At a glance.
- 2020 NSA Cybersecurity in Review is out.
- Chinese policy and its implications for other nations' cybersecurity.
- IoT security standards in the US and the UK.
- Vietnam cracks down on online dissent.
- A lawyer's look at the likely direction of US cybersecurity legislation.
NSA's Cybersecurity Directorate looks back on its first full year.
This morning the National Security Agency's Cybersecurity Directorate released its annual report, 2020 NSA Cybersecurity Year in Review. That the year was a difficult one, crowned in December by the discovery of the long-running Solorigate cyberespionage campaign, no one would dispute, but NSA's Cybersecurity Directorate points with justifiable satisfaction to some solid accomplishments, not the least of which was a much expanded program of public outreach. The Directorate is pleased to have:
- "Contributed to the whole-of-government approach securing the 2020 election by sharing insights on adversary cyber actors and activities, particularly regarding indicators of intent to interfere.
- "Supported Operation Warp Speed by providing cyber threat intelligence, cybersecurity assessments, and foundational cybersecurity guidance.
- "Provided 30 unique, timely and actionable cybersecurity products since the directorate’s standup, working with our partners across the U.S. Government and Five Eyes partners to share relevant information to secure our customer’s networks.
- "Supported the DoD’s transition to telework, releasing written products and providing Commercial Solutions for Classified Capability packages to enable approximately 100,000 users to telework securely.
- "Strengthened public-private partnerships through our Cybersecurity Collaboration Center and Center for Cybersecurity Standards.
- "Communicated directly with the cybersecurity community through our Twitter account, @NSAcyber."
Anne Neuberger, the first head of NSA's Cybersecurity Directorate, is slated to become the Deputy National Security Advisor for cyber in the next administration, and her letter at the beginning of the Year in Review probably foreshadows the advice she'll provide there.
Chinese policy: the mandate of heaven implies a mandate for collection.
An opinion piece in The Hill highlights a December Department of Homeland Security advisory cautioning businesses using Chinese technology about the “major threat to data security.” As we’ve seen, Beijing’s 2017 National Intelligence Law along with its 2020 Data Security and Cryptology Laws require citizens to assist state data processing efforts, in violation of international norms. This assistance may assume the form of data harvesting and backdooring or sharing of encryption keys. Impacted tech ranges from China-linked data centers and software to social apps and wearables.
Beijing’s grand plan, enunciated in "Made in China 2025," the Belt and Road Initiative, and Military-Civil Fusion policies, is to become the “leading global technological superpower by 2049,” the hundredth anniversary of Chairman Mao Zedong’s revolutionary takeover. Industries in other countries, especially those touching artificial intelligence and genomics, should be on high alert for government-facilitated IP theft and corporate espionage. Beijing’s plan also has military and moral implications, since poached information strengthens the People’s Liberation Army and enables human rights abuses. The article concludes that allies’ trade agreements with China show “regrettable” and “grotesque” disregard for the country’s concentration camps and escalating global threat.
Comment on recently enacted US IoT security standards.
Semiconductor Engineering reports that the unanimously passed US IoT Cybersecurity Improvement Act of 2020 has in effect followed the path paved by the 2020 UK Government response to the Regulatory proposals for consumer Internet of Things security consultation, 2020 California SB-327, and 2017 EU baseline security recommendations. Some argue that these developments should be regarded as a baseline, not a finish line, given the potential ramifications of threat actors hijacking devices as simple as light bulbs and HVAC units. (Use your imagination; we leave specific horror stories as an exercise for the reader.) Example areas for improvement include supply chain and identity management standards.
Vietnam prepares for Communist Party conference with a crackdown on dissent.
The South China Morning Post says Hanoi is squashing critics before the Communist Party’s high-stakes January 25th meeting, where officials will vie for power, as officials do. Several media figures, including four well-known journalists and a poet, have been jailed under a 2019 cybersecurity law criminalizing online criticism of the state. Amnesty International claims the country holds a total of one-hundred-seventy “prisoners of conscience,” with forty percent having landed there for social media use.
Comment on the likely direction of US cybersecurity legislation during 2021.
We received some notes from Scott Pink, special counsel in the Silicon Valley office of O'Melveny & Myers, where he also serves as a member of the law firm's Data Security and Privacy Group. With respect to US legislation, he expects more regulation, especially at the state level, and especially with matters having to do with personal data. Some such regulation will emerge in tandem with efforts to contain the pandemic, he says: “COVID-19 health data is of immediate concern as we move into the pandemic’s next phase. Governments and health care systems are collecting vast amounts of contact tracing and vaccine-related information. Implementing laws, policies, and procedures to ensure the integrity of that data will be key.” And criminal law will evolve to better address the threat of ransomware. “These attacks are a significant risk, as they can severely impact operations of government agencies, companies, schools, and beyond. It’s vitally important to remain vigilant, especially as remote working and the increasing sophistication of phishing and social engineering attacks create more vulnerabilities than ever before.”