At a glance.
- State-espionage service phishes Germany PPE procurement task force.
- Limiting dependence on foreign companies for cloud and 5G infrastructure.
- Cyber operations and cyber deterrence.
- Election interference and online voting.
State-espionage service phishes Germany PPE procurement task force.
IBM’s X-Force reports that Task Force Schutzausrüstung, organized by Germany’s Health Ministry to procure personal protective equipment, has been subjected to a phishing campaign directed against PPE supply chains. It's thought likely to be the work of a nation-state intelligence service interested in gaining competitive advantage in the market. The intent appears to be the crippling of a competitor for a range of commodities. Doing so could clear the field and give the attacker a better chance of obtaining scarce PPE at lower prices. There are other possibilities as well: there’s a degree of overlap between executives connected with the task force and those connected with the development of COVID-19 vaccines and treatments. Intelligence about these may also be a goal.
Limiting dependence on foreign companies for cloud and 5G infrastructure.
There are more moves toward restricting the role foreign companies will be allowed to play in national infrastructure. The Wall Street Journal reports that the European Union is undertaking a European cloud project designed to limit the EU’s dependence on American Big Tech. And as Prime Minister Johnson moves to consider limiting the role Huawei will be permitted to play in the UK’s 5G infrastructure, the BBC notes that Huawei embarks on a charm offensive with open letters in British newspapers. Governments are also showing an interest in keeping tech startups in domestic hands. France's Foreign Ministry, Bloomberg reports, has established a €500 million fund to provide financial support to French startups that could otherwise be vulnerable to acquisition by foreign firms.
Cyber operations and cyber deterrence.
Regional rivals continue expanding their operations in cyberspace. Pakistani operators Telegana Today describes as “criminals” are said to be smishing Indian Defense officials. Their aim appears to be data exfiltration. The goal and the target set suggest a connection to espionage. Both India and Pakistan are said by Eurasian Times to be increasing their cyber operational capability, and doing so with the aid of allies, respectively Israel and Pakistan.
As more information about the exchange of cyberattacks between Iran and Isreal comes to public attention, an essay in Foreign Policy assesses those operations as indicating the future of warfare: increasingly conducted in cyberspace, especially at the lower end of the spectrum of conflict, and increasingly overt. Both recent operations hit civilian infrastructure: Iranian operators are said, by Israel, to have attacked water treatment and distribution systems. Those attacks are believed to have been unsuccessful, their effects mitigated by defenders. Israeli operators are believed, on the basis of apparently deliberate leaks from within the Israeli government, to have retaliated by crippling operations at an Iranian port.
Election interference and online voting.
Remote voting online has been used in some US states’ primaries, and may see some limited use in November’s general elections. The New York Times discusses the risks this may pose for direct manipulation of votes by hostile intelligence services (they focus, of course, on Russian services).
Delaware, West Virginia, and New Jersey plan to use Democracy Live’s OmniBallot platform, but researchers at MIT and the University of Michigan report that OmniBallot “represents a severe risk to election security and could allow attackers to alter election results without detection.”
OmniBallot isn’t new, researchers Michael A. Specter and J. Alex Halderman write. It’s “ long been used to let voters print ballots that will be returned through the mail.” What’s new this year, they say, is its use for filing ballots online. The three states are using it differently. New Jersey has decided to make online voting available to voters with certain disabilities, and it’s treating that limited availability as a pilot that could be expanded if the need arose. West Virginia lets the disabled, military voters, and West Virginia citizens overseas to vote online with OmniBallot. Delaware is making the most expansive use of the system. As Specter and Halderman write, online voting will be an option to anyone who’s sick, self-quarantining, or engaging in social distancing, which as a practical matter includes close to everyone in the state.
The researchers see four problems with the system.
First, they conclude that OmniBallot’s ballot return function cannot achieve either software independence or end-to-end verifiability. The system used “third-party services and infrastructure,” including Amazon’s cloud, with JavaScript executed from Google and Cloudflare. Either unauthorized third-parties or Democracy Live itself could alter votes without being detected. The threats could be either malicious insiders or external threats who’ve gained access.
Second, the version of the ballot marking mechanism that’s being used in Delaware in particular sends the voter’s identity and ballot selections to Democracy Live, even if the voter opts to print the ballot and mail it in. This, the researchers say, needlessly places ballot secrecy at risk.
Third, even where OmniBallot is used only to deliver blank ballots, the researchers find that the ballots could be misdirected or altered in ways that would cause them to be counted incorrectly. Election officials could mitigate these risks, but only with the expenditure of considerable effort, and in conducting “rigorous post-election audits.”
And, finally, in all cases Democracy Live, the platform’s corporate parent, collects a great deal of sensitive personally identifiable information. That information includes voters’ names, addresses, dates of birth, physical locations, party affiliations, and partial social security numbers. And when the system is used to submit ballots online, more comes in, including ballot selections and a browser fingerprint. The possibilities for misuse of this information are extensive and obvious. It could be used, for example, for targeted political advertising, equally rifle-shot accuracy in hitting targets for disinformation, and so on. And the researchers point out that OmniBallot seems to have no privacy policy posted, leaving it unclear what, if any, safeguards may be in place.