ISMG Editors: How Ukraine's Cyber Defenders Prepped for WarAlso: Meta Fined 1.2 Billion Euros for Privacy Issues; GDPR's 5-Year Anniversary
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including top takeaways from Ukraine's cyber defense success, how a European regulator suspended Facebook data transfers to the United States, and the state of the EU General Data Protection Regulation on its five-year anniversary.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discuss:
- What lessons policymakers and defenders should be learning and applying 15 months after Russia intensified its cyberwarfare offensive against Ukraine;
- How Facebook's owner, Meta, has been fined 1.2 billion euros - $1.3 billion - for mishandling people's data when transferring it between Europe and the United States;
- The state of GDPR five years after the tough privacy law went into effect.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 12 edition on how the federal government hacked Russia's "Snake" Operation and the May 19 edition on the increasing fallout from the Capita breach.
Anna Delaney: Hello, this is the ISMG Editors' Panel. I am your host Anna Delaney and this is our weekly spot where we discuss and recap the top InfoSec stories and cybercrime trends you need to know about. I'm delighted to be joined by my colleagues today, Mathew Schwartz, executive editor of DataBreachToday & Europe and Tony Morbin, executive news editor for the EU. Wonderful to see you both.
Tony Morbin: Good to see you.
Mathew Schwartz: Great to be back, Anna.
Delaney: Very good. We are a cozy team today. Tony, what a beautiful statue behind you. Tell us more.
Morbin: Mercury. I took him for the god of communications which he is, not realizing he is also the god of financial gain, boundaries, luck, trickery, merchants and thieves. So I don't know how relevant all the other ones are. But I'm going to be talking about data transfer across the Atlantic so we might get some of all of those.
Delaney: Perfect for today. I didn't know communication thieves for ever something.
Morbin: Apparently so. It might well be the fact that it is the god of financial gain.
Delaney: And Matt, that's the halo above you?
Schwartz: Yeah, that's a bridge Anna. That's the Millennium Bridge in Newcastle. Yes. I've got it for sale too, if you want. But yes, the gorgeous Millennium Bridge on the keys of Newcastle in England, where I was this past weekend to go to a music festival in a number of different venues. And it was just a lovely spring weekend in the north of England.
Delaney: I've not been to Newcastle. So, it's on my list.
Schwartz: My first time.
Delaney: Yeah, very good. Well, I love the shot. I'm, well - Facebook, but I don't usually go on to or very much at least these days. But when I do, I enjoy the memories that they share and reminders of what happened several years ago and Facebook today told me that 11 years ago today, I was in Barcelona with my mom. So this is happy memories from Gaudí's Park Güell's mosaic artwork for you. Okay. And the sunshine that I'm missing. Anyway, bring it on. Matt, you wrote a piece earlier this week that considers the cybersecurity lessons policymakers and defenders should be learning and applying 15 months after Russia intensified its invasion on Ukraine. So let's first do a little bit of an assessment of where we are right now with the war, what the cyber angle looks like, and how much of a role cyberattacks continue to play in the war. And then we can move on to key takeaways.
