Executive Orders: bulk power, social media. FISA reauthorization. Contact tracing. Styles of cyberespionage.

Summary

By the CyberWire staff

At a glance.

Possible background to the US Executive Order on Securing the United States Bulk-Power System.
Executive Order on social media reported to be under consideration.
Reauthorization of FISA on hold.
France prepares to roll out a national COVID-19 exposure notification system.
With Test and Trace, they say the large print giveth and the small print taketh away.
International approaches to cyberespionage: a Canadian perspective.

Possible background to the US Executive Order on Securing the United States Bulk-Power System.

The US Executive Order on Securing the United States Bulk-Power System described itself as a cybersecurity measure, but was noteworthy for its concentration on hardware (including transformers) as opposed to the more usual concentration on networks. A Wall Street Journal story may offer a partial explanation as to why this was so: last summer the US Department of Energy diverted a Jiangsu Huapeng produced transformer destined for Denver to Sandia National Laboratory, where it's been under study since, presumably for whatever security risk it represents.

Executive Order on social media reported to be under consideration.

According to the Wall Street Journal and others, President Trump is considering a draft Executive Order that would limit the legal protections social media companies currently enjoy under Section 230 of the Communications Decency Act. The proposed measure would move toward treating social media platforms not as a protected public square, but rather as a monopoly that exerts substantial control over individual speech.

The rumored Executive Order is generally being received as connected with Twitter’s recent “fact check” of a Presidential tweet, in which Twitter added a “fact check” link, to two of President Trump’s tweets about problems he saw with mail-in ballots. The fact check link text was a restrained “Get the facts about mail-in ballots," and Twitter CEO Jack Dorsey explained yesterday that “This does not make us an ‘arbiter of truth.’ Our intention is to connect the dots of conflicting statements and show the information in dispute so people can judge for themselves. More transparency from us is critical so folks can clearly see the why behind our actions.”

Reauthorization of FISA on hold.

The US House of Representatives abandoned a proposed reauthorization of certain national security powers under the Foreign Intelligence Surveillance Act when Republicans and progressive Democrats declared themselves against the measure, the Washington Post reports.

France prepares to roll out a national COVID-19 exposure notification system.

The National Assembly and the Senate yesterday approved StopCovid, the exposure notification app developed for voluntary deployment to French users' smartphones. The Commission nationale de l'informatique et des libertés (CNIL), the national privacy watchdog agency, had approved the app on Tuesday, according to SecureWeek. Euro News says that the contentious debate that surrounded the vote focused on privacy concerns, and on getting assurances that StopCovid would be independent of Apple and Google, so Big Tech wouldn't become Big Brother.

Le Grand Frère or not, the app could be available for installation as soon as this coming Monday, Connexion reports. Designed for both iPhones and Android devices, users would voluntarily install the app, turn on Bluetooth, and accept notifications. The app will note any one-meter (or less) approach to other users' devices that lasts fifteen minutes (or more). Any user who's subsequently diagnosed with COVID-19 would receive a QR code from their testing lab which they would (again, presumably voluntarily) image with their device so the app would know they'd tested positive for the virus. At that point other users who'd been within a meter of the infected person's phone for a quarter of an hour would be pinged with an invitation "to take precautions and be tested themselves if necessary." Presumably this would involve some interaction with a centralized database, but the government has given assurances that the app won't identify infected persons, and that its data will all be encrypted and anonymous.

There are of course the foreseeable objections on grounds of privacy: “I do not want someone to know, or even to be able to know, who I have spent 15 minutes with, within one metre. It’s none of your business,” Connexion quotes Jean-Luc Mélenchon, head of the France Insoumise party. But critics also object on grounds of the app's expected usefulness, which they assess as low, and several complain that StopCovid is simply arriving too late to do much good.

With Test and Trace, they say the large print giveth and the small print taketh away.

In the UK, Computing close reads the National Health Service's Test and Trace website. What they've extracted from the text of the British government's site isn't especially reassuring with respect to privacy protections. Sure it's in beta, so take what comfort you may from that, but Computing sniffs that the appearance of such Americanisms as "personal identifying information" (sic) suggests that the whole thing was rushed out. The site reads in part, "If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did and people you met whilst you were potentially infectious. If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe." You can ask the government to delete your data, but you've got no absolute right to such deletion, and the government plans to hang onto your information for twenty years.

International approaches to cyberespionage: a Canadian perspective.

Canadian security authorities warn that foreign intelligence services are exploiting the pandemic. The CBC reports that Canada's Centre for Cyber Security (a unit of the Communication Security Establishment) has issued a Cyber Threat Bulletin in which the Centre offers an overview of how cyber threats have been shaped by the COVID-19 pandemic. The Bulletin is dated April 27th, but was posted only this Tuesday.

The Centre for Cyber Security notes that the “global health sector” is under “extreme pressure” during the pandemic, and that this has made it an even more attractive target for ransomware extortionists than usual. That same pressure has served to draw the attention of espionage services, who are interested not only in stealing intellectual property related to COVID-19 treatments, but in assessing the effects of the pandemic on adversaries’ economies and military readiness.

Both criminals and state espionage services have been using spoofed versions of Canadian government websites to collect information or install malware. The National Post reports that more than fifteen-hundred such bogus websites have been identified during the pandemic.

The Centre also notes that state-sponsored threat groups are themselves facing staff reductions and adopting a lower operational tempo is interesting, and seems to represent the Centre's assessment of the probable effects the global economic downturn is having on intelligence services. The Bulletin mentions another probable effect of economic pain: intelligence services may well turn to revenue-generating cybercrime to make up their budget shortfalls.

