Cyber Scene #59 - Cyber Around the World
Cyber Scene #59 -
Cyber Around the World
Ill-gotten cyber gains continue to extend their reach. This month's Cyber Scene starts in Asia but moves around the world. Brand new to Cyber Scene is the inclusion of Taliban, which also is playing a cyber role in making Southeast Asian history today.
As there is not yet any confirmation on alleged hacks to the US Department of State (DoS), we shall focus on confirmed disturbances to the cyber universe. As customary for Cyber Scene, we will weave in what the White House, Congress, and parts of the U.S. judicial system are doing about these cybersecurity issues. We will end with "how to handle your T-Mobile hack" as a grand finale: from the big global picture to what's in your pocket.
Afghanistan has now reached headlines not only for the Taliban's rapid terrestrial dominance, but also for the significant role it is playing regarding cyber. The Taliban has exhibited a skillful use of cyber for winning hearts and minds. A sometimes-graphic overview of this development spanning the last decade is captured in Ian Fritz's Atlantic article of a then-U.S. airman (himself) who listened in on 600 hours of Taliban discussions on means of attacks, proselytism, and use of media to win.
Recently, Washington Post reporter Craig Timberg presented a description of how the Taliban had been promoting its policies on websites spanning five languages: Pashto, Dari, Arabic, Urdu and English. These websites "went dark" as of 19 August. Who or why was left unexpressed, but Mr. Timberg noted that previously a San Francisco-based cyber company, Cloudflare, that helps websites defend against cyberattacks, had been protecting Taliban sites; however, US companies must abide by US sanctions laws. Mr. Timberg said that Taliban groups on WhatsApp, which belongs to Facebook, were also shut down. Facebook has officially banned Taliban accounts--its spokesperson stated: "We're obligated to adhere to U.S. sanctions laws. This includes banning accounts that appear to represent themselves as official accounts of the Taliban." Twitter has not yet banned the Taliban. The Taliban's Twitter spokesperson said it has told its over 375,000 followers that the Taliban will "…respect the rule of law, property rights, and the rights of women." DoS has designated the Taliban as a foreign terrorist organization, and Rita Katz, the executive director of the SITE Intelligence Group, which monitors online extremism, noted that the Taliban has been significantly contributing to "the empowerment of global violent extremism."
New York Times (NYT) reporters Paul Mozur and Zia ur-Rehman provide a short history of how the Taliban turned to social media to control the populace. They point out that initially, in 1990, Taliban banned the internet. Now it plays a significant role as a "powerful tool to tame opposition and broadcast their messages." Particularly, they are using thousands of Twitter accounts, official or anonymous, to address their readership. The social media campaign may have influenced the surrender of the country over the last few weeks. Whether the Taliban wins hearts and minds and cements power, or whether, as the reporters discuss, an "Arab Spring-like" counterinsurgency rises, remains to be seen.
On the flip side, Paul Mozur writes the same day that Facebook has added security features to help Afghans control their accounts as they fear retaliation. This includes disabling temporarily the possibility of searching and viewing friends' lists on Facebook inside Afghanistan and the ability to close their own account instantly if they feel targeted. Apparently, the Taliban is still overriding some Facebook banning. Facebook's security chief Nathaniel Gleicher acknowledged indirectly that there are risks of having personal information online. Afghans have apparently taken note of this, as many "…have shuttered their social media accounts and deleted messages out of fear that their digital footprints could make them targets." He also cited the history of Taliban reprisals. Mr. Gleicher advised people whose Afghan friends are in contact with them to consider security measures regarding their own settings. Meanwhile, migration to Twitter continues, increasing the hard decisions the company must make.
On another front, Congress continues to wrestle with national security risks sourced to China. Following the Chinese hack of Microsoft discussed in last month's (July 2021) Cyber Scene, Defense News reporter Andrew Eversden conveys that a bipartisan group of Congressional lawmakers want to amend the Pentagon's upcoming defense policy bill to better map supply chain issue risks and to cut those connected to Chinese products.
Of particular concern is sole-source material in the Defense Industrial Base coming from China. This was codified in a 22 July House Armed Services Committee's (HASC) Defense Critical Supply Chain Task Force report published by Defense News and the Pentagon's Early Bird. The final task force report provided six recommendations, forcing the Pentagon to address the Chinese use of backdoor spying or sabotage of weapons systems related particularly to semiconductors, rare earth elements for defense systems, pharmaceutical ingredients and energetic propellant for bullets or missiles.
The HASC report also calls for a DoD risk assessment strategy and a process for continuous monitoring of supply chain risks. Not explicit, but perhaps understood in the article, was the sidebar issue of withholding access to sole-source material.
The HASC forward movement, led by Rep. Mike Gallagher (R-WI) and Rep. Elissa Slotkin (D-MI), alluded to this. While Rep. Slotkin's hypothetical example of a vulnerability is an ammo propellant shortage due to political disagreements with China, such a vulnerability applies directly to cyber-related issues as well.
Sadly, these vulnerabilities are nothing new. In April 2021, Wired reporter Lily Hay Newman presented a synopsis of specific cybersecurity blindspots cited in a 2021 Government Accountability Office (GAO) report on cybersecurity hygiene, which criticized DoD for such vulnerabilities. The study underscored the need for an implementation of a 2015 attempt to plug them. Ms. Newman noted that the new report finds that DoD had abandoned or lost track of most of its dozens of security hygiene goals. Peter Singer, a cybersecurity-focused strategist at the New America Foundation stated simply: "If you can't track it, you can't measure it. If you can't measure it, you can't manage it. And if you can't manage it, you're not going to succeed."
