at the lower levels, where work is less predictable, pay is lower, and there are no benefits. According to the CERT division at Carnegie Mellon University’s Software Engineering Institute, financial insecurity and discontent over work conditions are two of the top risk factors for creating malicious insiders. Added to these indicators is the fact that contractors don’t work for the organizations who outsource work. They work for companies who contract with these organizations. The loyalty that “company men” held toward long-term employers in the 1950s and 1960s is as archaic as pensions, private sector unionization, and a host of other incentives that once reinforced the allegiance of workers toward their employers.

It would be misleading to characterize all contractors as malcontents nursing a growing pile of grievances toward the organizations that employ them. Independent contractors who are self-employed sole proprietors report greater levels of satisfaction than their counterparts in traditional jobs. Regardless of the potential security risks posed by contractors, government agencies and private corporations show no signs of abandoning outsourcing. According to some sources, contractors make up 70% of the intelligence community, with 5 million holding security clearances and 1.4 million holding top secret clearances. In the private sector, contingent workers, made up of temps, contractors, and part-time workers now make up 40% of the workforce.

With the rise of the gig economy and conservatives controlling all three branches of government, outsourcing is unlikely to decline any time soon. However, the very factors that make outsourcing attractive to employers also pose unique security concerns. If organizations are going to maintain control over sensitive data, they will need to address the economic challenges of an independent workforce that lacks the protections of traditional employment. At the same time, employers must be careful not to create a culture of surveillance that undermines collaboration and morale while miring businesses in a sea of red tape created by security protocol. Even if organizations could implement a top-flight security program, intelligence officials like Evanina believe eliminating all insider threat would be impossible. Organizations who wish to mitigate insider threat will need to balance security requirements with privacy concerns and efficiency. For the time being any way, insider threat appears to be an inescapable cost of doing business.

Data Privacy in the Age of Trump

In my last post, I speculated what a Trump presidency might mean to data privacy. I mentioned his pro-business stance as a possible check to Trump’s authoritarian populism, but ended with a cautionary note about the damaging effects of unfettered government intelligence on civil liberties. We are now well into Trump’s first 100 days. While mainstream media has focused on fact-checking Trump’s tweets and covering his missteps with the travel bans and healthcare, his administration has been busy rolling back legislation that protects consumer data. In this post, I’ll look at some of the changes the Trump administration is making when it comes to data privacy.

Big Brother is coming to an Internet café near you

Reeling from internal divisions that prevented a repeal and replace of Obamacare, Republicans are looking for a chance to flex their legislative muscles. A rollback of regulations limiting data collection by the telecommunications industry may fit the bill. Last week, the Senate approved a repeal of Obama-era FCC regulations limiting the ability of broadband providers to collect personal data. The House is expected to approve the rollback this week.

For those concerned about the prospect of big business accessing personal data, state legislatures provide a sliver of hope in a data privacy landscape darkened by deregulation.  Illinois is leading the vanguard, with three bills that would give citizens privacy rights equivalent to those enjoyed by EU members. The legislation includes a right-to-know bill that would allow consumers to request information on the types of data social media companies like Google and Facebook collect on them and which businesses have access to that information. Other bills include one limiting the use of microphones on internet-connected devices and another regulating the circumstances under which a company can track consumer locations using smartphone applications. Should the legislation pass, it may serve as a model for other states concerned about data privacy in the age of Trump.

Numerous other states are also considering bills or have already passed bills that limit how and when the government can monitor Internet use by private citizens. California and Connecticut have both updated regulations restricting government access to online communications, including email, with an equivalent bill under consideration in New Mexico. Two other states—Nebraska and West Virginia—have passed legislation limiting how employers can monitor social media accounts. Hawaii and Missouri are considering similar legislation.

No more net neutrality?

