A state of emergency over bulk power in the States. Beijing’s disinformation about COVID-19, and its motivation for a coverup. Hacking biomedical research. Curious Xiaomi phones.
Dave Bittner: [00:00:05] A US executive order on securing the United States bulk-power system declares a state of emergency in electricity generation and distribution. China's disinformation about COVID-19 may have begun in the earliest stages of the pandemic. Someone's hacking for information on British biomedical research. Xiaomi seems very interested in users of its phones. Andrea Little Limbago tracks global privacy trends. Our guest is Mathew Newfield from Unisys with his insights on trends in breaches. And the Love Bug's creator is found.
Dave Bittner: [00:00:44] It's time to take a moment to tell you about our sponsor Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web. It gives cybersecurity analysts unmatched insight into emerging threats. We read their dailies at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. They watch the web, so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:42] Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:07] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 4, 2020. President Trump on Friday issued an Executive Order on Securing the United States Bulk-Power System. The executive order expresses recognition of the degree to which foreign adversaries are interested in holding the U.S. electrical power generation and distribution system at risk and declares a state of emergency. It explicitly addresses cyberthreats and vulnerabilities, but the executive order concentrates on safety and reliability engineering and on the risk of a hostile foreign government's ability to compromise hardware supply chains or engage in active sabotage. No companies or nations are named in the order, but it resembles other steps the executive branch has taken with respect to information and communications technology, and these have tended to fall most heavily on Chinese companies, notably Huawei.
Dave Bittner: [00:03:04] The Department of Energy will be the lead agency for enforcing the restrictions the executive order imposes. The secretary of energy will also lead a task force that will address federal policy on securing bulk-power systems. Its members will include the secretaries of defense, interior, commerce and homeland security, the director of national intelligence, the director of the Office of Management and Budget and, quote, "the head of any other agency that the chair may designate in consultation with the secretary of defense and the secretary of the interior," end quote.
Dave Bittner: [00:03:38] It's worth noting that many of the entirely realistic concerns about supply chain integrity have concentrated on the risk posed by counterfeit and presumably unreliable parts. Serious as the threat of counterfeit parts may be, they're not what the present executive order is about. It's about the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment with potentially catastrophic effects. That's a far more intentional threat than the introduction of slipshod components into a supply chain.
Dave Bittner: [00:04:10] Nextgov quotes a Public Citizen representative who wonders whether the executive order is just a cynical attempt to hobble the green energy sector by keeping Huawei parts out of the hands of solar power operators, but that view seems unlikely to gain much traction. A bipartisan group of ten senators in February of last year wrote the secretaries of energy and homeland security to ask that the government ban Huawei specifically from participating in the US photovoltaic market. Last Friday's executive order is a step in that direction.
Dave Bittner: [00:04:45] China's COVID-19 disinformation campaign may have begun by suppressing domestic social media comment, and it may have begun in the earliest stages of the epidemic. WIRED describes how quickly and comprehensively the Chinese government moved to suppress social media posts that dealt with the initial outbreak of COVID-19 in Wuhan. The efforts at suppression go back at least as far as the first week of January. How have reporters become aware of them? By following the maxim "Cover China as if you were covering Snapchat." The posts have a brief life, so when you see something interesting, take a screenshot before the post is squashed and the account blocked for spreading malicious rumors. Weibo and WeChat Moments are the most commonly used platforms on which ephemeral posts appear.
Dave Bittner: [00:05:32] Avoiding embarrassment would surely have been a principal goal of the censorship campaign, but it may have also had a more direct practical objective. The motivation for suppressing the news may in part have been motivated by plans to stockpile necessary medical supplies. The AP and Politico report seeing a US Department of Homeland Security report that says in part, quote, "we further assess the Chinese government attempted to hide its actions by denying there were export restrictions and obfuscating and delaying provisions of its trade data," end quote. Before informing the World Health Organization of the epidemic's outbreak, Beijing significantly cut back exports and increased imports of such basic medical equipment as face masks, gloves and gowns.
Dave Bittner: [00:06:18] Intelligence services continue to investigate the source of the outbreak. The Washington Examiner reports that a majority of the agencies in the US intelligence community now believe with high confidence that the COVID-19 pandemic originated in the Wuhan Institute of Virology. The release is believed to be accidental, and the virus is not thought to have been engineered. The alternative explanation, that the outbreak involved zoonotic transmission from Wuhan wet markets, remains a possibility, but it's losing ground. The Examiner also quotes US Secretary of State Pompeo as saying that there's "enormous evidence" of the lab's role in the initial spread of the virus.
Dave Bittner: [00:07:00] The cybersecurity team at Unisys have been tracking trends in breaches. Mathew Newfield is chief information security officer at Unisys, and he offers his perspective.
