News for the cybersecurity community during the COVID-19 emergency
Obfuscation and misdirection.
One of the difficulties of assessing the COVID-19 pandemic in ways that might usefully inform effective disease-control policies has been the challenge of understanding the pandemic’s extent and the course infection takes in its sufferers. Chinese information control practices haven’t helped. The US Intelligence Community last week delivered a classified study to the White House that concluded, according to Bloomberg, that “China’s public reporting on cases and deaths is intentionally incomplete.”
Others with fewer or at least different dogs in this particular fight have reached the same conclusion. Vice summarizes Beijing’s policy with respect to information about the coronavirus, and it finds a comprehensive program of censorship and disinformation directed at both domestic and international audiences. Stanford University’s Internet Observatory says that deliberate misdirection and obfuscation (false suggestion and suppression of truth) have been in progress since January.
The pandemic's economic toll.
Lockdowns, illness, self-isolation, enforced closures, and the attendant throttling of commerce have taken a toll on all sectors. CNBC, in a non-rigorous but informative look at start-ups, concludes that more than thirty-five hundred jobs were eliminated during March at some forty companies that had collectively raised more than $14 billion in capital. The New York Times calls the job destruction “the great unwinding.” The tech sector and its security subsector have been less heavily affected than some others, but they’ve by no means been immune.
The case of Zoom.
Zoom has had a remarkable, wild, and decidedly mixed ride over the course of the pandemic. The remote conferencing service (listed on the Nasdaq as ZM) had between October and the end of January traded between $60 and $80. On February 3rd (three days after the US banned travel from China and the day after the first death outside China from COVID-19 was reported) the company’s shares rose to $87.66. They peaked at $159.56 on March 23rd (the day the UK’s lockdown began, six days after France imposed a nationwide lockdown and eight days after the US Centers for Disease Control recommended social isolation). It’s a telework-driven surge: as of last week, MarketWatch marveled, Zoom’s daily active user count was up 378% from where it was a year ago.
Zoom has since fallen off those highs, closing yesterday at $137.00. Problems with security and privacy have made for what Axios calls a “tarnished moment of glory.” WIRED thinks the issues--data-sharing that’s prompted a class action lawsuit, oversharing of user data, the relative ease with which skids and others have been able to intrude into sessions (“Zoombombing”), and two new zero days--collectively mean that “the Zoom privacy backlash is only getting started.”
Zoom itself (which Forbes credits with at least enough transparency to render the company relatively journalist-friendly) is working to fix its privacy and security issues. CEO Eric Yuan blogged that the company has frozen all updates other than those designed to enhance security. He’s also announced a variety of training and support initiatives, and has offered clarification (and where appropriate apologies) about certain Zoom features, notably its encryption, which turns out to have been less rigorous than marketing claims may have led users to believe.
The difficulties Zoom is experiencing are no doubt connected with its success: a sudden transformation from a reliable and user-friendly conferencing service to what amounts almost to a public utility. That’s Zoom’s view. As CEO Yuan wrote, “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
Axios offers a speculative but plausible explanation of what’s happening: “The same design choices and default settings that made Zoom so easy to install and use are the ones that make it vulnerable. The level of trust that users within a large company assume as they work together breaks down among more heterogeneous groups in public environments.” And it's so easy to use that it almost constitutes an attractive nuisance, as a Wall Street Journal story about virtual happy hours suggests.
What's become of cybersecurity conferences?
They're being cancelled, postponed, or moved online. Three familiar names in the cybersecurity event space have announced plans to hold their events in virtual form. Suits and Spooks has announced its pleasantly named Safe House project, whose inaugural session will kick off on May 7th. SecurityWeek will run a full series of virtual summits, with seven scheduled so far. And Billington Cybersecurity, as it prepares to take its well-known summits online, is interested in hearing from the community about the topics and speakers they'd most like to engage. Sure, distributing swag will be a challenge, but it will be interesting to see how security conferences and the community they serve adapt to the challenges the current emergency poses.