Schwartz: Great. So just to do a brief recap on the cyber war, if you will, that wasn't really a cyber war. Before, as you said, Russia intensified its invasion. February 24 2022 is when it went all out. And before that, there had been a number of online attacks, intensification of online attacks, probing attempted disruption, especially of some critical infrastructure sectors and wiper malware. And then in the early part of the intensified invasion, there was a lot of wiper malware, and a lot of cyberattack, online attack activity, we saw the rise of hacktivists, and we can talk about that perhaps in just a moment as a force, both working in supportive Moscow, and as a force working in support of Ukraine. The hacktivists angle was a surprise to a lot of people. What was also a surprise to a lot of people once Russia went all out was the fact that we didn't really see cyber war, we have not seen cyber war, whatever that might be. But however you're going to define it, we really haven't seen it. We've not seen close coordination between kinetic attacks or physical attacks and online attacks. So troops aren't assaulting a position backed by just-in-time malware, for example, they crashed the electric grid in the region where they are. There are a number of explanations for that. But I think the simplest and that's probably the most likely is it's really hard to coordinate online attacks with physical attacks. Also, if you've gone to the effort, if you're Russia, of pre-positioning yourself in various systems, do you want to use that once as part of a ground attack that might get repelled, might not work, or do you want to use that for as long as possible as part of a cyber espionage operation. And so, if I can conclude the brief-ish recap, what experts suspect is that when it comes to the online arena, what Russia is doing is continuing to focus a lot on cyber espionage and giving itself insight into Ukraine and other countries, of course, as well. But trying to give itself the best intelligence it can get about what's going on, what decision makers are thinking, and so on. We've seen some wiper malware, but it looks like they had some in reserve, or some ready to use, and they used it up. And it's not clear that they've had enough time to replenish. Russia, by all accounts, thought that the war was going to last a week, maybe two. So there may have been some really poor preparation and planning before it launched its war. Unfortunately, Russia can be in things for the long haul, as we've seen, and as many prognosticators are predicting, the Ukraine-Russia war might not end anytime soon. So that's my brief introduction about lessons learned, I think, about how Russia is waging its campaign, especially when it comes to the online arena. So maybe this is a good time to shift that into what are some of the takeaways? So there was a great session recently held by the Center for Strategic and International Studies - online session - that was launching a new report that was commissioned by the National Cybersecurity Center here in Britain, where we all are. And the NCSC asked this question, "What are the takeaways that we can take away at this point in the conflict?" and I'm just going to start with what one of the conclusions was - an excellent conclusion by a woman named Erica Lonergan who is an assistant professor in the Army Cyber Institute at the US Military Academy at West Point. And she said something great, which is, we have to be really careful - I'm paraphrasing - not to harp on what the most convenient explanations of success are so far. And we're going to go into some of those points of success here in just a moment. But just because we think something was a success, we need to be really careful. She said, we need to do some really careful analysis, because there's lots about this conflict that hasn't come to light yet. And what are the other great points made in this presentation that they had to launch the report is that we don't know what Russia's goals are. The goals that Russia has the conflict, it might be meeting all of those goals in terms of how the conflict is being waged, we might look at what's going on and think, "Well, they could have done that really well." But as Paul Chichester, who's director of operations at the NCSC said, their view of success and ours may prove to be different in the future. And we're not going to know that until much later. That was one of the takeaways. I think, James Lewis, who helped with the report, he wrote the introduction to the report, he's at CSIS. He said, this is one of the lessons that came out from the Soviet era, when the wall came down and people looked really closely at what Russia had been trying to do, what the Soviet Union had been trying to do. Oftentimes things the West thought were failures were successes inside the Soviet Union. So I love that umbrella there of, "We need to be careful about what we decide worked and didn't work." But if we're going to focus on what we think is working, I'm going to go back to Paul Chichester, and one of the things he said, which I love, is the key thing is that we can see the defenders get a vote. A lot of people thought Ukraine wouldn't survive Russia's invasion. Setting aside the ground war, Ukraine has really distinguished itself in the cyber defense sphere. It's been lucky - not really luck - but it's been targeted by Russia for so long. And it's been getting help from the EU, it's now a part of the NATO Cooperative Cyber Defense Center of