What If Russia’s Most Successful Cyberattack Is Hiding in Plain Sight?

Daniel Castro December 16, 2021

The following is a work of fiction. Any resemblance to actual persons, living or dead, or actual events, is purely coincidental…

Imagine the following: It is 2014, and the president of Russia is feeling restless. After granting Edward Snowden asylum in the Motherland, he had hoped the young American leaker would continue to disrupt transatlantic alliances with his revelations about U.S. intelligence agencies spying on their European allies. But while Snowden was proving to be a thorn in the side of U.S. intelligence agencies, both U.S. President Barack Obama and German Chancellor Angela Merkel had embraced a hard-nosed pragmatism that allowed them to look past the domestic drama over surveillance and focus on their shared foreign policy goals.

The transatlantic alliance might have seemed stable to most observers at that point, but the former KGB officer knew it was an illusion—by applying enough pressure he could make the entire system implode. What he needed was a new tactic to weaken the West’s growing economic integration driven by its digital connectivity. A direct attack, such as meddling in European elections or pushing an anti-American legislative agenda in Europe, would be expensive and risky, potentially subjecting Russia to blowback if exposed. No, the best way to attack a powerful adversary was to turn its strengths into weaknesses.

In this case, the EU’s judicial system—designed to protect a vague set of human rights at any cost—offered an ideal means of disrupting transatlantic relations. Russian sources located an Austrian activist who, with a bit of prodding and outside help, elevated a complaint initially filed with (and rejected by) the Irish Data Protection Commission to the European Court of Justice (ECJ). Not surprisingly, the ECJ ignored the practical realities of global data transfers and in 2015 it invalidated the Safe Harbour Agreement that served as the key legal instrument enabling digital trade in the West by allowing data transfers from the EU to the United States.

The United States and the European Union immediately understood the gravity of this ruling. Acting quickly, the U.S. Department of Commerce and the European Commission worked together to establish a new framework for transatlantic data transfers: the EU-US Privacy Shield. But the Russian president’s agents knew his strategy would work again. With barely a nudge, their trusty European activists would challenge the new legal agreement, and in a matter of years, Moscow would cheer once more as the ECJ declared it invalid too.

The most powerful attacks often come from inside the system. And the legal challenges were certain to keep coming. Activists created a nonprofit organization that would accept funding from anyone in the world. As staunch advocates for privacy, they insist on anonymity for their individual donors. Russia does not want to show its cards, but it is easy enough for the FSB to transfer some cryptocurrency each month to keep the lights on. Moreover, after the EU enacted its General Data Protection Regulation (GDPR), it virtually guaranteed that opponents of European data transfers would find a receptive judiciary for future complaints, and American and European policymakers would find their hands tied in crafting an easy solution.

Looking back, the Russian president could gloat at his incredible victory—even with a new administration, the United States and the EU still have been unable to get over their impasse and transatlantic data transfers are in shambles.

# # #

The story above is (probably) a work of fiction. But it underscores some core truths:

  1. The United States and the EU both would benefit from closer integration on digital policy;
  2. Geopolitical adversaries like Russia and China welcome these self-inflicted economic wounds that rival in magnitude any cyberattack they have launched; and
  3. The only way to stop this maddening cycle of court challenges and economic disruption is for the EU to establish a durable legal mechanism that facilitates the lawful exchange of data with the United States for commercial, law enforcement, and national security purposes.

As the United States and the European Union continue to work on building back better the transatlantic relationship in the coming year, they should make resolving data flows a top priority.