Can New Cyber Strategy Legalize Sending Foreign Militaries US Citizen Data?

This week, Defense Secretary Ashton Carter described "three missions" of his department's cyberstrategy during a speech at Stanford University.

"The first is to defend DoD networks, systems, and information," Carter said. "The second is to defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence," he said. "And the third is to provide integrated cyber capabilities to support military operations and contingency plans."

However, some analysts say a provision of the Pentagon’s new Cyber Defense Strategy may allow government agencies to send information about US citizens to foreign militaries.

The provision in the strategy made public last week reads, "As a part of its cyber dialogue and partnerships, DOD [Department of Defense] will work with key Middle Eastern allies and partners to improve their ability to secure their military networks as well as the critical infrastructure and key resources upon which U.S. interests depend. Key initiatives include improved information sharing to establish a unified understanding of the cyber threat, an assessment of our mutual cyber defense posture, and collaborative approaches to building cyber expertise."

The strategy is causing some alarm among the privacy community.

“If the attacker can gain access to a user account with lots of access rights, like a computer administrator, they will be able to move right past all the alarms and defenses,” said Matt Kodma of the cyber intelligence analytics group Recorded Future according to DefenseOne. “However, the behavior of that user account, once it's been hijacked by a cyber attacker, will be unusual.”

Tucker also suggests monitoring certain actions like the uploading of large files with plenty of mystery code that doesn’t seem to have a clear purpose.

“This authorization would not just seriously undermine Americans’ Fourth Amendment rights, which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information, it would create an expansive new means of general-purpose government surveillance. (Sec. 5(d)(5)(A)),” wrote Robyn Greene, who serves as policy counsel for the Open Technology Institute at the New America Foundation.

Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, has made similar arguments.

“Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted … It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information.”