Cyber Week in Review: April 1, 2022

The European Union and the United States reach a preliminary agreement on a Trans-Atlantic Data Privacy Framework 

After two years of prolonged negotiation, the United States and European Union (EU) announced that they reached a preliminary data transfer agreement. The Trans-Atlantic Data Privacy Framework will replace the Privacy Shield agreement, which was struck down by the European Union’s highest court in 2020 due to concerns about U.S. surveillance law violating the privacy of European citizens. While the details of the agreement remain vague, the United States pledged to establish new safeguards and oversight of surveillance and to enact a two-level redress mechanism involving a data-protection review court. This follows last week’s announcement that the European Parliament is nearing an agreement on the Digital Markets Act, which will subject “gatekeeper” businesses to greater regulation and significantly affect the business of major American technology companies like Apple and Google in the EU. 

Nokia’s role in Russian digital surveillance exposed in new report 

On Monday, it was revealed that Finnish telecommunications company Nokia played a significant role in enabling Russia’s digital surveillance tool, the System for Operative Investigative Activities (SORM). The Russian government uses SORM to intercept communications and monitor the phone calls, emails, and texts of individuals in the country, including political dissidents such as Aleksei Navalny and Boris Nemtsov. While Nokia does not make the interception technology, it has supplied the equipment and services that connect SORM to Russia’s largest telecom service provider, MTS. Though Nokia stopped sales to Russia in the wake of its invasion of Ukraine, the New York Times reports that it left behind its extensive infrastructure used to run SORM. 

China frames genetic data as a national resource 

China’s Ministry of Science and Technology issued new draft guidelines that would increase government control over the genetic information of Chinese citizens. The new guidelines require the science and technology bureaus of Chinese provinces to conduct a review of human genetic databases every five years and emphasize that genetic data is a national strategic resource. Critics warn that the data could be abused, noting that the collection of genetic information has been used to track the Uighur population in China. As China consolidates control of its own citizens’ genetic information, it has also faced accusations of stealing sensitive biometric data from foreign countries. Last year, the United States’ National Counterintelligence and Security Center cautioned that the American private sector is vulnerable to data theft as China focuses on building the world’s largest database of biological information. 

Cyberattack on Ukrainian telecom company 

On Monday, hackers attacked Ukraine's state-owned telecommunications company, disrupting internet services. While it remains unclear whether the malicious activity was a distributed denial of service (DDoS) attack or a more sophisticated intrusion, service was restored fifteen hours after the initial compromise. A tweet by the State Service of Special Communications and Information Protection of Ukraine blamed “the enemy,” suggesting Russia may have been behind the attack. This follows the February 24 attack on satellite internet provider Viasat, which caused communications outages as Russian forces invaded the country. Last week, U.S. intelligence analysts concluded that the attack could be attributed to the Russian military spy service, the GRU, while cybersecurity researchers believe they have identified the malware used in the attack. 

Australia introduces major new cybersecurity laws 

Australia’s parliament passed a series of cybersecurity laws that create stringent requirements for Australian companies. The laws are focused on eleven sectors of the economy deemed critical infrastructure by the government. In addition, the laws give the government and Australian Signals Directorate (ASD), the country’s signals intelligence agency, “last resort” powers to take over the networks or allow the ASD to intervene to prevent catastrophic cyberattacks. The new laws were originally part of another series of laws focused on critical infrastructure enacted in 2021, but were removed from the original package to allow the government to consult with private industry. The government also announced a new $7.5 billion fund for the ASD, which will allow the agency to develop new cyber capabilities and hire 1,900 new staff.