News for the cybersecurity community during the COVID-19 emergency: Monday, April 27th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
The European assessment of China's disinformation efforts was arguably harsher than public statements suggested.
The European External Action Service's internal memorandum on disinformation efforts surrounding the COVID-19 pandemic reported substantially the same conclusions as the US State Department: Russia, China, and Iran have engaged in "highly harmful disinformation" that's "gone viral," especially in smaller media markets.
The assessment linked above is the EEAS internal report. According to the New York Times, EU officials under pressure from Beijing and desiring to achieve more amicable relations delayed publication of the report from Tuesday until Friday, and softened the harsher conclusions about China before rendering their public statement. In the Times' judgment the original report "was not particularly strident: a routine roundup of publicly available information and news reports." The Times reports that Chinese government protests to EU officials were responsible for the delay in publication.
For its part EEAS has denied modifying its report under Chinese pressure. “We have never bowed to any alleged external political pressure,” an EEAS spokesperson told EURACTIV yesterday. On the EEAS's account, the differences between the two drafts are of the purely editorial sort that commonly arise when an internal document is revised for public distribution. “As is the case for all publications, there are internal procedures in place to ensure the appropriate structure, quality and length and particular attention is paid to ensure that the phraseology is unassailable,” the spokesperson said. Indeed, the public report does retain most of the internal memorandum's charges against Beijing.
In the meantime, the BBC reports that China has also rejected an Australian-led call for an investigation into the origins of COVID-19, dismissing it as a "politically motivated" effort that "would serve nobody any good." As the BBC paraphrased Chen Wen, a senior diplomat in China's mission to the UK, "there were lots of rumours about the origins of the virus but such misinformation was dangerous, she claimed, and said it was like a political virus and as dangerous as coronavirus itself, if not even more so." A British official speaking with the BBC on condition of anonymity said there was "nervousness" about confronting China, since relations with Beijing are presently "delicate."
"China always opposes the fabrication and spread of disinformation by any person or institution," Chinese Foreign Ministry spokesperson Geng Shuang said at a regular press briefing this morning, Beijing-headquartered CGTN reports. The Foreign Ministry's position is that there's no reason to think the virus originated in China, and that, insofar as disinformation is concerned, China is more sinned against than sinning. (In fact, in Beijing's view, it's not sinning at all: they're the real victims here.)
For a summary of Chinese active disinformation about the coronavirus, see the EU's External Action Service's original internal report, especially pages 7 and 8.
Contact-tracing app updates.
Android Police describes how Apple and Google intend to make their contact-tracing technology more private, and more acceptable. One change is in branding: they now refer to their technology as an "exposure notification apparatus," which the companies believe better captures the tech's purpose, and which in their view sounds less intrusive and not so threatening. A device with the app installed would use Bluetooth Low Energy to ping other Android or iOS devices within, roughly, ten to fifteen feet (about three to four-and-a-half meters). The entire process is voluntary: not only would users have to opt in, but they'd also have to self-report any positive COVID-19 diagnosis. Bluetooth metadata would be encrypted, and the ID keys would be generated at random. The apparatus is expected to become available in mid-May.
With Apple refusing to budge on privacy standards, Reuters reports that Germany yesterday abandoned its plans for a centralized approach to contact tracing. Berlin had through Friday at least strongly favored the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) system. The reversal means Germany is likely to adopt the exposure notification apparatus Apple and Google have been working on.
The UK's National Health Service (NHS) is working to build trust in its own version of a Bluetooth Low Energy contact-tracing system, according to ComputerWeekly. NHSX, the Service's "digital innovation unit," hopes to field its app, which is based on work done by Oxford University’s Nuffield Departments of Medicine and Population Health, soon. It's being tested at a Royal Air Force facility in Yorkshire.
Indonesia has also deployed its own version of a Bluetooth Low Energy based proximity tracer, PeduliLindungi, the Jakarta Post writes. Concerns being expressed locally, at least according to the Post, are more about security than privacy: people are being warned to keep their Bluetooth devices up-to-date.
Given that these apps are opt-in, how many people are actually opting in? About 1.9 million in Indonesia (a country of 268 million), according to the Jakarta Post. Norway's Smittestopp has done better: Forbes says more than 1.4 million Norwegians have downloaded the app, which for a country of fewer than 5.4 million isn't that bad.
For an account of some recent work on contact tracing, see the CyberWire's Research Saturday for 4.25.20.
Not precise enough to trace contacts, but good enough to tell where you've been?
Norway's Smittestopp uses both Bluetooth Low Energy proximity tracing and smartphone geolocation, and, as Forbes points out, that's aroused controversy over the privacy of people's movements. The app could in principle lead to close geotracking of individuals.
Some privacy advocates have objected to what they see as a fundamental issue with geolocation. Law360 reports that cellphone geolocation data aren't capable of achieving accuracies much better than fifty meters. That's close enough to tell people what place of worship, saloon, or social club you're heading for, but it falls well short of the generally accepted two-meter social distancing standard. The objection, then, is that mobile device geolocation data are too coarse for proper epidemiological use but quite suitable for various projected forms of social control.
But this concern seems wayward, at least insofar as it might be thought to apply to the sorts of decentralized tracing tools Apple, Google, and many governments have in mind. Those tools don't depend upon geolocation the way a strongly centralized system might, but rather on proximity. Thus a device would be notified if it came within a few meters of a device that had reported an exposure. Where those devices might be, from Timbuktu to Kalamazoo, wouldn't necessarily matter at all.
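The two points above, the randomized rolling identifiers in the Apple and Google scheme described under the contact-tracing updates, and the observation here that matching turns on proximity rather than on where the devices were, are easier to see in working code. What follows is an added illustration written for this page; it is not Apple's or Google's code and not the protocol specification. It keeps the structure of the published design (a fresh random daily key per phone, short-lived identifiers derived from it and broadcast over Bluetooth, daily keys uploaded only after a self-reported diagnosis, and matching done on the phone) but substitutes truncated HMAC-SHA256 for the specification's HKDF and AES derivation, a Python list for the diagnosis server, and a function call for the BLE radio. The names, the thirty-minute scenario and the timestamp are constructed.

```python
"""Simplified decentralized exposure notification (added illustration, not the
Apple/Google implementation or specification)."""
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass, field

INTERVAL_SECONDS = 600                           # identifiers rotate every ten minutes
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS    # 144
ID_LEN = 16


def interval_number(unix_time: int) -> int:
    """Ten-minute interval index: the only clock value the scheme needs."""
    return unix_time // INTERVAL_SECONDS


def rolling_identifier(tek: bytes, enin: int) -> bytes:
    """Identifier broadcast during interval `enin` under daily key `tek`.

    Assumption/simplification: HMAC-SHA256 truncated to 16 bytes.  The real
    design derives an intermediate key with HKDF and encrypts the interval
    number with AES-128.  The property used below is the same either way:
    without the daily key, identifiers cannot be linked to each other or to
    the phone that sent them.
    """
    return hmac.new(tek, enin.to_bytes(4, "little"), hashlib.sha256).digest()[:ID_LEN]


@dataclass
class Phone:
    name: str
    teks: dict = field(default_factory=dict)                        # day index -> random key
    heard: dict = field(default_factory=lambda: defaultdict(set))   # identifier -> intervals

    def daily_key(self, enin: int) -> bytes:
        day = enin // INTERVALS_PER_DAY
        if day not in self.teks:
            self.teks[day] = os.urandom(ID_LEN)   # fresh random key each day
        return self.teks[day]

    def beacon(self, enin: int) -> bytes:
        """What this phone advertises over BLE during interval `enin`."""
        return rolling_identifier(self.daily_key(enin), enin)

    def hear(self, enin: int, identifier: bytes) -> None:
        """Record a nearby beacon: only the bytes and the interval, never a location."""
        self.heard[identifier].add(enin)

    def report_positive(self, server: list, days) -> None:
        """Self-reported diagnosis: publish daily keys only.  Nothing this phone
        heard, and nothing about where it was, leaves the device."""
        for day in days:
            if day in self.teks:
                server.append((day, self.teks[day]))

    def exposure_intervals(self, server: list) -> int:
        """On-device matching: re-derive every identifier each published key
        could have produced and count the intervals in which one was heard."""
        matched = set()
        for day, tek in server:
            for enin in range(day * INTERVALS_PER_DAY, (day + 1) * INTERVALS_PER_DAY):
                if enin in self.heard.get(rolling_identifier(tek, enin), ()):
                    matched.add(enin)
        return len(matched)


def exchange_beacons(enin: int, phones_in_range) -> None:
    """Stand-in for the BLE radio: every phone in range hears every other one."""
    for sender in phones_in_range:
        for receiver in phones_in_range:
            if sender is not receiver:
                receiver.hear(enin, sender.beacon(enin))


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob share a room for thirty minutes,
    Carol is elsewhere, and Bob later reports a positive test."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    start = interval_number(1_588_000_000)            # 27 April 2020, UTC
    for enin in range(start, start + 3):              # three ten-minute intervals
        exchange_beacons(enin, [alice, bob])
        exchange_beacons(enin, [carol])               # Carol hears nobody
    bob_ids = {bob.beacon(e) for e in range(start, start + 3)}   # what a sniffer would see
    diagnosis_server = []                             # published (day, key) pairs only
    bob.report_positive(diagnosis_server, days=[start // INTERVALS_PER_DAY])
    return {
        "alice": alice.exposure_intervals(diagnosis_server),   # 3 matching intervals
        "carol": carol.exposure_intervals(diagnosis_server),   # 0
        "bob_distinct_ids": len(bob_ids),                      # 3: one per interval
        "server_entries": len(diagnosis_server),               # 1: Bob's daily key
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the run makes visible. The diagnosis server ends up holding one daily key and nothing else, and Alice's match is computed entirely on her own phone from what she heard, so neither party's location enters the process at any point. A passive Bluetooth observer, on the other hand, sees three unrelated identifiers from Bob in thirty minutes and cannot tie them together until, and unless, Bob publishes his key.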
Where geolocation does come into play is with quarantine enforcement. In that case where on earth you are—whether you're self-isolating at your apartment in Chelyabinsk or under your in-laws' care at their bungalow in Ho-Ho-Kus—is relevant. The BBC reports that South Korea and Hong Kong have both been using tracking wristbands to keep track of people who've been placed under quarantine, and that Bulgaria is beginning a trial of a similar system.
It's of course possible that such decentralized tracing systems could be abused, or designed in a fashion that lent itself to abuse, but that form of geolocation doesn't appear to be a necessary feature of their design. Nonetheless the involvement of some intelligence services in contact tracing gives observers pause: Pakistan's ISI, according to Eurasian News, is involved in that country's efforts.
The state of COVID-19-themed cybercrime.
Tripwire's useful roundup of what's going on with COVID-19-related cybercrime shows that three trends continue. First, COVID-19 figures prominently in the phishbait criminals are using to distribute malware or steal user credentials. Second, attacks are impersonating well-known and authoritative official or corporate sites. And third, the fraudulent online sale of bogus cures, defective masks, and so on, continues apace.
As usual, current events shape the form fraud takes. The US Small Business Administration's (SBA) disbursement of emergency relief funds provides an opportunity for scammers. IBM's X-Force reports that emails representing themselves as coming from the SBA are in fact bearing attachments whose payload is the Remcos remote access Trojan.
New York State financial regulators advise companies to take due notice of COVID-19-related cyber risks.
JDSupra sums up guidance just issued by the New York Department of Financial Services (DFS): "It is clear that the NYDFS views COVID-19 related cyber risks as a direct call to action to regulated entities."
The Department of Financial Services wrote in a letter dated April 13th of this year that it "has identified several areas of heightened cybersecurity risk as a result of this crisis. As called for by DFS’s cybersecurity regulation, 23 NYCRR Part 500, regulated entities should assess the risks described below and address them appropriately." The pandemic has increased risk, DFS says, in three areas:
- Remote Working
- Increased Phishing and Fraud
- Third-Party Risk
"We also remind all regulated entities that, under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest. Prompt reporting will enable DFS to respond quickly to new threats as DFS works to protect consumers and the financial services industry in these difficult times."
Another well-known conference series goes virtual.
SINET, which like so many other conference series has decided for reasons of safety to postpone in-person events until the pandemic abates, has begun to offer instead a series of webinars. The next one, "A CISO’s Perspective on Dealing with the Current Crisis," will be held on May 5th.