The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.
Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.
Blog Editors
Recent Updates
- The Sleeping Giant: New York’s Commercial Division Expert Disclosure Rules
- Commission Commitments: Massachusetts Appeals Court Upholds Obligation to Continue Paying Commission for the Life of the Underlying Customer Relationship
- A Win for Out-of-Network Providers
- Mastering Legal Writing: Elevate Your Written Advocacy – Speaking of Litigation Video Podcast
- DOJ’s First Civil Cyber-Fraud Initiative Litigation Serves as Warning to Government Contractors Who Fail to Abide by Contractual and Statutory Cybersecurity Requirements