[{"command":"settings","settings":{"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxPageState":{"libraries":"eJwry0wtL9YvA5F6ufkppTmpOmBOfGJWYkV8emqJPowBFc_MS8vMyyxJjS9OLsrPyYFo1YWJ6kJEAdF1Ikc","theme":"cfr_theme","theme_token":null},"ajaxTrustedUrl":[],"views":{"ajax_path":"\/views\/ajax","ajaxViews":{"views_dom_id:5165d3a2706a9dd8bd653444aacaf7381ff78992c28140abb708a81f998fdfdf":{"view_name":"blog_posts","view_display_id":"block_archived_blog_posts","view_args":"17\/252719\/2016","view_path":"\/custom\/ajax\/archived_blog_posts\/17\/252719\/2016","view_base_path":null,"view_dom_id":"5165d3a2706a9dd8bd653444aacaf7381ff78992c28140abb708a81f998fdfdf","pager_element":0}}},"viewsAjaxGet":{"blog_posts":"blog_posts"},"user":{"uid":0,"permissionsHash":"e331052eb0a1bc4b2feb3d0cfc1f0f2f6ec5dfd9a50125d1397e4ccee31da7be"}},"merge":true},{"command":"add_css","data":[{"rel":"stylesheet","media":"all","href":"\/sites\/default\/files\/css\/css_sgviVl_37H6Ta5Bl-lc7uAkjneU0Dj6JvASOxbgV9L8.css?delta=0\u0026language=en\u0026theme=cfr_theme\u0026include=eJwry0wtL9YvA5F6ufkppTmpOmBOfGJWYkV8emqJPowBFc_MS8vMyyxJjS9OLsrPyYFo1YWJ6kJEAdF1Ikc"}]},{"command":"add_js","selector":"body","data":[{"src":"\/themes\/custom\/cfr_theme\/node_modules\/jquery\/dist\/jquery.min.js?v=3.1.0"},{"src":"\/themes\/custom\/cfr_theme\/node_modules\/jquery-migrate\/dist\/jquery-migrate.min.js?v=3.1.0"},{"src":"\/core\/assets\/vendor\/once\/once.min.js?v=1.0.1"},{"src":"\/core\/misc\/drupalSettingsLoader.js?v=10.2.11"},{"src":"\/core\/misc\/drupal.js?v=10.2.11"},{"src":"\/core\/misc\/drupal.init.js?v=10.2.11"},{"src":"\/core\/assets\/vendor\/tabbable\/index.umd.min.js?v=6.2.0"},{"src":"\/core\/misc\/progress.js?v=10.2.11"},{"src":"\/core\/assets\/vendor\/loadjs\/loadjs.min.js?v=4.2.0"},{"src":"\/core\/misc\/debounce.js?v=10.2.11"},{"src":"\/core\/misc\/announce.js?v=10.2.11"},{"src":"\/core\/misc\/message.js?v=10.2.11"},{"src":"\/core\/misc\/ajax.js?v=10.2.11"},{"src":"\/themes\/contrib\/stable\/j
s\/ajax.js?v=10.2.11"},{"src":"\/modules\/contrib\/views_ajax_get\/views_ajax_get.js?tcwifo"},{"src":"\/core\/assets\/vendor\/jquery-form\/jquery.form.min.js?v=4.3.0"},{"src":"\/core\/modules\/views\/js\/base.js?v=10.2.11"},{"src":"\/core\/modules\/views\/js\/ajax_view.js?v=10.2.11"},{"src":"\/modules\/contrib\/views_infinite_scroll\/js\/infinite-scroll.js?v=10.2.11"}]},{"command":"insert","method":"html","selector":".blog-series__accordion-item[data-year=\u00222016\u0022] .blog-series__accordion-body","data":"\u003Cdiv class=\u0022views-element-container\u0022\u003E\u003Cdiv class=\u0022js-view-dom-id-5165d3a2706a9dd8bd653444aacaf7381ff78992c28140abb708a81f998fdfdf\u0022\u003E\n  \n  \n  \n\n  \n  \n  \n\n  \u003Cdiv data-drupal-views-infinite-scroll-content-wrapper class=\u0022views-infinite-scroll-content-wrapper clearfix\u0022\u003E\n\n\n\n    \u003Cdiv class=\u0022views-row\u0022\u003E\n    \u003Cdiv class=\u0022views-field views-field-search-api-rendered-item\u0022\u003E\u003Cspan class=\u0022field-content\u0022\u003E\n\n  \n\n\u003Cdiv class=\u0022card-article-large article card-article-large--with-thumbnail\u0022\u003E\n  \u003Cdiv class=\u0022card-article-large__container\u0022\u003E\n    \u003Cdiv class=\u0022card-article-large__content\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__topic-tag\u0022\u003E\n          \u003Ca href=\u0022\/defense-and-security\/cybersecurity\u0022 class=\u0022card-article-large__topic-tag-link\u0022\u003E\n            Cybersecurity\n          \u003C\/a\u003E\n        \u003C\/div\u003E\n            \n                  \u003Ca href=\u0022\/blog\/year-review-russia-and-2016-us-election \u0022 class=\u0022card-article-large__link\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__title\u0022\u003E\n            The Year in Review: Russia and the 2016 U.S. 
