POLITICO Pro Cyber Insights: Munich 5G chatter — AI in cyber agency cross hairs — Schrems vs. Facebook in Vienna

by

Press play to listen to this article

Voiced by Amazon Polly

Presented by Avaaz

https://g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com/wp-content/uploads/2020/01/cyberinsights_rule_600.png
https://g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com/wp-content/uploads/2019/03/headphones2_25.png View in your browser or listen to audio

By LAURENS CERULUS

With Vincent Manancourt, Mark Scott and Nicholas Vinocur.

PRESENTED BY

https://g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com/wp-content/uploads/2020/02/logos_avaaz_logo_pink_brand-1.png

TODAY’S TOP LINE — US TO MERKEL: HOW ABOUT PRIVACY? The U.S. delegation in Munich toned down intelligence-sharing threats and built its message on Huawei around privacy, trade secrets and human rights.

WELCOME to Cyber Insights, POLITICO’s cybersecurity and data protection newsletter, giving you the daily lowdown on hacks, leaks and cybersecurity policy chatter in Europe.

MUNICH

US PITCHES IP, HUMAN RIGHTS AS PART OF HUAWEI CASE: Armed with fresh indictments from the Justice Department on Huawei’s alleged theft of trade secrets, the U.S. is asking European lawmakers to examine threats to trade secrets, as well as the human rights implications, when opting to allow Chinese telecom vendor Huawei into their networks.

The IP argument: Huawei faces a new indictment in the U.S. for copying intellectual property and then using it in products sold around the world. Six U.S. companies are said to have fallen victim to IP theft. That underpinned the U.S. fighting words in Munich: “Data privacy is of great interest here in the EU,” John Demers, DoJ’s assistant attorney general for national security told reporters. He said China is rolling out a “very top-down, very orchestrated effort to steal intellectual property and data on citizens.”

The human rights argument: There are “basic fundamental human rights issues related to some Chinese companies, including Huawei,” said Rob Strayer, the State Department’s 5G point person. He said Huawei has exported its surveillance tech to “rogue regimes, including North Korea and Iran.” He added “Huawei has a … relationship with the security apparatus in the Xinjiang province of China,” where Muslim minorities are being detained on a massive scale.

The gist: “It's important that governments and operators think about whether they want to be doing business with this company ... that doesn't have the same values,” Strayer said.

Best of Blair: Robert Blair, special representative for international telecommunications policy and assistant to President Donald Trump, is in Munich. He had messages for European leaders …

To Boris: “The U.K. is one of our closest partners. They'll continue to be one of our closest partners. There will be no erosion in the intelligence cooperation.” (Yes, the U.S. is cheekily backtracking on its previously very clear threat that it would cut intelligence sharing with countries that allow Huawei.)

To Angela: “The president has great respect for the chancellor. We're here as partners.”

TOUR D’EUROPE — CRACKS IN THE TOOLBOX: Europe’s joint approach to “high-risk vendors” in future 5G networks is showing its first cracks in Munich. At the end of January, the EU presented its plan, dubbed the “toolbox”: A series of suggested measures for countries to take to limit the risks associated with Chinese vendors Huawei and ZTE. The key question is how capitals use these tools. Speaking to officials in Munich, it is becoming clear that key players aren’t yet seeing eye-to-eye.

🇩🇪 The German coalition is still making up its mind on how to handle Huawei. But the country’s chief cybersecurity official, Arne Schönbohm of the BSI agency, said the solution lies in testing and certification. "From my perspective, digital sovereignty comes from testing and understanding what goes on" in products and services, he said.

German carmaker Volkswagen only codes 10 percent of its software itself, Schönbohm pointed out. His point? That Europe should focus on "auditing and risk management” of what it procures from suppliers and vendors, rather than putting all its attention on insourcing or producing hardware and software within its own borders. More here.

Es-tu là, Thierry? The comment is gentle pushback on the EU Commission’s and France’s efforts to boost “technological sovereignty” by developing local, “made in Europe” industrial capabilities. According to Schönbohm, “we don't have [digital sovereignty] and we'll never have it.”

🇫🇷 If you ask France’s head of cyber agency ANSSI, Guillaume Poupard, certification “is important, but I consider that certification is not enough ... It would take too much time to be efficient,” Poupard told us in a recent interview.

