Cybersecurity made an appearance in the eighth round of the US–China Strategic and Economic Dialogue which took place in Beijing ^[1] last week, chaired by State Councillor Yang Jiechi and Secretary of State John Kerry. Both countries reaffirmed ^[2] the value of the Senior Experts Group on International Norms in Cyberspace and Related Issues, their commitment to refrain from supporting cyber-enabled theft of intellectual property and their positive anticipation of the second High-Level Dialogue on Cybercrime and Related Issues to be held in Beijing on June 14.

The first of those ministerial-level US–China cybercrime talks ^[3] was held last December, breaking the freeze in Sino-US cyber relations ^[4] that started when China withdrew from a bilateral working group in response to the US indictment of 5 Chinese military officials back in May 2014. The recent December talks established ^[5] a set of guidelines, a hotline and plans to conduct a tabletop exercise and continue discussions on the issue in 2016. The weekend’s terrible shooting in Orlando ^[6] has meant that the second iteration of talks scheduled for this week will now be conducted ^[7] at the sub-ministerial level. For a handy synopsis of US–China cyber perspectives, check out this Cipher Brief interview ^[8] with Adam Segal from the Council on Foreign Relations.

Achieving additional bilateral goals, President Obama talked cybersecurity with Indian Prime Minister Narendra Modi ^[9] at the White House last week. As part of their third major bilateral summit, the leaders released a joint statement ^[10] that committed to deepening their cooperative partnership in regards to combatting cybercrime, securing critical infrastructure and promoting voluntary norms of state behaviour. During the talks, the US and India penned a ‘Framework for the US-India Cyber Relationship ^[11]’ that’s expected to be signed ^[12] by the two leaders within the next 60 days. The framework recognises both countries’ simultaneous commitment to a ‘multistakeholder model of Internet governance’ and ‘the leading role for governments in cyber security matters relating to national security’. That duality is an interesting addition to a sequence of inconsistent policy ^[13] stances taken by the Indian government over the past year, which has included variations of a government-led multilateral approach and a broader multistakeholder approach.

There’s more good news for Indian cybersecurity, with the establishment ^[14] of a new Microsoft Cyber Security Engagement Centre last week. Microsoft selected the city of Gurgaon as the location for one of only seven such cyber security hubs worldwide. The centre is intended to stimulate public–private cooperation in the fight against cybercrime and increase cooperation amongst Indian businesses, government and academic organisations. Microsoft’s initiative will be run in collaboration with ^[15] the National Cybersecurity Coordinator, as well as CERT-India, meaning it’s a great step forward for public–private partnership in India.

It seems that everybody is interested in the US Presidential race, with the Democratic National Committee’s networks suffering a breach ^[16] at the hands of Russian hackers. The two groups involved were reportedly removed from the system by Crowdstrike ^[17] over the weekend, after several months of clandestine activity. The intrusion focused on internal staff communications and opposition research on Donald Trump, disregarding the personal information of donors, suggesting motivations of espionage ^[18] rather than financial cybercrime. This, paired with the ongoing issue ^[19] of Clinton’s email server, leaves Democratic cybersecurity wanting.

The UK House of Commons passed ^[20] the contentious ‘Investigatory Powers Bill ^[21]’ last week, licensing the government to collect bulk data on the online activity and smartphone use of Brits. The first cut of the surveillance bill ^[22], rejected after it elicited strong private sector objection ^[23], required businesses to increase their retention of customer data and help law enforcement undermine encrypted communications. Facebook, Google, Microsoft, Twitter and Yahoo released a joint submission ^[24] outlining their concerns last December, specifically in reference to ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’. Clearly heeding the harsh industry feedback and attempting to avoid the mess of the Apple-FBI debate ^[25], the final version requires that companies overcome encryption measures only if it’s reasonable ^[26] in terms of cost and technology. However, these amendments haven’t satisfied critical civil rights and privacy advocates, who refer to this bill as the ‘Snooper’s Charter ^[27]’, and who will likely wait with baited breath to see if the legislation is passed by the House of Lords later this year.

European privacy is a hot topic this week, with Germany fining three companies ^[28] for transferring data under the auspices of an overturned privacy law. As we’ve covered previously ^[29], the Safe Harbour agreement supported the transfer ^[30] of EU data across the Atlantic by US companies, based on self-regulation. This agreement was deemed invalid ^[31] by the European Court of Justice last October, making such data transfers illegal. This week, Adobe Systems, PepsiCo subsidiary Punica, and Unilever have been slapped with fines totalling €28,000 ^[32] for failing to establish an alternative method of cross-border data transfer. The Hamburg Data Commissioner stated ^[33] that ‘the data transfer of these companies to the USA was thus without any legal basis and unlawful’.