Election\n                    \u003C\/div\u003E\n                  \u003Cdiv class=\u0022card-article-large__image\u0022\u003E\n            \n                          \u003Cdiv class=\u0022card-article-large__image-cover\u0022 style=\u0022background-image: url(\/\/cdn.cfr.org\/sites\/default\/files\/styles\/card_landscape_m_380x253\/public\/image\/2016\/10\/RTSORST-Putin.jpg.webp)\u0022\u003E\u003C\/div\u003E\n                      \u003C\/div\u003E\n              \u003C\/a\u003E\n\n              \u003Cdiv class=\u0022card-article-large__dek clamp-js\u0022 data-clamp-lines=\u00224\u0022\u003EMove over Comment Panda and Putter Panda, make way for Fancy Bear and Cozy Bear. 2016 was the year Russian hackers pushed their Chinese counterparts out of the limelight, becoming a major focus of the presidential election and transition, and driving policy discussions about attribution, norms, deterrence, and countering information operations and fake news. How the United States responds to the hacking of the presidential election, or doesn\u2019t, will have a far-ranging impact on domestic cybersecurity and state behavior in cyberspace.\n\nAttention shifted from Beijing to Moscow in part because\u00a0Chinese industrial espionage declined. More important, however, was a qualitative, and highly disruptive change in the actions of Russian hackers. For years, the intelligence community has warned that the skills of Russian hackers exceeded those of the Chinese.\u00a0Director of National Intelligence James Clapper, for example,\u00a0told a conference\u00a0at the University of Texas in 2014\u00a0\u201cI worry a lot more about the Russians\u201d than the Chinese. But while Chinese hackers targeted the government, private sector, and civil society, the Russians were relatively restrained, concentrating on\u00a0espionage and mapping the battlefield. 
Russian hackers limited their actions to collecting information from political and military targets, and surveilling networks that might be attacked if the United States and Russia engaged in serious conflict.\n\nThis year, Russian behavior changed. In June, the\u00a0Democratic National Committee\u00a0announced that two groups of Russian hackers had penetrated its network: Fancy Bear (also known as APT 28), which works for the GRU, Russia\u2019s military intelligence service; and Cozy Bear (APT 29), which is suspected of having ties to the Federal Security Service, the successor to the KGB. Russian hackers\u00a0also successfully attacked\u00a0the Democratic Congressional Campaign Committee, Hillary Clinton\u2019s presidential campaign, and the campaigns of several\u00a0Democratic candidates for Congress. They tried to gain access to computer networks at the Republican National Committee, but failed. That effort was\u00a0reportedly\u00a0less aggressive and much less persistent.\n\nWhat probably started as an intelligence-gathering operation became something different when the documents stolen from the DNC and Clinton campaign began showing up on websites such as Wikileaks and DCLeaks.com, and were then amplified on social networks, Russian news outlets, and U.S. media. 
This doxing was designed to undermine confidence in institutions and sow confusion and discord, and was a new adaptation of what Russians call\u00a0\u003Cem\u003Ekompromat\u003C\/em\u003E, a mix of fabrication and truth.\n\nWho was behind the attack and what they hoped to achieve has been highly politicized.\u00a0CrowdStrike, the company the DNC hired to secure its networks, quickly attributed the attack to Russia, but an individual calling themselves Guccifer 2.0 soon took credit for the hack (the original Guccifer was arrested for hacking into the accounts of Colin Powell, John Negroponte, Richard Armitage, and others).\u00a0Journalists,\u00a0online researchers, and other\u00a0cybersecurity firms, however, continued to turn up data that pointed to Moscow. In October, the Director of National Intelligence and Department of Homeland Security issued a joint statement declaring, \u201cThe U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations.\u201d\n\nDuring the election, Donald Trump questioned the government\u2019s ability to identify the hackers, claiming that \u0022it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that\u00a0weighs 400 pounds.\u0022 That skepticism turned into criticism of the intelligence community when the\u00a0\u003Cem\u003EWashington Post\u003C\/em\u003E\u00a0reported on December 9 that the CIA had assessed that Russia interfered in the election to tilt it toward Trump, not just to undermine confidence in the electoral system. 