Excellence as well. That just happened this month. It's getting lots of great input. And in exchange, especially now with this NATO angle, it's also feeding back about what it is doing, and how that's helping, what works, what doesn't work. So far in the conflict, CyberPeace Institute says third parties have catalogued about 1,600 cyberattacks and operations tied to the conflict attributed to 93 different threat actors. So there's a significant amount or quantity of cyber operations happening here. Obviously, this is something we should be taking lessons away from. So as I mentioned, Paul Chichester saying defenders get a vote, I love that. If you prepare, you can repel the likes of Russia. Will Ukraine continue to do that in six months and 12 months? Hopefully, I mean, this is where we are so far. But one of the big takeaways is resilience. And we saw that with the Biden administration's new National Cybersecurity strategy, released in March, and again, James Lewis, CSIS, notes that previously, deterrence was one of the main focal points for governments, but especially as we've seen with the U.S. cybersecurity strategy, deterrence is still useful in a political sphere to signal the intention of a government. Resilience, however, is where it's at these days. And the great thing about resilience is it doesn't matter if you're attempting to combat a nation state or a criminal, or proxy elements. If you are resilient, you can repel them all. So which was another great point, I think. Finally, what I would highlight is one of the big surprises for people, aside from the there was no major roll of cyber war, has been the role of allies and business partners. So I touched on allies already. Business partners, though, has been, and continues to be, essential. And they've also been some unforeseen consequences. For example, Starlink helped Ukraine and the government and the military stay online, when Russia launched a major malware attack that bricked a lot of the satellite routers, the Viasat satellite routers that were being used in Ukraine that should have knocked or could have knocked Ukraine offline. Starlink came in and helped out. Later in the conflict, though, Starlink said, "Oh, wait, we didn't know these were being used for offensive military operations," its routers. And there is a little bit of a tussle there about what might happen. Starlink eventually backed off. But some of the people who wrote essays for this report said this is something that other governments need to think about, because it's going to be the rare government that can keep itself online, that can keep its services in the cloud without using cloud providers, because on-premises doesn't work in a battle sphere. Oftentimes, if you're being invaded, you need to get your stuff into the cloud. Microsoft helped with that. Amazon helped with that. And so, these experts such as Julia Voo, a cyber fellow at Harvard's Belfer Center for Science and International Affairs, says governments need to be thinking about this, they need to be putting things in place, legal mechanisms, as well, that perhaps give some legal immunity to the organizations they're working with, and which specify how these services can be used. For example, for the military. Do this now, she says, because, as we see with Starlink, and some other things, you don't want to have to be doing this in the middle of an all-out war. So there's lots of lessons that can be learned here, a lot of it comes down to resilience, which comes down to preparation. And, again, always looking at what others who are at the sharp end or facing the sharp end of the spear are having to deal with and thinking if that's us in a week, a month, a year? How do we ensure that we are where we need to be in order to best repel whoever is trying to do us harm?
Delaney: That was excellent. And as you say, this huge collaboration between the private and public spheres. But what if this war were to last for years? We don't know how long this will go on. Are policymakers, governments thinking about how this will be funded this model or how it will continue?
Schwartz: Well, that's a huge point. And that was raised by this collection of essays that CSIS put together. The participants are saying, yes, what does happen if it's 2-3-4 or five years, Ukraine is a bit of a special case. The world has rallied, well parts of the world have rallied to his defense. And thus far, you have businesses like Microsoft, saying, "This is costing us a lot of money, and we're happy to donate it." But will this carry on? Can it afford to carry on? Can Starlink afford to gift access to Ukraine? So one of the models that's been proposed is charitable giving, basically just appealing to people to donate, do the right thing, do the moral, do the ethical thing. Not clear that that would be a sustainable long-term solution. One of the other things has been proposed, which I think is sustainable, is the likes of NATO or the UN or some governmental organization creates a fund to which people can contribute and in times of conflict, this fund pays out to get them the vital services they need. And again, here, you can build in these rules or agreements where vendors agree to work with the fund. And they agree to play by the funds rules, which is this might go to the military, for example, to help keep its forces online to help its drones be able to function, that sort of thing. So, yes, really interesting policy questions and discussions having now and that need to be happening now.