DoD has gone over the GAO report and agrees with some of the criticism, but finds other issues overtaken by events. Drawn from two DoD Cybersecurity Initiatives in 2015, of the 28 initiatives, 10 were completed, four were determined by DoD in 2021 to be outdated as circumstances and technology have changed, and the status of the others is unknown as they have not been tracked. Much has changed in the last five years, but cybersecurity blind spots or vulnerabilities are with us still.
While dealing with these issues, Russia has been active. The White House has been working to constrain ransomware attacks while Russia has been working in a considerably opposite direction. The Atlantic Council's Cyber Statecraft Initiative fellow Justin Sherman has provided a comprehensive synopsis, via the Early Bird's Military Times, of the state of the Russian cyber landscape vis-à-vis cybersecurity. Although the two chiefs of state committed to future cybersecurity dialogues, albeit at a lower level, following their meeting in Geneva, a Russian-based ransomware attack on a U.S. company addressed last month in Cyber Scene occurred. Putin has been arguing for an "isolatable domestic internet" which pundits have often considered as separate from Russia's "cyber ecosystem." But Mr. Sherman argues that the more an internal internet is developed, the less transparency the world would have regarding ransomware. He outlines what measures have already been taken by Russia and believes that "The regime's coercion of domestic tech companies—meshed with its overall coercion and control of regime-threatening forces—underscores that Putin could crack down on cybercrime if he so desires." He concludes that the U.S. and its NATO and EU allies must move jointly and counter this Russian cyber direction "head-on."
From another perspective in early August, Mr. Sherman presents (in Wired's eye-catching "Putin is Crushing Biden's Room to Negotiate on Ransomware") the UN angle on the issue of an isolatable internet. Mr. Sherman maintains that this attempt to introduce a new international cyber treaty to the UN reconfirms Putin's unwillingness to cooperate with Biden on cybercrook threats. The proposed treaty is intended to replace the Budapest Convention on cybercrime that Russia does not support. The article goes on to analyze Putin's understanding of the terminology, concluding that "…the new cyber treaty …conveys a sense of commitment to the same old lack of cooperation." He adds that even the definition of "cybersecurity" is not agreed upon.
One agreement that has grown some, if uneven, teeth is the EU's General Data Protection Regulation (GDPR). Regular readers will remember that EU countries seeking to end the tax-free ride that several giant Big Tech multinationals have enjoyed moved to enforce their new law. Attempts to do so had been inconsistent. However, Wired's Matt Burgess reports (first through Wired UK), that Luxembourg, which happens to be a serious European financial center, has gone to the courts. Amazon was declared "guilty" and fined $883 million. The figure is, according to Mr. Burgess, twice the total number of GDPR fines. He opines that the decision is extremely noteworthy because it displays the power of GDPR while exposing "…cracks in how inconsistently such regulation are applied cross the EU." A French civil liberties group had initiated the court case. The article notes that Luxembourg and the Republic of Ireland are the most important data protection authorities, small as they are. For those not familiar with the process, Mr. Burgess explains: "Under GDPR law, companies that operate across multiple countries in Europe can select one country—where their main office is based—to act as the nation where complaints are funneled through. This process is called the one-stop-shop mechanism. Before a decision—which can include a fine or enforcement action that can make companies change their behavior—is issued, all the European nations that are interested in the case are given a right to reply." While the GDPR system is still in its infancy, it seems to have shed its baby teeth. Big Tech is a big target.
The legal boom is also being lowered on Google regarding several of its products made in China that the wireless speaker-tech company Sonos maintains infringes their copyright per the NYT's reporter Daisuke Wakabayashi. He reports US federal court was first engaged in 2020, but the US International Trade Commission—a quasi-judicial body that decides trade cases and can block importation of goods—is now engaged as well. Google and Sonos are now suing each other, claiming infringement on U.S. or Chinese patents, trademarks or copyrights. At risk, are Google Home smart speakers, Chromecast systems and its Pixel phones and computers.
Yet another Big Tech legal issue might also touch you. The Economist reports on 14 August that the US and China have agreed on a big trade issue that includes some big cyber players. As grievances in America developed due to transgressions of large foreign companies, the Holding Foreign Companies Accountable Act was passed, requiring audits for companies traded on American exchanges. Skipping submissions of audits triggers automatic delisting from the exchanges (as in the New York Stock Exchange, the NASDAQ, or even the Chicago Exchange, etc.) within three years. Surprisingly, China and the US agree on this. The article notes that "Rare as this moment of Sino-American agreement is, it hardly spells good news for investors." It goes on to say that China has $1.5 trillion of market value in US exchanges.
Just in case you feel that you have sidestepped a political, technical, and monetary crevasse, if you use T-Mobile you might want to think again. The Washington Post of 20 August, as reported by Chris Velazco, has provided you with what could be called a "disaster relief" program, as T-Mobile has confirmed reports of a major data breach. Hackers have snared personal information including full names, dates of birth, social security numbers, drivers' licenses and customer phone identification of 40 million past, present and potential customers…some 45.3 million people. You should hear from T-Mobile, but you can also follow the Post's suggestions.