On Cybersecurity Laws – and Their Interpretations
Oleg Abdurashitov, Head of Public Affairs, APAC
"Our focus is not on the country of origin, or the company, but it’s about what is the rule of law under which that product is potentially subject to.” – Chris Krebs, Head of the DHS’s Cybersecurity and Infrastructure Security Agency
Today, comparative law scholars generally agree that laws and legislation are not born out of a universal blueprint; they are instead complex products of specific legal cultures and environments they are brought into[i].
This is why interpreting a country’s laws is not a linear comparison exercise – especially when dealing with complex and relatively new issues such as cybersecurity. The written laws of any country are not aimed at external audiences – hence, for an outsider, a deeper understanding of domestic context is essential to fully grasp the implications of cybersecurity or data protection laws, and the reasons why they were introduced.
It is helpful that some countries’ legal and political cultures allow having consultations among broad audiences regarding upcoming laws and regulations. Other states tend to discuss security-related aspects behind closed doors, allowing only limited engagement of selected domestic players – or none at all. Policy professionals would instinctively prefer the former to the latter, but in reality f whether these consultations take place, what their outcomes are, or what the parties think of them may not have any significant impact on the actual policy.
Let’s conduct a little thought experiment here.
Despite industry’s vocal criticism, Country X introduces a new anti-encryption law that a security agency has lobbied for. The new law allows security agencies unprecedented access to data assets of all technology companies, requires vendors to enable selective disablement of data protection mechanisms on targeted equipment, compels employees to install snooping devices or spyware on their company’s networks and products, and even threatens prison terms for anyone who does not keep these activities secret – from the public or even their own supervisor.
In the meantime, Country Z holds several rounds of public consultations on its upcoming cybersecurity law. After receiving feedback from large international business associations and local businesses, the government’s security agencies agree to remove some requirements (such as a mandatory local office), soften their approach regarding others (such as mandatory data localization), clarify their position on what infrastructure it deems critical, and currently continue to engage international business in dialogue on the actual implementation of this new law.
Which one of those two countries you would consider to be democratic and which one sounds more like a one-party state?
Cybersecurity legislation usually is not a black-and-white matter of democratic systems vs. non-democratic ones. For instance, both the Australian tech industry and its civil society believe that they were not properly consulted with on the implications of the far-reaching Assistance and Access Act[ii], while Chinese internet giants may have in fact helped push back the most contentious restrictions of the much criticized Chinese Cybersecurity Law[iii].
It would make little sense to discuss the Chinese Cyber Security Law, the Australian Assistance and Access Act, Russian SORM package, or any other similar legislation around the world without a deeper knowledge of the inner workings of the respective countries’ political, legal and judicial systems; of the interplay between their internet businesses, users and regulators; of domestic data governance practices and cultures; and without studying the broader sociopolitical context. Some or all of these actual practices might be opaque, controversial, contextual, and even not entirely visible to an external observer – and it often takes a lifetime of study to understand them properly.
It is thus not surprising that among the many commentators on cybersecurity legislation there are very few actual experts – they’re a rare breed; also, their articles rarely make catchy headlines of the ‘us against them’ type. What we see in the policy-making field – at least in public – is, unfortunately, neither rigorous expert debate, nor genuine effort to understand the nuances of the cybersecurity regulation of other countries.
When a top-ranking US official says that ‘the problem lies with foreign tech companies that are subject to government demands without the visibility or appeal process that exists in the United States[iv]’ – he is likely seeking justification of a political decision, not an understanding of foreign realities. This position does not suggest that there are numerous avenues for companies across the globe to protect their turf from governments’ interference, address their concerns to regulators, and appeal government decisions – even if the process does not look like the one in the US. More specifically, this public position downplays the fact that even deciding whether a company is subject to specific legislation is not always as straightforward as it may seem, as Dr. Kaj Hober’s analysis of Kaspersky’s legal obligations in Russia has amply demonstrated[v].
As we have long argued, there should be better ways to assess the risk profile of a global technology supplier than the country of its origin – and our continuous efforts in our Transparency Initiative are one example of this approach. Unfortunately, when a country’s legal system is deemed a threat in its own right – especially when it conveniently fits the current geopolitical narrative – there is very little room for constructive expert dialogue and debate.
PS: For those who were wondering: Country X is Australia, and Country Z) is the Socialist Republic of Vietnam. Kaspersky has been engaged in consultations on legislation in both countries.
[i] The Enduring Connections Between Law and Culture: Reviewing Lawrence Rosen, Law as Culture, and Oscar Chase, Law, Culture, and Ritual. Paul Schiff Berman, George Washington University Law School, 2009.
[ii] “It’s faux democracy”: Decryption bill backlash continues. Edward Pollitt, Australia Computer Society, October 23, 2018.
[iii] Testimony of Samm Sacks, Cybersecurity Policy and China Digital Economy Fellow to the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Security. New America
March 7, 2019.
[iv] DHS official sounds alarm on authoritarian states ‘operationalizing their tech sectors’. Sean Lyngaas, Cyberscoop, April 5, 2019.
[v] Report of Prof. Dr. Kaj Hober. January 31, 2019.