Morbin: While I totally agree with all those takeaways and particularly, you know, resilience, and very interesting, what you had coming from the NCSC there and Chich talking about this - we don't know what we don't know, in terms of what their intentions were. But I'm going to disagree with the overall premise that we haven't seen cyber war because I think trying to take down the satellites was an out-and-out attempt at using cyber to affect their real-world goals. Same goes for the wipers, they kind of shot their boat with bringing down Ukraine's electricity years ago, so they were a lot better prepared when it came to a war. And so I think it was a mixture of 1) Ukraine successfully fought off the cyber war, in my view, even though we don't know if Russia has another SolarWinds hidden somewhere. We don't know that. But, you know, from what we've seen, they fought off everything that was thrown at them. But not only that, the big issue is that cyber is a bit of a damp squib compared to dropping a bomb on somebody. So you know, and I think that's the big thing is that kinetic trumps cyber.
Schwartz: Well, and that was one of the points made again by James Lewis from CSIS. Kinetic seems to tump cyber, but if you could get it right, would cyber plus kinetic be even more powerful? And that's not clear. And we don't know why Russia hasn't done it. Is it its inability to do it? Is it because it's very costly? Did it test it and it didn't work out the way it wanted it to? So that's a bit of an open question. To your cyber war point, it's a question of semantics. A lot of people who study the area think cyber operations is probably a better term just because what is cyber war? It is very nebulous. So a lot of people that are favoring something a bit more specific, which is, again, the cyber operations. And that gets to the nuance of is it espionage? Is it something in support of a military operation? We don't always know all of these wrinkles. And so it's difficult to see the bigger picture. I guess, perhaps when the war is over, we can look back at what was the cyber war aspect of it. But we don't always know. And also about the satellite, it didn't take out the satellite, it took out the routers, and then the provider of the service replaced the routers. So yes, it was an onslaught. But I mean, we've seen attacks brick routers before, typically not in a service of an invasion. So yeah, they can be called the cyber war. But it wasn't the cyber war that many people were predicting.
Morbin: Oh, absolutely not. I mean, you know, we haven't seen a Stuxnet as such. We haven't, for obvious collateral damage reasons, we haven't seen a WannaCry. And I wonder how much that may have influenced Russia's actions with cyber weapons that you can't control the collateral damage. And then there may be additional kinetic consequences from that.
Schwartz: Yeah, Russia has been very circumscribed in who it attacks. And even the proxies, like KillNet, the hacktivist group have been very circumscribed in who they attack and actually they're really not doing much damage. It's more information operations and supportive Kremlin propaganda. But in terms of actual attributed to Russia, that's based on what's become public. It's possible things have happened that we don't know about, but based on what's become public, Russia is not targeting the West. Western governments warn that might happen. They've not seen it. A lot of people are deducing that Moscow really doesn't want to get anywhere near those red lines.
Delaney: Well, I have to say the conversation doesn't stop here. But in order to move on for time, to Tony's topic, Facebook's owner Meta has been fined 1.3 billion dollars this week for mishandling people's data when transferring it between Europe and the United States. So it's the largest fine to date imposed under the EU General Data Protection Regulation privacy law, and coincidentally comes in the same week as the GDPR's fifth anniversary. So what went wrong for Facebook or what didn't go wrong? What's your take? Tony?