Mathew Newfield: [00:07:10] One of the things we're really focused on is what is the work-from-home experience going to be like moving forward? One of the things that is coming up a lot in the conversations I have with CIOs and CISOs around the world is they do not expect to go back to the way things were as recently as January, with the amount of people that will be coming into offices.
Mathew Newfield: [00:07:35] And there is an interesting focus on the new norm for working from home. And it's interesting for a couple of reasons. First, there are roles that a lot of organizations thought must be in an office to be successful. Everything from being a coding engineer to an IT administrator to service desk, help desk employees - they're all working from home now, and a lot of organizations are seeing not only success with that but improved performance, improved efficiencies and improved morale where there are areas that may have heavy commute times.
Mathew Newfield: [00:08:16] One of the interesting things that's also happening is around that, a lot of financial executives are looking at the cost per employee to keep them in an office as compared to keeping them at home. So I think you're going to see not the number stay where it is now, which is that 90 to 100% work from home, but I don't think we're going to get back to that 13 to 17% where, you know, there's been this huge push over the last few years to really get people into offices.
Dave Bittner: [00:08:48] You know, as a leader in the industry, as someone in a high-level position such as the one you're in, how are you going about checking in on your people? How are you handling the human side? As people are working from home, you might not have the direct contact, you know, those water cooler conversations that you used to have. How do you make sure that people are doing OK in the midst of an anxiety-inducing event like this?
Mathew Newfield: [00:09:16] It's a great question, and I think this is actually the most important thing all leaders can do for the people they work with, the people they work for and the people that work for them. I set aside a significant amount of my time every day to make phone calls, to make video calls to the people I work with just to check in on them. I would tell your listeners one of the things you need to be aware of is if you're doing that from a business perspective, you have to communicate with your employees on what platforms are acceptable for business conduct as compared to personal conduct.
Mathew Newfield: [00:09:55] And let's be honest - a lot of people are really concerned about what does this continuing situation - what is it going to do to my job? What's it going to do to me personally? And by having regular communications, you can stamp down that fear, that level of anxiety so that people can focus on the job at hand.
Dave Bittner: [00:10:15] That's Mathew Newfield from Unisys.
Dave Bittner: [00:10:19] Sources at the National Cyber Security Centre have told journalists that Russian and Iranian intelligence services are seeking to infiltrate the networks of medical research programs working on COVID-19, the Telegraph reports. The Telegraph story suggests that these efforts are part of the same campaign U.S. counterintelligence authorities discussed last week with the BBC. That attribution isn't universally accepted, and the evidence is still being developed. The report in the Guardian, which quotes extensively from statements by NCSC, indicates that the hackers could have been a criminal gang as easily as they could have been a nation-state, although those lines are, in such cases, often blurry. A report from ZDNet this morning adds China to the rogues' gallery of suspected states.
Dave Bittner: [00:11:08] Chinese device and accessory manufacturer Xiaomi is tracking ostensibly private information collected from users of its phones and of its Mi and Mint browsers, Forbes reports. Researcher Gabi Cirlig told Forbes that the data he observed being collected from his own device included all the websites he visited, search engine queries - and those included queries with either Google or DuckDuckGo - and everything viewed in a Xiaomi news feed. The folders he opened, his movements among screens and the songs played on the Xiaomi music app were also being followed. The data were sent to servers in Singapore and Russia to domains registered in Beijing. The collection occurred even when the researcher moved to a private incognito mode. Xiaomi has denied any impropriety or illegality.
Dave Bittner: [00:11:58] And finally, remember the Love Bug infestation that circulated around the Internet in 2000? The BBC has tracked the author down to a repair shop in Manila. He's sorry. He says he was only trying to steal a few passwords to get free Internet. And let those who haven't wanted free Internet cast the first stone, we guess.
Dave Bittner: [00:12:26] And now a word from our sponsor KnowBe4. Corporate privacy concerns are more paramount than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware and software needs and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his new book, "The Art of Invisibility." Kevin Mitnick has a new webinar, and a few topics include privacy concerns around employees using personal devices for business purposes, security issues with various operating systems, mobile devices and the internet of things, the reality of deep privacy and how tied together devices, systems and surveillance really are and why new-school security awareness training is more critical than ever before. Plus, Kevin shares some shocking new demonstrations that will change the way you think about privacy. Go to knowbe4.com/artofinvisibility to watch the webinar. That's knowbe4.com/artofinvisibility, and we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:41] And I am pleased to welcome back to the show Andrea Little Limbago. Andrea, it's always great to have you back. I wanted to touch base with you today on some of the things that I know you're tracking when it comes to privacy, some of the initiatives that are making their way through various organizations around the world. What can you share with us today?