The new FCC chairman Ajit Rai has been busy since taking office last January. In addition to dismantling Obama-era limits on data collection, Rai has championed a rollback of regulations prohibiting “zero-rating” exceptions to limits on data caps. Advocates of Internet freedom see this development as a threat to more far-reaching rules protecting net neutrality. For those who missed the ongoing controversy of the last few years, net neutrality prevents Internet broadband providers from establishing “fast lanes” for preferred customers and slow lanes for everybody else, including the Average Joe surfing the Internet. During the Obama years, consumers joined privacy advocates over fears that preferential treatment would limit their ability to stream video and gaming content and successfully championed rules to preserve net neutrality.

Now, Rai has pulled the FCC’s investigation into the practice of zero rating, in which telecommunications companies exploit loopholes in data cap limits to offer certain types of streaming content. Consumer advocates fear closure of the investigation signals a larger repeal of net neutrality rules in the months to come. The FCC has responded to such criticism by arguing that consumers will be the winners, giving them access to more data-free offerings like DirecTV streaming via ATTNow on mobile devices that don’t count against data caps.

What does it all mean?

Almost 70 days in to Trump’s presidency, pundits have some meaty data to chew on when assessing the administration’s impact on data privacy.  Far from acting as check on his authoritarian impulses, Trump’s pro-business support for deregulation is augmenting an attempt to expand executive power. While Trump’s maneuvers justifiably invoke charges of fascism, defenders of civil liberties can take heart in the numerous setbacks to Trump’s authoritarian ambitions. First the judiciary dealt a blow—not once, but twice—to his travel ban. Then the legislative branch put a stop to Trump’s campaign promise to repeal and replace the Affordable Care Act. Now federalism, the very principle Republicans use to justify a rollback of federal regulations, is being used to implement protections for data privacy at the state level. If Trump’s presidency has accomplished nothing else, it is providing a powerful lesson in civics by showing us our Constitutional system of checks and balances in action.


Kang, Cecilia. (February 5, 2017). Trump’s F.C.C. Pick Quickly Targets Net Neutrality Rules. New York Times. Accessed on February 9, 2017.

Dougherty, Connor. (March 2, 2017). Push for Internet Privacy Rules Moves to Statehouses. New York Times. Accessed on March 27, 2017.

A False Sense of Security

Egyptian technophiles got a rude awakening on December 20, 2016 when they discovered that Signal, an app that protects communications from third-party surveillance, had been blocked by the Egyptian government. The go-to app is favored by journalists and activists seeking to protect their sources from government retaliation. One week later, parent company Open Whisper Systems added new features to bypass the block, restoring access to free speech advocates throughout Egypt. Although this story has a happy ending, the incident represents a growing tension over internet security between tech leaders and governments.

Attempts to interfere with encrypted communications in the name of national security aren’t limited to the Middle East. Just last year, members of the US Senate’s Intelligence Committee championed a bill that would have compelled manufacturers to program a “backdoor” to encrypted devices. The move, introduced to enable government surveillance in cases of suspected terrorism, alarmed industry leaders, who argued that the bill would undermine consumer confidence and impose burdensome restrictions on how tech companies design and market smart devices. Security professionals joined the chorus of protests. Programming vulnerabilities into the very DNA of smart devices, they maintained, would allow cybercriminals to exploit this backdoor for profit and bragging rights.

US lawmakers soon backed off support for the bill, but many tech experts fear that further attempts to restrict security are right around the corner following Trump’s election. Styling himself as an authoritarian law and order president, Trump has called for the monitoring of Muslims and deportation of Syrian refugees, fueling fears that he will use intelligence gathering to infringe upon the civil liberties of American citizens and carry out possible human rights violations against immigrants.

Given Trump’s recent standoff with the US intelligence community over reports of Russian election hacking, fears of government intervention in the tech industry may be greatly exaggerated. Trump’s strong pro-business, anti-regulation agenda also provides a ray of hope for security professionals who wish to preserve the integrity of encryption from government interference. On the other hand, members of Congress have signaled a willingness to limit Internet access in the name of intelligence gathering and Senator Richard Burr has already vowed to reintroduce the backdoor bill during the next session of Congress.

