• France
    Shouting at Americans: A Peek Into French Signals Intelligence
    Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.

    Something remarkable happened a few months ago. Bernard Barbier, head of signals intelligence (SIGINT) at France's foreign intelligence agency, the DGSE, from 2006 to 2014, gave a speech at one of France's top engineering schools in which he reflected on his career and imparted some of his wisdom to students. He also said some things that he probably shouldn't have, like confirming that France was behind the Animal Farm advanced persistent threat, commenting on the SIGINT capabilities of European allies, and reacting to the revelation that the U.S. National Security Agency (NSA) had compromised the networks of the French presidency. Last week, Barbier's speech surfaced on YouTube but was quickly taken down (UPDATE: A new version of the video is up here. H/T Boing Boing). However, it was up long enough for the French daily Le Monde to transcribe some of the highlights. Here they are, paraphrased and translated from the original French.

    1. "I got the order from Mr. Sarkozy's successor [current President Hollande] to shout at the Americans ... it was a great moment in my professional career"

    Barbier recalls that he was first informed of a possible compromise at the Élysée palace in 2012, when a former colleague working in IT security at the palace reached out for analysis of a piece of malware. With the help of a new metadata capability the French obtained in 2012 and Edward Snowden's revelation of the NSA's QUANTUM capability in 2013, Barbier's staff concluded that the attack on the Élysée was the work of the United States. Barbier recalls:

        I received the order from Mr. Sarkozy's successor to go and shout at the Americans. It was on April 12, 2013, and it was really a great moment in my professional career. We were convinced it was them. At the end of the meeting, Keith Alexander [director of the NSA from 2005 to 2014] was not happy. While we were on the bus, he told me he was disappointed because he never thought they would be caught. He added: "You are pretty good." As allies, we didn't spy on them. The fact that the Americans broke this rule took us by surprise.

    2. "And yes, it was a Frenchman"

    In 2014, Le Monde published documents from the Snowden archive revealing that Canada's SIGINT agency, the Communications Security Establishment (CSE), suspected that Paris was behind a cyberespionage campaign that began in 2009 and targeted Iran's nuclear program, but also computers in Canada. CSE attributed the campaign to the French in part through reverse engineering, which revealed that the malware developer had used references to a French children's cartoon character, Babar the Elephant. The animal-themed naming also led Kaspersky to christen the malware family Animal Farm. Barbier recalls that CSE "concluded that he [the malware author] was French. And yes, it was a Frenchman."

    3. The pipe dream of a united European intelligence agency, and the possibility of merging French and German intelligence

    In one of the more surprising aspects of his speech, Barbier mused about the possibility of creating a European intelligence agency but quickly dismissed the notion, noting that only a fusion of the French and German intelligence agencies would be feasible.

        It is impossible to build a single European intelligence agency with twenty-eight countries that don't have the same capabilities or the same culture. The best, by population size, are the Swedes. The Italians are bad. The Spanish are a bit better, but don't have the capabilities. And the Brits, with 6,500 staff at GCHQ [Government Communications Headquarters, the UK SIGINT agency], are very good, but are they European? And France has the strongest technical capabilities for intelligence collection in continental Europe. That leaves the Germans, who are solid partners. I've worked a lot with them, sometimes transmitting our know-how and bringing them some technical capability. German and French engineers work very well together. In contrast, a British engineer with a French engineer is complicated. To be more effective, I told French politicians that we had to merge the BND [the German foreign intelligence agency] and the DGSE. It's the only solution. It would be an agency with 15,000 staff. The NSA has 60,000 people, and the SIGINT section of the DGSE is 3,000 agents. But the French politicians never followed up.

    Merging the BND and the DGSE would have made for some awkward conversations, given that last year news reports revealed that the BND had been spying on France.

    4. Snowden is a traitor who "rather helped us"

    Finally, Barbier gives his opinion on Edward Snowden, presumably in response to a question from the audience.

        For me, Snowden is a traitor to his country, but he has nothing to do with Julian Assange. The Americans made Snowden, who was an external contractor, a systems administrator. Those who do that job in the DGSE are bureaucrats with between fifteen and twenty years of seniority. The possibility of having a Snowden in France is very low. Snowden showed that espionage between allies existed and that the Americans compromised hardware, such as that sold by Cisco, which poses a problem for technological independence. In that sense, Snowden rather helped us.
  • Germany
    Cyber Week in Review: August 26, 2016
    Here is a quick round-up of this week's technology headlines and related stories you may have missed:

    1. Further developments in the Shadow Brokers hack. Since an individual or group calling itself the "Shadow Brokers" posted hacking tools widely believed to have been created by the National Security Agency, there has been some speculation that an NSA insider, like Edward Snowden, was behind the leak, perhaps physically smuggling the tools out of the NSA on a flash drive. However, the evidence suggests it is more likely that a careless NSA operator left the tools behind on an unsecured server used in an operation, where the Shadow Brokers were able to find them by working backwards from a system the NSA had compromised. Researchers digging into the tools this week also found a script that would hide an attacker's presence on Huawei firewalls, on top of the Cisco, Juniper, and Topsec exploits already discovered. Another group of researchers was able to update one of the leaked exploits, which appears to have been stolen in 2013 and targets older versions of Cisco's ASA firewall, so that it works on a much more recent version. And according to a linguist, despite the bad English used in the Shadow Brokers' online posting, it appears that the person who wrote the statement was a native English speaker who deliberately introduced errors.

    2. France and Germany not ready to concede the crypto wars. Meeting in Paris on Tuesday, the interior ministers of the two countries discussed plans to regulate encryption in the fight against terrorism. They called on the European Commission to require so-called "over-the-top" communications providers, such as the video, voice, and text chat apps Skype, WhatsApp, and Telegram, to maintain the capability to decrypt encrypted messages and turn over the communications of suspected terrorists to law enforcement authorities. The Commission is currently considering extending existing privacy regulations, which stipulate how traditional telecoms handle customer data, to such over-the-top services. The ministers cited recent terrorist attacks in Europe as the reason they need access to encrypted communications, despite it being unclear whether the perpetrators of the recent attacks actually used encrypted systems. Privacy advocates were quick to criticize the ministers' proposal.

    3. WikiLeaks: good on transparency, not so good on privacy and security. According to a report by the Associated Press, WikiLeaks' releases have included the personal information of several hundred people. While the website's founders have said in the past that they have a "harm minimization policy" that aims to protect "legitimate secrets" in the documents they leak, such as medical records, it doesn't seem that this policy was followed in recent leaks. The documents, most of which were released as part of a dump of Saudi Arabian foreign ministry files, include medical records of children, refugees, and individuals with psychiatric conditions. Other documents identify victims of sexual assault, couples going through divorces, and individuals who are deeply in debt. Separately, a Bulgarian security researcher announced last week that he had discovered several hundred pieces of malware among documents released by the transparency organization.

    4. Journalists in Russia the target of hacks. According to CNN, journalists with the New York Times and other news organizations have been the target of cyberattacks by Russian intelligence agencies in recent months. The Times subsequently announced that its Moscow bureau was the target of an attempted hack, although a spokesperson for the paper said it had no evidence that any of its networks had been breached and that it had not hired any outside firms to investigate the issue. Both outlets report that the Federal Bureau of Investigation is looking into the matter. While alarming in light of the recent breaches of the Democratic National Committee's networks, such attacks are old hat, both for the New York Times and for Russia. Russian intelligence services have long targeted domestic journalists with cyberattacks, and the New York Times' networks were breached by Chinese hackers in 2013.
  • Europe
    Germany is Running a Fiscal Surplus in 2016 After All
    It turns out Germany has fiscal space even by German standards! Germany's federal government posted a fiscal surplus of 1.2 percent of GDP in the first half of 2016. The IMF was forecasting a federal surplus of 0.3 percent (and a general government deficit of 0.1 percent of GDP; see table 2, p. 41); the Germans over-performed.*

    Germany's ongoing fiscal surplus contributes to Germany's massive current account surplus, and to the large and growing external surplus of the eurozone (the eurozone's surplus reached €350 billion in the last four quarters of data, which now include Q2). The external surplus effectively exports Europe's demand shortfall to the rest of the world and puts downward pressure on global interest rates. Cue my usual links to papers warning about the risk of exporting secular stagnation.

    Martin Sandbu of the Financial Times puts it well:

        "The government's surplus adds to the larger private sector surplus, which means the nation as a whole consumes much less than it produces, sending the excess abroad in return for increasing financial claims on the rest of the world. German policymakers like to say that the country's enormous trade surplus is a result of economic fundamentals, not policy—but as far as the budget goes, that claim is untenable. Even if much of the external surplus were beyond the ability of policy to influence, that would be a case to use the government budget to counteract it, not reinforce it."

    The Germans tend to see it differently. Rather than viewing budget surpluses as a beggar-thy-neighbor restraint on demand, they believe their fiscal prudence sets a good example for their neighbors. But Germany's neighbors need German demand for their goods and services far more than they need Germany to set an example of fiscal prudence.

    It is clear—given the risk of a debt-deflation trap in Germany's eurozone partners—that successful adjustment in the eurozone can only come if German prices and wages rise faster than prices and wages in the rest of the eurozone. The alternative mechanism of adjustment—falling wages and prices in the rest of the eurozone—won't work. German fiscal expansion, especially if channeled into public investment that spurs private investment and spills over to the rest of the eurozone, would thus help others achieve their fiscal goals: stronger demand in Germany would raise their exports, pulling up their output and tax revenues. See this 2014 IMF working paper.

    If nothing else, Germany's 2016 surplus allows the IMF to easily recalibrate its 2017 fiscal recommendation for the eurozone. It looks like the German fiscal expansion that the IMF initially projected for 2016 didn't happen (the IMF projected a half-point increase in government spending relative to GDP and a 20 basis point fall in revenue relative to GDP in 2016). That makes it easy for the IMF to call for an expansion that brings the surplus down to zero in 2017, and in the process helps to offset the negative fiscal impulse likely to come from Spain and others. The IMF is still reluctant to call for external surplus countries to run (modest) budget deficits. But it has been willing to call for countries with external surpluses and budget surpluses to bring their budgets back to balance.

    * The general government balance captures spending by the regional governments; it provides a broader measure of Germany's fiscal stance than the federal budget.
  • Cybersecurity
    Blaming Russia For the DNC Hack Is Almost Too Easy
    Dr. Sandro Gaycken is the Director of the Digital Society Institute, a former hacktivist, and a strategic advisor to NATO, some German DAX companies, and the German government on cyber matters.

    The hack of the Democratic National Committee (DNC) definitely looks Russian. The evidence is compelling. The tools used in the incident appeared in previous cases of alleged Russian espionage, including the German Bundestag hack. The attackers, dubbed Cozy Bear and Fancy Bear, have been known for years and have long been rumored to have a Russian connection. Other indicators, such as IP addresses, the language and location settings in the documents' metadata, and code compilation timestamps, point to Russia. The Kremlin is also known to practice influence operations, and a leak before the Democrats' convention fits that profile, as does laundering the information through a third party like WikiLeaks. Finally, the cui bono makes sense as well; Russia may favor Donald Trump given his Putin-friendly statements and his views on NATO. Altogether, it looks like a clean-cut case.

    But before accusing a nuclear power like Russia of interfering in a U.S. election, these arguments should be thoroughly and skeptically scrutinized. A critical look exposes significant flaws in the attribution. First, all of the technical evidence can be spoofed. Although some argue that spoofing the mound of uncovered evidence is too much work, it can easily be done by a small team of good attackers in three or four days. Second, the tools used by Cozy Bear appeared on the black market when they were first discovered years ago and have since been recycled and used against many other targets, including German industry. The reuse and fine-tuning of existing malware happens all the time. Third, the language, location settings, and compilation metadata can easily be altered by changing basic settings on the attacker's computer in five minutes, with no need for specialist knowledge.
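    The third point above, that the author, language and timestamp fields in a leaked document's metadata are simply values the document's last editor controls, shown in code. This is an added example and is not part of Dr. Gaycken's article: it builds a constructed minimal .docx package in memory using only the Python standard library, reads the core-properties part (dc:creator, cp:lastModifiedBy, dc:language, dcterms:created, dcterms:modified) the way a forensic triage script would, and then rewrites two of those fields without touching any other part of the package. Every name and value in it (analyst-one, Ivan Ivanov, the dates, the body text) is constructed for the illustration; the package layout follows the OOXML parts a real Word file contains.

```python
"""Core properties of an OOXML (.docx) package: the author, language and
timestamp fields that attribution write-ups often quote as indicators.
Constructed example; the sample document is built in memory and is not
a real file from any incident."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes on re-serialization

# Core-property element name -> namespace prefix it is defined in (per ECMA-376).
FIELDS = {"creator": "dc", "lastModifiedBy": "cp", "language": "dc",
          "created": "dcterms", "modified": "dcterms"}

# Constructed sample: the "original" document's indicators (not real data).
SAMPLE_PROPS = {"creator": "analyst-one", "lastModifiedBy": "analyst-one",
                "language": "en-US", "created": "2016-06-14T09:00:00Z",
                "modified": "2016-06-15T17:30:00Z"}

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>')
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
    '</Relationships>')
CORE_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
    '<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{lastModifiedBy}</cp:lastModifiedBy>'
    '<dc:language>{language}</dc:language>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    '</cp:coreProperties>')
DOCUMENT_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx(props, body_text):
    """Build a minimal .docx package in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("docProps/core.xml", CORE_TEMPLATE.format(**NS, **props))
        z.writestr("word/document.xml",
                   DOCUMENT_TEMPLATE.format(w=NS["w"], text=escape(body_text)))
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return the core-property fields an analyst would list as 'indicators'."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for name, prefix in FIELDS.items():
        el = root.find(f"{prefix}:{name}", NS)
        props[name] = None if el is None else el.text
    return props


def rewrite_core_properties(docx_bytes, overrides):
    """Return a copy of the package with the given core properties replaced.
    Every other part is copied byte-for-byte, so the body text is untouched."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        parts = {info.filename: src.read(info.filename) for info in src.infolist()}
    root = ET.fromstring(parts["docProps/core.xml"])
    for name, value in overrides.items():
        prefix = FIELDS[name]
        el = root.find(f"{prefix}:{name}", NS)
        if el is None:  # field absent in this document: add it
            el = ET.SubElement(root, f"{{{NS[prefix]}}}{name}")
        el.text = value
    parts["docProps/core.xml"] = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for filename, data in parts.items():
            dst.writestr(filename, data)
    return buf.getvalue()


def document_text(docx_bytes):
    """Concatenate the document's <w:t> runs, to show the body survives a rewrite."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{NS['w']}}}t"))


if __name__ == "__main__":
    original = build_sample_docx(SAMPLE_PROPS, "Constructed sample body text.")
    print("original :", extract_core_properties(original))
    # Two string edits flip the author and language indicators; nothing else changes.
    forged = rewrite_core_properties(original, {"creator": "Ivan Ivanov", "language": "ru-RU"})
    print("rewritten:", extract_core_properties(forged))
    print("body unchanged:", document_text(forged) == document_text(original))
```

    Run directly, the script prints the property set before and after the rewrite; the body text is identical in both packages. The defender's reading of the same fact: because these parts are free text written by whatever software last saved the file, they are weak, corroborating indicators at best and should never carry an attribution on their own.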
    None of the technical evidence is convincing. It would only be convincing if the attackers had used entirely novel, unique, and sophisticated tools with unmistakable indicators pointing to Russia, supported by human intelligence rather than malware analysis. The DNC attackers also had very poor, almost comical, operational security (OPSEC). State actors tend to have a quality assurance review when developing cyberattack tools to minimize the risk of discovery and of leaving obvious crumbs behind. Russian intelligence services are especially good. They are highly capable, tactically and strategically agile, and rational. They ensure that offensive tools are tailored and proportionate to the signal they want to send, the possibility of disclosure and public perception, and the odds of escalation. The shoddy OPSEC just doesn't fit what we know about Russian intelligence.

    The claim that Guccifer 2.0 is a Russian false flag operation may not hold up either. If Russia wanted to cover up the fact that it had hacked the DNC, why create a pseudonym that could only attract more attention, and then publish the emails? Dumping a trove of documents all at once is less valuable than cherry-picking the most damaging information and strategically leaking it in a crafted and targeted fashion, as the FSB, SVR, or GRU have probably done in the past. Also, leaking to WikiLeaks isn't hard; they have a submission form.

    Given these arguments, blaming Russia is not a slam dunk. Why would a country with some of the best intelligence services in the world commit a whole series of really stupid mistakes in a highly sensitive operation? Why pick a target that has a strong chance of leading to escalatory activity when Russia is known to prefer incremental actions over drastic ones? Why go through the trouble of a false flag when doing nothing would arguably have been better? Lastly, how does Russia benefit from publicly backing Donald Trump given that Republicans have been skeptical of improving relations?
    The evidence and information in the public domain strongly suggest Russia was behind the DNC hack, even though Russian intelligence services would have had the choice of not making it so clear-cut, given what we know about their tools, tactics, procedures, and thinking. The DNC hack leads to at least four "what if" questions, each with its own significant policy consequences. First, if Russia had poor operational security and misjudged its target, it needs to be educated about the sensitivity of certain targets in its favorite adversary countries to avoid a repeat of this disaster. Second, if Russia deliberately hacked the DNC to leak confidential information, it would represent a strategic escalation on the part of the Kremlin, and the world would need to prepare for difficult times ahead. Third, if the breach and leak were perpetrated by a bunch of random activists using the pseudonym "Guccifer 2.0", it would be the first instance of non-state actors succeeding in creating a global incident with severe strategic implications, demanding more control of such entities and a much better design of escalatory processes among nations. Finally, it is entirely possible that this was a false flag operation by an unknown third party to escalate tensions between nuclear superpowers. If this is the case, this party has to be uncovered. Despite the many "what ifs," this incident is serious and requires a more thorough investigation and explanation than what is provided by a self-serving private-sector IT security industry and hobbyist cyber analysts.
  • Global
    The World Next Week: July 28, 2016
    Podcast
    France and Germany tighten security, hackers meet in Las Vegas, and the Olympics begin.
  • Germany
    Cyber Week in Review: July 1, 2016
    Here is a quick round-up of this week's technology headlines and related stories you may have missed:

    1. Fretting over Chinese tech regulations as China's internet czar steps down. In a surprising move, the head of the Cyberspace Administration of China, Lu Wei, departed from his position on Thursday, according to Xinhua. A firm defender of state control of the internet, Lu pressed China's vision of "internet sovereignty" on foreign companies and remained adamant that they abide by Chinese law in the name of preserving social stability. He was also behind efforts to promote new regulations imposing data localization requirements and mandating that foreign technology imported into the country be "secure and controllable." Those regulations received a second reading this week in the Chinese legislature, leading the U.S. Chamber of Commerce to express its concern. Lu's iron grip on social media was a pillar of the Chinese state's manipulation of social networks for party propaganda and censorship. It is unclear why Lu stepped down, though there are rumors that he may be tapped to lead the Communist Party's propaganda department. He will be replaced by his current deputy, Xu Lin, who worked directly under President Xi when Xi was party secretary of Shanghai in 2007.

    2. German intelligence agency calls out Chinese, Russian, and Iranian cyber espionage. Germany's domestic security agency (BfV) released its annual report and was surprisingly frank about the state-sponsored cyber threats facing the country. According to a translation provided by King's College London professor Thomas Rid, China is moving away from cyber operations that vacuum up as much information as possible and is getting more discreet in its targeting, while Russian operations try to shape German public opinion online and target German universities, research institutes, and companies for espionage purposes. The BfV also identified Iran as a threat, with a "high likelihood" that its intelligence services perpetrated attacks through "excellent social engineering." The BfV's findings are consistent with those of other Western intelligence agencies but provide additional detail generally not found in public reporting.

    3. Indian Supreme Court dismisses petition to ban WhatsApp. In line with the recent lifting of a temporary WhatsApp ban in Brazil, India's Supreme Court rejected a public interest petition to ban the messaging service. The petition targeted apps such as WhatsApp, Telegram, Signal, and Viber, claiming that their end-to-end encryption features are a threat to national security, and called for companies to share encryption keys during investigations. The Court dismissed the petition and redirected the plaintiff to the Telecom Disputes Settlement and Appellate Tribunal. With over 1 billion users, WhatsApp is the largest online messaging service with end-to-end encryption deployed. Since WhatsApp's rollout, Google and Facebook have said that they will offer end-to-end encryption, albeit as an optional mode, in their Allo and Messenger apps respectively.

    4. Belgium is indifferent to Facebook's hand in the cookie jar. A Belgian appeals court overturned a 2015 lower-court ruling, obtained by the Belgian Commission for the Protection of Privacy (CPP), that prohibited Facebook from tracking individuals across the web. Facebook uses cookies set through the "Like" and "Share" buttons embedded on third-party websites to track visitors to those sites, irrespective of whether they are Facebook users or logged into their Facebook accounts. Although the court handed Facebook a win, it did so on technical grounds, finding that Belgian courts lack jurisdiction to rule on privacy matters involving a foreign company (Facebook's European headquarters is in Ireland).
  • Germany
    Merkel’s Erdogan Problem
    Sabina Frizell is a research associate in the Civil Society, Markets, and Democracy Program at the Council on Foreign Relations.

    This week alone, Turkey jailed two journalists on trumped-up terrorism charges, threatened to sue a professor for insulting President Erdogan, and pushed forward the same construction project that sparked massive anti-government protests in 2013. As Turkey's democracy deteriorates, German-Turkish relations have gone from tense to outright hostile. Chancellor Angela Merkel is vacillating on whether to hold firm to the core European Union (EU) values of democracy and human rights or to appease Turkey. She can either continue to waver, tacitly accepting Erdogan's behavior, or send Turkey a strong signal that its human and civil rights violations are unacceptable.

    Germany and Turkey are bound by over fifty years of migration. Starting in the 1960s, hundreds of thousands of Turks began immigrating to Germany under its supposedly temporary Gastarbeiter (guest worker) program, but many stayed beyond the intended one to two years, bringing their families and settling for good. Today Germany has over three million citizens and residents of Turkish descent, making Turks the country's largest immigrant group. Amid the ongoing refugee crisis, migration again ties the two countries together. Germany and Turkey were the primary negotiators of the EU-Turkey migrant deal, which set up a one-for-one exchange of asylum seekers for Syrian refugees. The EU also pledged €6 billion for Turkey to help settle migrants, and raised the possibility of visa-free travel for Turks. Though widely declared a human rights catastrophe (and rightly so), the deal is critical to Merkel's already-waning popularity at home, and its success in stemming the flow of migrants hinges on Turkey's cooperation. As a result, Merkel's government has developed some degree of dependency on Turkey, despite Erdogan's many affronts to democracy and ever-tightening grip on power.

    In this context, Germany has at times compromised its own values rather than strain its relationship with Turkey, as in the case of the charges against German comedian Jan Böhmermann. After Böhmermann read a crude poem insulting Erdogan on television, the Turkish government filed a criminal complaint demanding that Germany charge him under an archaic 19th-century German law that prohibits slander of foreign heads of state. Though the law leaves some room for interpretation (it applies to slander but not satire, a fine and subjective line), Merkel approved a criminal prosecution of Böhmermann, and even apologized for the poem. With Turkey extending its limitations on free speech beyond its borders, many Germans were outraged, saying Merkel was kowtowing to Erdogan for fear that he might back out of the migrant deal.

    But the Bundestag has also proved ready to challenge Turkey. This month, the parliament voted almost unanimously to officially recognize the Ottomans' slaughter of some 1.5 million Armenians during World War I as genocide. Germany follows over twenty countries that have passed similar resolutions, but its voice is especially significant given both its own history and its complicity in the Armenian genocide as a then-ally of the Ottoman Empire (which the resolution acknowledges, calling Germany "partially responsible"). The Turkish government, which vehemently denies that the killings constitute genocide, contrary to almost all historical assessments, called Germany's vote a "test of friendship" and within hours recalled its ambassador to Germany, warning that the move was just a first step. Judging by Turkey's short memory of other countries' rulings on the genocide, the threats will likely die down. But the episode nevertheless rattled the countries' fragile bond.

    Germany is attempting a precarious balance with Erdogan, and should adopt a more coherent stance, one that recognizes his government's transgressions consistently, not selectively. To start, it should make aid, not just visa-free travel, contingent on Turkish respect for human rights, especially those of the migrants. With a wave of far-right parties gaining momentum across Europe and the refugee deal falling apart, Merkel's center-right Christian Democratic Union party may be in jeopardy. Recent polls show support for the party is at an all-time low, while distrust of Turkey is rising. Merkel's ability to manage relations with Ankara will be one crucial piece of maintaining public support.
  • Cybersecurity
    Risk-based Approach Essential to Taming Wave of Cybersecurity Regulation
    Pamela S. Passman is the president and CEO of the Center for Responsible Enterprise and Trade (CREATe), which recently published Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation. The increase in volume and intensity of cyberattacks, including recent ransomware attacks against healthcare organizations, catapulted government officials and business leaders into action. Governments worldwide are rushing to put policies and regulation in place to address the evolving threat landscape for public and private institutions. The result is a growing patchwork of disparate policies and regulations that results in an increased regulatory burden for any company or agency trying to comply with the scores of proposals guidance and regulations under consideration. . However, guidance from the U.S. Department of Commerce’s National Institute for Standards and Technology (NIST)—the Cybersecurity Framework—provides the opportunity to bring some cohesion for organizations operating domestically and globally. Flurry of Proposals In just the past three years, more than 240 bills, amendments and other legislative proposals have been introduced in the U.S. Congress as a way to regulate cybersecurity in some form or another. Even if a fraction of those regulations make it into law, the increased regulation could spell chaos for many companies and agencies with already constrained IT and security budgets. In the European Union, companies and organizations face similar challenges. They are reckoning how to comply with the new EU Network and Information Security (NIS) Directive, which went into effect in April 2016. Under this directive, each national government must adopt a national network and information security strategy, appoint responsible agencies, develop a plan to identify possible risks, and identify measures for preparedness, response and recovery, including cooperation between the public and private sectors. 
In Germany and Japan, firms and agencies are assessing the requirements of Germany’s IT Security Act of July 2015, and the Japanese government’s Cybersecurity Strategy adopted in September 2015. Other countries, including China, are evaluating their current cybersecurity laws in light of the increased threats. Laws requiring government departments to improve management of their own cybersecurity are also appearing around the world, with obvious implications for government contractors. In the United States, every government agency is required to implement information security protections based on their risks under the Federal Information Security Management Act (FISMA) originally released in 2002 and updated in 2014. The EU’s NIS Directive also places new obligations on European governments to put their houses in order. In Australia, where cybersecurity is still largely governed by recommended guidelines and industry frameworks, federal government agencies are required to comply with two security frameworks for protecting information and other assets. These are just a few of the many other national and state governments tightening up cybersecurity programs. Companies are also facing new mandates on other fronts. Trade secret protection is one such area, as indicated by the recently passed Trade Secret Directive in the European Union; and the Defend Trade Secrets Act in the United States. The implementation of both legal schemes will no doubt look to cybersecurity requirements as part of the steps companies must take to demonstrate that it has protected its trade secrets. Also on the rise are securities laws and tightened government contracting requirements. 
The Cost of Compliance The motivations behind many of the policies and regulations are different: some are to protect individuals’ sensitive personal, health and financial information; while others are to focus on safeguarding companies’ proprietary data and competitiveness; and still others seek to defend critical infrastructure and national security. When organizations have multiple priorities, the ensuing policies fuel rather than stem the confusion. In many companies, security is dictated by responding to regulatory requirements rather than implementing an enterprise-wide, risk-based approach encompassing security strategy. In many U.S. healthcare IT departments, for example, significant resources are focused on HIPPA compliance at the expense of other important security gaps that need to be addressed. The price for noncompliance is great. Companies are being fined for noncompliance to regulations by government agencies and sued by shareholders in an environment where the standards are evolving. For example, after hackers stole personal and credit card information of approximately 56 million Home Depot customers, a shareholder derivative suit in September 2015 followed more than forty four other civil suits by consumers and financial institutions. The suits allege the company breached its fiduciary duties of loyalty, good faith, and due care by failing to take reasonable measures to protect customer information. A better approach Governments and the private sector are working together to develop security frameworks and guidance to help organizations protect confidential information more effectively. The most thorough and broad-based cybersecurity approach is the U.S. National Institute for Standards and Technology’s Cybersecurity Framework. It breaks down security concerns into functions, categories, and subcategories, and provides a way for organizations to identify and meet security outcomes. 
Crucially, it doesn’t mandate a specific risk management process or specify any priority of action, instead leaving that to each organization based on its individual risk profile. With the rising tide of cyber regulation, there is an opportunity to cooperate and consolidate efforts across countries to help companies and government agencies prepare proactively. The emergence of voluntary guidance, such as the Cybersecurity Framework, offers an approach that helps companies and governments integrate cybersecurity into an organization’s overall risk management and compliance program and, as a result, ensure that people, process, and technology issues are assessed and managed effectively.
  • Europe
    The Case for More Public Investment in Germany is Strong
    Last week, Greg Ip of the Wall Street Journal argued that Germany should focus on raising private wages rather than increasing public investment, as part of a broader critique of Germany’s inclusion on the Treasury’s enhanced monitoring list. Ip: “Germany’s problem isn’t the public sector, it’s the private sector: Businesses need to invest more and workers need to earn more, and that can’t simply be fixed with more government spending.” I have a somewhat different view: more public investment is a key part of the policy package needed to support German wages. Ip is certainly right to highlight that Germany gained export competitiveness by holding down wage growth during the ‘00s. Wages and prices in Germany rose by a lot less than wages and prices in, say, Spain from 2000 to 2010, contributing—along with the rise in global demand for the kind of high-end mechanical engineering that has long been Germany’s comparative advantage—to the development of Germany’s current account surplus. And that process now needs to run in reverse for Germany’s euro area trade partners to gain competitiveness relative to Germany. See Francesco Saraceno, or Simon Wren-Lewis. But the changes in German wages and consumer purchasing power needed to allow Europe to rebalance up, with shifts coming from strong wage and demand growth in Germany rather than weakness in wages and demand elsewhere, will not occur in a vacuum. To state the obvious, for Germany’s substantial external surplus to fall, either exports need to fall or imports need to rise. For Germany’s workers, many of whom work in the export sector, to have the confidence to demand higher wages while exports slump, they need confidence that domestic demand growth will be there. Put differently, low nominal rates (Bunds out to 8 years have a negative rate) and negative real rates will only push up wages if either the private or the public sector responds to low rates by borrowing more.
The domestic side of Germany’s economy may need to run a bit hot to pull workers out of the export sector. That isn’t happening now. Wage settlements in Germany were weaker this year than last. Nominal wage growth of around 2% in 2017 in Germany would not create much scope for others in Europe to regain competitiveness without wage deflation. And there is abundant evidence that Germany needs more public investment. Public investment in Germany has long been lower than the euro area average (under 2 percentage points of GDP, versus, say, 3 in France). Many of Germany’s roads and bridges—surprisingly to some—could use a makeover. Investment in public capital has not covered depreciation; keeping a high-quality stock of public infrastructure means making the investment needed to maintain it. See the Elekdag and Muir IMF paper, or Hans-Helmut Kotz: “Relative to the early 1990s and in constant prices, capital expenditures are down some 15%. For more than a decade now, they have not sufficed to maintain the capital stock. This is not preparing for the future; it is undermining productivity and well-being. .... crumbling infrastructure (admittedly not as bad as in the US) has become a real issue in Germany.” Raising public investment is almost a free lunch. The market is paying Germany to borrow, more or less. Public investment creates needed new capital that should raise potential growth, and thus could well improve long-term public finances. And in the current context, there is a good case that public investment would crowd in private investment even as it pulls in imports. What is not to like? Ip argues that the IMF study showing that a 1 percent a year increase in public investment (when at the zero bound, to be precise) “only” reduces the current account by 0.5 to 0.6 percent of GDP is a reason not to raise public investment. I would argue it the other way. The projected impact on the current account is actually quite large.
Most policy changes have a much smaller impact on the external account.* To get a bigger impact than this in a standard model, you need a major change in relative prices (e.g. a change in the exchange rate). And for that matter, if Germany’s current account is too big, real interest rates are negative, and private saving far exceeds private investment, why be limited to a percentage point a year increase in public investment for two years, as the IMF sort of suggested? I jest of course; political reality intervenes. Germany’s governing coalition has made the black zero (the schwarze Null) the central goal of economic policy. And since Germany is projected to move from a fiscal surplus of just over half a point of GDP to rough balance thanks to spending on migrants, even a 1 percentage point increase in public investment now seems off the table. But we should be analytically clear: Germany’s commitment to fiscal balance makes it harder to bring its current account deficit down. If a country with a large external deficit was running a large fiscal deficit, would the IMF say that they should not cut their fiscal deficit because it would “only” reduce the current account surplus by 0.5 percentage point of GDP? Certainly not. So why the reluctance to encourage fiscal expansion in a country with a massive external surplus, negative real rates, and a tight fiscal policy relative to its trading partners? The asymmetry Keynes highlighted—there is more pressure on deficit economies than on surplus economies to adjust—is alive and well.
* Consistent with the IMF’s “It is Mostly Fiscal” reputation, the IMF’s global model for the current account has a relatively high coefficient on the fiscal balance, especially after the most recent revision to the model raised the coefficient a bit, while things like intervention in the foreign currency market have almost no impact. The IMF generally finds that a 1 percentage point change in the fiscal balance has an impact of between 0.45 and 0.5 percentage points on the current account.
  • Germany
    Cyber Week in Review: May 13, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed:
    1. German spy accuses Russia of last year’s Bundestag cyber incident. Hans-Georg Maassen, the head of Germany’s domestic intelligence agency (BfV), accused "the Russian state" of being behind the cyber incident that crippled the German parliament’s computer networks for a few days last year. Maassen said that the incident represented a shift in Russia’s tactics, as Russian intelligence agencies now show "a willingness to conduct sabotage" instead of simply spying. This isn’t the first time Russia has been accused of engaging in sabotage-related cyber activity. Last year, L’Express reported that French investigators suspected that a Russia-based threat actor, known as APT28, Sofacy, and Pawn Storm--the same group the BfV believes to be behind the Bundestag incident--was behind the incident that took TV5 Monde off the air. According to the Wall Street Journal, a Kremlin spokesperson was unavailable for comment, though Russia will most likely deny the accusation.
    2. Accusations of Facebook bias raise broader questions of algorithmic neutrality. Technology website Gizmodo reports that Facebook allegedly suppresses conservative news content in its "trending" module, located in the top right corner of Facebook’s browser version. The anonymous source on which Gizmodo bases its reporting, a self-described conservative, alleges that Facebook’s human curators failed to recognize "Mitt Romney or Glenn Beck or popular conservative topics" as trending. Facebook denied the accusation, though it acknowledged some form of human curation to determine which stories people see in their news feeds (possibly to prevent your news feed from turning into Tay). The debate over the neutrality of algorithms and human curation in tech products is not new. Google, given its market dominance in search, has long been accused of curating people’s search results based on user preference and its own search algorithm. It’s unsurprising that Facebook faces similar allegations as it becomes a primary source for news content, something that New York Times columnist Farhad Manjoo says should prod Facebook into developing journalistic standards.
    3. Comey no fan of WhatsApp. In a development that will surprise no one, FBI Director Jim Comey said this week that WhatsApp’s deployment of end-to-end encryption will make it harder for law enforcement to implement wiretap orders and use other legal means to investigate national security cases. Comey also said that encryption was "essential tradecraft" for terrorist groups and that, between October 2015 and March 2016, the FBI couldn’t unlock 500 phones among the 4,000 it was asked to inspect, a failure rate of about 12 percent. If you want more on the encryption debate, be sure to check out this CFR event, in which Michael Chertoff, Cyrus Vance and I debate going dark, backdoors, and the value of privacy in the digital age.
  • Germany
    Affirming Women’s Rights After Cologne
    The problem of sexual violence against women in Germany predates the migration crisis and requires a larger systemic response, says CFR’s Rachel Vogelstein.
  • China
    Cyber Week in Review: December 18, 2015
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed. Given the upcoming holiday season, please note that this will be the last week in review post of the year.
    1. The European Union agrees to a revamped data protection law. After nearly four years of negotiation, the European Parliament, the European Commission, and EU member states have agreed to a data protection legislative package. The package will provide EU residents with a right to know when their personal information held by a third party, such as a social network or data broker, has been compromised, a right to require the deletion of information collected about them, and a right to easily transfer data from one provider to another. Companies will be required to be more explicit in how they use customer data and to seek customer consent every time the company wishes to use the data in a manner the customer has not explicitly authorized. Firms that run afoul of the new rules are liable to a fine of up to four percent of their global revenue. According to Ars Technica, if Google were ever found to have violated the law, it could face fines of about $2.5 billion. On the bright side, firms that collect personal data now only have to answer to one European-level regulator, not the data protection authorities in each of the twenty-eight member states. Once the European Parliament provides final approval of the legislation in early 2016, EU member states will have two years to incorporate the changes into domestic law.
    2. The UN General Assembly adopts WSIS+10 resolution. The review of the World Summit on the Information Society (WSIS) goals concluded this week in New York, with UN member states adopting a resolution noting progress in improving access to information and communications technologies (ICTs) but highlighting that more needs to be done. Held in 2003 and 2005, the WSIS aims to bridge the digital divide and improve access to ICTs. (For a backgrounder on the WSIS, check out this Council on Foreign Relations interactive.) As expected, cybersecurity, human rights, and Internet governance were the main sticking points. Human rights groups, the United States, and its allies were pleased that the resolution has strong references to the multistakeholder Internet governance model and reiterates that the same rights that people have offline apply online. According to the New York Times, China tried but failed to include language "that would have made authority for Internet-related public policy issues ’the sovereign right of states’" despite the fact that world leaders had agreed to identical language in 2005. However, China got a win when it obtained recognition that governments have the lead role "in cybersecurity matters relating to national security." Net Politics will have more analysis on the WSIS outcome next week. Stay tuned.
    3. China hosts second World Internet Conference. The Chinese government held a conference promoting its view of the Internet this week in Wuzhen, China. The conference drew an even bigger crowd (and more foreign delegates) than last year, which China will likely use as evidence of the conference’s success. Chinese President Xi Jinping used parts of his remarks to rebut the cyber norms promoted by the West, and foreign delegates got swanky Xiaomi phones pre-loaded with credentials to bypass the Great Firewall. Last year, China tried to get conference attendees to sign onto a last-minute joint declaration that endorsed China’s views of "cyber sovereignty." So far, it seems the organizers have learned their lesson, as there haven’t been any last-minute shenanigans this year. You can find my take on Xi’s speech here.
    4. The Cybersecurity Information Sharing Act (CISA) sneaks its way into an omnibus bill. CISA, the subject of much hand-wringing over the past year despite being mostly a red herring, made its way into a must-pass budget bill that keeps the U.S. government running. Paul Rosenzweig at Lawfare has the essential details. In a nutshell, the Department of Homeland Security (DHS) becomes the hub for information sharing, meaning that companies looking to share cyber threat information with the U.S. government will have to go through DHS, not the NSA or the FBI. Information DHS receives could only be shared within government for cybersecurity purposes or to prevent a specific threat of "death or serious bodily injury" or "serious economic harm." That last provision has some advocacy groups and some legislators up in arms. They would have preferred only allowing DHS to share information for cybersecurity purposes and requiring the private sector to meet more stringent requirements to strip out personally identifiable data from information being shared with the government.
    5. Facebook, Google, and Twitter agree to a mechanism to remove hate speech in Germany. As a result of the deal, the U.S. companies will remove hate speech from their websites within twenty-four hours of its being flagged, using the hate speech standard established by German law, not the companies’ terms of service. German authorities believe the deal will help stem the tide of hateful and xenophobic speech directed at the over 1 million refugees who have settled in Germany this year. The deal with German authorities comes at a time when some U.S. legislators want to create legal requirements for social media companies to report terrorist activities to the FBI.
  • Human Rights
    Three Priorities for Cyber Diplomacy Under the 2016 German OSCE Chairmanship
    Dr Annegret Bendiek is Senior Associate and Head of Project at the German Institute for International and Security Affairs (SWP). Christoph Berlich and Tobias Metzger are Project Staff on “The challenges of digitalization for German Foreign and Security Policy”, a project funded by the German Federal Foreign Office. The SWP advises the German Parliament and the German Government in all matters of foreign and security policy.
    German policymakers in their Digital Agenda of 2014 understand cyberspace as an “open, safe and free space.” However, Internet freedom and the innovation potential that depends on it are being threatened by increasing governmental control. When Germany assumes the annual chairmanship of the Organization for Security and Co-operation in Europe (OSCE) in 2016, its approach—strengthened by its non-militarily driven national cybersecurity strategy—should be to establish confidence and security building measures (CSBMs) which, for the first time, incorporate cybersecurity in all three of the OSCE’s areas of focus (called “baskets” in OSCE parlance): security, economic cooperation, and exchange on culture and human rights. The fifty-seven OSCE member states, which include the USA, Russia, Canada and the European states, reached agreement in 2013 on an initial package of eleven cybersecurity CSBMs. Although important, the CSBMs focused only on politico-military trust-building and paid no attention to economic cooperation or human rights.
    Harness Germany’s experience to benefit the OSCE
    Germany can lead this effort because, first, it has strong political and economic ties to both the West and the East, and its diplomatic efforts as a mediator are respected. Second, Germany is a cybersecurity leader, known for setting high technical and regulatory standards in areas like data security and privacy. Third, Germany has been successfully engaged in norm- and rule-setting bodies for cyberspace, including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). Germany can build upon this wealth of experience.
    First Basket: Security
    The 2013 cyber CSBMs are voluntary and do not bind OSCE member states to take concrete action. Member states agreed to use the OSCE as a platform to continuously exchange information related to cyber incidents and to improve their ability to protect their networks. But cooperation thus far has been lackluster, largely due to the lack of trust amongst participants, the complex and technical nature of cyber incidents, and disagreement over terminology. There is, for example, no generally accepted definition of the term “information security.” In China and Russia, information security includes efforts to block foreign propaganda and the political aspirations of dissidents, whereas in the West it refers to the protection of systems and the data therein. To prevent cooperation on critical infrastructure protection from being torpedoed by a lack of understanding of technological issues or by terminological differences, the German chairmanship should work to ensure that scientists—computer scientists above all—are included in all aspects of cyber diplomacy, not just in the security dimension. Scientific exchange can help defuse diplomatic tensions, as demonstrated by the Pugwash Conferences, which since the 1950s have brought together leading physicists from around the world to discuss nuclear security. The group was awarded the Nobel Peace Prize in 1995 for its ground-breaking contribution to disarmament and non-proliferation.
    Second Basket: Economic Cooperation
    This past summer, Germany passed its IT Security Act, which mandates high security standards for the protection of critical infrastructure. The predominantly private owners and operators of critical infrastructure are now required to report computer security incidents. Such reporting and information sharing is intended to help thwart future attacks. It strengthens the cooperation between the public and private sectors to ensure the safety of a wide range of critical infrastructure, including the finance, transport and energy sectors, and underlines the importance of Germany’s industry as a critical asset. The IT Security Act makes Germany one of the few, if not the only, OSCE member states with a strong legislative framework, and Germany’s approach has become a point of reference in current negotiations over the EU’s Network and Information Security (NIS) Directive. Similarly, Germany’s Federal Office for Information Security (BSI) has become a model of technical expertise on IT security standards for many OSCE partners. The German chairmanship can contribute to the development of these kinds of institutional capacities in OSCE partner countries to safeguard economic growth. This opens a new horizon of capacity-building within the context of OSCE economic cooperation.
    Third Basket: Human Rights
    The OSCE promotes human rights as part of its third basket. In many instances, however, member states continue to severely restrict free speech on the Internet. This stands in contradiction to Germany’s policy to protect the freedom of cyberspace, and Germany should, therefore, work ardently to improve the situation in the most severely affected countries. Suitable institutions for this purpose include the OSCE’s Office for Democratic Institutions and Human Rights (ODIHR), which assesses the compatibility of proposed legislation in member states with rule-of-law principles, or the OSCE Representative on Freedom of the Media, who provides early warning of repression against journalists. Germany should take measures to ensure that these bodies receive more resources and focus on digital human rights issues, such as censorship, network surveillance and abuses of copyright law. Cyberspace was created by human beings and encompasses all aspects of human society. Concentrating on military aspects alone means limiting oneself to a one-dimensional focus on isolation, distrust and power politics between states. This impedes cooperation among representatives of civil society who advocate Internet freedom. For this reason, new sets of CSBMs must be designed to take into account all three OSCE baskets. Germany has the unique opportunity in 2016 to create an international framework for this purpose. The economic benefits of such an approach may be powerful enough to win over some of those who stand in opposition to Internet freedom.
  • Germany
    Power Profile: Angela Merkel
    Experts discuss the leadership style, personality, and policies of German Chancellor Angela Merkel as she navigates an escalating migration crisis and uncertainty in the eurozone.
  • Germany
    Twenty-Fifth Anniversary of German Unification
    Experts discuss the unification of Germany and the country's evolution into one of the leaders of the European Union today.