At a glance.
- US Cyber Command defends elections by "hunting forward."
- Germany's defense minister calls out Huawei's security issues as "a big thing."
- Singapore updates data protection laws.
Hunting forward.
For two years prior to yesterday’s presidential election, US Cyber Command deployed “the whole spectrum of offensive and defensive measures” against threat actors in Moscow, Tehran, and Beijing, CNN reports. The New York Times says Cybercom sent squads to Europe, Asia, and the Middle East to investigate tactics, techniques, and procedures. Deputy Commander Lt. Gen. Charles Moore explained, “We want to find the bad guys in red space, in their own operating environment. We want to take down the archer rather than dodge the arrows.”
So far election interference has been minimal, but some concern remains about unpredicted “black swan” occurrences or renewed attacks in the event of a contested result. Americans are urged to “remain calm and vigilant” throughout this period of heightened vulnerability. Cybercom will continue its efforts indefinitely, with General Moore calling election defense a “persistent and ongoing campaign.”
Not all the action in the post-election phase will be political or foreign. The criminals will be out and about, too. We received some reflections on the form post-election cyberattacks are likely to assume from Jerry Ray, COO of SecureAge, who wrote:
“The election results are already in dispute is the message being championed by the party more in fear of losing. And while domestic and foreign actors alike are trying to sow further discord thereafter by spreading falsehoods about the election results, cyber criminals are already relishing in the madness. The higher the temperature of those defending or defaming the election results, the lower their awareness of the multitude of attacks awaiting them through phishing emails, fraudulent websites, and all of the well-known forms by which the highly distracted may be exploited online.
“As the votes continue to be counted, the most inevitable and effective cyber attacks will be subtle, unnoticed, unattributable, and masked within the culture of doubt and suspicion cast upon the election for the sake of either plausible deniability by the victors or grounds for dispute by the vanquished. With only a fraction of a percent of the voting population determining the outcome, the attackers need only work in the margins and against those least able to defend themselves or least likely to notice.”
German defense minister backs US on Huawei.
As the CyberWire noted last month, Berlin has indicated that it will join the growing coalition of countries planning to exclude Chinese telecom tech from their infrastructure. The Washington Examiner reports on Defense Minister Annegret Kramp-Karrenbauer’s tough posture. “If the technology offered to us is not beyond reproach, it cannot be used,” she remarked to the Sydney Morning Herald. (The Herald observed that Kramp-Karrenbauer “is the first German minister to confirm publicly” that new regulations would block Huawei from the country’s 5G rollout.)
Canberra sounded an alarm over Huawei and ZTE in 2018, expressing unease about “extrajudicial directions from a foreign government.” Last year US Secretary of State Mike Pompeo began putting allies on notice that they might need to choose between Huawei and US military collaboration. Kramp-Karrenbauer commented that despite “tiffs across the Atlantic,” the important thing is to “get the big stuff right. China is big stuff.”
Singapore’s updated data protection law.
Singapore’s Monday amendment of its Personal Data Protection Act brought two main revisions, according to The Business Times. The maximum fine for breaches was increased, and organizations were given additional leeway over data usage, in an attempt to harmonize competing interests of consumers and companies. The bill highlights four primary goals: augmenting individuals’ autonomy, businesses’ responsibility, the bases for data handling, and the Personal Data Protection Commission’s (PDPC’s) enforcement capabilities. Some worry that the higher penalties might drive away business.
After performing a risk assessment, organizations can process data without consent for “legitimate” purposes like fighting crime. This means, for example, IoT data can be used in investigations without consumers’ permission. Companies are required to provide an opt-out interval for other novel applications, and must inform victims and the PDPC about serious breaches.