The Germans’ take previously got criticism from security experts and hawks wary of Huawei’s presence.

🇬🇧 British cyber agency chief Ciaran Martin said the U.K. doesn’t expect other countries to copy-paste what it did. “Don’t take [our approach] as a model,” Martin told Cyber Insights. Other countries have other solutions, he said.

LOOKAHEAD — MUNICH TAXATION CONFERENCE? Facebook’s chief executive flies into the Munich Security Conference tomorrow, but it’s not security that’s top of mind for him. It’s his taxes. “We accept that may mean we have to pay more tax and pay it in different places,” Zuckerberg is expected to say, according to excerpts of his upcoming speech seen by POLITICO. Mark Scott has a full preview of the speech for POLITICO Tech, Trade and Financial Services Pros.

**A message from Avaaz: Loving and secure relationships are built on a foundation of honesty. That’s why the best Valentine’s gift for world security today would be firm action in the fight against disinformation that is tearing apart European societies. We have a solution wrapped up in a bow and ready to go. Happy Valentine’s day!**

EMERGING THREATS

EU AGENCY WANTS AI THREAT STUDY: The EU’s Cybersecurity Agency ENISA wants to conduct a threat landscape study on artificial intelligence. “Artificial Intelligence is the next important technology after 5G where different actors should pursue a prudent risk-management approach,” the agency’s Executive Director Juhan Lepassaar told Cyber Insights in the margins of the MSC summit. He said companies using AI should make sure “AI-enabled services are trustworthy.”

ENISA “will review how we can support policymakers to create a deeper understanding of the cyber risks and the threat landscape around AI,” he said. The agency previously conducted a 5G Threat Landscape study, which laid much of the technical groundwork for capitals to draft their 5G security “toolbox” released in January.

So … how does an “AI security toolbox” sound to you?

DATA PRIVACY

SCHREMS V FACEBOOK: Facebook’s European privacy director Cecilia Alvarez faced some tough questioning from Austrian privacy activist Max Schrems’s gang in a Vienna court yesterday.

What’s it all about? The case has rumbled on for five years, and centers on who controls data on the platform – the user or Facebook – as well as how the company obtains consent, and how it complies with access to data requests by users.

How did it go? According to Schrems, “really good.” He told POLITICO his team had gotten the evidence they need — including the fact that Facebook continues to store users’ old passwords for eight years. In a statement this morning, Schrems’s activist outfit noyb.eu said some points “now seem undisputed”: Facebook’s collection of user data from third-parties, without consent, for instance.

The noyb.eu statement also highlighted what they called “bizarre” claims by Facebook’s legal team, including that tracking cookies are not covered by data protection law, and that it would “economically impossible” for Facebook to comply with the EU’s flagship privacy law, the General Data Protection Regulation.

Facebook’s side: A spokesperson for the company said that Schrems’s claims are based on a misunderstanding of how Facebook, and advertising, works. They said that users are clearly told – and value – the personalised service they get with Facebook, including regarding targeted ads.

What next? The Vienna court will issue a judgment in a matter of weeks or months, following which the case will almost certainly be appealed to Austria’s highest court. Schrems expects a “swift” procedure here, since no more oral hearings are possible.

See you in Luxembourg? Schrems says it is “very likely” that one of the courts will refer the case to the European Court of Justice. What will that be? Schrems III, Schrems IV? We’re losing count…

GOING DUTCH: The Dutch privacy regulator — which oversees Uber and Netflix — today griped that a lack of resources means it can’t open as many investigations as it would like. "With the current number of employees, we can only process most complaints after six months. That must be done differently: people have the right to protection of their privacy and must be able to get this quickly," said the regulator's head Aleid Wolfsen in a statement. Vincent has more here.

THREAT REPORT

OUT NOW — GERMANY FACES INCREASED IRAN HACKING THREAT: Cybersecurity firm FireEye said in a new threat landscape report that “we have also recently observed an increase in Iranian threat activity due to rising global tensions that may impact German entities as part of broader targeting of Western entities and critical infrastructure.”

