As cybercrime and cybersecurity threats have become increasingly pressing issues both domestically and abroad, Congressional action plays a critical role in the future of U.S. national security in the cyber domain. Representative Eric Swalwell (D-CA) represents California’s 15th congressional district in the U.S. House of Representatives, where he serves on the House Permanent Select Committee on Intelligence, the Committee on Science, Space, and Technology, and subcommittees on energy, research and technology, and the CIA. The freshman congressman and former prosecutor sat down with the Georgetown Journal of International Affairs to discuss recent Congressional action on cyber, U.S. strategy in the cyber domain, and cybersecurity issues stemming from the intersection of law and technology.
GJIA: How can the United States operate best under the current structure of international agreements that pertain to cybercrime, specifically the Budapest Convention on Cybercrime? Do you think that structure is effective, or would re-hauling it better serve U.S. national security interests in the cyber domain?
ES: My concern is, and speaking primarily as a former prosecutor, right now I think there is little deterrent for cybercriminals outside of the United States. What I mean is the nonstate actors. You have countries that are funding cyber activities. Sometimes that is espionage, stealing state secrets, being disruptive, trying to test networks, et cetera. What I’m talking about is a cybercriminal not affiliated with the state that is primarily interested in stealing money, wreaking havoc on networks like a utility grid, or stealing personal information for extortion.
The problem is that if it happens outside the United States, and it’s not a country that we have great extradition policies with or liaison relationships like Canada, Britain, or countries that we cooperate a lot with on police matters, if it happened with Russia, Ukraine, or other Eastern European countries where the relationship is more tenuous, it is very hard to do anything about it. We can identify where the attack or theft has come from, but if you don’t have willing partners in those third party countries, you can’t deter people. Until people pay an actual criminal price for what they’re doing, you’re not going to see a reduction. You will see an escalation as generations become more familiar with electronics and have the capacity and gall, because they’re not deterred. That’s what I think the biggest challenge is.
Even if we couldn’t find a way to work with Russia on regional security on issues like Ukraine, or with what’s going on in Syria in the Middle East, even if we have these long-standing deep issues with Russia, I think it would be in both countries’ interests to find ways on this issue alone to work together. Russia probably would like to know if it has non-state cyber criminals in its country, and of course it would help the United States to extradite these individuals and prosecute them. I would like to see trying to use cybercrime as an opportunity to build relationships with countries we haven’t necessarily been able to work with as well.
There’s no real penalty for it at this time. In the United States, if you have a domestic case, it is quite difficult to prosecute a cybercriminal. I remember when I would get an identity theft case, you would get hundreds of pages and it would take weeks to put together these cases. It’s very hard to prove, so law enforcement may not make it much of a priority because it is such an undertaking, given the nature of the evidence.
GJIA: Is the Mutual Legal Assistance Treaty (MLAT) process an efficient system for obtaining evidence from international counterparts? Since the MLAT process is particularly relevant in the recent Microsoft Ireland case, do you think the MLAT process should be reformed or remain as-is?
ES: What we want to have in place is a system that prevents trade secrets from being stolen from U.S. companies, and also promises that our country is not engaging in that and will cooperate with other countries if they suspect that is happening by U.S. businesses. Having the assurance that if we believe an actor or company in a foreign country is trying to steal trade secrets, that country will cooperate with us, not tolerate that behavior, work with us to prosecute that case, and vice versa. The United States, if presented with evidence that it was conducting such behavior, would not tolerate that either.
The Cybersecurity Information Sharing Act of 2015 (CISA) passed unanimously out of the Intelligence Committee and with over 350 votes on the floor, and then it was incorporated into the most recent omnibus package. That was a good indicator that we can work together on these cybersecurity issues in a bipartisan way, and I point to that as something that gives me hope. When it comes to issues of importance and national security, and financial security is on the line, Republicans and Democrats can work together. CISA is a voluntary program, meaning that it’s not compulsory. It doesn’t require businesses to turn over any threats but it says that if you want help from the government, we have a lot of resources. If you want help from the government, we now have a process in place and can get assistance. That gives me hope that we can work in a bipartisan way.
GJIA: Do you think bipartisan cooperation on cyber issues will continue?
ES: Yes, I think also that knowing these attacks that take place on sites like .mil or .gov sites, they take place because of poor cyber hygiene. Making sure that we continue to have standards of cyber hygiene is important. That can protect our financial health as well as personal records.
GJIA: Do you think individual companies are sufficiently motivated to participate in this program as of now? What would encourage that?
ES: I think to encourage additional participation it would be wise to have best-practice standards, especially for federal contractors and vendors. It would be hard to find a Fortune 500 company, just to start there, that doesn’t have a federal contract or isn’t doing some business in some way for the government. They have some percentage of their work done with the federal government. Others can say, “Look, we want to give you the work, but we need to have you implementing best practices as far as cyber hygiene.” That is one way to incentivize good behavior by awarding these contracts.
GJIA: Since there is so much information online already and people may be wary of releasing more information, how do you think it is best to balance privacy and security in cyberspace?
ES: We have two-point validation requirements on a lot of the private industry. I think having that dual scrubbing of personal identifying information that we put into CISA is a way to scrub that information from private entity to government. And then before the receiving agency sends it off to the respective agency that examines the threat information is protected through that dual scrubbing or multifactor authentication. Taking out the PII ensures that the zeros and the ones of the threat are being shared, and not personal information that would compromise privacy. Additionally, having civil legal recourse options in place that protect someone and make sure that if people feel like their privacy has been breached, they have recourse. CISA does have that. It does not immunize the government, it does not immunize the company if that concern occurs, which was important and something that a lot of outside groups that work in the area of litigation wanted as a legal recourse.
GJIA: How do you think the courts can catch up to all of the concerns that technological innovation brings? The courts have a lot of backlog, understandably, and of course due diligence is extremely important but how can the process be made more efficient?
ES: Our courts across the country still largely use paper filings and paper files. Our court system in Alameda County [California] is undergoing a transformative process where they are taking every paper filing and, by August, everything will be online. Every filing, every appearance in court, every record of a criminal and civil case will all be online. That’s not going to be comfortable for judges, lawyers, and clerks who are used to the paper system, but I think if in your daily practices you’re using technology to do your job, that makes it easier when the substance of the cases that come before the court also involves technology. That is the first thing we can do. We’ve done that in the medical field with the electronic medical record requirements that were put into the Affordable Care Act to take doctors away from paper records and move to electronic records, so that we could share patient records among different hospitals and providers more easily. It would behoove the courts to do the same.
Congressman Eric Swalwell has represented California’s 15th congressional district in the U.S. House of Representatives since 2013. He was interviewed by Donna V. Artusy, a graduate student at Georgetown University’s School of Foreign Service, on 6 July 2016 at the Cannon House Office Building in Washington, D.C. The interview has been lightly edited for clarity.