IN FOCUS

Els De Busser

Interview with Els De Busser

Assistant Professor Cyber Security Governance – Educational Director Executive MA Cyber Security, Leiden University – Netherlands.

October 2020.

Portuguese version

In a recent work (“Three tales of attribution in cyberspace: Criminal law, international law and policy debates”), you discuss the issue of attribution for malicious activities in cyberspace from the perspective of criminal law and mention some dilemmas that states need to address in order to advance the discussion about accountability. How do you see the role of companies in this scenario?

Attribution of malicious cyber activities can take different forms: technical attribution, legal attribution or political attribution. Each form of attribution has the purpose of identifying the (state or non-state) actor who is allegedly responsible for the activity. One type of attribution does not exclude the other. Technical attribution can be described as the process of discovering and interpreting technical indications in such a way that they point towards a specific responsible actor. It often precedes legal or political attribution, but when new information is discovered, attribution can take a different form. Malicious cyber activities are often so sophisticated that this is a complex, layered process that could also touch upon diplomatic relations between states.

Companies can play an important role in the attribution of cyber attacks by disclosing their own expert findings of technical attribution. Obviously, we are then talking about companies specialized in cyber security. For example, in the Belgacom hack, Symantec published a report, and in the case of the DNC hack, CrowdStrike was involved in technical attribution. With their technical expertise, companies can support the attribution process and help identify the alleged attacker.

And what is your opinion on having companies assist state authorities in gathering evidence of cross-border criminal offences in the digital environment?

Cross-border evidence gathering is first of all a mechanism between those state authorities involved in investigating and prosecuting criminal offences: police and prosecuting authorities. In traditional mutual legal assistance in criminal matters, national Ministries of Justice were involved as well, for the purpose of sending and receiving foreign requests for mutual legal assistance. This was significant because it was the Ministry’s task to verify whether a request from a particular country should be complied with or not. A country with a questionable track record on human rights, for example, would likely see its request for assistance denied. In more recent legal instruments, especially in the EU, the sending of requests between police and prosecution authorities of different countries – not via the Ministry of Justice – is allowed. However, the verification of the requesting state and of whether or not it is appropriate to execute the request is in that situation still done by a judicial authority. In the case of digital evidence, though, legislative initiatives lean towards putting companies in the position of doing this first check. This means that a prosecution authority of state A could send a request for digital data directly to a telecommunication provider in state B. It would then be the provider’s task to verify whether it is appropriate to deliver assistance to state A. Only if the provider determined that the request for the data – for example – violated human rights would a judicial mechanism be triggered in order to decide on this issue. Such a system puts companies in the driver’s seat, and I think this is not a good solution for several reasons. First, companies are not equipped to make such decisions because they have different interests than the interests of the state they are based in. Second, companies do not necessarily have the resources to make such decisions. A large provider may have a considerable legal department that can take on these issues, but SMEs would have to make significant investments. Third, this system may lead to liability issues. Imagine that a provider complied with a request and transferred data without flagging the request as breaching proportionality. If the data were afterwards used in a criminal trial, this could lead to a claim against the provider for violating privacy and data protection rules.

It should be stressed that the described system was only a proposal by the European Commission to deal with cross-border digital evidence gathering. After fundamental criticism and many amendments, the proposal is still being debated, and an adequate solution for the cross-border gathering of digital evidence is not ready yet. It will be interesting to see what the negotiations at EU level will bring on this topic.

In your opinion, what are the most important issues corporations should address when handling cybersecurity and data protection in their compliance programs?

I think plenty has already been said and written about compliance, cyber security and data protection. I want to draw attention, though, to two points that are often overlooked in this context, and both are connected to each other. First of all, compliance does not equal security. Being compliant does not mean that you are secure. Compliance means following the law and checking all the boxes that the applicable law requires you to check. That does not mean that a company checking all these boxes can rest assured that it has perfect security. One reason is that legal provisions often represent a minimum standard of security. Depending on what type of company you are, what type of services or goods you deliver and which vendors you work with, you may want to go further than what the law tells you to do. In that respect, the risk-based approach that the EU General Data Protection Regulation is built on is an excellent way of looking at it. Another reason is that technology develops much faster than new laws can be adopted. Malicious actors constantly look for new vulnerabilities in IT infrastructures, and they do not care whether you are fully compliant with the applicable law. What may look like waterproof cyber security for your company today may be the target of a new type of hack employed by a malicious actor tomorrow. Lastly, compliance does not necessarily consider the human factor, and that brings me to the second point I want to draw attention to. Building real security in your organization means investing in true awareness among your staff. It means building a security culture among your employees by training them continuously. Simply being compliant with the applicable law will, for example, not include being aware of an insider threat: an employee who is either disgruntled and ready to do damage to your company, or who is bribed or otherwise forced to break into your systems. Compliance also does not mean that accidents cannot happen. Often, data breaches are not caused by malicious activities but by simple human errors. Building a security culture among your employees can also mitigate this risk.

With respect to data protection, do you expect any important changes regarding EU and US cooperation initiatives in criminal matters after Schrems II?

Yes. So, for the second time, the CJEU deemed the legal basis for data transfers between the EU and the US invalid and contrary to the EU standards of data protection. The tool of standard contractual clauses (SCCs) is still valid, but their legal basis is not. This needs to be taken up by the EU institutions; however, in the meantime, companies need to continue their business. And for many, that includes data transfers between the EU and the US.

This creates a number of problems for companies. Some data protection authorities in the EU have been advising companies to store their data exclusively on EU-based servers. Others have not. This creates a patchwork of approaches that puts companies in a difficult position.

What I think is problematic about the Schrems II ruling is that the Court of Justice states that companies that are data controllers and are transferring personal data on the basis of SCCs should verify whether the law of the requesting third state ensures adequate protection under EU law. This means that companies are again put in the position of assessing a country’s data protection legal framework, including its human rights enforcement. I do not think this is a good evolution, for the same reasons I do not agree with the original EU proposals on digital evidence, which I explained above. It is again placing companies in a position that should be held by a public authority. Besides the concerns I expressed regarding companies not being equipped for such a task, this will also create a patchwork of different approaches. Different data controllers may make different assessments of the same country’s legal framework. If the European Commission were to make such an assessment, a harmonized approach would be the result. This would increase legal certainty for the data controllers as well as for citizens.