While CrowdStrike and other cybersecurity firms have provided public evidence linking Russian attackers to the DNC hack, verification of claims about motivation is highly unlikely, as it would most likely require revealing technical measures and perhaps even the existence of spies in Putin\u2019s inner circle.\n\nThe United States is not the only democracy being targeted. German Chancellor Angela Merkel\u00a0has warned of Russian influence on the 2017 German parliamentary election through cyberwarfare and disinformation. German authorities have claimed Russian hackers were responsible for previous attacks on the Bundestag, the lower house of parliament, and on the headquarters of the ruling Christian Democratic Union. The National Cybersecurity Agency of France has briefed presidential candidates on hacking threats to the election. Alex Younger, Chief of the British Secret Intelligence Service, has warned that \u0022The connectivity that is at the heart of globalization can be exploited by States with hostile intent to further their aims deniably. \u00a0They do this through means as varied as cyber-attacks, propaganda or subversion of democratic process.\u0022\n\nIn the wake of the leak of the CIA finding,\u00a0President Obama ordered\u00a0a \u201cfull review\u201d of \u201chacking-related activity aimed at disrupting\u201d elections, dating back to 2008, to be completed before he leaves office. 
There have been bipartisan calls for hearings and the creation of a select committee to investigate cyber attacks on the United States.\u00a0Questioned in his year-end press conference about why the United States had not responded more forcefully and vocally, President Obama gave an answer that touched on domestic politics and cyber strategy.\u00a0Reticence\u00a0had been motivated by a fear of being seen as taking sides in a \u0022hyper-partisan\u0022 environment.\u00a0President Obama also claimed that, by warning President Putin to \u0022cut it out\u0022 during a one-on-one meeting at the G20 in China, he had deterred further attacks that could \u0022hamper vote counting.\u0022\n\nThe President promised that the United States would respond \u0022at a time and place of our choosing.\u0022 \u0022Some of it we do publicly,\u0022 he said at his press conference. Some activities \u0022we will do in a way that they know, but not everybody will.\u0022 The difficulty for the United States is that it must design a response that penalizes Russia but does not risk escalation. It must deter future attacks on the United States and its allies but at the same time not undermine efforts to develop rules of behavior for states in cyberspace. Numerous analysts have suggested sanctions and travel restrictions on Russian elites combined with cyberattacks designed to weaken Putin, perhaps by releasing information about his finances or private life, or by damaging the technologies the government uses to control the Russian internet.\u00a0In his final days, the most President Obama can hope to accomplish is bolstering the public attribution of the attacks through the selective release of intelligence. This might have some limited deterrent effect on future attacks. 
More important, it will pressure the incoming administration to take some action, despite Trump signalling his intention to reset the relationship with Moscow.\n\nTo say the future is uncertain seems a massive understatement. Much of the cybersecurity community is now struggling with how the United States should deter, contain, and control a conflict that is primarily a mix of espionage, disinformation, and disruption, but has the potential to escalate to destructive attacks. The new administration is apparently intent on arguing that those attacks never happened, and that the United States should move closer to the primary suspect behind the attacks. This tension will only be resolved by domestic politics, in particular if Republicans in Congress push the administration to take a harder line, and by the success or failure of Trump\u2019s foreign policy. Cybersecurity policy has never been more important, or more in flux.\u003C\/div\u003E\n      \n      \u003Cdiv class=\u0022card-article-large__metadata\u0022\u003E\n                              \u003Cspan class=\u0022card-article-large__authors\u0022\u003Eby                   \u003Ca href=\u0022\/expert\/adam-segal\u0022 class=\u0022card-article-large__authors-link\u0022\u003EAdam Segal\u003C\/a\u003E\n                \u003C\/span\u003E\n                  \n        \n                  \u003Cspan class=\u0022card-article-large__date\u0022\u003E December 29, 2016\u003C\/span\u003E\n        \n        \n                          \u003Ca href=\u0022\/blog\/net-politics\u0022 class=\u0022card-article-large__series\u0022\u003E\n            Net Politics\n          \u003C\/a\u003E\n              \u003C\/div\u003E\n    \u003C\/div\u003E\n  \u003C\/div\u003E\n\u003C\/div\u003E\n\n\u003C\/span\u003E\u003C\/div\u003E\n  \u003C\/div\u003E\n    \u003Cdiv class=\u0022views-row\u0022\u003E\n    \u003Cdiv class=\u0022views-field views-field-search-api-rendered-item\u0022\u003E\u003Cspan class=\u0022field-content\u0022\u003E\n\n  
\n\n\u003Cdiv class=\u0022card-article-large article card-article-large--with-thumbnail\u0022\u003E\n  \u003Cdiv class=\u0022card-article-large__container\u0022\u003E\n    \u003Cdiv class=\u0022card-article-large__content\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__topic-tag\u0022\u003E\n          \u003Ca href=\u0022\/defense-and-security\/cybersecurity\u0022 class=\u0022card-article-large__topic-tag-link\u0022\u003E\n            Cybersecurity\n          \u003C\/a\u003E\n        \u003C\/div\u003E\n            \n                  \u003Ca href=\u0022\/blog\/year-review-major-setbacks-digital-trade-2016 \u0022 class=\u0022card-article-large__link\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__title\u0022\u003E\n            The Year in Review: Major Setbacks for Digital Trade in 2016\n                    \u003C\/div\u003E\n                  \u003Cdiv class=\u0022card-article-large__image\u0022\u003E\n            \n                          \u003Cdiv class=\u0022card-article-large__image-cover\u0022 style=\u0022background-image: url(\/\/cdn.cfr.org\/sites\/default\/files\/styles\/card_landscape_m_380x253\/public\/image\/2015\/11\/RTX15P9T-TPP.jpg.webp)\u0022\u003E\u003C\/div\u003E\n                      \u003C\/div\u003E\n              \u003C\/a\u003E\n\n              \u003Cdiv class=\u0022card-article-large__dek clamp-js\u0022 data-clamp-lines=\u00224\u0022\u003EWhat a difference one year makes. When 2015 ended, prospects for digital trade looked good. In bilateral, regional, and multilateral contexts, initiatives were advancing that were, in part, designed to increase opportunities for digital commerce and strengthen rules for it. The European Union launched its Digital Single Market strategy and was negotiating the Trans-Atlantic Trade and Investment Partnership (TTIP) agreement with the United States. 
