Did an Ivy League professor crack the key to 702 oversight?


— With help from Maggie Miller

Driving the Day

A Princeton professor’s new method for estimating how much U.S. data gets swept up in a powerful foreign spying program is reviving support for reform that civil liberties advocates have long viewed as critical to oversight. But questions remain.

HAPPY MONDAY, and welcome to Morning Cybersecurity! Dumbarton Oaks is the perfect place to tell your sister you accidentally canceled the dinner reservation for night one of her long-anticipated D.C. visit.

It’s just too beautiful there to stay angry.

Got tips, feedback or other commentary? Send them my way at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

National Security Council and Office of National Cyber Director officials speak at a U.S. Chamber of Commerce discussion on the new national cybersecurity strategy. 1:30 p.m.

Surveillance

GALVANIZING REFORM — A Princeton professor has developed a new way to calculate the amount of data a powerful foreign surveillance program collects on Americans, potentially overturning a key defense the intelligence community has raised to defeat prior efforts to install new civil liberties safeguards over U.S. spying.

The breakthrough could throw a wrench into a bitter and ongoing debate between Capitol Hill, the White House and the intelligence community about how to reform Section 702 of the Foreign Intelligence Surveillance Act before it expires at year’s end.

Thus far, lawmakers keen to introduce new safeguards have focused on the intelligence community’s access to U.S. data that has already found its way into a 702 database. The new approach instead seeks to provide greater transparency into the data the program hoovers up from Americans in the first instance — insight some view as critical to preventing privacy abuses.

“The entire basis for this program is this notion that it is OK to do warrantless surveillance inside the U.S. where the targets are foreigners outside the U.S.,” said Jonathan Mayer, the Princeton professor who developed the approach. “If it turns out you’re just intercepting a bunch of communications to Americans, that really matters to evaluating this program from a policy and legal perspective.”

The backstory — In prior FISA reauthorization battles, lawmakers and civil liberties advocates have called on the intelligence community to calculate the amount of U.S. data that is collected “incidentally” under the foreign surveillance program.

For example, a 2014 report from the Privacy and Civil Liberties Oversight Board, an executive branch watchdog, concluded the lack of knowledge about incidental collection “hampers attempts to gauge whether the program appropriately balances national security interests with the privacy of U.S. persons.” And the law authorizing the program includes a provision requiring the intelligence community to conduct yearly reviews of whether such figures are possible.

But U.S. spies and intelligence hawks have defeated those efforts time and again by arguing that the effort is impractical — a contention Mayer, a former Senate staffer who worked on the last FISA reauthorization battle in 2018, wanted to disprove.

The scientific weeds — Along with his research assistant Anunay Kulshrestha, Mayer developed a new method for estimating U.S. data hoovered up in the program via a cutting-edge cryptographic technique known as secure multiparty computation. It allows two parties to compute a joint result over their sensitive data sets without either side revealing its data to the other.

In theory, the new math solves a Catch-22 the intelligence community has cited to squash prior efforts to force it to produce such a figure: that doing so would require searching through 702 data to figure out who is and who isn’t American — the exact privacy violation reformers aim to prevent.
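To make the idea concrete, here is an added illustration of the kind of computation secure multiparty computation makes possible: a private set intersection cardinality protocol in which one party holds identifiers seen in collected traffic and another holds a reference list of identifiers believed to belong to U.S. persons, and the two learn only how many identifiers overlap. This is example code written for this page, not Mayer and Kulshrestha’s published method; it uses the classic Diffie-Hellman-style commutative blinding, and the group (the multiplicative group modulo the Mersenne prime 2^521 − 1), the party names and the sample identifiers are all assumptions of the example.

```python
import hashlib
import math
import secrets

# Toy group for a self-contained demo (an assumption of this example): the
# multiplicative group modulo the Mersenne prime 2^521 - 1. Production PSI
# protocols would use a standard elliptic-curve group instead.
P = 2**521 - 1
_rng = secrets.SystemRandom()


def hash_to_group(item: str) -> int:
    """Map an identifier (e.g. an e-mail address) to a nonzero element mod P."""
    digest = hashlib.sha256(item.strip().lower().encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


class Party:
    """One side of the protocol: a private set plus a secret exponent."""

    def __init__(self, name: str, items):
        self.name = name
        self.items = set(items)
        # Secret exponent coprime to P-1, so x -> x^key is a bijection and two
        # distinct identifiers can never collide into a false match.
        while True:
            key = _rng.randrange(2, P - 1)
            if math.gcd(key, P - 1) == 1:
                self.key = key
                break

    def blind_own_set(self):
        """Emit H(x)^key for each own item, shuffled so order leaks nothing."""
        blinded = [pow(hash_to_group(x), self.key, P) for x in self.items]
        _rng.shuffle(blinded)
        return blinded

    def blind_received(self, values):
        """Raise the other side's blinded values to own key (commutative step)."""
        doubled = [pow(v, self.key, P) for v in values]
        _rng.shuffle(doubled)
        return doubled


def psi_cardinality(a: Party, b: Party) -> int:
    """Return |A ∩ B|; neither party ever sees the other's raw identifiers."""
    a_once = a.blind_own_set()            # H(x)^ka, sent to b
    b_once = b.blind_own_set()            # H(y)^kb, sent to a
    a_twice = b.blind_received(a_once)    # H(x)^(ka*kb)
    b_twice = a.blind_received(b_once)    # H(y)^(kb*ka), equal iff x == y
    return len(set(a_twice) & set(b_twice))


# Constructed sample data (not real identifiers): endpoints seen in collected
# traffic on one side, a reference list of presumed U.S. persons on the other.
COLLECTED = ["alice@example.com", "bob@example.net", "carol@example.org",
             "dave@example.com", "erin@example.net"]
US_PERSONS = ["Carol@Example.org", "erin@example.net", "frank@example.com"]


def demo() -> int:
    collector = Party("collector", COLLECTED)
    reference = Party("reference", US_PERSONS)
    return psi_cardinality(collector, reference)


if __name__ == "__main__":
    print("estimated overlap:", demo())  # 2
```

Each side only ever handles hashed values raised to a secret exponent, so the collector never learns who is on the reference list and the reference holder never learns what was collected; the shuffles matter, because without them the position of a matching value would reveal which identifier it was. The protocol assumes honest-but-curious parties: a side that inserts guessed identifiers into its own set can test membership one guess at a time, which is one reason real deployments add auditing and rate limits around such a computation.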

Withstanding early tests — Technically speaking, there have been no significant objections to Mayer’s work, which he published in a peer-reviewed scientific publication last year.

He’s also begun to win support from the PCLOB, which is in the closing stages of another report on Section 702.

“One of the best ways to understand the risk of incidental collection to U.S. persons is to have a sense of data contained through the authority,” Travis LeBlanc, a PCLOB board member who has already signaled his desire that the IC calculate statistics on incidental collection, told MC in an interview.

The Office of the Director of National Intelligence and the Attorney General’s office, which oversee Section 702, did not respond to requests for comments about whether they had reviewed Mayer’s work and, if not, whether they intended to.

Not foolproof — There is no guarantee the approach could be implemented at scale, or, even if the figure it produced were accurate, that the number would be meaningful. For example, data on U.S. persons can be collected when those located within the country are cooperating with terrorists or foreign spy agencies, making them legitimate targets of Section 702.

“It’s a misguided focus,” argued Glenn Gerstell, a former general counsel of the NSA. “The real question should be what are we going to do with the fact that we’ve got these Americans’ communications. Who’s looking at it, who sees it, what’s the context?”

“I haven’t heard anyone say that that methodology is wrong. Whether it’s going to get what people want out of it, I’m not sure,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.

Tien, who still supports Mayer’s initiative, argued that the country’s oversight problems run deeper. The fundamental problem is that the intelligence community is so opaque, yet it’s outsiders who are forced to devise oversight mechanisms for it.

It’s a little like “ask[ing] the customers to do the work of the restaurant,” he said.

Last word — For his part, Mayer acknowledged that the figure would not represent a silver bullet for 702 oversight.

Still, he argued it didn’t make sense to hold back because the outcome might be misconstrued by the public. Besides, he said, there’s no more fundamental safeguard for a powerful foreign intelligence program than ensuring it’s, well, foreign.

“That’s the whole ballgame,” said Mayer.

Industry Intel

STATE-BACKED EXCLUSION — Global cyber insurance markets are set for a shake-up, as a controversial and oft-misunderstood policy shift surrounding state-backed cyberattacks will start kicking into effect later this week.

The backstory — In August, the world’s largest insurance market, Lloyd’s of London, announced it would require standalone cyber insurance policies to introduce exclusions for damages stemming from debilitating state cyberattacks.

The policy, which comes into effect Friday, was meant to clear up ambiguity about how traditional insurance carve-outs for acts of war would apply in the digital world, where states constantly jockey for advantage.

It followed two high-profile court cases in which insurers argued they should not be liable for losses stemming from a widespread Russian cyberattack in part because the attack hobbled companies in countries not at war with Moscow.

Source of confusion — To a certain extent, the announcement had the opposite effect, said Joshua Motta, co-founder and CEO of cyber insurance firm Coalition.

Many interpreted it as a blanket exclusion for state-backed cyberattacks — a potentially enormous carve-out that would be difficult to litigate, since it can be hard to prove who was behind a cyberattack.

Getting it straight — In fact, said Motta, Lloyd’s new guidance sets a “pretty high bar” for the types of things insurers could weasel their way out of, only excluding the type of large-scale cyber events that few would expect insurers to pick up the bill on, anyway.

“I don’t think it’s accurate to call it a state-backed exclusion,” said Motta. “I think it’s more accurate to call it a catastrophic state-sponsored exclusion.”

Not backing away — Under the new policy, Motta said, insurers would even be made to cover incidents on the scale of the 2014 North Korean attack on Sony Pictures Entertainment, which cost the studio millions of dollars in damages.

That means businesses don’t have to be skittish about insurers pulling the cyber insurance rug out from under them.

“Lloyd’s, I believe, is still committed to continuing to provide a significant amount of capacity for cyber risks in the U.S. market,” said Motta.

China

A TAIWAN TRILEMMA — A Chinese invasion of Taiwan would present U.S. policymakers and cybersecurity officials with a painful tradeoff between defending troops and protecting civilians, says the organizer of a wargame put on for House Republicans two weekends ago.

The simulation, which took place during the GOP’s Orlando policy retreat, put U.S. lawmakers in the shoes of the secretary of Homeland Security in 2025, said Mark Montgomery, a senior director at the Foundation for Defense of Democracies and director of the CSC 2.0.

As Chinese naval and air forces stream across the Taiwan Strait, the simulation asked mock DHS chiefs to weigh three options, said Montgomery: surging cyber resources to protect military deployment efforts, keeping Chinese hackers from hitting key civilian infrastructure, or slowing disinformation efforts against U.S. residents.

Rock and a hard place — If the DHS secretary doesn’t allocate resources to the military, said Montgomery, the Chinese might be able to launch cyberattacks against U.S. air or seaports that delay the mobilization of American forces.

But if the secretary doesn’t defend U.S. critical infrastructure, the Chinese could cause “power, financial services or water disruptions” that cause havoc for civilians.

Not a fantasy? — Speaking at a closed-door media dinner last week, a senior U.S. defense official told reporters that China’s preparations for a future invasion of Taiwan extend to the cyber domain and are already underway.

“Things are going on in Taiwan that aren’t for intelligence gathering,” the official said, implying the Chinese are already laying groundwork for destructive attacks.

From problem to solution — To head off some of these challenges for future U.S. administrations, Montgomery said lawmakers should explore how the federal government can provide more rapid support to far-flung parts of the country.

That includes more incident response teams for CISA, new regional field offices for the cyber defense agency and better threat sharing mechanisms between the government and the private sector.

“We want to ensure we have the relationships, communication and the knowledge” to be able to identify and respond to concerted attacks against critical infrastructure, said Montgomery. “How fast are we really going to know that today? I don’t know,” he added.

Industry Intel

TECH FIRMS TEAM UP AGAINST CYBER MERCENARIES — A volunteer grouping of 150 large technology firms is unveiling a set of five principles to arrest the continued growth of the “hack-for-hire” industry, in which companies sell commercial spyware or offensive hacking capabilities. The principles, announced today by the Cybersecurity Tech Accord, include steps like raising cybersecurity awareness among the public and combating tech products or services that harm people. Signatories include Microsoft, Meta and Trend Micro.

People on the Move

Katy Montgomery is now EVP and chief client officer at Adfero. She previously was EVP for corporate affairs and comms at Cyber Defense Labs.

Tweet of the Weekend

Groundbreaking new way to assess large language models:

Quick Bytes

— In Ukraine, Russian forces are learning how to locate and jam operators of Starlink satellites. (Defense One)

— After some initial resistance, the Defense Department is learning to love ethical hacking programs. (The Record)

— The FBI and CISA are investigating a cyberattack against Puerto Rico’s water authority. (The Record)

— DOJ announces charges against the administrator of Breached, a notorious cybercriminal marketplace. (The Record)

Chat soon.

Stay in touch with the whole team: Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).