Business leaders and technology experts who value true security above government intelligence objectives rightly argue that other means exist to monitor potential terrorist threats, as evidenced by the FBI’s legal showdown with Apple. Following a mass shooting in San Bernardino, the FBI sought to compel Apple to decrypt the shooter’s mobile phone. Apple successfully rebuffed this demand, citing its policy of maintaining the security of Apple smart devices. The case was resolved without a court ruling when the FBI found alternative methods to access the data, thereby preserving Apple’s sovereignty over its mobile security technology.

While free market advocates may argue that economic imperatives will provide a corrective check to government overreach, I’m less sanguine about the fate of encryption and other security measures in today’s political climate. If we’re going to combat the false sense of security that intelligence gathering promises, we must advocate to preserve the integrity of security technology with a proven track record of protecting personal data. As history has repeatedly demonstrated, the price of freedom is eternal vigilance not unfettered intelligence.



The Illusory Promise of Data Sovereignty Laws

Prior to 2016, you’d be hard-pressed to find any political scientists predicting retreat from the transnational global economy that emerged in the 1990s. The formation of the EU, the passage of free trade agreements like NAFTA, and the thawing of the Cold War promoted global exchange in a seeming Manifest Destiny that transcended national boundaries by forming new jurisdictions based on regional and economic affiliation.

Technology proved a willing ally in the relentless march to globalism. The Internet ushered in a new way of communicating and conducting business through interconnected computer networks. When the cloud appeared on the horizon, users gained 24/7 digital access from any location with an Internet connection. Now, the Internet of things promises to place digital transformation at our fingertips through smart phones, smart appliances, and wearable devices that automate every aspect of daily living.

Then 2016 happened. Brits voted to Brexit the EU. Donald Trump defied expectations and got himself elected president. Italy’s prime minister self-immolated over a failed referendum vote that promised to end gridlock in Italy’s Parlamento Italiano. Not even a close defeat of Austria’s far-right Freedom party gave globalists much room to breathe, not with elections in France and the Netherlands threatening to topple the EU’s once impregnable hold on the European market. Populism is now the name of the day, with China, the US, and Russia shaking up old alliances and staking out adversarial positions based on national interests.

Of course, signs of trouble were apparent long before Donald Trump and Brexit, especially when it comes to data privacy. The real alarm sounded in 2013, when Anthony Snowden revealed the NSA’s vast surveillance of US citizens and foreign nations. Deciding that the US failed to provide adequate protection of EU member data, the EU struck down the Safe Harbor program, the program that allowed US businesses to self-certify that they met the EU’s criteria for protecting personal information.

Individual countries responded to Snowden’s revelations by passing data sovereignty laws, placing a chilling effect on data transfers by mandating that servers hosting citizen data be located within national borders. To date, over 100 countries have already passed data localization laws, with another 40 countries currently considering similar legislation. True to form, Russia has enacted one of the most sweeping data localization laws. Federal Law No. 242-FZ goes beyond requiring companies to locate servers hosting specific types of “sensitive” data within its borders and requires that all citizen data be stored on databases located within Russia. Nor does the law exempt foreign companies from its requirements, meaning that multinational companies will need to invest considerable time, energy, and money into complying with the latest Amendments to Russia’s Federal Law on Data Protection.

Data localization and the new nationalism appear to be here to stay, at least for the short term. Some experts predict an increase in market demand “for local or regional data centers and for software or hardware that facilitates geographic localization.” Other experts offer a less than rosy assessment of data localization, fearing such laws could throttle technological innovation. One recent study warned that fragmentation of the internet based on national borders could threaten new advances in information technology, including cloud computing, big data and the Internet of things. Moreover, by restricting the location of servers, data localization laws sacrifice the cloud’s primary benefits—namely affordability and scalability—which depend on service providers being able to move data between servers in different locations for load balancing and to take advantage of energy discounts and lower labor costs.

