In a new post on the Inside Tech Media blog, our colleagues discuss the “Quantum Computing Cybersecurity Preparedness Act,” which President Biden signed into law in the final days of 2022. The Act recognizes that current encryption protocols used by the federal government might one day be vulnerable to
Continue Reading President Biden Signs Quantum Computing Cybersecurity Preparedness ActAlexander Berengaut
Alex Berengaut is a nationally recognized litigator and co-chair of Covington’s Government Litigation practice group. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters relating to data privacy, platform liability, artificial intelligence, and cybersecurity.
In recent years, Alex obtained a series of landmark victories against the federal government in bet-the-company disputes for technology clients. Alex represented TikTok in challenging the Trump Administration’s efforts to ban the app, delivering the winning argument that led the court to enjoin the ban hours before it was set to take effect. He also represented Xiaomi Corporation in challenging the Department of Defense designation that would have blacklisted the company from U.S. financial markets, delivering the winning argument that led the court to enjoin the designation, restoring $10 billion to Xiaomi’s market capitalization.
At the state level, Alex has successfully challenged unconstitutional state legislation and defended against state consumer protection actions. He obtained an injunction blocking Montana’s law banning the TikTok platform, and he secured the outright dismissal of multiple State AG consumer protection lawsuits relating to data privacy and security—a string of victories which resulted in Alex being recognized as Litigator of the Week.
Alex has served as counsel to Microsoft Corporation in precedent-setting cases involving government surveillance issues, including Microsoft’s landmark challenge to the government’s attempt to compel disclosure of customer emails stored in Ireland using a search warrant; Microsoft’s First Amendment challenge in the Foreign Intelligence Surveillance Court to restrictions on disclosures about government surveillance; and Microsoft’s constitutional challenge to the statute that allows courts to impose gag orders on technology companies, resulting in nationwide reform of the government’s practices under the statute.
Alex maintains an active pro bono practice, focusing on trial-level indigent criminal defense and youth immigration matters. From 2017 to 2020, Alex represented the University of California in challenging the Trump Administration’s rescission of the Deferred Action for Childhood Arrivals (DACA) program, ultimately resulting in a 5-4 victory in the U.S. Supreme Court. See Department of Homeland Security, et al. v. Regents of the University of California et al., 140 S. Ct. 1891 (2020).
The Supreme Court Denies Certiorari in American Civil Liberties Union v. United States
On November 1, 2021, the Supreme Court denied a petition for a writ of certiorari in American Civil Liberties Union v. United States. In its petition, the American Civil Liberties Union (ACLU) sought the Supreme Court’s review of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence…
Continue Reading The Supreme Court Denies Certiorari in American Civil Liberties Union v. United States
U.S. and U.K. Sign CLOUD Act Agreement
Litigation Options For Post-Cyberattack ‘Active Defense’
In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]
There has been significant debate on whether the types of “self-help” measures that the ACDC expressly authorizes — sometimes referred to as “active defense” — are currently prohibited by the CFAA. While no court has yet ruled on the issue, several commentators (and the U.S. Department of Justice) have long argued that because the CFAA prohibits accessing computers without “authorization,” cyberattack victims expose themselves to criminal liability if they venture outside their network to unmask an attacker and disrupt, disable or destroy the attacker’s system.[4] The purpose of the ACDC is to reduce legal uncertainty by, in effect, providing a statutory safe harbor for victims of cyberattacks to “hack back” — under the right circumstances, and subject to limitations.
In addition to the legal question of whether active defense is currently barred by the CFAA, the desirability of active defense as a policy matter has also been debated. Advocates of the ACDC have argued that companies, no matter how sophisticated their preventive cyber defenses, continue to suffer major breaches, and that the number of cyberattacks far exceeds the government’s ability to identify and prosecute criminals. They argue that in a lopsided cyber battlefield, victims need additional tools to actively respond to ongoing attacks. In critics’ view, however, the bill will promote cyber-vigilantism by victims who are overeager to aggressively strike back at cyber intruders and thieves — thereby creating tit-for-tat patterns of retribution and a significant risk of collateral damage to innocent third-party computer systems.
While the legal and policy debates raised by the ACDC are important, they often overlook the fact that victims of hostile cyber activity may already be able to avail themselves of the judicial process to lawfully engage in the types of “active defense” measures that the ACDC would expressly authorize. Several such techniques of “active defense through litigation” are relatively well-established; others are untested. Because active defense through litigation necessarily involves the judicial process, moreover, it can be relatively time-consuming (particularly in comparison with the more immediate responsive measures contemplated by the ACDC). Although courts can provide certain forms of expedited relief in a matter of days or even less, this time frame may be prohibitive in some cases. Nevertheless, for victims of cyberattacks that are weighing an active response, it may be worth considering one or more of these options.
The most established and typical form of active defense through litigation is using third-party discovery to obtain information about the perpetrators of a cyber-intrusion and, potentially, establishing “attribution” of the culprit. In Liberty Media Holdings LLC v. Does 1-59, for example, hackers unlawfully accessed copyrighted materials on a company’s protected website.[5] The company brought suit against the unknown culprits — named “John Does” in the complaint — for violating the CFAA, the Electronic Communications Privacy Act and the Copyright Act.[6] It then provided the court with the internet protocol addresses of each defendant.[7] The court granted the company’s motion that it be allowed to serve subpoenas on the defendants’ internet service providers and cable providers to compel them to “produce all documents and/or information sufficient to identify the users of the IP addresses.”[8]
Continue Reading Litigation Options For Post-Cyberattack ‘Active Defense’
CLOUD Act Creates New Framework for Cross-Border Data Access
…
Continue Reading CLOUD Act Creates New Framework for Cross-Border Data Access