from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: March 25, 2016

Iran Hackers Cyber Net Politics CFR
Iran Hackers Cyber Net Politics CFR

March 25, 2016
5:00 pm (EST)

Iran Hackers Cyber Net Politics CFR
Iran Hackers Cyber Net Politics CFR
Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed.

1. I accuse you, you, and you! The Department of Justice (DOJ) had a busy week, indicting Iranians on hacking charges, putting Syrian hackers on its most wanted list, and obtaining a guilty plea in the Su Bin case. First, the federal government indicted seven Iranian hackers for engaging in a denial of service campaign against U.S. banks and accessing the network of a small dam outside New York City. Although the accused are unlikely ever to appear in a U.S. court, experts are interpreting this as a government effort to signal its attribution capabilities and deter others, drawing analogies to the 2014 indictments against Chinese military officials. Unlike the Chinese indictments, however, the indictment against the Iranian hackers doesn’t explicitly draw a connection between the hackers and the Iranian government, aside from asserting that they had worked for companies that "performed work on behalf of the Iranian government." Second, the FBI put three members of the pro-Assad Syrian Electronic Army (SEA) on its most wanted list. They’re accused of multiple counts of unauthorized access to computer systems, most notably when the Associated Press’s compromised Twitter account announced that President Obama had been killed in a bombing at the White House. Third, Su Bin, a Chinese national, pleaded guilty to a conspiracy to hack the networks of defense contractors and send information to China. I examine the case, which has received relatively little notice in the United States, and explain its potential impact on the U.S.-China relationship.

2. The FBI’s deus ex machina moment in the Apple case? The FBI claims it has found an "outside party" that has proposed a solution to access the encrypted data on one of the San Bernardino attackers’ iPhone. The FBI says that the outside party, rumored to be Israeli computer forensics company Cellebrite, approached it shortly before the DOJ and Apple were scheduled to appear in court, where Apple aimed to vacate the February order requiring it to assist the FBI unlock the phone. Cellebrite has refused to comment on the case—and some are skeptical that they’re the ones helping the FBI—but that hasn’t stopped them from getting tons of free advertising. This unexpected twist in the Apple-FBI case raises a number of questions, many of which Net Politics contributor David Fidler outlines here. Among them, if the outside party is able to hack into the iPhone, should the FBI be required to tell Apple how they did it? Over at Passcode, Jay Healey says yes, while Ben Wittes writing for Lawfare says no. The FBI is scheduled to report back to the court in two weeks. We should know then whether the outside party’s method worked. This is far from over.

3. French data protection regulator fines Google over right to be forgotten. France’s data protection regulator, known by its French acronym CNIL, slapped Google with a €100,000 fine, or about US$110,000, for failing to abide by Court of Justice of the European Union’s 2014 right to be forgotten ruling. The ruling allows Europeans to request that search engines remove information about them in the event it is "inaccurate, inadequate, irrelevant or excessive." The French regulator has clashed with Google for months over the ruling’s implementation. CNIL wants Google to de-index information (i.e. remove a link to a website) relating to a complaint across its entire search engine, and not just make the link inaccessible in Europe as Google had proposed. Google argues that CNIL’s interpretation of the right to be forgotten amounts to an extraterritorial application of EU law. Mike Masnick at TechDirt questions whether CNIL can see the forest from the trees: "Would France be comfortable if, say, China or Iran or North Korea suddenly decide that Google must also be censored to block out links to content they dislike, and that such content must be inaccessible in search results in France?" Google hasn’t yet commented on the fine—chump change for the company—but it can appeal it to France’s highest administrative court, the Conseil d’État.