Andrea Little Limbago: [00:14:01] You know, in many cases, people thought, you know, when GDPR went through, that that was the year of privacy, but I think, really, what we're seeing is the continuation of what happened in 2018, that with GDPR coming into effect, with, you know, Cambridge Analytica really sparking much greater awareness amongst the public of what data was being collected and monetized. And then as we keep seeing high-profile cyberattacks go on, the momentum continues to build from 2018 through now. And I think it will be throughout this year. And so what we're seeing as a two-level game - is what we call it in international relations - what's going on domestically and what's going on internationally.
Andrea Little Limbago: [00:14:33] And so internationally, Brazil is probably one of the bigger ones to keep an eye on for this year. And so they're passing the LGPD privacy law that bears a lot of similarities to the GDPR. And so just as, you know, I think in the past, we've talked about digital authoritarian models spreading, the GDPR model is also spreading to other countries as far as data protection and individual data rights. You know, sort of a good anecdote along that is Ecuador last year - towards the end of last year experienced a data compromise where data on almost all their citizens was exposed online. In a week, they went to - were trying to push through a law that bore a lot of resemblances to the GDPR.
Andrea Little Limbago: [00:15:10] So when countries start to take privacy seriously and start understanding what needs to be done, the model they're looking to right now is the GDPR. And so I would keep an eye on that, on which countries are starting to try and do similar kinds of policies and laws. And even, you know, India - and India's going through a very big debate right now that highlights, I think, that the push-and-pull tension that's going on with privacy - because on the one hand, they want to - India is very much ingrained in the SMR encryption debate going on, and they want the government-mandated backdoor access. And so you've got that going on, on one hand.
Andrea Little Limbago: [00:15:47] At the same time, India has a big push for individual data rights and data control that they're pushing through and are trying to create an organization to oversee it and help provide that greater data access and control, given, you know, they've got the database of about, you know, over a billion people. So there's a push and pull going on there, and that will be an interesting tension to see which, you know, which movement really wins out. And so we see a lot of that going on globally.
Andrea Little Limbago: [00:16:11] Still continue to see, though, you know, the various surveillance states and more and more data being, you know, gobbled up across the globe by governments in the U.S. at the domestic level, absent any federal policy right now for privacy and data protection, which, you know, I don't foresee that coming this year. The states are taking the lead, and Hawaii was just the most recent one, I think, to jump onto that, and we're seeing a lot of basically following on the trail of, you know, of what the CCPA did - the California Consumer Privacy Act. You know, that came into effect in January, and other states are taking parts of that for data protection and privacy. They're customizing it to their own. And really what we're getting - we're getting a patchwork where, very similar to data breach notification laws, where we now have 54 differentiated breach notification laws in the U.S...
Dave Bittner: [00:16:57] Right.
Andrea Little Limbago: [00:16:57] We're getting to the point where the - at least if I were to guess where the trends and trajectories are going, we're going to end up with 50 different data protection laws. And that - before we get to that point, I imagine businesses and so forth will force the issue at the federal level for harmonization because it's becoming - it's going to increasingly become hard to figure out what laws apply where and to what extent.
Dave Bittner: [00:17:19] Now that we've been living with the GDPR for a little while, as other nations look to spin up their own versions and are looking at that, are there any lessons that they've learned, any lessons on what not to do, any unintended consequences?
Andrea Little Limbago: [00:17:37] Yes, I think for sure, and that's - yeah. We could - you know, it's almost nice to be getting the second-mover advantage so learning what was the first mover has done and, you know, build upon what they did right and, you know, and learn lessons from what they did wrong. And I would argue that perhaps the biggest one on the GDPR is really just the resources required. And - you know, because once it came into effect, you know, there were so many cases that were brought forth that it's really been hard to go through, and without precedent for any of them, you know, they're basically have to - having to build the legal precedent now so that down the road, I think they'll be faster in looking at the violations and the fines and figuring that out, but right now, they're basically establishing precedent in relatively new areas and don't necessarily have all the resources required, the personnel to do it, to actually handle all the different complaints being brought in.
Andrea Little Limbago: [00:18:25] And I think that's true both at the government level and then we also see it at the corporate level as far as, you know, right of access and making sure that when an individual does ask for all the data on them, whether corporations are actually prepared to return that in a timely manner. And I think we're seeing, again, that those resources may not quite be there yet. And so - that's almost where I would argue one of the bigger areas is. And then I think also just thinking about how we define, you know, personal data, thinking about the timely responses and so forth, I think, is an area - another area that I think we're going to learn some lessons from.
Dave Bittner: [00:19:00] All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: [00:19:03] Great. Thank you for having me.
Dave Bittner: [00:19:10] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com, and for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Dave Bittner: [00:19:54] And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:20:07] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.