By CHHS Extern Cailey Duffy

On September 30^th, the U.S. Court of Appeals for the District of Columbia allowed a stay of the September 16^th ruling in Huisha-Huisha v. Mayorkas. Circuit judges Rogers, Millett, and Katsas allowed the Biden administration to continue enforcing the Title 42 order while their appeal is in progress. Title 42 was issued under former president Trump in March 2020. It allows the government to prevent certain individuals from entering the U.S. during public health emergencies. Former President Trump cited the coronavirus pandemic as a reason to expel migrants attempting to enter the United States. President Biden has continued this order, deporting over 900,000 migrants, and rationalizing it as a preventative measure to keep detention centers from overflowing during the pandemic. To combat the order, the ACLU filed a preliminary injunction in U.S. District Court, arguing that individuals at the border should be allowed to seek asylum under U.S. law. On September 16^th, the injunction was granted.

In his opinion in Huisha-Huisha, Judge Sullivan ruled that Congress is not authorized to expel migrants under Title 42 – it is only allowed to limit who enters. He held the plaintiffs had shown they were likely to suffer irreparable harm as a result of deportation, as many would have to return to violent and unsafe home countries. Furthermore, he argued that the migration would not likely affect coronavirus rates, due to the wide availability of testing and vaccines. The injunction did not prevent the expulsion of single adults, so many individuals were still left with no choice but to be returned to their previous country of residence. The Biden administration appealed, and the appeal was granted. The administration cites the need for the Title 42 order as preventing a surge of migrant families that the nation is unable to handle given the current pandemic. They worry that an influx of migrants would lead to higher rates of COVID-19. However, the administration has not provided evidence that this would actually be the case.

Biden is under pressure from the Republican Party to crack down on migration due to the increasing number of arrests at the border. His critics believe that reversal of former president Trump’s immigration policies has led to an uptick in migration. However, it is more likely this increase in migration is due to political turmoil and food insecurity in nations like El Salvador, Guatemala, and Haiti. While Biden’s administration has exempted unaccompanied children from the Title 42 deportations and is trying to be more lenient with families at the border, many are concerned that the continuance of Title 42 in any capacity contradicts Biden’s campaign promises of a more humane approach to immigration. Biden is surely in a difficult spot, caught between Democratic critics of the Title 42 order and republican critics of his immigration reform. However, categorizing migration as a public health threat is not only speculative, but creates serious humanitarian concerns.

By CHHS Extern Mike Rovetto

A few weeks ago, multiple news agencies covered a memo President Biden’s administration released calling on private business entities to do more against the threat of ransomware and to “better understand [their] critical role”. While the President’s Executive Order is a good first step in fixing the nation’s cybersecurity problem, the E.O. does not go far enough for the simple fact that it only affects federal agencies and government contractors with active government contracts.

The U.S. approaches cybersecurity much in the way it does other regulatory matters, in a laissez faire manner that focuses more on self-regulation. In a cybersecurity self-regulatory scheme, an industry is expected to “police themselves” and set standards for how best to protect their cyber-infrastructure. Proponents of this approach argue that self-regulation is the best practice because the industry itself is the best entity to determine what vulnerabilities the industry has. If the past year has shown us anything, it should show that the self-regulation of the cyber world lacks the necessary security proponents argue comes from industry expertise. The city of Baltimore was attacked with ransomware. Public reports of the attack stated the cost to the city was over $18 million to restore services, such as payment processing for utility bills, basic email communications, and critical emergency systems like 911. Last year, reports began surfacing of a security breach within the State Department. It was revealed that SolarWinds, a government IT contractor who specializes in providing software for supporting IT infrastructure, was hacked by Russian nationals who inserted malicious code into software that allowed the hackers to “hide in plain sight” and appear as legitimate network traffic. Ultimately the SolarWinds hack has affected dozens of federal and state agencies as well as private enterprises who downloaded the infected software. The hack compromised systems and allowed the hackers to steal information such as FireEye’s hacking tools that they use to test client’s security. And this past March, Microsoft, one of the largest software companies in the world, suffered a data breach in their Microsoft Exchange Server Platform which hosts entities ranging from police departments to credit unions. The attack saw over 30,000 organizations which represent and/or holds data for millions of people across the country, have private email communications stolen. Victims of the hack include law firms, infectious disease experts, defense contractors, and higher education intuitions.

Recently the District of Columbia Metropolitan Police Department was the victim of a major data breach. An attack on the Department’s IT servers saw dozens of private personnel files, including home addresses, cellphone numbers, and more released by hackers after payment demands were refused. Just last month, the group responsible released raw intelligence related to everything from the Jan. 6 riots to intelligence on criminal activity. The hacking group  In Florida, in what might be the first active cyberterrorist attack on U.S. soil that could cost American lives, hackers were able to access a water treatment facility command and control system and attempted to poison an entire city’s water supply. Finally, in two back-to-back attacks on major critical infrastructure, major portions of the country were severely disrupted. The Colonial Pipeline attack saw gas shortages for weeks that disrupted the entire East Coast. In that case, a ransomware attack locked down a critical pipeline that feeds gas from New Jersey to Texas and touches nearly every state in-between. If that wasn’t enough, the most recent attack on the nation’s critical infrastructure, this time an attack on our nation’s food supply, should be. In that attack, criminal groups related to Russia forced a shutdown of one of our nation’s largest meat suppliers.

To sum, we have three major metropolitan areas, one critical federal agency, two critical infrastructure sectors, with about eleven states and millions of people affected by some type of cybersecurity attack. And for all but one, that is just within the last eight months. Self-regulation cannot fix this. Experts from both the private and public sectors agree on this. Microsoft President stated before Congress “We need to impose a clear, consistent disclosure obligation on the private sector”. Chairman Richard Glick of the Federal Energy Regulatory Commission response to the Colonial Pipeline attack highlights the issue completely “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors”. If self-regulation were capable of meeting this threat, the Department of Homeland Security would not be issuing new regulations for pipeline security measures.

What is clear from the evidence over the last two years is that self-regulation in the cybersecurity and data privacy realm is failing. Leaders from across multiple sectors have called on the government to provide leadership in this area and establish standards that companies must abide by. While there has been some action in the last few months, President Biden’s Executive Order, the President’s appointment of an a National Cyber Director, and DHS’s move to regulate pipeline security are excellent first steps, there are still massive shortcomings in the way cybersecurity is handled across a wide breadth of sectors in the United States. While the President’s E.O. is a good first step at the federal level, it does nothing to address infrastructure at the state level. Another question to ask is, does the E.O. affect business entities’ with non-government contracts (say Boeing’s commercial manufacturing)? Further, the E.O. does nothing for the thousands of other small-to-moderate sized businesses that store sensitive data that do not have government contracts at all. The U.S. needs to stop relying on business entities to police themselves and instead empower the most capable entity it can create with the ability to propose standards, regulate all cyber-related industries in the U.S., and enforce regulations like mandatory breach notification, encrypting all personal information, and requiring basic security measures like firewalls. When it’s your own industry base calling for regulations like mandatory breach notification, it’s past time to call for that same industry to do better.