News for the cybersecurity community during the COVID-19 emergency: Monday, May 11th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Biomedical espionage. Contact tracing, economic consequences, and conspiracy theories.
Reports: intelligence services attempt to steal vaccine and treatment research.
The New York Times reports that the US Department of Homeland Security and FBI are preparing to issue a warning that China's intelligence services are engaged in a widespread crash campaign of cyberespionage designed to steal research into COVID-19 vaccines and treatments. In the Times' account, the warning is said to include the charge that China is attempting to obtain “valuable intellectual property and public health data through illicit means related to vaccines, treatments and testing,” and that the espionage effort includes "activation" on "nontraditional actors," that is, students and researchers already in place in universities and research organizations. The US and the UK last week issued a joint warning of espionage targeting research organizations, but stopped short of calling out specific nations. That is now expected to change in the next few days.
China's intelligence services may not be the only ones engaged in such espionage. Researchers at ClearSky have told Reuters that they've seen indications that Iranian operators are also conducting such a campaign. In this case their target is more specific: Gilead Sciences, a pharmaceutical company engaged in phase 3 trials of the effectiveness of the Remdesivir antiviral drug against severe cases of coronavirus. ClearSky says that the efforts included a spearphishing campaign against Gilead executives. Gilead has not commented, and it's not known whether the attempts were successful. Iran has said, through its mission to the United Nations, that it has no involvement in the incident: “The Iranian government does not engage in cyber warfare,” spokesman Alireza Miryousefi said. “Cyber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure.”
Contact tracing apps continue to face rocky adoption.
An essay in Foreign Policy describes how Germany's push to deploy a contact-tracing app has flagged. A symptom-tracking app produced by the Robert Koch Institute achieved gratifyingly high rates of initial voluntary adoption before falling from favor after researchers belonging to the Chaos Computer Club (an association of independent researchers) reported that the app ran large quantities of private data through centralized servers and data repositories. The German-led Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) initiative was also initially well-received, but it too fell out of favor after a mid-April open letter from a group of scientists and researchers made a general criticism of contact-tracing apps and their susceptibility to mission creep against the background of European privacy rules. The current position is to default to decentralized exposure notification systems like those jointly developed by Apple and Google. Thus there's a dilemma: the original, domestic systems touched national sensitivities about surveillance grounded in the experience of both the National Socialist period and the more recent East German Communist social control regime. And defaulting to Apple and Google hands tech leadership over to foreign companies.
In the US state and Federal public health agencies have been reluctant to adopt too many technological adjuncts to the traditional contact tracing practiced during epidemics. The states, WIRED reports, have shown divergent willingness to automate contact tracing, with Utah being most interested in doing so, but with New York, California, and Massachusetts having turned down offers of automated tools. These decisions seem to be based more on varying judgments of effectiveness than on concerns about privacy or security. Manual ("analogue") approaches are familiar and proven. Automated contact tracing is not.
There's also a sense that the success stories circulated about automated contact tracing in Singapore and South Korea may have been overstated. Singapore, for one, has found that voluntary adoption rates have been too low for effectiveness. The country will move to a more directive system tomorrow, when, according to ZDNet, a check-in system will become mandatory for access to locations "including workplaces, schools, supermarkets, and healthcare facilities." Australia's contract-tracing app, based on the system piloted by Singapore, has also, the Sydney Morning Herald reports, failed to achieve desired rates of adoption. Privacy advocates continue to warn against the app's implications.
The British government is considering requiring people to install two contact-tracing apps before they're permitted to cross the border between Northern Ireland and the Republic of Ireland, the Telegraph reports. One app is the one developed by the UK's NHSX app, the other an app under development in the Republic.
Tech sector not immune to economic consequences of the pandemic.
A series of articles in the Wall Street Journal offer a dour appreciation of the economic effects of COVID-19. The general effects are well-known: the US Bureau of Labor Statistics reported that the nation's unemployment rose to 14.7% during April. Payrolls fell by "a historic 20.5 million workers." The economic damage of the pandemic has been severe. And the tech sector, about which optimistic hopes had been entertained, has not proven to be immune to that damage. The Journal quotes CompTIA to the effect that the IT sector lost 112,000 jobs last month, "erasing a year's worth of hiring gains." There's been more spending on cloud services, but most enterprises have placed a temporary hold on digital transformation initiatives.
Corporate IT staffs are also being reduced. A poll reported by Information Security Buzz says that a third of the companies surveyed reported reductions in IT staff. Half of them said they'd cut IT budgets. And a story in MeriTalk says that most firms are not adding cybersecurity training during the pandemic emergency.
Social media and conspiracy theories.
For all their efforts at deplatforming conspiracy theorists, the ability of social media accounts to monetize their content by maximizing clicks, views, and other engagement has outrun the ability of the social media to moderate content and exclude fringe theories from their services. MIT Technology Review sees conspiracy theory as being especially deeply rooted in "YouTube culture."