In the last few years we’ve had huge leaks of highly confidential and potentially embarrassing digital information about our government and its actions through Wikileaks. In the last few months we learned from Mandiant Corporation that in all probability China is actively hacking American companies and government servers. In the last few days we found out that the Federal Government is apparently gathering massive amounts of data regarding individuals, and it is implied by Britain that governments may be exchanging data quid pro quo to circumvent their own privacy laws. We learned in just the last two days that the source of the leak (who outed himself) was a Government contractor employee, Edward Snowden, who is now reputedly hiding in Hong Kong, China. All this as President Obama and Chinese President Xi Jinping dance around issues of cybersecurity.
Ironically, DOJ’s latest target for revealing Government secrets undoubtedly considers himself a hero whistleblower for exposing the Government’s previously undisclosed surveillance program. While details continue to come out, it is apparent that the “whistleblower,” Edward Snowden, will be prosecuted, though Hong Kong (or China proper) may not make extradition easy. The most interesting details will obviously be the nature of the communications, the terms of any agreements Snowden signed, and ultimately, whether Snowden does qualify as a protected whistleblower – either under the Whistleblower Protection Act (WPA), 5 USC § 2302, or any other of a stack of similar provisions.
This incident also underscores some of the major challenges of cybersecurity: (1) employees and insiders account for a large percentage of hacking-type issues – Bradley Manning is another example; (2) no contract, no regulation, no policy can protect against “bad apples” working on the inside beforehand – only internal oversight can even hope to “nip this in the bud;” and (3) in the end, the only option may be to pursue civil and criminal remedies after the fact, perhaps under the Computer Fraud and Abuse Act (CFAA) or similar state statutes, as Centre did for a client recently in the Tech Systems, Inc. v. Lovelen Pyles matter. Vengeance leaves the cat out of the bag, however.
Behind all this is the backdrop of the February 12, 2013 Executive Order and efforts to create regulations governing cybersecurity, particularly with respect to contractors. While the National Institute of Standards and Technology (NIST) has produced its analysis of cybersecurity comments and cybersecurity critical infrastructure framework project, those reasoned, reasonable documents may fall by the wayside thanks in part to Snowden’s revelations. Centre, and every other individual and company involved in government contracting, is following those efforts closely. We caution all involved, given recent revelations, that the result may be vast over-regulation and unreasonable frameworks that are not only unworkable for government contractors, but also unsustainable for government agencies. When headlines and media spin coincide with rulemaking, the resulting regulations are often spin-based as well. We’ll let you know what we think as these developments progress.
By: Dov Szego