Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
1. Happy GDPR day! The European Union's General Data Protection Regulation (GDPR) enters into force today and its effect is being felt around the world. The GDPR sets out how companies can collect the personal data of persons in the European Union, and how they can use it. For example, companies must receive an EU individual's explicit consent before collecting and using their data, give that individual the ability to see what data the company has collected and correct it, and companies cannot make their service contingent on the collection of personal data. Importantly, GDPR applies to anyone doing business (or seeking to do business) in the EU, which is why companies around the world have been rushing to comply. U.S. companies have taken markedly different approaches. Many have spammed inboxes with terms of service updates, and some websites have temporarily cut off access to EU users. For their part, Microsoft announced that it will be rolling out its new GDPR-compliant privacy features beyond the EU, and Facebook and Google have already been sued for non-compliance. Although the European Union issued guidance on how the new rules should be enforced, actual enforcement will be up to the data protection authorities in each member state. It's a brave new world!
2. It’s full steam ahead for CFIUS reform. This week a U.S. Senate panel attached a bill that would strengthen oversight of foreign investments in the United States to a must-pass defense bill, all but ensuring its passage. The Foreign Investment Risk Review Modernization Act of 2017 (FIRRMA) would grant the Committee on Foreign Investment in the United States (CFIUS) new powers to review foreign investments in sensitive areas, most notably emerging technology. Support for beefing up the CFIUS process began last year when a Pentagon report raised the alarm about Chinese investments in early-stage technology firms, suggesting the Chinese government could use such investments to diminish the technological advantage of the United States.
3. Can we please stop saying that cyberspace is lawless? Jeremy Wright, the attorney general of the United Kingdom, outlined Britain's view on how to apply existing international law to cyberspace in a speech delivered at Chatham House. It was the first time that the UK government publicly outlined its interpretation of international law as it applies to cyberspace outside of the context of the UN Group of Governmental Experts. Many of Wright's remarks retread existing UK positions, such as the applicability of articles 2(4) (prohibition of the use of force), 2(7) (non-interference in internal affairs), and 51 (inherent right of self-defense) of the UN Charter to cyberspace. Wright also reiterated that attributing a cyber activity to a state actor is not just a matter of law but also a political decision, which will guide how the country responds to an operation against it. Over at Lawfare, CFR Senior Fellow Matthew Waxman unpacks the elements that might be more consequential, and Isa Qasim at Just Security notes that Wright's remarks on sovereignty contradict the Tallinn Manual's approach. Expect more legal analysis over the next few days.
4. All your botnets are now belong to us. U.S. law enforcement is working overtime to seize a massive botnet controlled by an infamous Russian hacking group. On Wednesday, the Justice Department announced that the FBI had received a court order to seize a domain connected to the botnet before it wreaks more havoc. The hacking group in question, known as APT 28 or Fancy Bear, is linked to the Russian military and was previously implicated in the hacking of the Democratic National Committee in 2016. The FBI could help stymie the botnet’s expansion, though it is working against the clock. Cisco’s intelligence unit Talos warned this week that the hackers had already infected at least 500,000 devices. Researchers have shown that malware is spreading at “an alarming rate” in Ukraine, a favored testing ground for Russian cyberweapons. This has led Craig Williams, the head of Talos’s security team, to warn that the botnet could be used to carry out a “potential sequel” to last year’s NotPetya attack.