At a glance.
- US warns of GRU's Drovorub malware.
- India scrutinizes Chinese apps.
- Industry comment on US-EU privacy negotiations, post-Schrems II.
NSA and FBI issue a joint warning on GRU malware.
The US National Security Agency and Federal Bureau of Investigation this morning issued a joint alert concerning a hitherto undiscussed malware toolset operated by Russia's military intelligence service, GRU. The report describes Drovorub, malware deployed by APT28, which of course is Fancy Bear. Drovorub is a multifunctional "Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server."
The report is detailed and interesting. "Drovorub," which means "woodcutter," is GRU's internal name. That NSA is willing to offer so much information is striking. The report's authors say, in an accompanying FAQ, “We’re sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies. We continuously seek to counter their ability to exploit our Nation’s critical networks and systems.” But it also seems likely that this is an instance of what NSA's sister organization, US Cyber Command, would call "persistent engagement," which it's said for the last couple of years it intends to visit on adversaries like Russia. Effectively saying "I know what you did last summer" (or this summer) and then showing that you do in fact know, can be as menacing in cyberspace as it is in a horror movie.
More scrutiny of Chinese apps.
It's well known now that both Twitter and (especially) Microsoft are considering buying TikTok from its Chinese owner ByteDance, and that such an acquisition may ward off the pending, mid-September ban US President Trump promised in his August 6th Executive Order. India has already banned TikTok and there may be a similar solution in the works there. TechCrunch reports that ByteDance is in talks with Indian retail giant Reliance Industries Limited about an investment that the Indian government might find an acceptable way of addressing its security concerns. Sputnik says that the Indian government's strictures on TikTok have led ByteDance to freeze hiring in its largest market.
Comment on US-EU negotiations on a successor to Privacy Shield.
The US and the European Union are in talks concerning a successor to the former Privacy Shield data handling agreement, recently invalidated by the European Court of Justice in its Schrems II decision. We received some industry comment on what a post-Schrems II data privacy regime should look like. In general, those who commented seem to expect US movement toward Europe, not vice versa. If, that is, there's any movement at all: they share some degree of skepticism about the outcome of the transatlantic conversation.
Saryu Nayyar, CEO of Gurucul, thinks Schrems II was entirely foreseeable:
“Europe's top court striking down Privacy Shield, and Safe Harbor before it, is really no surprise. The internet spans the globe, with data going everywhere, all the time, for billions of users. While the internet was hailed as a borderless platform to bring the world together, the reality is each region has its own concerns and laws governing it. This is a perfect example of exactly that. The European Union puts data privacy for its citizens first, ahead of Law Enforcement and State needs. The US puts National Security and Law Enforcement interests ahead of personal privacy. It's a fundamental difference in perspective, which makes it difficult for businesses to navigate the legal hurdles while simultaneously complying with conflicting regulations on a global scale. Finding common ground will take negotiation and compromise, but it is vital. The data must flow.”
Dan Piazza, Technical Product Manager at Stealthbits Technologies, will believe the talks are productive when they actually result in some sort of workable agreement:
“The EU and the U.S. are working on a new Privacy Shield agreement; however, there's much room for skepticism after both Safe Harbor and the first Privacy Shield were struck down by the European Court of Justice over the past few years. A joint statement between the U.S. Secretary of Commerce and the EU Commissioner for Justice states the two sides are working towards a new agreement; however, it all seems to be hand waving at this point until the U.S. government makes drastic changes to national data security policy and procedure.
“Privacy Shield was struck down primarily because federal U.S. security agencies, such as the NSA, have too much access to personal information stored by U.S. tech companies and other organizations.
“Without drastic reform to data privacy standards in the U.S., and the reach of agencies like the NSA, any potential new Privacy Shield agreements will most likely be swiftly shut down by the same court in the EU. It's clear the U.S. needs a mechanism like Privacy Shield in place, however, so far, the U.S. government hasn't taken any clear action that indicates they intend to start taking data privacy more seriously.”
Chloé Messdaghi, Vice President of Security at Point3 Security, sees the issue as one of reconciling the significantly looser American privacy standards with Europe's more stringent regime, and she thinks that will take some surveillance reform. She's also skeptical about whether Schrems II represents a firm European commitment to change, or simply a puppet show for home consumption:
“The situation needs a serious surveillance reform. To this day, it crosses the line of human rights and privacy. Our US data protection laws are different from the EU's. They offer much less protection than EU laws. In return, personal data from across the Atlantic could be stored without security measures, can be used without users' knowledge, sold to other companies without protection, and possibly stolen. The EU-U.S. privacy shield was supposed to help provide protection to data and force companies to protect trans-Atlantic data with EU standards while providing limits on the data being shared or accessed. However, when it was being formed there were plenty of surveillance holes.
“On July 16th, the EU struck down the EU-U.S. privacy shield. To the public, it was a way to push for the U.S. to get onboard with surveillance reform as well as a push for business interests to do the same. In return, the situation provides the U.S. with two options: 1) to change their ways; or 2) companies will have to move their operations to Europe and split their systems into two parts.
“But let's be real – did the EU do this to push for change? Or to "be seen" by the public to push for change? Because the reality is the U.S. has their hands deep in tech platforms. Thus, the EU often bends over backwards for the U.S. because of its power and control, which we saw when creating the EU-U.S. privacy shield. And because of this power and control, the U.S. and EU are again trying to reach another "agreement" to make sure everything continues to function. But whoever controls tech has the ability to do what they want – and since that’s the US, it prevents the EU from imposing anything because they don't have equal standing. Unless both parties are equally weighted during talks, the one in control can continue to have their demands met more than the weaker party.
“Let's face it – it’s understood that there’s serious conversation that’s either happening or that needs to happen about the U.S. taking further steps toward a global approach to surveillance reform and people's right to privacy. Is this the next step in reforming the data industrial complex or an initiative for the sake of appearances? We’ll see...”