In addition to TTIP, the United States concluded the Trans-Pacific Partnership (TPP) agreement with eleven countries, and was negotiating the Trade in Services Agreement (TISA) with over twenty nations and the European Union.\n\nAs 2016 ended, these initiatives were damaged, in danger of failure, or dead. The Brexit referendum began the United Kingdom\u2019s departure from the European Union and the single European market. With all major U.S. presidential candidates opposing it, the TPP agreement was in trouble before Donald Trump won. President-elect Trump confirmed the United States would not join, effectively killing one of the most important trade initiatives of the twenty-first century. The TTIP agreement\u2019s chances suffered from opposition within the EU, the decision of the United Kingdom\u2014a TTIP supporter\u2014to exit the bloc, and the anti-trade policies of president-elect Trump. TISA negotiators cancelled the December 2016 meeting where they once expected to finalize the agreement, with doubts swirling whether negotiations would be revived given Trump\u2019s hostility to trade agreements.\n\nThe forces that produced these outcomes go beyond criticisms of the digital trade aspects of these initiatives. The Brexit vote and the anti-trade zeitgeist of the U.S. election revealed widespread anger with cornerstones of British and American international economic engagement\u2014liberalization of trade and investment through treaties as a strategic commitment\u00a0of the UK and U.S. governments. The dimmed prospects for digital trade are collateral damage from a populist upheaval against economic interdependence and globalization.\n\nPrior to this upheaval, digital technologies helped catalyze interdependence and globalization, even when treaties lagged behind how digital devices and networks transformed the global movement of goods, services, capital, and information. 
The impact of digital technologies on commerce produced concerns about privacy, cybersecurity, abuse of market power by tech companies, and sovereignty. Despite these concerns, governments around the world supported liberalization of digital trade and worked to promote this objective in trade and investment agreements. The Digital Single Market, TTIP, TPP, and TISA represented, in different contexts, strategies to advance digital commerce\u2019s deeper integration into international economic law. \n\nBrexit, the death of TPP, the demise of TTIP, and doubts about TISA do not portend the imminent collapse of digital trade. After all, digital commerce expanded much faster than countries addressed it in trade and investment agreements in the post-Cold War era. However, what happened in 2016 takes away the support these initiatives gave to advancing and protecting digital trade in global economic governance. The absence of this support might allow countervailing forces, including requirements for data localization and national cybersecurity measures, to produce increasing restrictions on digital trade. Existing trade and investment agreements, such as the WTO\u2019s General Agreement on Trade in Services, might prove inadequate in managing disputes over new restraints on digital commerce.\n\nIn addition, new trade and investment agreements might not have provisions for digital trade that achieve what the initiatives discussed above aimed to accomplish. For example, the chapter on electronic commerce in the Comprehensive Economic and Trade Agreement concluded by the European Union and Canada in 2016 comes nowhere close to what Canada accepted in the TPP agreement and what the European Union seeks in the Digital Single Market.\n\nIn 2017, indicators of where digital trade is headed will emerge from four sources. First, the Trump administration\u2019s implementation of its trade policies will signal how it plans to promote U.S. digital commerce. 
Second, the European Union will pursue the Digital Single Market without British participation, and this initiative, in combination with EU privacy law, will affect digital commerce between the European Union and its trading partners. Without TTIP, the European Union has fewer incentives to moderate its regulation of U.S. tech companies, and the Trump administration will lack leverage to bargain on their behalf. The TPP\u2019s death also means the European Union does not have to worry about whether that agreement would have created market pressures on how it regulated digital commerce in the single market. \n\nThird, as Brexit moves forward, the UK government will seek to conclude trade and investment agreements with the European Union, the United States, and other countries. What the United Kingdom negotiates will be important in understanding how nations are thinking about liberalizing and protecting digital trade. Finally, how China promotes its Regional Comprehensive Economic Partnership to fill the void left by the TPP\u2019s demise bears watching for its impact on digital commerce in Asia. 
