This paper is the second in a series on technology policy through the lens of national security, published in partnership with the Mossavar-Rahmani Center for Business and Government at the Harvard Kennedy School. Read the first paper on the digital advertising ecosystem here.

Executive Summary

The permissive and sector-based data governance laws that have shaped technological innovation in the United States have constituted both a tremendous boon to U.S. innovation and a growing vulnerability in our national security. Authoritarian states, like Russia and especially China, have made control over data, both domestic and foreign, a centerpiece of their global strategies. The EU has approached data very differently, adopting the General Data Protection Regulation (GDPR) to establish rules governing firms that use the data of European citizens. The United States’ approach has so far been piecemeal, but the very openness that has been an engine of U.S. technological development is also increasingly weaponized by authoritarian powers who see advantage or opportunity in the control and abuse of Americans’ data.

To meet this threat, the U.S. government will need to adopt reforms to its regulatory approach that guarantee privacy and data integrity while also preserving the openness that facilitates experimentation and innovation. Important regulation has taken place on the state level, as state governments like California and Virginia have refused to wait for federal authorities to act. The following proposals breakdown the data governance challenges into five actionable steps that Congress and the administration can take at the federal level to improve U.S. national security, while protecting user data and providing a predictable and manageable regulatory regime for industry.


Proposal 1. Require third-party data brokers to register with the FTC (or a newly established data protection authority), pay annual registration fees to fund enforcement, disclose ties to foreign governments and corporations, and establish limits on the types of data that can be sold to third parties without explicit user consent. 

Data brokers gather users’ information into datasets that have commercial value to their clients. But this data can also frequently be of value to foreign intelligence services, as well as malign non-state actors. Though firms are barred from selling to such groups directly, bad actors use straw-purchasers and intermediaries with impunity because the market remains unregulated. Requiring FTC or other registration would be a strong first step to protect the integrity of Americans’ data.

Proposal 2. Limit the acquisition and sale of biometric and genomic data (e.g., facial recognition images, fingerprints, DNA) to exclude certain covered foreign entities.

Certain individually identifying and immutable biometric data, including facial structure/mapping, DNA, and fingerprints, are so fundamentally sensitive as to be worthy of special scrutiny when regulating the use, sale, and storage of data. Authoritarian states have placed a high premium on such data because of its value to the tools and tactics of authoritarian social control. The U.S. owes it to its citizens and residents to protect this data, and to require firms operating in the U.S. to do the same. This means preventing the sale or transfer of biometric data to foreign entities likely to abuse it for violations of rights and civil liberties.

Proposal 3. Require more of companies that amass citizen data by tying cybersecurity requirements to the amount and type of data collected, processed, or stored.

Preserving an innovative environment while improving security can be aided by developing a tiered approach to data regulation that requires higher standards of firms dealing with larger quantities of data. Such an approach permits experimentation and development while incentivizing firms to build data security into their growth plans.

Proposal 4. Pass a small business cybersecurity tax credit.

Such a tax credit would incentivize firms to invest in cybersecurity from the beginning, making them more likely to make it a priority as they grow, and spur growth in a critically important cybersecurity market.

Proposal 5. Require companies to notify a federal authority, such as CISA, of a breach, including the type of incident, soon after the company became aware of the intrusion.

Current law, at the state level, only requires firms that have suffered a data breach to alert authorities if the breach compromised personally identifying information (PII). This means that many incidents, some of national security interest to the United States, go unexamined by investigators, researchers, and regulators. To establish a clear threat picture of authoritarian cyber actors and incidents, notification for data breaches beyond those containing PII is needed.