News for the cybersecurity community during the COVID-19 emergency: Monday, April 13th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Baking in contact tracking.
Apple and Google are engaged in joint development of Bluetooth tracking functionality that would notify mobile device users if they’ve been in proximity to someone who’s been infected with the coronavirus. As the Wall Street Journal describes it, the contact-tracking system would be enabled by opt-in, and both parties would have to opt-in. It also depends upon self-reporting on the part of infected individuals, which means that, for the system to be effective, it would have to attract widespread opt-in as well as inspire a willingness on users’ parts to keep their status up-to-date.
The Verge offers an explainer of how such a system might work. Moxie Marlinspike has a Twitter thread that’s also useful, and offers a skeptical take about the difficulties of preventing abuse. Much of that potential abuse, interestingly enough, could be on the part of people goofing around for the lulz, telling friends, family, neighbors, and complete strangers that they too had just been exposed. Sometimes Little Brother is to be feared as much as Big Brother.
There are of course concerns about large-scale, Big-Brotherish privacy abuses, too. CNBC has a discussion of how information-sharing would need to be limited to avoid this. False positives are one problem, as the Verge points out, but concerns about the implications of entrusting governments with such tools have also arisen. The UK’s National Health Service is closely involved with the joint Apple-Google project, according to the Times, and the NHS has also shown, as the Guardian reports, a strong interest in deploying big data tools from Palantir and others against the pandemic.
Motherboard thinks it sees signs that lawful intercept brokers (and NSO Group is named in dispatches, here) see the increased government interest in tracking contacts as an opportunity for increased market penetration.
COVID-19-themed scams continue unabated.
Phishing attacks and phone scams continue to use COVID-19 fears as bait, the South Florida Times reports, and that’s no surprise. Other criminal activity concentrates on the newly expanded remote-work attack surface, with Zoom representing a favorite avenue of approach. Forbes says that “Zoom-related threats” have increased by 2000% since the pandemic began to force social distancing and telework. There’s a thriving black market in Zoom vulnerabilities as criminals race against the teleconferencing provider’s efforts to upgrade its security.
It’s not just criminals who see opportunity. Time has an account of warnings from US counterintelligence services that espionage organizations are active in much the same way.
Still, it’s not all blue sky for the crooks either. Chainalysis says that the pandemic “has wiped out 33% of cryptocurrency scammers’ revenue.”
China's COVID-19 disinformation campaigns.
The Wall Street Journal has an overview of the shape, scope, and probable objectives of the Chinese government’s disinformation campaign concerning the coronavirus pandemic. The efforts’ goals seem to be at least threefold. First, deflect any blame for mishandling the epidemic away from the Chinese government. This would include misleading accounts about the epidemic’s emergence and subsequent development as well as disinformation about its recent progress (like, for example, the claim that none of Hubei Province’s 42,000 healthcare workers were infected with COVID-19, a claim contradicted by earlier Journal reporting).
That first objective is related to the second: fix any blame there might be for the emergence of the virus somewhere else. That somewhere else has usually been the United States, China’s principal international rival, and the blame has either taken the form of contentions that the virus was a US biowar project gone (arguably) wrong, or that US personnel were somehow the initial infection vectors in Wuhan. These claims tend to be stronger than that the natural disaster or epidemic has been made worse by official missteps or bungling: they often carry the implication of conspiracy. (And if there have been missteps or bungling, they weren’t made by the Chinese Communist Party.)
The fixation on an American origin story hasn’t prevented the development of domestic policies that focus on Africans resident in China as infection vectors. Quartz notes that a wave of evictions has pushed African migrants out of housing and denied them alternative accommodations. The governments of Ghana, Nigeria, Kenya, and Uganda have summoned Beijing’s ambassadors and demanded explanations.
And third, there’s a broader effort to portray China as a good international citizen, a reliable and technologically savvy provider of humanitarian aid. A contrast is generally drawn to the United States, with the Americans depicted as the opposite: unreliable, inept, and unfeeling. This would be a move toward displacing, where it can, the US from exercising this kind of soft power. (That messaging is undercut by evictions of African migrants, but those evictions are for domestic consumption.)
