from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: February 10, 2017

February 10, 2017

Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. Ireland vs. Facebook. U.S.-EU data transfer mechanisms came under renewed fire this week as the Irish Data Protection Commissioner challenged the validity of Facebook’s model contracts, arguing that the European Union’s top court should review them. Model contracts are common legal agreements used by thousands of firms that ensure European privacy regulations are met during the transatlantic transfer of EU citizens’ personal data. The model contracts are one of three transfer mechanisms, the other two being binding corporate rules and the much-vaunted Privacy Shield. The data protection commissioners of all EU member states are slated to review the effectiveness of the Privacy Shield later this year. Combined with EU skepticism of the Trump administration, it is entirely possible that the two most prominent transatlantic transfer mechanisms fall apart this year.

2. China establishes review commission for foreign tech. Earlier this week, China’s internet regulators moved to create a cybersecurity review commission to vet all foreign technology before it is used in government or critical sectors such as finance, energy, and telecommunications. The commission makes good on a goal of China’s controversial cybersecurity law, which is to ensure technology is “secure and controllable,” especially when used in government. Although the law formulates much-needed national cybersecurity standards, critics say the Chinese government is closing itself off from foreign technology. Responding to criticism, government scholar Qin An argued in People’s Daily that reviewing foreign technology before it is used in critical sectors is the “standard configuration” in most advanced countries. However, foreign firms worry that the Chinese government’s extensive list of sectors that fall under “critical information infrastructure” will seriously disadvantage their products in the Chinese market.

3. Introducing Tallinn 2.0. The NATO Cooperative Cyber Defense Center of Excellence launched the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The manual sets out what international law applies to state actions in cyberspace that fall below the threshold of an armed conflict. That stands in contrast to the first Tallinn manual, released in 2013, which identified the rules that bound state action in cyberspace during an armed conflict. Both efforts, led by Michael Schmitt and sponsored by the government of the Netherlands, give states a sense of what cyber operations they can legally carry out in peacetime and during a time of conflict. Schmitt provides more detail over at Just Security. Over at Lawfare, Andrew Keane Woods applauds the effort but wonders whether it makes sense to build a manual around a concept of sovereignty that no longer makes sense in the digital era.

4. Seriously, no one saw him walk out with the crown jewels over the course of twenty years? A grand jury indicted former National Security Agency (NSA) contractor Harold Martin on over twenty criminal counts of willful retention of highly sensitive national defense information. The documents found in his home and car include classified materials from U.S. Cyber Command, the Central Intelligence Agency, the NSA, and the National Reconnaissance Office taken between 1996 and 2016. One rumor circulating online is that Martin may have stolen up to 75 percent of the tools and software used by Tailored Access Operations, the NSA’s elite hackers. Martin is expected to appear before a federal grand jury in Maryland next week.

5. Hand it over, Google. A U.S. judge has ordered Google to turn over customer emails stored on foreign servers in compliance with a search warrant pertaining to domestic fraud. The order is noteworthy because it directly contradicts a previous and nearly identical order that Microsoft was able to successfully reverse on appeal late last year.