Cyber Scene #71 - Sizing up the Cloudburst, Above and Below

The 27 July Economist, in "Cloudburst," has a new acronym for the US tech oligopoly comprising Meta, Alphabet, Amazon, Microsoft, and Apple: "MAAMA." It singles out this Big Tech group for bearing the brunt of the NASDAQ gravity crash (cloudburst) and the vanishing of "exceptionalism" which has provided "borderless cyberspace" exclusions, internationally, of financial impositions. This feature article maintains that MAAMA's "tech titans" are now exposed to ills such as supply chain issues, protectionism, competition, shortage of workers, etc. that have been inflicted on "mere mortal" cyber companies for some time. Internet barriers in Europe and India are cropping up to "…become more protective of their citizens' data and to their own digital darlings." Except from China, MAAMA has not faced much constraint from its landlords in the past. The big question is "MAAMA mia, can you grow again?" according to The Economist.

Turning to other cyber concerns, Wall Street Journal's Dustin Volz reports on 20 August that the UK Conservative Party has decided to allow online voting this round for election of the new Prime Minister (PM) following the departure of Boris Johnson. This is the first time such voting options are available for a PM election, although lesser elections have allowed recent leaders, such as opposition party leads, to be elected through online voting. Vote by mail is acceptable for the UK too. Its National Cyber Security Centre (NCSC), part of the UK's Government Communications Headquarters (GCHQ), reportedly ok'd the move.

The scale is quite different from general elections in the US, however; the UK's Conservative Party has a possible maximum vote of 160,000 for two candidates, while the 2020 US presidential election involved roughly 158 million voters. In the run-up to the US 2020 presidential election, according to Volz's reporting, US federal agencies privately warned states that voting by internet would run a high cybersecurity risk and would be vulnerable to disruption. While some states allow ballots to be sent out electronically, they are returned by mail or in person.

Volz notes that no US state permits all its voters to cast a ballot online, but some allow overseas voters, military voters, or disabled voters to do so. In addition, some states send blank ballots electronically for voters to print and return by mail. The WSJ notes that some other countries, including Canada and Switzerland, have explored broad online voting but have either halted or curtailed it over security concerns, according to Dan Wallach, a computer science professor at Rice University who has researched the issue. Estonia is the exception, having continued online voting, backed by its role as host to the NATO Cooperative Cyber Defence Center of Excellence, but once again, the scale is quite different from the US.

Vote by mail in the US remains a contentious political issue even as the US works through primary midterm elections as you read this, with midterm elections in November 2022.

The Washington Post's Naomi Nix reports, in "In new election, Big Tech uses old strategies to fight the 'big lie'," that "…social media giants are pushing forward with a familiar playbook to police misinformation this electoral cycle, even as false claims that the last presidential election was fraudulent continue to plague their platforms." Facebook is cited as deciding not to remove election fraud claims but rather to redirect users to accurate election information. Twitter is taking another option: applying misinformation labels or removing posts, such as unverified election-rigging claims about 2020. Twitter didn't explain when it would remove tweets that violate its rules but felt that visibility of erroneous claims would be reduced.

Returning to Europe with special guest spokesperson Sir Jeremy Fleming, the GCHQ Director himself, the 18 August Economist captures Sir Jeremy's views on Russia in the process of losing the cyber info war in Ukraine. His perspective expands on what Cyber Scene has reported earlier on the duality of a cyber and physical war. The GCHQ chief notes that it is "…a very modern digital and cyber war, as much as it is a brutal and destructive physical one." He emphasizes the development of an excellent private-public partnership supported by the NCSC: "There is now much greater co-operation between big tech companies and governments on security than before the war, a polarisation of positions on the use of cyber in war and a renewed effort to redefine cyber norms." He attributes this support and coordination in part to Ukraine's own success as an extremely effective cyber defender which, "…painstakingly, developed a digital fortress…" since Russia's annexation of the Crimea in 2014. The GCHQ Director casts this digital fortress as, "…arguably, the most effective defensive cyber activity in history. Operating under sustained pressure against a very capable adversary, this team of industry, intelligence, security agencies and in some cases, citizens, has worked side by side to warn, respond and remediate."

Referring to the importance of stealth and ambiguity as key attributes of cyber operations, Sir Jeremy simply adds that the UK's National Cyber Force (NCF) combines the strengths of GCHQ and the Ministry of Defence to build upon its "…world class cyber defence and resilience to deliver offensive cyber capabilities."

As for the US, The Hill (see below) reports that the Pentagon has just announced on 19 August an allocation of another $775 million for Ukraine's military to include high speed anti-radiation missiles, howitzers and ammunition, reconnaissance drones, armored vehicles, and ammunition for rocket systems for Ukraine's war with Russia as the conflict enters a near standstill. There was no overt discussion of cyber support, perhaps out of respect for stealth and ambiguity.

On the other hand, on 21 August The Hill's opinion contributor, Anastasios "Tasi" Arima, provides a synopsis and analysis of President Biden's 9 August signing of the CHIPS and Science Act into law. This law is successful on two planes: "Heralded by supporters as a significant investment in U.S. competitiveness and innovation, this legislation has been the cause for recent bipartisan praise — and rightfully so. The bill injects more than $280 billion into U.S. manufacturing and research of semiconductor chips, but it's only a first step toward solving global chip production issues."

Arima discusses the origins of the supply chain issues hamstringing companies (e.g., tensions with Russia and China, the pandemic, and economic problems). Things could be looking up for those running short on titanium or waiting for an EV or even a new Toyota. She concludes: "The CHIPS and Science Act deserves its place among landmark legislation of the past quarter-century, but the government should act quickly to catalyze targeted investment in U.S. critical metal and mineral production."

The Senate Appropriations Committee (SAC) Chairman Senator Patrick Leahy (D-VT), with apparent bipartisan support from and thanks to his Vice Chair Senator Richard Shelby (R-AL), released the committee's mark on the NDAA FY 2023 bill "consistent with" the House's NDAA version. Chairman Leahy underscored the importance of wrapping this up before the end of this 117th Congressional term (3 January 2023); however, the fiscal year ends on 30 September 2022. No, a finalized version has not yet been completed by both the Senate and House. It takes a big wagon to move $850 billion through the Senate, House of Representatives, and the White House. The attitude of these powerhouses appears to be conciliatory, so stay tuned for next month's update. SAC Chairman Leahy has also published a formal synopsis of the SAC's NDAA mark.

So just when things appear promising, your new worldwide 5G is showing vulnerabilities. On 9 August, Wired's Lily Hay Newman examines the "ultrafast speeds and enhanced security protections" that are also accompanied by 5G's "…own raft of potential security exposures." The analysis of these vulnerabilities, focused on Application Programming Interfaces (APIs), was to have been presented on 10 August at the DefCon Black Hat Las Vegas conference. The overriding problem is that the Internet of Things (IoT) service platforms for 5G are not standardized; each carrier, company, and country makes its own choices. A researcher at Technical University of Berlin links this issue to the release of users' data and possible access to their IoT devices. Although they can be fixed, these vulnerabilities were already identified on three continents.

Hay Newman looks at another issue to have been presented three days later: John Deere has upgraded its tractors so that farmers must override tech upgrades to avoid the lost time and trouble of turning to the manufacturer for help. The problem (seemingly always a double-edged sword) is that hackers can do this too. The company has agreed to address this problem. Interestingly, this issue appears to be reminiscent of the recent, wider "right-to-repair" movement urging appliance manufacturers, inter alia, to provide parts for repair instead of a complete appliance replacement.
