The White House recently issued an executive order authorizing the attorney general to prevent the large-scale transfer of Americans’ sensitive personal data — such as health, geolocation and financial data, to countries of concern — including China and Russia.

Based on my experience as a former Department of Defense counterterrorism intelligence officer, this order is a welcome one. It reflects the shifting value and appeal to nation states of individual data, including data from small and medium-sized businesses.

The mere quantity of data has now taken on a quality all its own.

Big data is a hot commodity for bad actors

Big data has become a sought-after target for countries, as it can be used for blackmail, AI training and analysis, monitoring dissidents, identifying and tracking intelligence officers, medical research, among a multitude of other purposes.

While people often associate the nation-state acquisition of data with large data breaches, such as the 2015 Office of Personnel Management breach that resulted in the theft of personnel records and security clearance forms, the fact is, massive troves of sensitive data can be obtained through much easier commercial means.

A nation state does not need subterfuge or custom malware to acquire this data since companies collect and sell personal information to data brokers, which can then be resold again — all entirely legally — and end up in the possession of foreign military or intelligence services.

Even with small targets, value adds up

This new executive order reflects the reality that the cyberespionage attack surface for a country’s security and strategic interests no longer ends at a government’s or defense contractor’s sensitive computer networks. It now extends to every individual citizen.

While many people assume, and usually rightly so, that they are unlikely to be individually targeted by a foreign country for a cyberespionage operation, they may be neglecting the value of their personal data as part of a larger whole. 

It’s data that, when examined collectively, can unintentionally reveal useful strategic information.

This can include geolocation, financial data, medical or genetic information, or any other kind of sensitive information that could be used en masse to reveal valuable insights, such as the locations of sensitive sites (e.g., identifying areas where there is little geolocational data despite proximity to highways or parking lots) or to identify financial characteristics of individuals susceptible to blackmail or bribery.

The same is true for SMBs, which also frequently assume that they are unlikely to be the targets of cyberespionage operations.

True, SMBs have been called out as potential points of entry for attacks on much larger organizations, such as in the 2013 Target data breach, or as reflected in the recent government warning regarding the potential targeting of smaller companies to gain access to critical infrastructure.

However, the executive order also calls out another potential security concern: the targeting of these companies by countries of concern for investment, vendor and employment relationships for the purpose of gaining access to Americans’ data.

Why steal when you can buy?

This attack vector underscores the threat to sensitive data beyond the standard breach tactics. Rather, the new executive order charges the Departments of Justice and Homeland Security with setting “high security standards to prevent access by countries of concern to Americans’ data through other commercial means.” 

In short, to prevent foreign adversaries from collecting sensitive data through the acquisition of businesses or manipulation of business relationships. Why steal what you can easily buy?

This executive order will help protect U.S. citizens against this new reality in which nation-state cyberthreats pose a risk to everyone’s data, not just those individuals who are specifically targeted.

We can expect to see more on the executive order as it is implemented, and as further details are released.

In the meantime, the executive order presents a reminder that we should all consider ourselves (and our data) potential targets on a much wider scale than just cybercrime — and take the right steps, such as being mindful of where and with whom you share your personal data to protect ourselves, and our businesses, accordingly.