Morbin: Okay, I mean I was going to take sort of a wider look at privacy, but obviously then focusing on what's happened with Facebook. And, you know, just as one man's freedom fighter is another man's terrorist, so it is with privacy, where what's seen as a legitimate expectation of an individual's privacy by some is regarded as undermining necessary security measures for another, or the stifling of free market and innovation for yet another. So here we are, as you say, five years on from the implementation of GDPR, where the EU effectively took a stand against the hoovering up of its citizens data by a U.S. social media giant for commercial exploitation. At the time, it appeared the issue was purely between Europeans, whose public had privacy concerns centered on how their data was being taken without their consent to better sell them products and services. And the US where privacy concerns tended to focus on the suspicion of creeping government overreach into surveillance of their lives, sometimes are allied to conspiracy theories, sometimes allied to actual government policies and the Ukraine sort of falling somewhere between the U.S. and Europe. Of course, in authoritarian regimes such as Russia, China, North Korea, and many in the Middle East, the impact of public opinion falls a long way behind the need to ensure stability of the government. And this is done by limiting opposition at home and abroad. So privacy is framed on a national security basis, not letting the foreigners get your information or gathering all you can yourself. Today, all of those three concerns converge. And in all three constituencies, all of them can come up with actual examples of where their worst fears have been realized. So coming back to Facebook, most significantly this week, the European Union hit Facebook parent Meta with $1.3 billion privacy fine, and ordered it to stop transferring users' personal information across the Atlantic by October this year. The move is the culmination of a 10-year saga between Facebook/ Meta, and Austrian privacy campaign and Max Schrems, who objected to potential surveillance by U.S. intelligence agencies of Europeans data, as revealed by NSA contractor Edward Snowden. In litigation, Schrems sunk previous regulations that formed the basis to allow European and US data transfer. Schrems himself this week has said for 10 years, Meta has not taken any material precaution, but simply ignored the European Court of Justice and the European Data Protection Board. Now Meta does not only have to pay a record fine, but also return all personal data to its EU data centers. This can be very hard to do. And even hosting data in the European Economic Area will not necessarily overcome all the concerns raised by the regulators, if Meta in the US can still access the data stored in the EU. Plus, it could cause issues with some of Meta's advertisers, if they're still using this data to target their ads. Now while the aim of the regulation is to change corporate behavior with privacy by design, it can be viewed as challenging some of the business models use or in some cases, outright preventing them. And this particularly applies to information gathered for one purpose such as health monitoring is used for another such as targeted advertising. Along the way, we've also seen the Israeli offensive surveillance industry decimated following NSO's use against the US, including the closure of NSO competitor QuaDream announced today they've been clamped down on the use by Western governments - Huawei, in comparison, Kaspersky technology and apps such as TikTok, but on the other side, China and Russia are introducing data residency and app use restrictions with China this week, banning US chipmaker micron back to GDPR. Initially, enforcement there was viewed as weaker than anticipated, but it has ramped up in recent years, and reported total fines now reach some 2.6 billion euros and others in process could bring that up to 3.5 billion. Now that's going to increase dramatically with the mattifying. The auditor stop transatlantic transfers of the personal data will apply to the users data, such as names, email, IP addresses, messages, viewing history, geolocation data, and other information that Meta and others such as Google use for their targeted online ads. We're also seeing many countries around the world now replicating GDPR-style privacy regulations, which set the bar of its potential, find a 4% of annual global turnover for offenders. Some 70% of the world's countries now have some form of privacy or data protection legislation in place and another 10 to 15% are reported working on it in this area. Unusually for the US is playing catch up as it's appearing to introduce privacy regulations state at a time. Meta has warned that services in Europe could be cut off and it's appealing the decision, but commentators suggest it's going to be unsuccessful, and it may subsequently face class actions and other big tech organizations will likely face similar action. The Irish DPC, which issued the fine, did suggest that we have sufficient encryption, the transfers may have been permitted, and others have called for greater use of data virtualization, as well as the use of AI to automate the recording location and visibility of data. But going forward, the core issue will be about making the right decisions at the beginning of a product's life cycle or data life cycle, so that data protection is embedded early, including in core business functions. While AI might be part of the solution, it's also been pointed out that there are inherent tensions between the principles of data protection and the principles of two AI systems, data minimization, purpose, limitation, learning and transparency. When it comes to data transfers, at least wider adoption of privacy regulation provides a baseline for discussion. But geopolitical tensions and divergent ideological approaches to the rights of individuals versus those of the community or especially in the state will make this difficult. If the US and the Europe can't broker a deal, how much more difficult is that going to be to reach an agreement with those who truly see the world differently?