\u003C\/div\u003E\n      \n      \u003Cdiv class=\u0022card-article-large__metadata\u0022\u003E\n                          \n        \n                  \u003Cspan class=\u0022card-article-large__date\u0022\u003E December 28, 2016\u003C\/span\u003E\n        \n        \n                          \u003Ca href=\u0022\/blog\/net-politics\u0022 class=\u0022card-article-large__series\u0022\u003E\n            Net Politics\n          \u003C\/a\u003E\n              \u003C\/div\u003E\n    \u003C\/div\u003E\n  \u003C\/div\u003E\n\u003C\/div\u003E\n\n\u003C\/span\u003E\u003C\/div\u003E\n  \u003C\/div\u003E\n    \u003Cdiv class=\u0022views-row\u0022\u003E\n    \u003Cdiv class=\u0022views-field views-field-search-api-rendered-item\u0022\u003E\u003Cspan class=\u0022field-content\u0022\u003E\n\n  \n\n\u003Cdiv class=\u0022card-article-large article card-article-large--with-thumbnail\u0022\u003E\n  \u003Cdiv class=\u0022card-article-large__container\u0022\u003E\n    \u003Cdiv class=\u0022card-article-large__content\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__topic-tag\u0022\u003E\n          \u003Ca href=\u0022\/social-issues\/privacy\u0022 class=\u0022card-article-large__topic-tag-link\u0022\u003E\n            Privacy\n          \u003C\/a\u003E\n        \u003C\/div\u003E\n            \n                  \u003Ca href=\u0022\/blog\/year-review-encryption-and-privacy-2016 \u0022 class=\u0022card-article-large__link\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__title\u0022\u003E\n            The Year in Review: Encryption and Privacy in 2016\n                    \u003C\/div\u003E\n                  \u003Cdiv class=\u0022card-article-large__image\u0022\u003E\n            \n                          \u003Cdiv class=\u0022card-article-large__image-cover\u0022 style=\u0022background-image: 
url(\/\/cdn.cfr.org\/sites\/default\/files\/styles\/card_landscape_m_380x253\/public\/image\/2015\/04\/RTR3LDWQ-lock.jpg.webp)\u0022\u003E\u003C\/div\u003E\n                      \u003C\/div\u003E\n              \u003C\/a\u003E\n\n              \u003Cdiv class=\u0022card-article-large__dek clamp-js\u0022 data-clamp-lines=\u00224\u0022\u003E\u003Cem\u003EAlex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.\u00a0\u003C\/em\u003E\n\nThere were a number of developments that shaped the encryption and digital privacy landscape this year.\n\nIt started off with a bang in February when the\u00a0FBI successfully obtained a court order requiring Apple to build software to unlock\u00a0the iPhone of one of the San Bernardino terrorists. That sparked a month-long debate among pundits, lawmakers, and civil society groups who lined up behind their respective champion and shouted invective at each other. Even then-candidate\u00a0Donald Trump got in on the action, calling for a boycott of Apple in response to the tech giant\u2019s unwillingness to comply with the order. The debate ended almost as quickly as it started when the FBI\u00a0asked the court to rescind its order given that a third party had approached the agency with a proof of concept to get into the iPhone without Apple\u2019s help.\n\nDespite the intensity of the debate, it\u2019s hard to gauge what impact it had, if any, toward finding a compromise between the law enforcement and civil liberties camps. Last year, this blog noted the ritualization of the encryption debate, whereby something bad happens, people yell at each other, the debate goes away, and nothing has been accomplished. The same thing happened this year. 
Bills were introduced into Congress, commissions\u00a0were proposed, but nothing really happened.\n\nDuring the Apple-FBI fight, the United States and Europe announced their agreement on the successor to the invalidated Safe Harbor pact, calling it Privacy Shield.\u00a0In contrast to the previous agreement, Europeans now have a right to redress in U.S. courts if they believe their privacy rights were violated and an ombudsperson to resolve any complaints on behalf of Europeans concerned about the U.S. intelligence community capturing\u00a0data transferred under\u00a0the deal.\n\nAlthough data protection authorities in Europe expressed skepticism of the deal, they said they would give it at least a year before reviewing its adequacy and possibly challenging it in EU court. Their actions were preempted by Digital Rights Ireland, a privacy group, which challenged\u00a0the European Commission\u2019s assertion that the shield was adequate to protect EU citizens\u2019 privacy rights. The Privacy Shield challenge, along with the possible invalidation of model clauses--another legal mechanism used to transfer data across the pond--increase the likelihood of more turbulence for U.S.-EU data transfers next year.\n\n2016 also saw the passage of a number of controversial interception and data retention laws. In the United Kingdom, the Investigative Powers Bill--known to detractors as the Snooper\u2019s Charter--received royal assent. Among other things, the bill requires communications service providers\u00a0(CSPs) to maintain \u0022internet connection records\u0022 of their users, reiterated existing requirements that CSPs maintain a capability to decrypt communications, and created a new oversight body to monitor law enforcement and the intelligence community\u2019s use of the new powers.\n\nIn China, the cybersecurity law that went through several drafts since 2015 finally entered into force in November. In addition to U.S. 