The firm said “information operations and disinformation pose a regular frequency, moderate intensity threat to German entities, with perceived activity tied to Russian and Iranian actors seeking to influence public opinion.” It also said that “organizations in both the public and private sector connected to geopolitically important projects such as Nordstream 2, 5G telecommunications, or China’s Belt and Road Initiative may face increased risks of cyber espionage targeting.”

Top stat: Malware Emotet takes up 80 percent of detections in the country. The malware hit Frankfurt’s city network, Berlin’s high court and many other institutions in Germany in past months.

CYBER DIPLOMACY

NEW YORK — UN TURNS INTO BATTLE GROUND FOR CYBER NORMS ... but the parties fighting it out may surprise you. The United Nations today wraps up its second “substantive session” of its Open-Ended Working Group (OEWG) in New York today (here). The group was proposed in 2018 by Russia in the hope of pushing its own vision on international rules on state hacking and sovereignty over internet networks — much to the dislike of the U.S. and EU.

An unexpected challenger: The NGO community is now standing up to challenge Russia’s control over the process. “There is a shift,” said Wolfgang Kleinwächter, member of the Global Commission on the Stability of Cyberspace. A ragtag group of activists and academics, a “rainbow coalition” as Kleinwächter jokingly called them, is pushing for stronger rules to stop states from engaging in cyber warfare, espionage and putting citizens at risk with surveillance and cyber attacks.

The OEWG’s mandate requires the discussions to be open to non-state actors, which is forcing the chair of the OEWG to involve this rainbow coalition. “It’s funny that Russia now has to deal with these types of people,” Kleinwächter said. The OEWG continues its work until the end of the year, leaving the door open for the NGO coalition to further pressure states to tighten the rules on cyber. Read more on the Council on Foreign Relations’ blog.

JOB OPENING DU JOUR

WATCHDOG ROLE: The U.K.’s data regulator, the Information Commissioner’s Office, is advertising for a technology advisor to deal with … adtech. The ICO is currently under pressure to act on online advertising, as Vincent wrote here.

MOVERS & SHAKERS

UK DIGITAL CHIEF: Oliver Dowden was promoted to become U.K. digital and culture secretary as Prime Minister Boris Johnson reshuffled his top team, Emilio Casalicchio reports from London.

ELSEWHERE ON THE WEB

— U.S. Senator Kirsten Gillibrand outlines plans for a federal data protection authority. Medium

— 5G: 2020 is when it gets real, but not for everyone. ZDNet

— On data protection, the UK says it will go it alone. It probably won't. ZDNet

— ICYMI: Inside Mark Zuckerberg’s lost journal. Wired

— How businesses are building an industry using your DNA. Quartz

— Finland’s ministry of justice has released its report on the legal questions surrounding the automated decision-making tech, which will be the basis for future regulation. Report

**A message from Avaaz: Our investigations have uncovered the chilling scale of disinformation poisoning our democratic politics and making the world less secure — from disinformation networks flooding Europe with polarizing content ahead of the parliamentary elections with over 750 million estimated views on Facebook alone, to a wave of disinformation around the upcoming US 2020 election that could be greater than the one we saw in 2016. The problem is only getting worse, and the EU’s attempts at self-regulation are far from enough. But there is an antidote — in order to defend EU citizens, the EU must move to regulate social media platforms immediately. Two regulatory principles can limit disinformation: platforms must Correct the Record to everyone who sees disinformation, and Detox their Algorithms so they stop recommending false information and hate speech, putting an end to radicalizing rabbit holes. President Von der Leyen: Europeans count on your leadership.**

Here’s a recap of today’s news, along with Pro articles and alerts from overnight.

Dutch data regulator laments lack of resources
By Vincent Manancourt | 2/14/20, 12:53 PM CET

Commission eyes up to €6B investment in data spaces
By Melissa Heikkilä, Laura Kayali | 2/13/20, 8:59 PM CET

US charges Huawei with decadeslong theft of American trade secrets
The indicted defendants include Huawei and four subsidiaries, as well as Huawei’s chief financial officer, Meng Wanzhou.
By Steven Overly | 2/13/20, 8:08 PM CET

German cyber chief: 'We'll never have' digital sovereignty
By Laurens Cerulus | 2/13/20, 5:28 PM CET

Oliver Dowden becomes new UK digital secretary
By Emilio Casalicchio | 2/13/20, 3:19 PM CET