At a glance.
- NATO considers adaptations to a new strategic environment.
- Insecure US county voting websites identified.
- Steps toward a pan-African GDPR.
- The House of Commons defence committee says Huawei is working for China's government.
- Facebook, Twitter, flag coordinated inauthenticity.
North Atlantic Treaty Organization (NATO) head Secretary General Jens Stoltenberg said “the world has fundamentally changed” over the past decade and called for an update to the alliance’s stance towards Beijing, terrorism, and emerging technologies, according to SecurityWeek. New risks have arisen since the last strategic overhaul, stemming from China’s ascendance and Middle East and North Africa (MENA) unrest, along with developments in cyberwarfare, big data, and telecom tech. "[O]ur first line of defense must be strong societies able to prevent, endure, adapt and bounce back from whatever happens," Stoltenberg said.
Local US election websites remain insecure.
Expanding on their January study of US swing states, software company McAfee surveyed the cybersecurity practices of county election webpages in all fifty states. Although “.gov” domains are available only to government bodies and thus help differentiate genuine from phony sites, and HTTPS encryption is a standard security measure, only sixteen percent employ both. Eighty percent of county pages use an alternate domain, and almost half go without HTTPS. US states Ohio, Hawaii, and Arizona performed best on the combined metric, with percentages in the seventies and eighties. Ohio scored the only one-hundred percent, in HTTPS encryption, apparently thanks to an order by the Secretary of State. The East Coast took a beating. Delaware, Maine, New Hampshire, and Vermont all maxed out at zero percent on both counts.
At stake is confidence in the election: threat actors can exploit these vulnerabilities to steal voter information and spread misinformation about contenders or voting procedures on sham sites. The FBI has already found dozens of such pages, as CyberScoop reports. McAfee says, “There should be one recipe for the security and integrity of government websites such as election websites and that recipe should be .GOV and HTTPS.”
We heard from Chris Howell, CTO at Wickr, who emailed some comments on the technology behind the vulnerabilities:
“Verifiable domains and HTTPS encryption are table stakes features for all serious websites built in the past decade. Beyond the threat of exposing voter registration/PII or the potential of disinformation around polling hours and locations, sites that lack these protections today also pose a significant threat to visitors related to the proliferation of malware. With the right tools, attackers can drop malicious payloads into web traffic to siphon sensitive data from visitor computers or execute damaging ransomware or related attacks without having to compromise the website hosting infrastructure.
"Election sites are attractive targets for more organized threat actors and nation-states as well, which increases the likelihood that weak sites will be exploited.
"Perhaps even more concerning is if so many election sites haven’t done the most basic of things necessary to secure themselves, what else aren’t they doing? Verifiable domains and HTTPS are only the first steps; they don’t keep your servers patched or your application software free of security vulnerabilities, which is how most sites are compromised today. Our banking and e-commerce services know this. Our election system requires no less security; perhaps more.
"The scary thing is if we add it all up - a low average security score across the board, a target that attracts the most highly motivated and capable attackers, and the likelihood that even a single attacker “victory” would produce broad chaos amongst the electorate - it’s a recipe for disaster. Those with the power to act should do so quickly and effectively.”
Movement toward a pan-African GDPR?
Select African countries are developing a unified data protection plan with the goal of making the continent “a single market,” Nigeria’s The Guardian reports. Google privacy lawyer Peter Fleischer said a cohesive policy “is a lot more effective and efficient for protecting user privacy,” not to mention easier for global corporations to manage. He hopes Google, a company not known for its privacy advocacy, will be involved in formulating and launching the framework.
The House of Commons defence committee accuses Huawei of working for the Chinese government.
The BBC reports that a British Parliamentary committee yesterday released a report that concluded there was “clear evidence of collusion” between Huawie and the Chinese Communist Party. While tut-tutting a bit to innoculate itself against charges of “ill-informed, anti-China hysteria,” the House of Commons defence committee supported its conclusions by noting the subsidies the company has received from the Chinese government: some $75 billion over the last three years. That subsidy enabled Huawei, the report said, to lowball its competition and secure great marketshare by selling its equipment at a "ridiculously low price point.”
The report also cites research that alleges that the Shenzhen hardware giant has "engaged in a variety of intelligence, security, and intellectual property activities." In sum, the Parliamentary study concludes, "It is clear that Huawei is strongly linked to the Chinese state and the Chinese Communist Party, despite its statements to the contrary. This is evidenced by its ownership model and the subsidies it has received."
The report is expected to have the effect of advancing the replacement of Huawei equipment in the UK’s telecommunications infrastructure. For its part, Huawei expressed its confidence that “people will see through these accusations of collusion and remember instead what Huawei has delivered for Britain over the past 20 years.”
Fortune sees the report as harsher than any official statements other critics of Huawei, including the US and Australian govenmenet, have so far offered. It represents a direct, official accusation that Huawei is actively working for the Chinese government. Previous warnings have concentrated on the company’s susceptibility to Beijing’s influence, and this report goes beyond that.
Coordinated inauthenticity flagged.
Yesterday both Facebook and Twitter disclosed the discovery and suspension of politically-motivated or state-connected networks of inauthentic accounts.
Facebook’s takedowns involved coordinated inauthenticity that sought to engage mostly domestic audiences. A US-based network of “thinly veiled personas” associated with the Rally Forge marketing firm which appears to have worked on behalf of Turning Point USA and another conservative political organization that favored the re-election of President Trump. The network’s audience was primarily a US domestic one.
Facebook also dismantled a network in Myanmar that consisted of seventeen Pages, fifty Facebook accounts and six Instagram accounts. Their line was critical of the National League for Democracy and political leader Aung San Suu Kyi; there was also some anti-Rohingya content. The network was linked to members of Myanmar’s military.
The social network removed five-hndred-eghty-nine Facebook accounts, seven-thousand-nine-hundred-six Pages and four-hundred-forty-seven accounts on Instagram based in Azerbaijan. These were engaged in praise of President Ilham Aliev and the New Azerbaijani Party, criticism of the opposition (with accusations of treason), and denials that human rights were being abused in Azerbaijan. They also included patriotic content about the ongoing fighting with Armenia over Nagorno-Karabakh.
Finally, in Nigeria, seventy-nine Facebook accounts, forty-seven Pages, ninety-three Groups and forty-eight Instagram accounts were suppressed. The networks supported Ibrahim Zakzaky and Nigeria’s Islamic Movement; they were critical of the government.
Twitter’s cancellations showed little overlap with Facebook’s most recent round, although some of them did coincide with Facebook’s September enforcement round. Twitter cancelled inauthentic Iranian accounts that aimed principally at deepening US social fissures during the election season. The company also removed more than five-hundred Cuban accounts. It also cancelled Saudi accounts that operated principally against regional rival Qatar. The most interesting takedowns were of a network of accounts associated with the Royal Thai Army that “amplified” pro-government and anti-opposition content. Stanford’s Internet Observatory called the Army’s operation “low-impact” and “cheerleading without fans.” The Bangkok Post reports that the Royal Thai Army has denied any involvement in disinformation.