Delaney: Excellent. And Tony, five years on, we're in a different place. Since the beginning, when it was enforced, where we've got cloud computing and ChatGPT and remote working - do you think GDPR is fit for purpose right now in this new environment?
Morbin: It's certainly improved, but there's inconsistency is probably the biggest issue. You know, I noticed your discussion you had recently in a panel where they compared Spain and Portugal, I think I'll make the figures up. But it was something like 87 complaints issued in Portugal and in the hundreds in Spain. And so that's an issue. And particularly if we're trying, one of the whole purposes was to get consistency. Having said that, the ramping up of fines recently does sharpen the focus for businesses as to making sure that they're compliant.
Delaney: Brilliant, I think Matt agrees. He's nodding there.
Schwartz: Definitely. I mean, it's very difficult to get a country-by-country view of GDPR enforcement. And when we do get it, some of it has to be deduced by firms that are looking at these things. And as Tony said, it can be wildly different. Some countries don't even really release details about who they find or what sorts of enforcement actions they have undertaken. So there's very different - I don't know if you want to say it's cultural, but definitely different countries have different approaches. And I think that's made it difficult to ascertain to what extent things are being fairly and even-handedly applied. But as we see with this fight against Meta, where the Irish DPC was basically told that it needed to, it was overruled by the European Data Protection Board. There is pressure being brought to bear to make sure that things that are seen as being a problem are being addressed.
Delaney: Well, I have plenty more questions, but in the interest of time, we have to move on to my final quick question for fun. I want you to turn to the great Bard himself for inspiration now, William Shakespeare, of course. Which of his plays or quotes best describes the state of cybersecurity today. Matt?
Schwartz: I'll jump in. So one of my favorite plays from Shakespeare, having done some Shakespeare when I was at university, is Anthony and Cleopatra. And Anthony's gone, Caesar shows up and basically tells Cleopatra how it's going to be. And he's like, "I'm going to be the master, I'm going to be the Lord, and if as long as we can agree on that, everything will be fine." Exit. And Cleopatra turns to her entourage and goes, "He words me girl, he words me" and that I should not be noble to myself, basically is the end of the quote. But I love that "he words me" because I just feel like with so many of the communications we see with data breaches, recently Capita, many offenders previous to that. They are wording us, they're just throwing words, trying to absolve themselves of any responsibility or to make themselves seem like something they're not. And I think that gets to, as everyone would say about Shakespeare, essential aspects of human nature.
Delaney: And that fits in perfectly with Tony's Mercury behind him. Tony, are you inspired today?
Morbin: Well, I mean, just for the title alone, I would have said "all's well that ends well" as a very hopeful - it's all about resilience, what happens along the way, but the story doesn't fit. So I'll grab a quote, "Wise men ne’er sit and wail their loss, but cheerily seek how to redress their harms." - Henry, the VI, part three, so, you know, no point wailing about it, just get on out there and fix it. That's the job.
Delaney: Did you dig into your compendium of Shakespeare and dig that out?
Morbin: That's one that didn't come off the top of my head.
Delaney: Mine is from Romeo and Juliet, "Wisely and slow, they stumble that run fast". And if you remember, you recall Friar Laurence is advising Romeo to think very carefully and wisely about his decision to marry Juliet. So I think we can take something from this. I mean, obviously Romeo didn't listen to Laurence, but in terms of defense, we often hear CISOs talk about taking a very well measure considered strategic approach to their defense strategy, as opposed to running in and rushing in. It's never a good idea.
Morbin: One of the quotes was quite good was, "When the sea was calm all ships alike showed mastership in floating" in Coriolanus. So yeah, when it was calm, everybody is good, when things get tough, that's when we find out who's actually prepared.
Delaney: Yes, the cyber master here. And I think there were quite a few more that I had my eyes on. But anyway, enough for now, for this week, farewell. We'll see you soon. Thank you very much. And thanks so much for watching.