News for the cybersecurity community during the COVID-19 emergency: Wednesday, May 6th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Update: investigation into COVID-19's origins.
The Chairman of the US Joint Chiefs of Staff, US Army General Mark Milley, yesterday offered an assessment of where the ongoing US investigation into the origins of COVID-19 stands. As the Hill reports, General MIlley told reporters, "The weight of evidence — nothing’s conclusive — the weight of evidence is that it was natural and not man-made. The second issue is, was it accidentally released, did it release naturally into the environment or was it intentional? We don’t have conclusive evidence in any of that, but the weight of evidence is that it was probably not intentional.” He called upon China to cooperate with international investigators.
So the current state of the question seems to be that the virus was not artificially engineered, but rather emerged naturally, and was not intentionally released. Whether the outbreak originated in human contact with infected animals (more widely believed, as CNN reports in an account of views prevailing in the other four of the Five Eyes intelligence services) or in an accident at a Wuhan laboratory (possible, but with evidence inconclusive) remains undetermined.
Cyberespionage directed against COVID-19 researchers expected to continue.
Attempts by state-directed hackers to obtain the results of research into COVID-19, especially work toward a vaccine, are continuing. The Week has a summary of the password-spraying campaigns that represent the general approach the attackers are taking. While both US and British services, specifically CISA and the NCSC, have issued warnings about the threat, the hostile intelligence services appear to have been especially active in the UK.
Britain's Foreign Minister, Dominic Raab, said yesterday that he expects the attacks ("dangerous and venal") to continue even after the pandemic subsides. “There are various objectives and motivations that lie behind these attacks, from fraud on one hand to espionage, but they tend to be designed to steal bulk personal data, intellectual property and wider information that supports those aims,” Reuters quotes the Foreign Minister as saying. “They’re often linked with other state actors, and we expect this kind of predatory criminal behaviour to continue and to evolve over the coming weeks and months ahead, and we’re taking a range of measures to tackle that threat.”
Contact tracing apps.
As contact tracing apps begin to roll out, they face two principal challenges: privacy and efficacy. Centralized tracing systems (like the one currently being piloted in the UK on the Isle of Wight) have drawn more concern than decentralized exposure notification systems like that developed by Apple and Google.
In the UK, the National Health Service is working to address privacy concerns about its app. NHS intends to form an ethics board to oversee use of the data it collects, and, the Guardian adds, NHS is mulling the establishment of a sunset clause that would lead to deletion of the data once they're no longer needed. But concerns remain about the security of the information that will be held in the central data repository however long NHS needs to retain it.
India's government has denied that its own contact tracing system, the Aarogya Setu App, has a vulnerability that exposes the data it collects to compromise. Outlook India reports that the government evaluated the claims of a French white hat hacker to having found that Aarogya Setu would expose sensitive personal information. The government's answer to the research points out that much of the information the researcher complained about, including certain forms of geolocation, were already public, and that in other respects the data were properly secured.
The second issue is that of efficacy. SecurityWeek lists various points of skepticism, especially those that suggest the possibility of high false positive rates. Forbes discusses a more basic problem. If, as has generally been the case, the contact tracing and exposure notification apps are intended to be installed voluntarily, and if the system depends upon self-reporting of symptoms or diagnoses, they'll depend upon widespread public cooperation. But to be effective that cooperation needs to extend to about 60% of the population. Narrowed to smart phone users, who of course are the ones being tracked and notified, that fraction rises to 80%. That's about the best market penetration WhatsApp has achieved during its best years. It seems unlikely that a contact tracing app will quickly beat WhatsApp with consumers.
Work life after the pandemic.
Most of the discussion of the effects of the pandemic on cybersecurity have focused on the vulnerabilities widespread adoption of telework have exposed to attackers. But those who expect a swift return to the pre-pandemic workplace may be disappointed. In an interview with the CyberWire, Unisys CISO Mathew Newfield said that resumption of ways of doing business that prevailed as recently as January may be unlikely. "A lot of organizations are seeing not only success with that but improved performance, improved efficiencies and improved morale where there are areas that may have heavy commute times," he said, adding that "one of the interesting things that's also happening is that, a lot of financial executives are looking at the cost per employee to keep them in an office as compared to keeping them at home. So I think you're going to see not the number stay where it is now, which is that 90 to 100% work from home, but I don't think we're going to get back to that 13 to 17%" that prevailed before the COVID-19 emergency.
The expectation that social distancing practices may prove surprisingly enduring are not confined to the US. The Financial Express says that social distancing is expected to linger in India, and similar persistence may be found elsewhere as well.
In the workplace or in the home office, the Wall Street Journal predicts that enhanced surveillance adopted to enable businesses to reopen are unlikely to go away once they've accomplished that mission. These security measures are for the most part designed to track employee health and infection transmission, and they may well be retained to deal with future epidemics.