Data localization laws won’t just dampen technological innovation, however. Cloud computing and Internet eCommerce are big business. In 2015, the revenues of public cloud vendors reached a combined 75.3 billion U.S. dollars, while revenue from the Software as a Service segment alone was projected to reach 49.9 billion U.S. dollars.  According to Forrester, E-commerce sales will approach $500 billion by 2018 and are expected to grow to more than $400 billion in the next several years.

However, countries seeking a competitive advantage by passing data localization laws may be in for a rude awakening. A study by the European Center for International Political


If data localization laws prove unsustainable, how will companies and nations get around concerns over data privacy? Some experts predict that trade agreements will include limitations on data localization laws as a condition of doing business. Individual corporations may sidestep localization laws by meeting national adequacy determinations through self-certification, binding corporate rules, or model clauses. Political instability may also reverse some of the populist trends of the past year. Far from draining the swamp, Donald Trump is staffing his cabinet with a combination of insiders, political cronies, and deregulators who are ideologically opposed to government intervention in the economy and maintain close ties to multi-national

organizations. Even Brexit appears to be on hold at least temporarily, with new PM Theresa May delaying invocation of

Article 50 until 2017. A recent High Court ruling that the British government must get Parliamentary approval before using Article 50 buys even more time for opponents of Brexit.

Given the instability of the current political landscape, companies seeking to maximize the benefits of cloud computing and ecommerce might be wise to adopt a two-tier strategy. In the short-term, business leaders may want to seek out cloud service providers with data centers in geographic regions where data localization laws apply. In the long-term, the best bet may be to negotiate agreements that curtail data localization laws while promoting economic growth by leveraging the advantages of information




Introducing Data Confidential

In 1952, Robert Harrison introduced Confidential Magazine, a precursor to modern-day tabloids featuring the misdeeds of pop culture celebrities. The magazine made its reputation by promising readers inside information about their favorite stars. The magazine hit upon a winning formula by combining a few well-established facts with plenty of speculation and innuendo, all delivered in a breezy, conversational style that became the publication’s trademark.

You might be wondering what data protection has in common with a Hollywood scandal rag. Surely securing personal information against unauthorized use and disclosure deserves a little more levity. Certainly, people take their privacy very seriously, as evidenced by the recent furor Evernote unleashed when it announced that technicians would access user notes to improve the software’s machine learning capabilities. Faced with mass defections from its customers, Evernote did a quick about-face and reversed the privacy policy, assuring customers it will only access data if users give explicit consent.

Data breaches also generate big headlines and sometimes a little scandal as well. The infamous Ashley Madison hack exposed the personal information—including real names, credit card information, personal addresses, and search histories—of almost 6 million individuals, not to mention exposing millions of would-be philanderers to public scrutiny. The Sony breach of 2014 created major headaches for the studio, which initially canceled release of the Seth Rogan/James Franco comedy The Interview due to security concerns. Among the tidbits exposed by the hack was Scott Rudin’s email characterization of Angelina Jolie as a “minimally talented spoiled brat” in an exchange with Sony exec Amy Pascal. The revelation led to one of my all-time favorite celebrity photos—a frosty exchange between Pascal and a less-than-impressed Angelina Jolie.

While it’s tempting to focus on the sensational aspects of data breaches, there’s a lot at stake when it comes to high-profile hacks. The alleged Russian hacking of DNC emails during the 2016 election cycle discredited the Democratic Party, led to the ousting of chairperson Debbie Wasserman Schultz, and may have cost Hilary Clinton the chance to become the United States’ first female president. The high stakes of data protection warrant serious coverage, but that doesn’t mean the coverage has to be dry or boring. Data Confidential covers trending topics in data security and privacy, but strives to do so in an entertaining way. The site’s title, which alludes to the tension between the private nature of confidential information and the very public consequences of inadequate data security and privacy breaches, offers a perfect illustration of Data Confidential’s approach to its subject matter.

In the unpredictable world of data security and privacy, the only certainty is constant change, so fasten your seatbelts. It’s going to be a bumpy ride.