business concerns that it will subject their wares to regular security audits and pose a threat to their intellectual property, the Chinese bill requires\u00a0CSPs to make users register with their real-world identities (no anonymity allowed) and requires undefined \u0022critical information infrastructure operators\u0022 to store user data in the country--a practice known as data localization. Like the UK measure, the Chinese law requires that tech companies provide \u0022technical support\u0022 with law enforcement investigations, presumably meaning providing a decryption capability.\n\nFinally, the election of Donald Trump as president of the United States gave a shot in the arm to privacy activists. His election sparked discussions about the state of online privacy for the next four years and concerns that even modest reforms to the NSA surveillance programs will be rolled back. A month after his election, Signal, the Edward Snowden-endorsed messaging app, experienced a 400 percent jump in daily app downloads.\n\n2016 was pretty hectic for the privacy world, but probably no more than previous years. What does 2017 have in store? Court challenges and opinions. Expect lots of them. Privacy activists and companies are likely\u00a0to test the legality of the UK\u2019s Investigative Powers Act, the viability of model clauses and the Privacy Shield, and trigger another encryption fight if U.S. 
law enforcement can\u2019t unlock a device\u00a0during the investigation of a high profile or particularly heinous crime.\u003C\/div\u003E\n      \n      \u003Cdiv class=\u0022card-article-large__metadata\u0022\u003E\n                              \u003Cspan class=\u0022card-article-large__authors\u0022\u003Eby Guest Blogger for Net Politics\u003C\/span\u003E\n                  \n        \n                  \u003Cspan class=\u0022card-article-large__date\u0022\u003E December 27, 2016\u003C\/span\u003E\n        \n        \n                          \u003Ca href=\u0022\/blog\/net-politics\u0022 class=\u0022card-article-large__series\u0022\u003E\n            Net Politics\n          \u003C\/a\u003E\n              \u003C\/div\u003E\n    \u003C\/div\u003E\n  \u003C\/div\u003E\n\u003C\/div\u003E\n\n\u003C\/span\u003E\u003C\/div\u003E\n  \u003C\/div\u003E\n\n\n\n\n\t\t  \t  \u003Cli class=\u0022views-row\u0022\u003E\n\t    \u003Cdiv class=\u0022views-field views-field-search-api-rendered-item\u0022\u003E\u003Cspan class=\u0022field-content\u0022\u003E\n\n  \n\n\u003Cdiv class=\u0022card-article-large article card-article-large--with-thumbnail\u0022\u003E\n  \u003Cdiv class=\u0022card-article-large__container\u0022\u003E\n    \u003Cdiv class=\u0022card-article-large__content\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__topic-tag\u0022\u003E\n          \u003Ca href=\u0022\/politics-and-government\u0022 class=\u0022card-article-large__topic-tag-link\u0022\u003E\n            Politics and Government\n          \u003C\/a\u003E\n        \u003C\/div\u003E\n            \n                  \u003Ca href=\u0022\/blog\/year-review-militaries-got-more-cyber-2016 \u0022 class=\u0022card-article-large__link\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__title\u0022\u003E\n            Year in Review: Militaries Got More Cyber in 2016\n                    \u003C\/div\u003E\n                  \u003Cdiv 
class=\u0022card-article-large__image\u0022\u003E\n            \n                          \u003Cdiv class=\u0022card-article-large__image-cover\u0022 style=\u0022background-image: url(\/\/cdn.cfr.org\/sites\/default\/files\/styles\/card_landscape_m_380x253\/public\/image\/2016\/12\/RTX2GMFB-US-Airstike.jpg.webp)\u0022\u003E\u003C\/div\u003E\n                      \u003C\/div\u003E\n              \u003C\/a\u003E\n\n              \u003Cdiv class=\u0022card-article-large__dek clamp-js\u0022 data-clamp-lines=\u00224\u0022\u003E\u003Cem\u003EAlex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.\u00a0\u003C\/em\u003E\n\nThis year marked a turning point in military uses of cyberspace. For the first time, the United States, United Kingdom, and Australia\u00a0acknowledged deploying offensive cyber tools against the Islamic State. The fact that the United States, China, Russia, and others break into adversary computer networks is not new--intelligence organizations have done so\u00a0since the early 1990s. But openly acknowledging that a military, as opposed to largely civilian intelligence organizations, is using malware to gain an advantage during an armed conflict breaks new ground.\n\nIt all started in late February\u00a0when Defense Secretary Ash Carter declared\u00a0that the United States was looking to attack\n\n\u0022the ability of someone sitting in Raqqa to command and control [self-declared Islamic State, also known as\u00a0ISIS] forces outside of Raqqa or to talk to Mosul or even to talk to somebody in Paris or to the United States. So these are strikes that are conducted in the war zone using cyber essentially as a weapon of war. Just like we drop bombs, we\u2019re dropping cyber bombs.\u0022\n\nThe use of the term \u0022cyber bomb\u0022 caught like wildfire, and was pilloried for the imagery that it conjured. 
