Cyber Week in Review: June 24, 2016
Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
1. No, that FireEye report isn’t proof the China-U.S. cyber espionage deal is working. This week, FireEye reported it has observed a precipitous decline in Chinese state-sponsored cyber activity since mid-2014. The cybersecurity company attributes the decline in network compromises to a number of factors, including increased scrutiny on Chinese cyber activity (for which FireEye pats itself on the back), President Xi’s military reforms and anti-corruption campaign, and U.S. pressure such as the 2014 indictments and the threat of sanctions. There are also other plausible explanations for the decline that the report does not mention, such as the Chinese refining their tradecraft to avoid FireEye’s detection or being more selective in their targets, or targets of Chinese attacks having improved their defenses. The report does not establish causality between the decline and the China-U.S. pact against cyber-enabled espionage for commercial gain, given that the decline began in 2014, not 2015 when Presidents Obama and Xi struck the deal. In any case, more data would be required to establish causality between the decline and the deal, namely evidence that the Chinese espionage was helping Chinese companies gain a commercial advantage over their foreign competitors. Simply showing that the Chinese hacked less wouldn’t cut it.
2. Russia shows its way in through the backdoor. As part of a new set of anti-terrorism laws, the Russian parliament recently approved a bill to make cryptographic backdoors mandatory for all messaging apps in Russia. If enacted, companies that develop encrypted messaging apps, such as WhatsApp, Wickr, Viber, and Telegram, would be required to maintain a capability allowing the Federal Security Service (FSB) to gain access to user communications, or would be fined up to 1 million rubles, or $15,000. The measure is not entirely surprising. Since 1995, the FSB has had the legal authority and technical capability to monitor all telephone and internet communications in the country through its SORM system. It’s unclear how the Russian government plans to enforce the new law given that many of the affected apps are not designed in Russia or by companies with a presence in Russia.
3. The European Union and the United States tinker with the Privacy Shield. EU Justice Commissioner Vera Jourova told reporters this week that she has successfully negotiated amendments to the EU-U.S. Privacy Shield, making it more likely that it will obtain the approval of privacy regulators in the European Union. The Privacy Shield was announced in February as a replacement for the Safe Harbor framework that facilitated the transfer of personal data, which the Court of Justice of the European Union invalidated in October 2015. The Privacy Shield received a very tepid response, with data protection authorities in EU member states and the European data protection supervisor arguing it wouldn’t withstand judicial scrutiny. The revised Privacy Shield, expected to be released in early July, is supposed to address those concerns by listing the cases where bulk data collection can occur and clarifying how U.S. intelligence agencies use and collect data in bulk.
4. Global panel provides recommendations on the future of a healthy internet. The Global Commission on Internet Governance (GCIG) released its final report at the OECD Digital Economy Ministerial Meeting, outlining challenges facing the internet and its growth. The result of two years of research, the report addresses a host of topics, including internet fragmentation, human rights, access, cybersecurity cooperation, and trade and development. The commission concluded that the internet will likely evolve into one of three scenarios: a dangerous and broken cyberspace, where criminals and government restrictions violate human rights and curtail internet usage; an uneven and unequal cyberspace, where only a fraction of users will earn digital dividends because of government failure to preserve its openness; or a progressive cyberspace, where the internet succeeds in providing access to information and knowledge, growth, and improving quality of life. Given the contentious nature of cyber politics, my money is that option two—an uneven and unequal cyberspace—is the most likely outcome.