At a glance.
- Reaction to the US sanctions against Russia.
- Sweden thinks the GRU did it, but that there's no point in prosecuting individuals.
- Export controls on US personal data?
- Emerging US policy for enhancing power grid security.
The carrot as the stick: more reactions on the US response to Russian hacking.
The Biden Administration’s much-anticipated response to Holiday Bear’s tear was coupled with an invitation to improve bilateral relations, as SecurityWeek observes. President Biden gave President Putin a heads up about the measures and pitched a summer summit, according to NBC, claiming this “is the time to de-escalate” and expressing the desire to dodge a “downward spiral.” Secretary of State Blinken clarified that Washington seeks “opportunities for cooperation, with the goal of building a more stable and predictable relationship.” Breaking Defense recounts Stanford researcher Herbert Lin’s doubts that the sanctions will steer Moscow towards better behavior, as the Kremlin promises an “inescapable” riposte.
Atlantic Council notes that the response “leave[s] room for escalation,” for example against Kremlin “cronies,” though the measures have already had significant economic impact. (Foreign Policy mentions that some anticipated stronger action, finding the fiscal policy “timid,” since the more important secondary market for Russian debt was left alone.) Council contributors characterized the move as “big politics,” in contrast to available incremental alternatives, explaining that the approach takes on “Putinism” writ large. They worried, however, that the message delivered was not one of resetting relations, and the simultaneous Black Sea and Nord Stream 2 backtracking, which the Moscow Times and Politico detail, sends mixed signals about the US’ resolve.
In the Administration’s view (via NBC), the reaction was “resolute but proportionate” and preserved the opportunity for mutually beneficial partnership. In Moscow’s view, per Foreign Policy, President Biden is “trying to destroy relations between the two countries.” Others, without holding out hope for a productive reply from Russia, see in the approach a direct communication of goals and a sound foundation for future action.
Stockholm decides prosecuting the GRU is pointless.
The Record reports that Sweden has ditched efforts to prosecute the Russian perpetrators of a 2017 athletic regulator hack. While for the first time naming and shaming Fancy Bear for the Swedish Sports Confederation incident, the Swedish Prosecution Authority said pursuing charges against state-backed actors would be legally infeasible—another first for the international community.
Washington charged the hackers in 2018, and Berlin has also filed charges against APT actors in the past, but thus far others like London, Canberra, Ottawa, Wellington, and Oslo have stuck to formal attribution. One cyber scholar described Stockholm’s decision as “very realistic” given that “there is literally zero chance” of extradition or domestic prosecution. Taking perhaps a middle path, the White House yesterday, as we saw, announced sanctions on roughly three dozen people and organizations in response to Russian mischief.
Export controls on US personal data?
The Washington Post unpacks Senator Wyden’s (Democrat of Oregon) plan to stopper the bulk sale of Americans’ data to questionable foreign entities. The Protecting Americans’ Data From Foreign Surveillance Act would subject data to export-control regulations similar to those governing weapons, with the potential to upset a “multibillion-dollar data-broker economy.” The Department of Commerce would be tasked with delineating sensitive data and safe countries. Enforcement measures would encompass penalties for executives and a private right of action for injured parties.
Currently no legislation restricts the foreign purchase of US datasets, and concerns about malicious mining efforts are gaining prominence. Some worry that data is “gathered, bundled, licensed, shared, sold and transmitted across the Internet, including through an opaque market of apps, ad networks, data brokers and other operations” in a plethora of ways the law wouldn’t cover.
Executive Orders and power grid security.
The SolarWinds compromise and other signs of threats to the electrical power grid have motivated the US Administration to prepare policies designed to enhance the security of power generation, transmission, and distribution. Insurance Journal published a summary of the measures under preparation. We received comment from Edgard Capdevielle, CEO of Nozomi Networks, on the planned steps. He sees the problem as one that extends through all critical infrastructure sectors:
“This is something that should be happening across all critical infrastructure. Not being able to see, secure and defend against inevitable attacks can lead to unnecessary deaths or cripple our economy.
“A plan like this is definitely a step in the right direction. While there may be some reluctance to share data with the government, the alternative of not doing anything or enough could be devastating. The critical infrastructure sectors need authority, budget, and technology, in the middle of a severe skilled worker shortage, in order to address the escalated level of threats. It’s good to see action finally being taken at the highest levels to incent companies and organizations to defend against potential crippling attacks.”