News for the cybersecurity community during the COVID-19 emergency: Wednesday, April 29th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Spyware and contact tracing apps. Avoiding distraction.
Update on COVID-19 origin disinformation.
CNN reported earlier this week that a US Army Reservist who participated in last October's World Military Games in Wuhan has been falsely identified as the source of infection. The Reservist, Sergeant First Class Maatje Benassi, who competed in the games as a cyclist, has become the focus of conspiracy theories about the origins of the virus. The story began as Chinese government disinformation but was subsequently picked up and distributed by a gaggle of YouTubers fascinated by bogus conspiracy theories.
The US Army is providing Sergeant First Class Benassi with support against the attention. Colonel Sunset R. Belinsky told the Army Times, “The Army is providing support to help Sgt. 1st Class Benassi with the public attention. As a matter of policy, the Army would neither confirm nor deny any safety or security measures taken on behalf of an individual; however, as we would with any soldier, the Army will work with the appropriate authorities to ensure that she and her family are properly protected.”
Senators ask intelligence and counterintelligence leaders not to get distracted.
Two US Senators, Margaret Wood Hassan (Democrat of New Hampshire) and James Lankford (Republican of Oklahoma) wrote Acting Homeland Security Secretary Wolf, Acting Director of National Intelligence Grennell, and FBI Director Wray "to express concern over continued terrorist threats and to request information about the United States government’s counterterrorism capabilities amid our nation’s struggle with the COVID-19 pandemic."
The Senators note two issues. First, intelligence, counterintelligence, and law enforcement personnel are working under the same pandemic-induced stress the rest of the country is experiencing, and therefore certain obstacles to effective collection and action against terrorist groups may have inevitably arisen. As the letter puts it, "However, due to social distancing measures, many federal employees have been assigned to telework or have been instructed to work in limited shifts. Additionally, key state and local law enforcement partners face their own reduced capacity thanks in part to their battle against COVID-19. For instance over 1,400 employees and officers of the New York Police Department have tested positive for COVID-19, and on one day in April, 17% of the force called out sick."
Second, both domestic violent extremists and foreign terrorist groups appear to see COVID-19 as presenting them with a heightened opportunity for attacks that further their cause. "The continuation of existing terrorism threats combined with the prospect of groups like ISIS attempting to exploit the COVID-19 crisis therefore puts a high priority on the federal government maintaining an uninterrupted counterterrorism posture during our response to the pandemic." Some groups might seek to infect targeted populations with the coronavirus, others might mount disinformation campaigns around the pandemic, and increased social isolation might render vulnerable individuals more susceptible to radicalization.
Senators Hassan and Lankford pose twelve specific questions that cover such matters as preparation, public communication, and observed terrorist incidents.
Contact-tracing apps and lawful intercept.
Vendors of lawful intercept tools ("spyware," in popular jargon, and when misused) are offering their products to governments as a quick approach to scaling COVID-19 contact tracing. Israel-based Cellebrite has, according to Reuters, offered its product to police in India as an aid to tracking people who may have been exposed to infection. Cellebrite is best known for a tool that law enforcement agencies have used to gain access to iPhones in the course of criminal investigations. Cellebrite points out that it's long offered its product to law enforcement, and that it recommends that participation in such contact tracing should be voluntary. The Israeli government is said to be working with NSO Group (whose Pegasus intercept tool has gained notoriety) to develop similar capabilities. Cyprus-based Intellexa and New York-based Verint have also offered their products to governments interested in contact tracing.
Observers suggest that surveillance tools of this kind are too imprecise for contract tracing purposes. For that to be done effectively, it would need to be able to determine proximity within ten meters or less, and ideally to within two meters. Bluetooth-based apps may be able to do that, but the geolocation provided by surveillance tools are generally thought by critics to be too coarse for such purposes.
Governments aren't alone in their desire to obtain a contact-tracing capability. Corporations are, too, as the Washington Post notes. Their motives range from a desire to serve a government market (as in the four companies Reuters mentions), to an interest in employee health and workplace safety, to something indistinguishable from public spirit.
Contact-tracing apps may work, but voluntary participation remains well below what epidemiologists believe necessary.
Many of the Bluetooth-based contact tracing apps, like those under development by Apple and Google, are both voluntarily installed and decentralized. Treating mobile devices as proxies for persons is of course imperfect (not everyone has a device, and not everyone who does carries it around with them), but the simplifying assumption that the presence of a phone more-or-less equals the presence of a person should still have considerable utility.
A study conducted at Oxford University estimated that, to stop an epidemic, a population would have to participate at rates of about 60%, although even lower levels of participation could be expected to have a positive effect. The Oxford researchers offer survey data they regard as encouraging: they've collected "feedback from over 6000 potential app users in 5 countries, which suggest that 84.3% of users would definitely or probably install a contact tracing app for coronavirus in the UK after lockdown, and between 67.5% - 85.5% in France, Germany, Italy and the USA."
But that seems, now, to be over optimistic. Even the success stories fall below half the population, and in most cases they're lower than the 40% participation rate the Conversation says authorities in Australia (to take one example) would be happy with. The Washington Post reports that most Americans are either unwilling or unable to use even the relatively nonintrusive, voluntary, and decentralized contact-tracing apps. A Washington Post-University of Maryland poll finds widespread reluctance among Americans to install such an app, and concludes that skepticism about Big Tech's reliability as a steward of personal data forms the principal basis of that reluctance.