Cyber Week in Review: October 6, 2017

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. The NSA can't keep a secret. The Wall Street Journal reports that Russian state-sponsored hackers were able to access classified information about the NSA's cyber tools and techniques thanks to a NSA contractor who decided it was a good idea to work on them from home. How the Russian government got its hands on the NSA tools from the contractor is unclear. The contractor had Kaspersky anti-virus installed on his home computer and it detects certain malware signatures associated with the Equation Group, a cyber threat actor widely believed to be the NSA. It is possible that Kaspersky discovered the NSA tools and flagged them to Russian intelligence, confirming longstanding U.S. intelligence community concerns about the company and explaining the recent effort to ban it from U.S. government networks. Another possibility is that Russian intelligence has moles in the company, which flagged the tools to their handlers without the knowledge of Kaspersky's leadership. In any case, this is the third major breach of the NSA's cyber secrets in four years (all of which caused by contractors), and raises huge questions about the agency's security practices.

2. Do you have a warrant? The debate over the reauthorization of section 702 of the Foreign Intelligence Surveillance Act, which allows the U.S. government to intercept foreign communications in the United States, is heating up. Earlier this week, the House Judiciary Committee circulated a draft reform bill, which would codify the NSA’s recent decision to end “about” collection, the practice of collecting communications that merely mention foreign surveillance targets, and to instead only collect communications sent to and from overseas targets. Although civil liberties groups applauded the move, they also expressed concern that the bill would not close the "backdoor search loophole" that allows the FBI to query data collected under 702 for evidence of criminal activity without a warrant. According to Politico, the Senate expects to take up the issue before the end of the month. For a primer on the reform debate, check out Laura K. Donahue's Cyber Brief on the subject.

3. Max Schrems came in like a wrecking ball. The Court of Justice of the European Union (CJEU) is once again going to review the legal mechanisms that allow companies to transfer data between Europe and the United States. Earlier this week, the Irish High Court found that there were "well founded concerns" that the standard contractual clauses (SCCs) that Facebook relies on to transfer data across the Atlantic are insufficient to protect Europeans' data from the U.S. intelligence community. As a result, the Irish court punted the case up to the CJEU. Under EU rules, data about EU citizens can only leave the bloc if similar protections exist in the destination country. Max Schrems, the Austrian privacy activist that brought the case, argues that U.S. intelligence practices and surveillance law undercut European data protection standards. The CJEU has a history of nullifying US-EU data transfer mechanisms--in 2013, it nullified the Safe Harbor framework in another case brought forth by Schrems on similar grounds. Approximately 88 percent of companies that transfer data out of the EU rely on SCCs, and voiding them could have a huge ripple effect on the way U.S. companies process Europeans' data.

4. Shooting yourself in the foot. According to a new report, temporarily cutting off internet access in Sub-Saharan African countries can cost their economies up to one million dollars a day. Over the last two years, researchers have calculated that twelve Sub-Saharan African countries, including Togo, Cameroon, Uganda, Burundi and the Central African Republic, temporarily shut down internet access over the course of 236 days, costing their economies a collective $237 million in lost investment, productivity and economic growth. Governments around the world are getting more comfortable temporarily restricting internet access to curb civil unrest, a trend the UN Human Rights Council condemned last year.

5. Cyber from down under. Australia launched a new international cyber engagement strategy to promote an "open, free and secure cyberspace." As part of the strategy, Australia aims to "set clear expectations for state behavior in cyberspace," promote human rights online, and maximize the opportunity for economic growth. The strategy also pledges to commit ten million dollars to improve cybersecurity in the Indo-Pacific region.