top of page

New Executive Order 14117: "Safeguarding Americans' Sensitive Data"

Writer's picture: Keith PachulskiKeith Pachulski


In February 2024, President Biden introduced Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The primary aim of this order is to prevent hostile nations from obtaining sensitive data about U.S. citizens that could be used to undermine national security. This includes data that can be exploited by foreign adversaries—often referred to as “countries of concern”—such as China, Russia, Iran, North Korea, and other identified nations.


At the surface, this executive order might appear to be a knee-jerk reaction to the increasing sources of cyberattacks and the exfiltration of sensitive data to these adversarial nations. With ongoing reports of major breaches involving foreign entities—particularly state-sponsored actors—the order seems aimed at controlling a rapidly growing issue of data theft by legally restricting the transfer of sensitive information. Countries like China and Russia, with their robust cyber espionage efforts, have been accused of leveraging stolen data to undermine U.S. interests. The sheer scale of these attacks has likely influenced the decision to enact this order, which is a defensive response to the expanding capabilities of these foreign adversaries to utilize digital dossiers against U.S. citizens​


The executive order was born out of concerns regarding the growing sophistication of computing technology, particularly artificial intelligence and big data analytics, which adversarial countries use to gather detailed personal profiles on U.S. individuals. This information could be used for blackmail, cyber espionage, or other national security threats. Executive Order 14117 seeks to limit foreign access to such information by controlling the transfer of certain types of data and imposing regulations on the entities that manage this data.


Key Points of Executive Order 14117


Executive Order 14117 identifies specific countries that have engaged in behavior deemed harmful to U.S. national security. It outlines categories of sensitive personal data, which includes personal identifiers, geolocation information, financial data, biometric records, and health information. The order seeks to prevent adversarial intelligence agencies from compiling detailed profiles of U.S. citizens.


The executive order also introduces a framework that distinguishes between prohibited and restricted transactions involving sensitive data. Prohibited transactions, such as the sale of bulk human genomic data, are completely banned. Meanwhile, restricted transactions, such as vendor agreements involving cloud services, are allowed but only under stringent data security conditions, which are yet to be fully developed by the Department of Homeland Security.


Various government bodies, such as the DOJ and DHS, are responsible for enforcing this order and setting up a licensing system for restricted data transfers. These agencies will ensure compliance, impose due-diligence requirements, and monitor data-related transactions. Despite these regulations, the order does not impose data localization requirements, allowing businesses to continue cross-border data exchanges as long as they meet the national security standards outlined.


Comparison to USC 18 Laws on Computer Crime


While Executive Order 14117 addresses data transfers and potential national security threats posed by foreign actors, the U.S. Code (USC) Title 18 laws on computer crime primarily focus on criminal acts related to computers, such as unauthorized access, hacking, and fraud. Specifically, 18 U.S.C. § 1030, also known as the Computer Fraud and Abuse Act (CFAA), deals with prosecuting malicious cyber activity. The primary distinction is that while the executive order focuses on preventing legal transactions from jeopardizing U.S. data, USC 18 addresses illegal cyber activities.


Executive Order 14117 is proactive and preventative, aiming to control sensitive data flows to known adversaries before they become a threat. On the other hand, USC 18 deals with prosecuting cybercriminals who violate the law by hacking into systems or causing damage. The two approaches, therefore, complement each other, with one focusing on restricting foreign access to sensitive data through lawful channels and the other addressing criminal activities within cyberspace.


Strengths and Weaknesses of Executive Order 14117


One of the strengths of Executive Order 14117 is its focus on national security by directly addressing data transfers that could compromise U.S. interests. By targeting sensitive personal data such as biometric information, financial records, and health data, the order tries to prevent hostile foreign nations from acquiring information that could be used against U.S. citizens. Another strength is the introduction of security measures, such as data masking and encryption, to enhance protections for restricted transactions.


However, the order has some notable weaknesses. First, it is limited in scope because it only regulates legal data transfers, primarily targeting business transactions involving sensitive information. It does not address illegal data breaches, hacking, or cyber espionage, which are arguably more pressing concerns in the current cyber landscape. Secondly, the order does not require data to be stored in the U.S., which could allow foreign entities to access this information in other legal ways.


Additionally, the focus on only "countries of concern" leaves gaps in protection, as emerging threats from non-state actors or other countries may not be addressed under the current framework. The fact that the executive order mainly controls known adversarial nations means its scope is narrower than the globalized nature of cyber threats demands.


Opinion: Limited Value in the Executive Order's Approach


While the executive order is well-intentioned, its effectiveness may be limited by its focus on controlling legal data transfers to foreign adversaries. In a world where cybercrime, hacking, and illicit data breaches are rampant, this executive order seems more like a stopgap measure. By focusing on regulating lawful business transactions rather than the real threats posed by illegal cyber activities, the order might not fully address the pressing concerns of cybersecurity.

Although it is designed to limit the access of known hostile nations to U.S. citizens' sensitive data, the executive order could be viewed as insufficient in curbing the growing global cybersecurity threats that go beyond just legal transactions. To provide a meaningful impact, future regulations or laws will need to address more aggressive and covert means by which foreign adversaries gain access to U.S. data.


While Executive Order 14117 provides some protections against the misuse of sensitive data by foreign adversaries, its overall impact may be minimal due to its focus on legal data transactions. Without stronger measures against cyber espionage, hacking, and illicit data access, its value in preventing national security risks could be limited.




4 views0 comments

Comments


bottom of page