At a glance.
- NSA's warning that China is actively exploiting known vulnerabilities.
- Election rumor control.
- Anti-trust interest in Google reaches Japan.
- Developments in TikTok and Huawei bans (and permissions).
- US Senate bill would expand states' authority to assign the National Guard cyber missions.
- Boosting the cyber workforce.
NSA warns that Chinese services are exploiting known vulnerabilities.
The US National Security Agency yesterday advised that twenty-five vulnerabilities are under active exploitation by Chinese government cyber operators. All twenty-five are well-known, with patches and mitigations readily available. As the Wall Street Journal points out, the alert is of particular importance to the Defense Industrial Base. At least two points are worth noting: first, unpatched known bugs are probably more of a problem than the zero-days that draw so much attention, and, second, NSA is clearly growing into the more public role in US cybersecurity it's been assigned.
Jayant Shukla, CTO and Co-founder of K2 Cyber Security, wrote us to say that the warning should come as a reminder of the importance of good patching practices. "The new list of top 25 vulnerabilities being exploited by Chinese hacking is a great reminder that the easiest protection against cyber attacks is keeping your operating systems, applications, devices, and software patched and up to date. For organizations that can’t keep up to date or don’t have the resources to keep their software up to date, they should look into virtual patching solutions that protect the application, like the ones offered by RASP (Runtime Application Self-Protection) solutions, which are now mandated by the latest version of the NIST SP800-53 Revision 5 Security and Privacy Framework. RASP solutions also protect the organization against new and unpatched vulnerabilities."
Chloé Messdaghi, VP of Strategy at Point3 Security, seconded NSA's warning. “We definitely saw an increase in this situation last year and it’s ongoing. They’re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies... in other words, to steal and use for their own gain. I’m glad that the NSA has issued this. Publishing this report reinforces the work that companies need to do to secure their intellectual property, and pushes them to make the patches and maintenance they need to do.” She doesn't, however, approve of calling hoods hackers. “It’s disappointing to see the NSA refer to threat actors as hackers. I hope this changes. Many in the hacking community are legitimate security researchers who alert companies to vulnerabilities in order to secure – not steal – their intellectual property. Many other agencies and Federal entities (such as the Department of Defense) collaborate closely with the hacking community and their vulnerability disclosure programs define the research scope, contact processes, etc. – to help ensure that vulnerabilities are identified and addressed before threat actors can move on them.”
Election security and election rumor control.
The US Cybersecurity and Infrastructure Security Agency (CISA) has set up a rumor control page for 2020 election security. The page is easy to understand, and it emphasizes the difference between errors, accidents, and even normal behavior on the one hand, and on the other hand a compromised election.
We heard from Todd Rychecky, the VP of Americas for Opengear, and he noted the complexities of online services and the ways in which they'll be challenged with increased traffic during the elections: “During this election season, we will see increased traffic surges and many hackers trying to disrupt voting. Many challenges and threats can be easily eliminated by following network security and resilience best practices. This includes separating the management plane from the primary production network and enabling capabilities like automatic updates and issue prevention, reduced on-site interventions and faster disruption recovery. Safeguarding voting infrastructure means not only preventing and mitigating threats, but also ensuring a robust and flexible network.”
Tokyo aligns with EU and US in Big Tech anti-competitive actions.
Japan Fair Trade Commission Chairman Kazuyuki Furuya announced his intention to support EU and US regulation of the Big Four, Reuters reports. Recognizing the importance of international cooperation where international businesses are concerned, Furuya said, “We’ll work closely with our US and European counterparts, and respond to any moves that hamper competition.”
TikTok and Huawei developments.
The Pakistan Telecommunication Authority removed its TikTok embargo eleven days after imposing it, according to TechCrunch. The social media app, which has 20 million users in the country, agreed to police its platform in line with “societal norms and laws.” Islamabad said they’d better, or they’re looking at a forever ban. PT Profit reports the state demanded censorship of political criticism in addition to vulgarity. Earlier this year Facebook, Google, and Twitter bucked Pakistan’s proposed content restrictions.
Reuters covers Sweden’s exclusion of Huawei and ZTE from its 5G infrastructure, in line with counsel from the country’s military and intelligence agencies, which called China “one of the biggest threats against Sweden.” As we’ve seen, the no-Beijing-telecom-tech party is growing by the month.
As we’ve also seen, China is not happy about this party, and they’ve found an ally in the European Competitive Telecommunications Association (ECTA), Telecoms.com reports. The ECTA condemned geopolitically driven prohibitions and praised competition in the marketplace. For its part, China has passed a new export control law authorizing retaliation against offending countries. Telecoms.com says Beijing is “signaling its willingness to escalate,” and whether or not it does so will probably hinge on the outcome of next month's US elections.
Bill proposed in US Senate would facilitate states' use of National Guard for cybersecurity.
Legislation proposed by Senators Hassan (Democrat of New Hampshire) and Cornyn (Republican of Texas) would amend Section 502(f)(1) of title 32, United States Code, to make it easier for the states to assign Guard units cybersecurity missions. “Such training or other duty may include cybersecurity operations or missions undertaken by the member’s unit at the request of the Governor of the State concerned to protect critical infrastructure (as that term is defined in the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c)).”
A cyberstudies booster.
War on the Rocks has introduced a collection of essays on normative and practical cyberstudies topics out of concern for the field’s dearth of “rigorous theoretical and empirical analysis” and interdisciplinary communication. The publication hopes to advance new lines of inquiry at a time when cyberpolicy is undergoing tectonic shifts. Among other things, the issue considers Sino-American tensions, the shaming aims of hackers, US cyberdiplomacy next steps, election protection solutions, and an escalation framework.