Welcome to the dog days of summer 2015.   Three privacy & security bits and bytes to start your week (if you are reading this on vacation … good for you!)

1.   ICYMI: Massive Data Breach at OPM Claims Victim — The Director

One day after Office of Personnel Management Director Katherine Archuleta broke the news to a congressional hearing that the second data breach at the agency exposed the records of 21.5 million people — the largest data breach in U.S. government history — she submitted her resignation to President Obama.  The databases involved in the second breach included highly sensitive background check information.   Back in early June, the OPM had announced that personnel files for 4.2 million current and former federal employees had been breached.  About 3.6 million individuals were reportedly affected by both breaches, therefore the total number affected is about 22.1 million.

The information in the second breach includes everything from Social Security numbers, mental health records, financial histories, names of old roommates and other information on basically everyone who has undergone a background check through the agency since 2000, as well as the fingerprints of about 1.1 million people.   This information also includes personal information of family, friends and other contacts of individuals who have undergone detailed background checks for top-level security clearances.

2.  Mark Your Calendars

The next Mintz Privacy Wednesday Webinar is coming up on Wednesday, August 26th at 1 PM ET.   We’ll be looking at privacy and security risk in the context of third-party vendors – the weak link in the security chain.  If you don’t believe us, just ask Target Corporation.   It will be compelling beach viewing, we promise!

3. James Lewis Speaks at ABA Event on International Cybernorms

Ari Moskowitz

Mintz Levin was in attendance at a talk by James Lewis of the Center for Strategic and International Studies and rapporteur for the UN Group of Governmental Experts for Information Security, hosted by the American Bar Association Standing Committee on Law & National Security. Lewis talked about the recently concluded meeting of the UN Group of Governmental Experts to establish a set of international guidelines for nation-states operating in cyberspace. That meeting culminated in a report that was delivered to UN Secretary General Ban Ki-moon and will be released publicly in several weeks.

Mr. Lewis said that there were four goals of the 2015 talks: to (1) elaborate international cyber-norms that countries should abide by, whether in peacetime or wartime; (2) build capacity among the UN and world governments; (3) establish confidence building measures countries can take in cyberspace; and (4) address the application of International law to cyberspace. He compared this approach to achieving international agreement on cybersecurity with the international approach to nonproliferation. And like nonproliferation, he believes it will take a long time, but will ultimately succeed. At this stage, he suggested, it is not feasible to get a treaty, and so the talks were designed to get international agreement on a set of norms.

The U.S. proposed five norms prior to this round of talks and was successful in getting international agreement on four of those. Specifically: (1) no nation should knowingly damage another nation’s critical infrastructure; (2) nations should work to prevent malicious cyberattacks coming from their territory; (3) nations should assist other nations that are subject to cyberattacks; and (4) no nation should target another’s cyber-emergency responders.

The fifth norm supported by the United States, that no nation should enable cyber-theft of intellectual property, did not make it in to the final report. Lewis said that the parties could also not agree on the threshold of what constitutes cyberattack. Another U.S. supported proposal that is missing from the final consensus report is the application of Article 51 of the UN Charter to cyberspace. Article 51 is the source of the right of self-defense in the UN charter, which the U.S. wanted as a backstop to authorize responses to cyberattacks. But Lewis suggested that other countries, specifically Russia and China, strongly objected to anything that would authorize force in cyberspace, which he speculated was really a concern over how the U.S. might respond to such incidents and attacks as the Office of Personnel Management data breach.

Lewis noted that the fifth goal – the application of International Law to cyberspace, including the application of Article 51 – proved the most difficult to achieve agreement on. Opposition to U.S. proposals was more coordinated and stronger at this set of meetings, he suggested, than it had been in previous years. Lewis attributed this to better organization by Russia and China, the elimination of some U.S. allies such as Canada and Australia from this year’s talks by the UN, and changes to the political landscape since the talks started in 2010. Among the changes highlighted by Lewis are the Russian annexation of Crimea, China’s island-building and intensifying conflict in the South China Sea, the leaks by Edward Snowden, and the muted U.S. response to the OPM data breach.

As for the future, the report, including the agreed upon cyber-norms may eventually be voted on by the UN, but in the meantime Lewis suggested they are more likely to be adopted by International organizations and individual nations. Lewis also noted that Russia proposed another set of meetings for 2016. But Lewis was optimistic about the prospects for maintaining a global Internet. He stated that he is not worried about balkanization as every nation sees the value of a global Internet, as even countries that have developed a closed network for political purposes keep the network open for business.