At a glance,
- UK PM Johnson warns of risk Chinese kit poses to infrastructure.
- BATS escape blacklist.
- When regulation makes business sense.
- A counterintelligence perspective on international cyber threats.
- Vaccine passports in tension with personal privacy.
- Comment on the US State Department's cybersecurity office.
UK PM wary of Chinese influence in infrastructure.
Yesterday UK Prime Minister Johnson commented that the country “should be vigilant” about Beijing’s role in critical infrastructure and cyber systems without slipping into “Sinophobia,” Reuters reports.
Dollars beat sense in BAT decision?
After weeks of debate, the US Government has decided to continue to allow its citizens to invest in Baidu, Alibaba Group Holding, and Tencent Holdings, or “BAT,” according to the Wall Street Journal. While Pentagon, State Department, and National Security Council officials connected the firms to China’s military—the stated criterion for joining the Defense Department’s blacklist—Treasury officials won out over fears of market destabilization. Insiders revealed nine additional companies and roughly one-hundred subsidiaries were approved to join the catalogue.
The Journal says the debate displays the rift between US foreign policy concerns and Wall Street, which “continue[s] to plow money into China,” funding military initiatives and making US markets beholden to their success. The Biden Administration’s position on the ban is not yet apparent.
Please regulate us: the business advantages of standardization.
Security Week says Twitter, Google, and Amazon want the incoming Biden Administration to “enact a federal digital data law” to reduce regulatory “balkanization,” as Twitter’s data privacy director put it. This is a distinctively American issue, with states and even local jurisdictions enacting their own privacy and security laws, but it's not exclusive to the US, either. Currently over one-hundred data privacy laws complicate the international landscape. Rick Song, CEO of Persona, sent us some predictions about the direction such legislation might take:
"In 2021 and the next few years, there will be more laws and regulations regarding data privacy at a federal and state level. As they arise, businesses have to rethink their approach to ensure compliance and safety.
"Consumer protection will be at the forefront of regulation - businesses need to be prepared not only to protect consumers’ PII but also to face a greater DSAR (Data Subject Access Request) demand. As companies scale in today’s environment, data becomes more distributed and harder to track down, making fulfilling DSAR requests and protecting data difficult and time-consuming. Each state will also have different requirements based on various regulations, making compliance even more costly and nuanced. In order to comply with new privacy laws, companies will need to implement systems that enable them to quickly and securely manage and delete data as well as execute opt-outs without needing to mobilize an entire engineering team."
Threat topography.
US National Counterintelligence and Security Center Director William Evanina spoke with the Washington Post about “the most pressing intelligence concerns…on the horizon.” He highlighted these, none of which are surprising:
- Chinese and Russian attempts on the coronavirus vaccine supply chain.
- China, Russia, and Iran in general, along with ransomware and hacktivist activity.
- Supply chain and critical infrastructure vulnerabilities, especially in telecom, energy, and financial sectors.
- Ongoing Solorigate fallout.
Vaccine passports prod privacy concerns.
The Daily Mail reports Britain is trialing an optional digital vaccine passport for the next two months in the form of a free app offered to thousands of vaccinated persons, with government officials issuing inconsistent statements about the plan. A biometrics company and a cybersecurity firm collaborated on the project, which received £75 thousand in state funding. The UK’s vaccine czar has variously commented that “mandating vaccinations is discriminatory and completely wrong,” there are “absolutely no plans for vaccine passporting,” and the Government is “looking at the technology.”
Meanwhile Greece is angling for a standardized EU vaccine passport, and Politico reports that Belgium has taken the idea a step further, suggesting a global passport. Concerned parties are calling the proposals “extreme,” pointing to data protection and human rights issues. One scholar worried the passports might “create a new distinction between individuals based on their health status, which can then be used to determine the degree of freedoms and rights they may enjoy.” Greece’s Prime Minister said travel won’t be conditioned on vaccination, but other countries, like Hungary, and companies, like the Australian-flagged airline Qantas, have indicated otherwise.
Comment on the US State Department's new cyber office.
In response to the US State Department's creation of a Bureau of Cyberspace Security and Emerging Technologies (CSET) to take a leading role in diplomacy surrounding cyberspace and new technologies, Nozomi Networks' Chris Grove sent us the following comments. He thinks the Solorigate affair suggests that the Bureau has its work cut out for it:
“The creation of this bureau should advance our capabilities and effectiveness when it comes to ‘defending forward,’ which is a critical component of our entire national security strategy. The more effective this diplomatic arm is at creating pipelines for defenders, the less there will be a need for ‘trench fighting’ in our own backyards.
"At the same time, the benefits of diplomacy don’t often come quickly. It will take time for serious international diplomacy efforts to significantly impact nation-state groups interested in theft of trade secrets, intellectual property, or other secrets. And it will never be able to prevent every nation-state threat.
"The recent SolarWinds supply chain compromise is a good example. The attackers were able to sneak past the National Security Agency by conducting the entire operation within our borders, limiting our nation-state defenses capability to identify the operation. In the case of this massive breach, the new bureau most likely wouldn’t have been able to significantly reduce the risks. At the same time, I can see a time in the future when diplomacy efforts are able to establish forward operating bases on the cyber front that would allow us to detect the operation from within Russia.
"Perhaps one of the more interesting questions to ask about the Cyberspace Security and Emerging Technologies Bureau is whether or not its establishment is a sign we’re moving closer to cyber war. Historically, diplomatic efforts have been most relevant during times of war. We don’t really use diplomats internally, and for the most part business, governments and the people operate without them. However, in times of famine, strife, war, or to prevent these very things, diplomats are critical to communications between nations. If not to aid in preventing significant cyber conflicts or wars, why would we create an office of diplomats rather than add more resources to the State Department’s existing cyber coordinators office, or expand the cyber security mission statement?”