Subsequent explanations of what Carter meant provided more specificity about the nature of the United States\u2019 cyber bombs. According to the \u003Cem\u003ENew York Times\u003C\/em\u003E, U.S. military units\u00a0aimed to \u0022disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters.\u0022 In other words, the United States sought to sow enough chaos in the ranks of the self-declared Islamic State to disrupt command and control networks and sap the morale of fighters. In a pre-internet age, these activities would have been considered a combination of electronic warfare and information operations. Now, it\u2019s all cyber.\n\nSenior U.S. policymakers have not yet said whether they believe offensive cyber tools have been effective against the Islamic State. ISIS\u00a0has suffered significant territorial losses and its recruiting efforts are much less successful than they once were. These setbacks could be attributed to the cyber campaign or to more\u00a0conventional means, such as aerial bombardment and social media companies\u2019 work to remove terrorist recruitment content. In fact, the \u003Cem\u003EWashington Post\u003C\/em\u003E has reported that senior Pentagon officials have been disappointed\u00a0with the slow pace of the deployment of U.S. Cyber Command\u2019s operations.\n\nMoreover, launching malware is arguably more complex, both in terms of development and deployment, than deploying ordnance or conventional military weapons. As Herb Lin recently wrote on \u003Cem\u003ENet Politics\u003C\/em\u003E, malware has to be tailored to a specific target, exploiting software vulnerabilities unique to it--unlike a bomb, which can be effective against\u00a0a diversity of targets.\n\nDespite these growing pains, the use of offensive cyber operations in a military context is significant for three reasons. 
First,\u00a0offensive cyber operations are likely to be integrated into most, if not all, military efforts in the future. As many have said, there will be no such thing as a purely cyber war where adversaries stick to launching bad packets at each other. Instead, military efforts will be supplemented by a cyber component that will assist an overall campaign, such as assisting with reconnaissance or generating less violent effects (e.g. rendering a military target inoperable through cyber means\u00a0instead of blowing it up and risking civilian casualties).\n\nSecond, it will allow the United States to test the practicalities of applying international humanitarian law (IHL), also known as the law of armed conflict, to cyber operations in a military context. Since the launch of its international cyber strategy in 2011, the United States has advocated that IHL applies in cyberspace and that no new international law is required to regulate state use of cyber tools, a minority view in the non-western world.\u00a0Being one of the first to break the ice, the United States will now have practical experience to\u00a0back up its policy advocacy. Russia and China might not be swayed by such arguments, but a number of regional powers, like Brazil, India, and others, might after having seen the results of judge advocate general\u00a0officers guiding cyber targeting decisions in compliance with IHL.\n\nThird, militaries\u2019 use of offensive cyber tools will require a rethink of the current approach to offensive cyber activity. The vast majority of state-sponsored cyber activity has been in the form of espionage, where stealth and non-attribution are prized. In an offensive military context, an attacker\u00a0might want an enemy to know that it was behind a particular cyber incident. This difference will require new thinking and new toolsets specifically designed for the military and separate from those used in the intelligence community. 
That is already beginning to happen in the United States, where there has been talk of divorcing Cyber Command from the National Security Agency. The United Kingdom, Australia and others looking to jump into this space might consider the same.\u003C\/div\u003E\n      \n      \u003Cdiv class=\u0022card-article-large__metadata\u0022\u003E\n                              \u003Cspan class=\u0022card-article-large__authors\u0022\u003Eby Guest Blogger for Net Politics\u003C\/span\u003E\n                  \n        \n                  \u003Cspan class=\u0022card-article-large__date\u0022\u003E December 26, 2016\u003C\/span\u003E\n        \n        \n                          \u003Ca href=\u0022\/blog\/net-politics\u0022 class=\u0022card-article-large__series\u0022\u003E\n            Net Politics\n          \u003C\/a\u003E\n              \u003C\/div\u003E\n    \u003C\/div\u003E\n  \u003C\/div\u003E\n\u003C\/div\u003E\n\n\u003C\/span\u003E\u003C\/div\u003E\n\t  \u003C\/li\u003E\n\t\t  \t  \u003Cli class=\u0022views-row\u0022\u003E\n\t    \u003Cdiv class=\u0022views-field views-field-search-api-rendered-item\u0022\u003E\u003Cspan class=\u0022field-content\u0022\u003E\n\n  \n\n\u003Cdiv class=\u0022card-article-large article card-article-large--with-thumbnail\u0022\u003E\n  \u003Cdiv class=\u0022card-article-large__container\u0022\u003E\n    \u003Cdiv class=\u0022card-article-large__content\u0022\u003E\n      \n                  \u003Ca href=\u0022\/blog\/cyber-week-review-december-23-2016 \u0022 class=\u0022card-article-large__link\u0022\u003E\n              \u003Cdiv class=\u0022card-article-large__title\u0022\u003E\n            Cyber Week in Review: December 23, 2016\n                    \u003C\/div\u003E\n                  \u003Cdiv class=\u0022card-article-large__image\u0022\u003E\n            \n                          \u003Cdiv class=\u0022card-article-large__image-cover\u0022 style=\u0022background-image: 
