We recently spoke with Joseph Carson, Head of Product at Arellia and Head of Cyber Security at ESC Global Security, to discuss the current state of data protection both in the United States and in Europe as well as the evolution of cyber insurance.
In this first part of our four-part series, Carson shared his thoughts about the recent invalidation of the Safe Harbor framework.
Understanding the Safe Harbor Framework
In the wake of increasingly sophisticated cyber crime, the European Commission implemented a Directive on Data Protection in 1998, which left a gap between American and European cyber regulation.
The US Department of Commerce and the European Union (EU) created the Safe Harbor framework to close this gap, establishing a streamlined and cost-effective way for U.S. companies to comply with EU data protection regulations without sacrificing trans-Atlantic transactions.
The Safe Harbor framework was finalized in 2000 and seemed to work well until recently. When Edward Snowden leaked news in 2013 that the NSA was gathering tens of millions of phone records of U.S. citizens, the Safe Harbor framework began to crumble.
After hearing pushback from Max Schrems about Facebook transferring data from its servers in Ireland to the United States, the ECJ invalidated the Safe Harbor framework in late 2015. This seems like a win for data protection, but there’s more to the story.
The clock is ticking on a January deadline for a new Safe Harbor framework. Thousands of companies that make trans-Atlantic transactions must sit and wonder what they’ll do if data transfers between countries with different cyber standards are banned. Carson has a few ideas about salvaging the Safe Harbor rules.
What Safe Harbor Supporters Can Learn from Estonia
After regaining its independence in 1991 and building high-tech infrastructure to safeguard that newfound freedom, Estonia soon realized that a DDoS attack could shut the country down and leave it open to any land-based attack. Their solution can serve as a foundation for a Safe Harbor revival.
“The simplest thing to do to protect yourself against DDoS attacks is to distribute your network,” said Carson. “Put your data in multiple locations. Estonia is such a small country that internal distribution wasn’t possible. They had to distribute themselves in multiple countries. Estonian law prevented data distribution in other countries, which led to the idea of incorporated data embassies.”
With data embassies, data center locations in other countries can be considered sovereign land, enabling a country to distribute its data across borders for greater protection from nation-state attackers.
“With multiple countries housing Estonian data, the country was able to solve their doomsday scenario,” continued Carson. “Now, in the case of a DDoS attack, nation-states aren’t just attacking Estonia—they’re attacking other NATO countries, which can be considered an act of cyber warfare.”
What exactly does Estonia’s distribution have to do with the Safe Harbor rules for the European Commission and US Department of Commerce? Carson had this to say:
“The key is to leverage other companies to mutually protect data. The Safe Harbor rules could have a future because cyber threats driven by nation-states would be less likely due to economic or political implications.”
Distribution and Deception: Protect Data Under Any Regulation
The goal of the Safe Harbor rules was to assure European consumers that their data would be protected to the same high standards as the Directive on Data Protection, both at home and abroad. The current Safe Harbor framework is gone, but it can be salvaged by stressing the importance of data distribution and a mutual interest in weaving economic implications into any cyber incident.
Distributing your network is a form of deception—forcing attackers to work harder to uncover the truth within your network. Carson concluded by saying: “The more deceptive you can become, the better you get at defending your network from any cyber attacks.”