At a glance.
- US Department of Energy announces plans to develop a "quantum Internet" within ten years.
- Updates on Sino-American cyber tensions.
- CISA and NSA issue joint warning for OT systems in critical infrastructure.
- EU privacy regulators may have a sharply increased workload coming.
US Energy Department and the University of Chicago announce a quantum Internet R&D program.
The Wall Street Journal reports that the US Department of Energy and the University of Chicago will lead a national effort to develop an inherently secure "quantum Internet," which could be ready within ten years. Funding will come from some of the $1.275 billion allocated to the US National Quantum Initiative.
Sino-American tensions in cyberspace.
China orders the US consulate in Chengdu shuttered, Reuters reports, in response to the US closure of China’s Houston consulate. Such a move had been widely expected. The only unknown was which city’s consulate would be the one to go.
Concerns mount over the risk of data exposure through Chinese-manufactured DJI drones, CyberScoop and others write. The concern is that DJI’s Android interface could capture data from users’ phones and transfer it to Chinese intelligence and security services. Researchers at Paris-based Synacktiv and GRIMM, which operates mostly in Maryland and Northern Virginia, found that the app collected information from users' devices, updated itself in an unsupervised way, and behaved in other suspicious ways that, the New York Times notes, could constitute violations of Android developer terms of service. The threat, and it's one based on the a priori probability that Chinese law requires Chinese companies to surrender data on demand, is that the drones could be used for cyberespionage. There’s no particular evidence that DJI has done this, but it’s clearly a possibility, and as the Washington Post suggests, Sino-American cyber relations are clearly in a state where no one is prepared to accept absence of evidence as evidence of absence.
US Secretary of State Pompeo has been strongly critical of China, and in particular of the ruling Chinese Communist Party (CCP), in ways that Defense One sees as reminiscent of the rhetoric that marked the Cold War against the Soviet Union. “We have to keep in mind that the CCP regime is a Marxist-Leninist regime. General Secretary Xi Jinping is a true believer in a bankrupt totalitarian ideology. Americans can no longer ignore the fundamental political and ideological differences between our countries just as the CCP has never ignored them.”
The current state of conflict seems to have shifted, an essay in Foreign Policy argues. With Huawei apparently on its way to containment, the "central front" has shifted to TikTok, and the essayist argues that this shift is with good reason. TikTok may be for the most part devoted to sharing goofy videos created and posted by teens and tweens, but it is, the essay says, in fact a vast and successfully gamified graph that casts an indefinitely wide net, and that net is in principle in the hands of the CCP.
US agencies warn of foreign threat to critical infrastructure.
A joint warning from the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) points out a heightened cyber threat to the industrial Internet-of-things. Recent months, the agencies say, have seen significantly increased attention paid to “internet-accessible operational technology (OT) assets” as “cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure.” Operators of such systems should be ready, CISA and NSA say, to protect themselves during a “time of crisis.”
The agencies don’t name names in their warning, but the media have. WIRED, in a representative piece, calls out Fancy Bear, Russia’s military intelligence service, the GRU, as the cyber actor snuffling at US critical infrastructure. The campaign has apparently been in progress for the better part of a year, which suggests that it’s in its reconnaissance and battlespace preparation phase. The alert warns that the agencies have seen an increase in email spearphishing attacks aimed at gaining access to critical infrastructure networks with the aim of pivoting into OT systems. They’ve also seen ransomware attempts against such systems, and ransomware is both disruptive in itself and an opportunity for information theft.
The alert lists the techniques CISA and NSA have seen:
- “Spearphishing to obtain initial access to the organization’s information technology network before pivoting to the OT network.
- “Deployment of commodity ransomware to Encrypt Data for Impact on both networks.
- “Connecting to Internet Accessible PLCs requiring no authentication for initial access.
- “Utilizing Commonly Used Ports and Standard Application Layer Protocols, to communicate with controllers and download modified control logic.
- “Use of vendor engineering software and Program Downloads,” and finally,
- “Modifying Control Logic and Parameters on PLCs.”
The problems these techniques could induce include loss of system availability, loss of human operators’ visibility into systems, loss of productivity (which means loss of revenue) and disruption of physical processes.
CISA and NSA recommend a set of actions operators should take to become harder targets. Many of them are solid advice at any time, like their recommendations to develop and exercise resilience and incident response plans, and to disconnect from the Internet any devices that don’t need to be connected to it.
Some of them, however, including the most urgent recommendations, may be less familiar. “Create an accurate ‘as-operated’ OT network map immediately,” for example, and the related “Understand and evaluate cyber-risk on ‘as-operated’ OT assets.”
Take phishing. It’s not an advanced technique--anyone can do it, and do it they will, from the high-end operators back at the Aquarium to the grubby grifter living on pizza and Mountain Dew in his parents’ basement. It’s troubling, though, when nation-states are involved: their reach is far greater, their timing and coordination are more damaging, and they can be far more patient and focused than the proverbial skid with a phishing kit. “It is important to note that while the behavior may not be technically advanced,” CISA and NSA say in their warning, “it is still a serious threat because the potential impact to critical assets is so high.”
EU privacy regulators may have more than they can handle.
According to the Wall Street Journal's Brussels Report, last week's ruling by the European Court of Justice that effectively abandoned the Privacy Shield arrangements that had governed transatlantic data transfers may have given the EU's privacy enforcers more work than they can realistically handle.