url(\/\/cdn.cfr.org\/sites\/default\/files\/styles\/card_landscape_m_380x253\/public\/image\/2016\/01\/RTX1VY8D-Euro-Commission.jpg.webp)\u0022\u003E\u003C\/div\u003E\n                      \u003C\/div\u003E\n              \u003C\/a\u003E\n\n              \u003Cdiv class=\u0022card-article-large__dek clamp-js\u0022 data-clamp-lines=\u00224\u0022\u003EHere is a quick round-up of this week\u2019s technology headlines and related\u00a0stories you may have missed:\n\n\u003Cstrong\u003E1. No more data for you\u003C\/strong\u003E. The\u00a0Court of Justice of the European Union\u00a0invalidated portions of the United Kingdom\u2019s new Investigatory Powers Act\u00a0that require communications service providers to retain user data so that it can later be examined if determined relevant to a criminal investigation. The Court called such provisions\u00a0\u0022general and indiscriminate\u0022 and said that they exceed \u0022the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.\u0022 The UK government, as well as many law enforcement organizations throughout Europe, have consistently claimed that such powers are necessary for\u00a0national security, terrorism, and\u00a0organized crime investigations. It\u2019s unclear how the decision will affect the United Kingdom given its intent to leave the European Union, though it\u00a0has signalled its intent to appeal. Over at \u003Cem\u003ELawfare\u003C\/em\u003E, Andrew Keane Woods examines the court\u2019s decision.\n\n\u003Cstrong\u003E2. 
Now my work is export controlled?\u003C\/strong\u003E\u00a0The United States failed to convince the states party to the Wassenaar Arrangement to revise the listing of common hacking tools as controlled munitions subject to export control.\u00a0Back in 2013, Wassenaar Arrangement countries had agreed to slap controls on the use of \u0022intrusion software\u0022 largely to prevent countries with dubious human rights records or other malicious actors from purchasing tools that could be used\u00a0to break into\u00a0computer networks. However, the rule was so broadly written that some U.S. security researchers,\u00a0whose job it is to poke holes in systems to test their security,\u00a0argued it\u00a0would subject their work to the controls and hinder cybersecurity efforts.\n\n\u003Cstrong\u003E3. Please don\u2019t bring your fake news here.\u003C\/strong\u003E German lawmakers are considering fining social media firms up to\u00a0\u20ac500,000 (US$522,400) for publishing fake news, according to a report in \u003Cem\u003EDer Spiegel\u003C\/em\u003E. Social media platforms, and Facebook in particular, have been under intense scrutiny given the role that misleading or false information seemed to have played in the U.S. election. Some German officials are likely concerned that\u00a0the same thing could play out in the German federal election in 2017. Compounding that concern is the fact that the head of German domestic intelligence recently signalled\u00a0that Russia would be looking to manipulate German media to sow distrust in the German political process.\n\n\u003Cem\u003E(Editor\u2019s note: There will be no week in review on Friday, December 30. 
Happy Holidays!)\u003C\/em\u003E\u003C\/div\u003E\n      \n      \u003Cdiv class=\u0022card-article-large__metadata\u0022\u003E\n                              \u003Cspan class=\u0022card-article-large__authors\u0022\u003Eby                   \u003Ca href=\u0022\/expert\/adam-segal\u0022 class=\u0022card-article-large__authors-link\u0022\u003EAdam Segal\u003C\/a\u003E\n                \u003C\/span\u003E\n                  \n        \n                  \u003Cspan class=\u0022card-article-large__date\u0022\u003E December 23, 2016\u003C\/span\u003E\n        \n        \n                          \u003Ca href=\u0022\/blog\/net-politics\u0022 class=\u0022card-article-large__series\u0022\u003E\n            Net Politics\n          \u003C\/a\u003E\n              \u003C\/div\u003E\n    \u003C\/div\u003E\n  \u003C\/div\u003E\n\u003C\/div\u003E\n\n\u003C\/span\u003E\u003C\/div\u003E\n\t  \u003C\/li\u003E\n\t\u003C\/div\u003E\n\n    \n\u003Cul class=\u0022js-pager__items pager\u0022 data-drupal-views-infinite-scroll-pager\u003E\n  \u003Cli class=\u0022pager__item\u0022\u003E\n    \u003Ca class=\u0022button\u0022 href=\u0022?page=1\u0022 title=\u0022Load more items\u0022 rel=\u0022next\u0022\u003ELoad More\u003C\/a\u003E\n  \u003C\/li\u003E\n\u003C\/ul\u003E\n\n\n  \n  \n\n  \n  \n\u003C\/div\u003E\n\u003C\/div\u003E\n","settings":null}]