At a glance.
- Possible background to the US Executive Order on Securing the United States Bulk-Power System.
- Executive Order on social media reported to be under consideration.
- Reauthorization of FISA on hold.
- France prepares to roll out a national COVID-19 exposure notification system.
- With Test and Trace, they say the large print giveth and the small print taketh away.
- International approaches to cyberespionage: a Canadian perspective.
Possible background to the US Executive Order on Securing the United States Bulk-Power System.
The US Executive Order on Securing the United States Bulk-Power System described itself as a cybersecurity measure, but was noteworthy for its concentration on hardware (including transformers) as opposed to the more usual concentration on networks. A Wall Street Journal story may offer a partial explanation as to why this was so: last summer the US Department of Energy diverted a Jiangsu Huapeng-produced transformer destined for Denver to Sandia National Laboratory, where it's been under study since, presumably for whatever security risk it represents.
Executive Order on social media reported to be under consideration.
According to the Wall Street Journal and others, President Trump is considering a draft Executive Order that would limit the legal protections social media companies currently enjoy under Section 230 of the Communications Decency Act. The proposed measure would move toward treating social media platforms not as a protected public square, but rather as a monopoly that exerts substantial control over individual speech.
The rumored Executive Order is generally being received as connected with Twitter’s recent “fact check” of a Presidential tweet, in which Twitter added a “fact check” link to two of President Trump’s tweets about problems he saw with mail-in ballots. The fact check link text was a restrained “Get the facts about mail-in ballots,” and Twitter CEO Jack Dorsey explained yesterday that “This does not make us an ‘arbiter of truth.’ Our intention is to connect the dots of conflicting statements and show the information in dispute so people can judge for themselves. More transparency from us is critical so folks can clearly see the why behind our actions.”
Reauthorization of FISA on hold.
The US House of Representatives abandoned a proposed reauthorization of certain national security powers under the Foreign Intelligence Surveillance Act when Republicans and progressive Democrats declared themselves against the measure, the Washington Post reports.
France prepares to roll out a national COVID-19 exposure notification system.
The National Assembly and the Senate yesterday approved StopCovid, the exposure notification app developed for voluntary deployment to French users' smartphones. The Commission nationale de l'informatique et des libertés (CNIL), the national privacy watchdog agency, had approved the app on Tuesday, according to SecureWeek. Euro News says that the contentious debate that surrounded the vote focused on privacy concerns, and on getting assurances that StopCovid would be independent of Apple and Google, so Big Tech wouldn't become Big Brother.
Le Grand Frère or not, the app could be available for installation as soon as this coming Monday, Connexion reports. The app is designed for both iPhones and Android devices; users would voluntarily install it, turn on Bluetooth, and accept notifications. The app will note any one-meter (or less) approach to other users' devices that lasts fifteen minutes (or more). Any user who's subsequently diagnosed with COVID-19 would receive a QR code from their testing lab which they would (again, presumably voluntarily) image with their device so the app would know they'd tested positive for the virus. At that point other users who'd been within a meter of the infected person's phone for a quarter of an hour would be pinged with an invitation "to take precautions and be tested themselves if necessary." Presumably this would involve some interaction with a centralized database, but the government has given assurances that the app won't identify infected persons, and that its data will all be encrypted and anonymous.
There are of course the foreseeable objections on grounds of privacy: “I do not want someone to know, or even to be able to know, who I have spent 15 minutes with, within one metre. It’s none of your business,” Connexion quotes Jean-Luc Mélenchon, head of the France Insoumise party. But critics also object on grounds of the app's expected usefulness, which they assess as low, and several complain that StopCovid is simply arriving too late to do much good.
With Test and Trace, they say the large print giveth and the small print taketh away.
In the UK, Computing close-reads the National Health Service's Test and Trace website. What they've extracted from the text of the British government's site isn't especially reassuring with respect to privacy protections. Sure, it's in beta, so take what comfort you may from that, but Computing sniffs that the appearance of such Americanisms as "personal identifying information" (sic) suggests that the whole thing was rushed out. The site reads in part, "If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did and people you met whilst you were potentially infectious. If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe." You can ask the government to delete your data, but you've got no absolute right to such deletion, and the government plans to hang onto your information for twenty years.
International approaches to cyberespionage: a Canadian perspective.
Canadian security authorities warn that foreign intelligence services are exploiting the pandemic. The CBC reports that Canada's Centre for Cyber Security (a unit of the Communications Security Establishment) has issued a Cyber Threat Bulletin in which the Centre offers an overview of how cyber threats have been shaped by the COVID-19 pandemic. The Bulletin is dated April 27th, but was posted only this Tuesday.
The Centre for Cyber Security notes that the “global health sector” is under “extreme pressure” during the pandemic, and that this has made it an even more attractive target for ransomware extortionists than usual. That same pressure has served to draw the attention of espionage services, who are interested not only in stealing intellectual property related to COVID-19 treatments, but in assessing the effects of the pandemic on adversaries’ economies and military readiness.
Both criminals and state espionage services have been using spoofed versions of Canadian government websites to collect information or install malware. The National Post reports that more than fifteen hundred such bogus websites have been identified during the pandemic.
The Centre's note that state-sponsored threat groups are themselves facing staff reductions and adopting a lower operational tempo is interesting, and seems to represent the Centre's assessment of the probable effects the global economic downturn is having on intelligence services. The Bulletin mentions another probable effect of economic pain: intelligence services may well turn to revenue-generating cybercrime to make up their budget shortfalls.