News for the cybersecurity community during the COVID-19 emergency: Thursday, May 14th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Espionage during the pandemic. Contact-tracing and relief fraud. And the new Righteous and Harmonious Fists.
Espionage during the pandemic.
Yesterday's joint statement by the US FBI and CISA warning that Chinese intelligence services are engaged in a far-reaching campaign to collect against COVID-19 research has elicited the foreseeable response from officials in the People's Republic. It's "slander," Reuters quotes a Foreign Ministry spokesman as saying. Spokesman Zhao Lijian also said that any interference with research ought to be condemned.
The joint warning is interesting for the way the Bureau and CISA connect espionage with damage to the research itself. "The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options." Thus the risk appears to be more than the usual competitive threat to intellectual property that the US has typically complained of in connection with Chinese espionage.
Scam poses as a message from the UK's contact tracing system.
Britain's Chartered Trading Standards Institute (CTSI) has warned, Computing reports, that bogus messages purporting to come from the NHS's contact-tracing app are in circulation. The baited message reads, "Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested." Judging from CTSI's account, it's a straightforward smishing scam. The victims receive a message with a link that takes them to a site that asks them to enter personal information, which the criminals in turn can use for various forms of fraud. CTSI advised victims in England and Wales to report scams to Action Fraud. In Scotland, they should call Police Scotland on 101.
Otherwise, how's that centralized contact-tracing system working out?
The NHSX-sponsored contact-tracing app is now undergoing a closed beta trial on the Isle of Wight. Gizmodo says that the Isle's MP, Bob Seely, has offered a generally optimistic appraisal of how the app's doing. He notes that it's "throwing up lots of really good information." Of course it's only to be expected that any application developed and deployed under emergency conditions would experience problems, and this one is no different. Preliminary reports from users complain that the app is a battery hog, and that the permissions it asks for are confusing. Researchers who've looked at the system say that they've found other issues, in particular problems with iOS-Android interoperability.
Privacy concerns also persist. The app probably runs afoul of GDPR, for one thing. WIRED writes that the data are not fully anonymized (or not anonymous, "but extra information would be needed to work out who you are," in WIRED's formulation). The difficulty of giving meaningful consent to tracing might in itself be sufficient to constitute a GDPR violation.
Pandemic stimulus funds draw fraud.
The US Government is stepping up oversight to reduce the amount of fraud seeking to take advantage of emergency stimulus funds, the Wall Street Journal reports. Congress has appropriated nearly $3 trillion in relief, and small businesses in particular, the Washington Business Journal warns, should pay close attention to the official guidelines under which they apply for aid.
The Righteous and Harmonious Fists, 21st century edition, make an appearance Stateside.
The luddites and crazies who've been trashing cell towers in the UK, Belgium, and the Netherlands because they've heard that 5G causes coronavirus have inspired their conspiracy-minded soulmates in the States to take similar action, and all we can do is wonder why it took everybody so long. There have now been incidents reported in the US, and the Washington Post says the US Department of Homeland Security is working on an advisory and a plan to help telcos protect their equipment.
The Post mentions disinformation in their coverage, but this seems likelier to be a case of misinformation. It also provides a discouraging case study of rumor convergence, the strange bedfellows passionate commitment to a cause can make, the reach of influencers, and the sad futility of much rumor control.
One wonders how much the use of "virus" for both a class of pathogen and a kind of malware has contributed to the popular mania. “It is physically impossible that electromagnetic fields transfer particles like viruses,” the Post quotes Eric van Rongen, of the International Commission on Non-Ionizing Radiation Protection. But of course, they coulda maybe transferred them computer viruses yinz read about in the Google, right? Lest that last sentence suggest there's a class or a geographical angle to these new Righteous and Harmonious Fists, it's worth noting that someone could equally well ask whether late-stage capitalism doesn't interrogate a praxis of hermeneutics that unmasks the 5G problematic. Hey, stands to reason; do your own research, sheeple. And so on.
Some of the attacks, sources say, may have been acts of ecotage taking opportunistic advantage of the pandemic to damage counter-to-nature infrastructure. And there's been no shortage of celebrity influencers sharing the dope that 5G causes COVID-19: the light-welterweight boxer and philanthropist Amir Khan, the singer Anne-Marie ("Ciao Adios" and "Rockabye," among other hits), and the actor Woody Harrelson (known for Cheers and Zombieland) have been particularly mentioned in dispatches. (For our part we're going with Mr. van Rongen over Mr. Harrelson.) And it's dismaying if not unexpected to see how the impulse to do damage like this can be well beyond the reach of rumor control. The Federal Emergency Management Agency and others have tried, but with apparently indifferent success. It's as difficult to persuade the Righteous and Harmonious Fists in the Twenty-First Century as it was in the Nineteenth and Twentieth.