The methods the Chinese services have adopted depend strongly on state-run media gaining access to social media audiences through advertising, with subsequent amplification in other social media posts. Researchers at the Stanford Internet Observatory told the Wall Street Journal that Beijing has purchased over two-hundred political ads on Facebook since the end of 2018. More than a third of those, however, were bought within the past two months, and those for the most part “focused on trying to shape global perception around China’s handling of the coronavirus outbreak.” China’s Facebook political advertising has drawn roughly forty-five-million views since February 15th, which in volume at least exceeds the reach the Internet Research Agency, that active Russian troll farm, achieved around the US 2016 elections.
Facebook said last October that it would label ads purchased by state media, and Twitter says it’s banned advertising by state media. Chinese government operators, however, have proved able to run ads (unlabeled) on both platforms.
The method of the Chinese disinformation surrounding coronavirus has been compared to Russian disinformation operations, and they do have in common an effort to darken counsel and induce doubt. But whereas Russian operations have tended to be purely disruptive, the Chinese disinformation is organized to serve positive--positive from the Chinese government’s point of view--goals. It’s also made more use of advertising.
Two techniques are noteworthy. There’s a tendency to pick up casual posts along the lines of “you know, I had a funny cold a couple of months ago; wonder if it was coronavirus.” These are amplified to suggest that the virus had its origins outside of China. There’s also a tendency to communicate by insinuation. Thus the claim that COVID-19 is the product of a US biowar program is typically made not by assertion, but by posing a question: Was COVID-19 an American weapon? Inquiring minds want to know. Shouldn’t this be investigated? We’re not saying it’s so, but it sure sounds suspicious. And so on.
Other actors, mixing disinformation and delusion.
Such conspiracy mongering gains traction with repetition. The intended audience is Southeast Asia, Eastern Europe, and Africa. Much of the Chinese disinformation has been picked up, opportunistically, by Russian and Iranian services.
It’s also been picked up by non-state actors, extremists of various varieties or unwitting agents of influence adopting various elements of the Chinese line. The agents of influence have tended to focus on isolated pieces of Chinese disinformation. The extremists who are retailing bogus conspiracy theories, mostly Islamist and far-right, according to the Washington Post, have been more independent if not particularly original. Their work has most often been a variation on an anti-Semitic theme, with calls for radicalization and incitement to action. One depressing social media post was from an Islamist extremist who said he was infected with COVID-19 and so was volunteering his services as a biological weapon. He was interested in hearing suggestions concerning targeting.
Research that isn’t really, at least not yet, finished, so caveat lector.
This may be seen in a simulation by researchers at the Eindhoven University of Technology, published as a gif showing how “droplets” might be spread in the “slipstream” of runners, cyclists, and others exercising out of doors. It’s been widely disseminated by people cautioning one another about the dangers of being out of doors at all, with so many COVID-19 vectors out there cropdusting away as they try to get some exercise.
The lead researcher complains, as quoted in Vice, that “people should read and not misread my tweets and texts,” but in this case the researchers have written so little that perhaps people should be forgiven for not reading what’s not really there. It’s often said that “data” is not the plural of “anecdote,” and it might be worth adding another useful rule-of-thumb: a gif is not a report of research.
Anyone familiar with the difficulties of simulating and predicting downwind hazards is unlikely to be taken in, but those who aren’t (and that’s most of us) may find the gif frightening and convincing. After all, there it is, in all the animated colors of the rainbow. Lead researcher Bert Blocken, a professor of aerodynamics, again according to Motherboard, “I have never and nowhere discouraged people from walking, running, or cycling. Rather the opposite. Maybe people should read more, and react less.”
But he did speak with Laatste Nieuws in order to warn people of the danger of getting too close to joggers, because after all, as he tweeted, it’s an emergency. So which is it? You can read the news articles and the tweets as closely as possible, with all the hermeneutical skill in the world, and without some extratextual knowledge you’d be spooked, too.
The pandemic's economic effects on the tech sector.
Crunchbase reports that startups have been hard-hit by the pandemic, with many of them forced to lay off workers. Big Tech, however, is hiring, and they're looking in particular for cybersecurity talent. Facebook alone, the Wall Street Journal reports, plans to hire ten-thousand people during 2020. And the Silicon Valley Business Journal reports that Big Tech is also taking some measures to sustain their small business supply chain.