At a glance.
- China proposes international data security standards.
- US Space Policy Directive 5 outlines cyber-hardening for space systems.
- EU politicians: Privacy Shield revival will depend upon changes to US data regulations.
- COVID-19 research high on cyberespionage target lists.
- Cybersecurity for COVID-19 biomedical research.
China outlines its vision for Chinese-led global data security standards.
The Wall Street Journal describes China's “Global Initiative on Data Security,” announced today by Foreign Minister Wang Yi. China calls on all countries to address data security in a “comprehensive, objective and evidence-based manner.” It also calls for the maintenance of what the Journal calls "an open, secure and stable supply chain for information and communications technology and services." And it includes a call for an international regime of respect for data sovereignty, under which governments would control all aspects of the Internet in their own country.
The last two points may seem to be in tension with one another, although perhaps such apparent dissonance is ultimately taken to be harmonized by the first principle of a "comprehensive, objective, and evidence-based" approach to cybersecurity. Given current Sino-American tension, it's not surprising that the Foreign Minister's statement complains of its unnamed rival: "Bent on unilateral acts, a certain country keeps making groundless accusations against others in the name of ‘clean’ network and used security as a pretext to prey on enterprises of other countries who have a competitive edge. Such blatant acts of bullying must be opposed and rejected.” "Clean" is the tip-off, if any be needed: it's an allusion to the US Clean Network program that's designed to exclude what the US regards as risky and often nefarious Chinese systems from US networks.
US President Trump issues Space Policy Directive 5 on cybersecurity for space systems.
On Friday President Trump signed Space Policy Directive 5, Cybersecurity Principles for Space Systems, which outlines an approach to securing space systems from cyberattack. SPD-5 establishes five principles for securing space systems:
- "Space systems and their supporting infrastructure including software, should be developed and operated using risk-based, cybersecurity-informed engineering;
- "Space systems operators should develop or integrate cybersecurity plans for space systems that include capabilities to: protect against unauthorized access; reduce vulnerabilities of command, control and telemetry systems; protect against communications jamming and spoofing; protect ground systems from cyber threats; promote adoption of appropriate cybersecurity hygiene practices; and, manage supply chain risks;
- "Space system cybersecurity requirements and regulations should leverage widely-adopted best practices and norms of behavior;
- "Space system owners and operators should collaborate to promote the development of best practices and mitigations; and
- "Space systems operators should make appropriate risk trades when implementing cybersecurity requirements specific to their system."
EU politicians: Privacy Shield revival will depend upon changes to US data regulations.
European Union politicians are described in the Wall Street Journal as saying that Privacy Shield, invalidated by the Schrems II decision, is unlikely to be revived soon, and that any ultimate accommodation can be expected to hinge on US willingness to adapt its data protection laws and regulations to a more European standard.
COVID-19 cyberespionage programs.
Georgian authorities confirm that a cyberattack on the Lugar Lab biomedical research center in Tbilisi took files related to research into the COVID-19 pandemic. The cyberespionage is not yet attributed to anyone, but Georgia’s Foreign Ministry says it’s investigating, and won’t hesitate to name the perpetrator once they’ve determined who’s responsible.
While Russia’s SVR foreign intelligence service has displayed a close interest in pandemic-related biomedical research, Chinese and Iranian intelligence services have also undertaken considerable efforts to collect intelligence on COVID-19 work.
Such espionage isn't, of course, confined to Lugar Lab. The New York Times reports that COVID-19 research has become a common target for collection by espionage agencies. In this, Chinese services have been particularly active. Their targets have tended to be US research universities--the Times’s story makes particular mention of the University of North Carolina--with some effort also made to penetrate biomedical companies. It appears they’ve had limited success with the companies they’ve targeted (Gilead Sciences, Novavax and Moderna), but universities seem to offer a relatively softer target than government or corporate labs. And according to the Times, Beijing has sought to make use of its influence with the World Health Organization to facilitate collection of biomedical intelligence.
Russian efforts to steal COVID-19 research have been more focused on the United Kingdom, where Oxford University and its pharmaceutical corporate partner, AstraZeneca, have been targeted by the espionage services.
US security and assurance for rapid COVID-19 vaccine development.
CyberScoop has an account of US efforts to secure vaccine research. “Operation Warp Speed” is the name that’s been given to the American crash effort to produce a vaccine by January, and the program has a significant security component. Formally known as Security and Assurance, this subprogram represents a joint effort among the Defense Digital Service, National Security Agency, FBI, the Department of Homeland Security and the Department of Health and Human Services. The program provides security advice and assistance to the companies developing the vaccine, and to the companies establishing the supply chain that will deliver the three-hundred-million doses Warp Speed intends to produce by the beginning of 2021.