Overnight the US and the EU Commission reached an agreement on transatlantic data flows, 3 months after the European Court of Justice ruled the old ‘Safe Harbour’ framework was invalid. The EU Commission stated that the new agreement will provide ‘stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US’. The EU Commission statement also notes that the US has agreed not to conduct ‘indiscriminate mass surveillance’ on EU citizens’ data shared with the US.
Discussions towards the new agreement were almost derailed earlier this week after a Republican amendment to the bill for the Judicial Redress Act. The Bill, which would allow EU citizens to use US courts to challenge misuse of their personal data, was a critical prerequisite in reaching the new agreement. The amendment, which raised European Commission concerns, stated that the bill mustn’t negatively affect national security interests, and requires EU countries covered by the bill to allow commercial data flows to the US.
Staying in the US, Republican Party candidate Ben Carson has released a policy paper calling for the establishment of a National Cyber Security Administration (NCSA) as a single centre of government and private sector cybersecurity. Carson wants the US to be the ‘unquestioned cyber power on the planet’, and has even referenced the Space Race as an analogy for his vision of US cyber dominance. Over at the Washington Post, Jim Lewis of the Center for Strategic and International Studies (and ICPC Fellow) notes that Carson’s analogy is weak at best, as the Space Race was an engineering problem but cybersecurity involves more complex political and policy issues. Ryan Hagemann from the libertarian Niskanen Center thinks that centralising cyber security policy in the NCSA will inhibit rather than incentivise the cooperation needed between the public and private sectors to enhance US cybersecurity.
Also vying for the title of cyber power is Israel. Prime Minister Benjamin Netanyahu has prioritised the development of Israel’s cybersecurity industry to drive economic growth and support national security. Adam Segal from the Council on Foreign Relations has analysed a number of key aspects of Netanyahu’s speech to the annual Cybertech conference in Tel Aviv on 26 January. Notably, Netanyahu discussed his perspective on government’s role in cybersecurity as ‘immunising’ organisations through best practice and standards, while responding to larger ‘epidemics’. Netanyahu remains skeptical of the effectiveness of a ‘universal code’ of cyber norms, advocating for likeminded countries to define norms and sanction those who violate them.
During the speech Netanyahu also raised new government guidelines on the application of export control laws for cybersecurity products. Netanyahu claimed they are necessary to balance the risk of cyber capability sharing with the economic potential of the cybersecurity industry. Israeli government figures show that its cybersecurity industry, comprising about 250 companies, represents about 20% of global investment in cyber security and exported US$3.5 billion in products and services in 2015. The industry has largely been founded on personnel trained in the Israeli Defence Force who, once released from national service, use their expertise to work in major firms such as CheckPoint and CyberArk, or start their own firms. Israel remains a big target for hackers, and news that Israel’s Electric Authority was infected with ransomware that spread after an employee opened a spear phishing email brings home that even the best aren’t immune to cyber incidents.
Regional cooperation between Asia–Pacific computer emergency response teams (CERTs) has taken another step forward with the announcement that India’s CERT-In has signed agreements with Japan, Singapore and Malaysia. The four countries will share knowledge and experience in detection, resolution and prevention of cybersecurity incidents. Last week, Japan announced a new recruitment drive for government cybersecurity officials. 40 new positions will be established within the National Centre of Incident Readiness and Strategy for Cybersecurity, increasing total personnel in the Centre to 180. At least 18 of the positions will be recruited from the private sector, and government personnel will be seconded to private firms for further training.
And finally, in the first case of its kind, a 20-year-old Kosovar man who was arrested by Malaysian police in October last year has faced court in the US for hacking a US company and providing the information to Daesh. The US Justice Department claims that the man, Ardit Ferizi, provided the information that Daesh released in August last year detailing 1,300 US citizens’ personal information, exhorting its followers to attack and kill those named on the list.