At a glance.
- Chinese security firm describes eleven-year CIA hacking campaign against Chinese targets.
- The US warns foreign adversaries against election interference.
- The Cyberspace Solarium offers remarks on election security.
- The US Justice Department offers advice on collecting threat information legally.
- Singapore will begin labeling connected devices.
- Congress sends the Secure and Trusted Communications Networks Act of 2019 to the President for signature.
Beijing does some naming and shaming.
Chinese security firm Qihoo 360 has outlined an eleven-year campaign by the US Central Intelligence Agency to compromise targets in China, particularly in the civil aviation sector. The report, apart from some suggestions that incursions into civil aviation extended beyond China, is mostly warmed-over Vault 7 material from WikiLeaks. The report makes much of the case of Joshua Schulte, currently standing trial in the US on Federal charges related to the Vault 7 leaks. Qihoo 360 has published useful warnings of cyber risk in the past, but as Forbes points out, this report depends heavily on material published earlier, with a heavy dose of speculation and not much in the way of detailed evidence for attribution. Thus the report seems likely to be Beijing’s riposte to Washington’s recent naming-and-shaming of Chinese cyber operators.
Mr. Schulte's case has gone to the jury. The Washington Post reports that the defense’s closing arguments portrayed Mr. Schulte as a patriot and a whistleblower whom an embarrassed agency made the fall guy for its own stumblebum performance. The prosecution argued that the former CIA employee was angry and vindictive, a disgruntled worker who wanted to damage the agency, knew what he was doing, and took steps to cover it up.
An interagency statement warns foreign governments to stay out of US elections.
The US Government issued a terse warning to foreign adversaries in advance of today's Super Tuesday presidential primaries: "any effort to undermine our democratic processes will be met with sharp consequences." The Secretary of State, Attorney General, Secretary of Defense, Acting Secretary of Homeland Security, and the Acting Director of National Intelligence all signed the joint statement, as did the heads of the FBI, US Cyber Command and NSA, and CISA. They also stressed the citizen's role in rejecting disinformation: know where and when to vote, know what the issues are, and know what identification will be required at the polls. And they commended state and local election authorities to voters as the best source of reliable information.
The Cyberspace Solarium offers an election-special preview of its recommendations.
This morning the Cyberspace Solarium held a public session to preview its recommendations on election security. The commissioners, especially Senator Angus King (Independent of Maine), gave the Government’s warning and advice about election security a big thumbs-up. Senator King compared what was happening with respect to election interference to cyber jujitsu, a yin, soft-style attack where the opposition uses our strengths--like freedom of speech and democratic processes--against us. Nina Jankowicz of the Wilson Center discussed Estonia’s experiences with a comprehensive Russian cyber campaign in 2007. She described ways in which the US might look to other countries’ experiences with Russian cyber operations and draw lessons that could be applied to attempts to interfere in US affairs.
CISA Director Christopher Krebs came to the session from a briefing about last night’s tornadoes in Nashville. He thought it worth pointing out that there were significant commonalities between cyberattacks and natural disasters. Election officials have contingency plans in place for disasters. The job of election officials is to prepare for every possible scenario, and they do it well, he thought, as the Nashville disaster shows. The tornadoes should also remind us that those officials’ focus is much broader than cybersecurity, and that CISA functions as an assistant to help augment their capabilities in cybersecurity.
Advice on how to collect threat information legally and safely.
The US Department of Justice has published advice about how to collect intelligence in cyberspace and stay on the right side of US Federal law. The Department notes that, “When properly conducted, such activities can improve organizations’ cybersecurity readiness and help prepare them to respond to cybersecurity threats effectively and lawfully.”
They boil their advice down to two overarching themes: “Don’t Become a Perpetrator,” and “Don’t Become a Victim.” Typically, passively gathering information is perfectly legal. But avoid, they say, accessing any online forum without authorization, or surreptitiously intercepting communications on such a forum. Don’t assume someone else’s identity without their consent. Using a fake online identity, by itself, isn’t usually a violation of Federal criminal law, but when your fake identity is someone else’s real identity, that becomes a problem.
Singapore will begin labeling connected devices with a security rating.
Singapore's Cybersecurity Labelling System (CLS) will come into use this year. "The CLS will serve to differentiate smart devices with better cybersecurity provisions in the market, and aims to incentivise manufacturers and product vendors to develop products with recognised and improved security features," Channel News Asia quotes the Ministry of Communications and Information. "Currently, consumer smart devices are often designed to optimise functionality and cost." The labels will indicate how well the products measure up against known design flaws, in security tests, and on their incorporation of best design practices.
US law designed to help rural carriers goes to the President.
After unanimous passage by the Senate, the Secure and Trusted Communications Networks Act of 2019 has been sent to President Trump for his signature. Among other things, the Bozeman Daily Chronicle reports, the bill provides a fund of $1 billion to help rural telecommunications carriers remove Huawei and ZTE equipment from their networks. Business Insider thinks a billion won't be enough, and that the measure may drive closer partnerships if not actual consolidation among smaller providers.