At a glance.
- A look at Pakistan's cyber deterrent.
- US Cyber Command plans to defend space operations.
- Unknown actors deploy spyware against the European Commission.
- Battlespace preparation along the Sino-Indian border.
- US-EU data negotiations.
Pakistan looks toward cyber-deterrence.
Despite ranking 79th in the Global Cybersecurity Index, Pakistan has suffered its share of recent cyberattacks, particularly in the banking and energy sectors, and there are reports that the US and India have been targeting government officials for cyberespionage. The Express Tribune notes that Pakistan’s National Cybersecurity Policy 2021 says “[It] will regard a cyberattack on Pakistan CI/CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures.” The policy, however, emphasizes “deterrence by denial,” or denying the attacker any benefit, and does not mention retaliatory measures. Other global leaders’ cybersecurity plans, like the US Department of Defense’s 2018 Cyber Strategy, include retaliatory tactics in the name of cyber-deterrence. One possible path to full cyber-deterrence for Pakistan could lie in the nation’s IT exports, which are expected to reach $50 billion in the next few years.
US Cyber Command plans for defending space organizations.
As part of the Future Years Defense Program, a five-year budget projection for the Department of Defense, US Cyber Command will be investing in defensive and offensive teams to support space entities, including newly established space organizations like Space Command. “We continue to contribute to the persistent defense of US space-based assets and capabilities with a dedicated Cyber Protection Force (CPF) team; however, we are adding to that capability in the Future Years Defense Program (FYDP),” an Air Force spokesperson told FedScoop. Through Joint Force Headquarters-Cyber (JFHQ-C), under which various branches provide planning, targeting, intelligence, and cyber capabilities to combatant commands, the 16th Air Force/Air Forces Cyber is responsible for supporting Space Command.
Over the next two years, FYDP will be taking a phased approach to investments for defensive cyber protection teams, combat mission teams, and cyber support teams, which provide intelligence, mission planning and other necessary support work for combat mission teams. The Air Force spokesperson added, “In order to support USSPACECOM, our Cyber Protection Force will establish necessary command and control links and planning relationships through JFHQ-C Air Force. Additionally, the force will work with USSPACECOM to understand their priorities for defense. The systems that USSPACECOM depends upon to perform its mission have existed before this newest combatant command was created. Therefore, the knowledge necessary to defend these systems will further enable the forces that will protect them.”
Spyware tools used to spy on members of European Commission.
New reports concerning the abuse of controversial surveillance tools continue to surface. The latest apparent targets are senior officials of the European Commission. Reuters reports that European Justice Commissioner Didier Reynders and at least four other Brussels-based commission staffers were hacked using the surveillance software. The commission learned of the incidents in November after receiving messages issued by Apple notifying thousands of iPhone owners they were “targeted by state-sponsored attackers.” It’s unclear who is behind the hacks, but the news comes on the heels of the European Parliament’s announcement that it will be launching an inquiry investigating the use of surveillance software in European member states, a response to reports that Polish senior opposition politicians and Hungarian investigative journalists were targeted with spyware. NSO Group has denied that it was possible for its products to be abused in this way.
Battlespace preparation along the Sino-Indian border?
Indian authorities say they successfully stopped a cyber operation by Cicada, the Chinese threat actor also known as Stone Panda or APT10. The attacks, described by Recorded Future, were concentrated in the disputed Sino-Indian border region around Ladakh. The Deccan Herald quotes Power Minister R.K. Singh as saying, "Two attempts by Chinese hackers were made to target electricity distribution centres near Ladakh but were not successful."
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, commented on the continuing risk of cyberattacks against power grids:
"Cyberattack has become a favorite tool for nations to use against their geopolitical adversaries. It’s a powerful means of accomplishing wide-ranging goals from intelligence-gathering and espionage to disrupting critical infrastructure through sabotage. It’s also a compelling combination of relatively low cost and low risk to carry out cyber operations compared to more traditional human-based espionage or warfare which carry a much higher price tag and potential casualties. It’s also true that cyberattacks have the advantage of deniability, especially since many nation-state backed groups purposefully mimic the tools and techniques of more common ransomware and cybercrime gangs.
"The power grid attacks here are concerning, and I agree with the report that it’s not exactly clear what are the perpetrators' goals; however, there is some comfort in the relatively low sophistication with which the initial access footholds were gained through publicly exposed DVR and IP camera systems. Embedded devices like security cameras, DVR systems, and other IoT devices are notorious for their poor security and are regularly targeted by hackers to build massive botnets.
"By targeting those easy-to-exploit devices, a nation-state can deflect blame by claiming it may have been less advanced actors such as cybercrime groups. In contrast, if you utilize a sophisticated piece of malware like the notorious Stuxnet worm that not only contains multiple unknown zero-day exploits but also narrowly targets very specific systems for compromise, you’ve tipped your hand that some very expensive R&D went into development that’s likely out of reach to non-state sponsored actors. By exploiting simple issues like insecure base configurations or default passwords, it’s not only much cheaper to accomplish the same goals, but you muddy the waters between 'Advanced Persistent Threat' and 'Advanced Persistent Teenager.'
"To protect themselves from similar initial access attacks, organizations should immediately take steps to identify their public attack surface, especially with regard to any internet-exposed embedded or IoT devices like IP camera and DVR systems. While this is an important first step, it’s nowhere near enough to be genuinely resilient to cyberattacks. To do that, an organization has to start with a true culture of cybersecurity taken seriously from the highest levels of executive leadership down to the individual line of business operations. Effective defenses have to be informed by a clear-eyed understanding of modern cybersecurity risks and strategies for prevention, detection, and rapid response at all levels."
Privacy Shield's successor.
The US and the EU continue to work on a modus vivendi with respect to data handling and privacy protection. A preliminary agreement was reached at the end of March, Mondaq reports, but concerns over mass surveillance have continued, the Daily Dot says, and negotiations are likely to continue.
John Dermody, counsel in the Washington, D.C. office of international law firm O’Melveny & Myers and member of the firm’s Data Security & Privacy Group, commented on the progress of negotiations:
“As companies continue to grapple with the European Union’s strict data privacy laws, EU and U.S. leaders are touting a new preliminary deal that would allow companies to more easily transfer personal data to the United States. And while the deal is being hailed as an important step forward, several hurdles still remain for companies with trans-Atlantic operations.
“Just as with prior agreements, this new version will be challenged by European privacy advocates who believe that U.S. laws insufficiently protect the data of EU residents. Chief among their concerns is the ability of U.S. national security agencies to compel companies to turn over data, and the lack of redress for EU residents. It remains to be seen whether the new features of this agreement will bridge the gap between EU and U.S. privacy protections, or merely be deck chairs on the Titanic in the face of an eventual challenge by European privacy advocates.”
As the agreement continues to take shape, Dermody recommends paying close attention to the Standard Contractual Clauses (SCCs) used in international data transfers. “The steps that the SCCs require companies to take to resist data requests from U.S. national security agencies will most certainly play a role in the final agreement between the U.S. and EU.”