Selected Reading

International Plea for Governments to Protect Healthcare from Cyber-Attacks (Infosecurity Magazine) Cyber Peace Institute’s call for the defense of healthcare providers garners international support

Yes, Blame WHO for Its Disastrous Coronavirus Response (Foreign Policy) A step-by-step reconstruction of events reveals a long series of mistakes and missteps.

Canada to lead global effort to counter election interference (TheHill) The government of Canada, alongside Microsoft and the Alliance for Securing Democracy, will lead a global effort to counter the use of cyberattacks and disinformation campaigns to disrupt elections, officials announ

AP EXPLAINS: Why China is pushing Hong Kong security law (Federal News Network) China is taking matters into its own hands after last year’s tumultuous anti-government protests in Hong Kong that often descended into tear gas-filled clashes…

()

U.S. Officially Declares That Hong Kong Is No Longer Autonomous (Wall Street Journal) The State Department has officially determined that Hong Kong is no longer autonomous from China, Secretary of State Mike Pompeo said in a statement that holds implications for the future of economic ties and could lead to sanctions against China.

How the U.S. Could Really Hurt China (Wall Street Journal) Scrapping the privileges the U.S. affords Hong Kong would downgrade the city’s economic role, but a broader basket of financial sanctions could be even more painful for China.

‘We must use fighting to promote stability’, Chinese defence minister says (South China Morning Post) US has intensified its ‘suppression and containment’ of China since start of Covid-19 pandemic, top defence official and PLA general Wei Fenghe says.

Huawei hits out at fresh UK network probe (ComputerWeekly) UK cyber security agency confirms it will conduct a new investigation into the security-worthiness of Huawei’s 5G technology.

Australia is painting a big red cyber target on its critical infrastructure (ComputerWeekly) Australian’s critical infrastructure is particularly vulnerable right now to cyber attacks due to years of under investment in cyber security and aging legacy systems

Bern Up Cyber Defenses (Finews) Switzerland is ramping up its cyberdefenses, including by hiring new specialists. The move represents a massive expansion of preventive measures in the last 18 months.

Trump Threatens to Shut Social Media Companies After Twitter Fact Check (Bloomberg) Attack comes after Twitter fact-checked, labeled Trump tweet Tech companies have faced criticism from conservatives of bais.

Trump Draft Order Could Seek to Limit Protections for Social-Media Companies (Wall Street Journal) The draft executive order would make it easier for federal regulators to hold companies such as Twitter and Facebook liable for curbing users’ speech, for example by suspending their accounts or deleting their posts.

Trump to sign executive order on social media amid Twitter furor (POLITICO) “Big Tech is doing everything in their very considerable power to CENSOR in advance of the 2020 Election,” Trump tweeted late Wednesday.

()

Twitter's New 'Fact-Checking' Label Has Dangerous Implications, Experts Say (Epoch Times) Twitter, in a first for the social media platform, has added a fact-checking label to posts by President Donald ...

Nick Clegg says Facebook is not in the business of vetting what politicians say (The Telegraph) Sir Nick says it is not up to private tech companies to fact-check politicians, a day after Twitter adds label to Donald Trump's tweet

US Lawmakers Push for Internet Privacy Amendments to USA Freedom Act (SecurityWeek) US lawmakers this week will vote on an amendment to the surveillance bill known as the USA FREEDOM Reauthorization Act that would limit law enforcement access to people’s search and browsing histories

USA: The EARN IT Act - Analysis and Critique (Boxcryptor) Why is the EARN IT Act a threat to end-to-end encryption? In our security blog we explain the strategy of the 4 senators and look at the implications.

With new standards, the time to prepare is now (Fifth Domain) While it remains unclear what the full impact of COVID-19 will be on the CMMC process, defense contractors have no time to waste in preparing for this new certification.

WSJ News Exclusive | U.S. Seizure of Chinese-Built Transformer Raises Specter of Closer Scrutiny (Wall Street Journal) Federal authorities last summer diverted a giant transformer built by Jiangsu Huapeng Transformer Company to a U.S. lab, a move experts said could herald tighter scrutiny of foreign-made gear over security concerns.

Control system device insecurity is addressed by the Presidential Executive Order but is being ignored at your own peril (Control Global) You can’t secure control systems and the critical infrastructures without having the right people and processes in place.

Does the Justice Department Need a Dedicated Compliance Expert? (Wall Street Journal) The Justice Department in recent years has issued a series of policies designed to incentivize companies to invest in programs that ensure employees don’t violate the law. Few have been as central to those efforts as Andrew Weissmann, who was chief of the department’s criminal fraud section from 2015 to 2017.

New Cyber Office Will Unify NAVSEA's Digital Efforts (USNI News) Vice Adm. Tom Moore has listed “cyber” as a top priority for Naval Sea Systems Command (NAVSEA) since assuming command four years ago, but despite the emphasis, the organization hadn’t found a way to define and pursue cyber and digital issues in any kind of unified way. Even after nudging from former Chief of Naval …

Canada court finds against Huawei CFO Meng Wanzhou on double criminality; extradition trial to continue (TechCrunch) In a closely watched decision today, the Supreme Court of British Columbia published a key decision in the extradition case of Meng Wanzhou, the CFO of Huawei Technologies, China’s largest telecommunications company and a frequent target of U.S. policymakers. In its ruling, the court said that the …

Canadian judge OKs extradition proceedings for Huawei CFO (CyberScoop) A Canadian Supreme Court judge has ruled that extradition proceedings should continue for an executive of Chinese telecommunications giant Huawei.