News for the cybersecurity community during the COVID-19 emergency: Tuesday, May 26th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Cyber risk, contact tracing, misinformation and content moderation. Managing telework.
Cyber risk during the state of emergency.
ABC News reports that Izumi Nakamitsu, the United Nations disarmament chief, warned an informal meeting of the Security Council Friday that cybercrime had surged during the pandemic, "with a 600% increase in malicious emails during the current crisis." Many of these attacks have been directed against remote workers, and the attempts commonly use COVID-19 phishbait to attract victims. Quoting research by Darktrace, the Guardian dates the surge to January, when concerns about the virus gained widespread currency. The remote workers are sometimes the immediate targets of criminal fraud, but they're often attacked as a way into corporate or organizational networks.
Economic relief programs have been attractive targets for criminals. Most such programs have been put in place with considerable haste, and hasty deployment has meant that exploitable vulnerabilities have found their way into the online systems used to administer them. KrebsOnSecurity notes the amount of "flexing"—boasting—going on in criminal circles, but even allowing for exaggeration, concludes that many US state programs aren't succeeding in flagging as much of the fraud as one might hope. The Nigerian gang Scattered Canary has enjoyed particular success against state sites. The Daily Chronicle has an account of how Scattered Canary succeeded against Washington state's relief programs. CBS News reports that unaddressed issues from earlier breaches (mostly large password breaches) have helped criminals attack Illinois's unemployment system.
Contact-tracing technologies in the later stages of the pandemic.
Australia's Covidsafe contact-tracing app had been touted by the government as a key enabler of a return to normal life. (Including watching football. As this tweet from Health Minister Greg Hunt put it on May 1st, "Want to go to the footy? Download the app.") But the Guardian reports that the app's effects have been small at best, and that the government has quietly toned down the ballyhoo pushing downloads. Over the course of roughly a month's use, the Guardian notes, "just one person has been reported to have been identified using data from it." Covidsafe is now being sensibly represented as a possibly useful adjunct to traditional manual contact tracing.
Three issues have tended to dog contact-tracing technology wherever it's been considered: efficacy, adoption, and privacy. They're related. For an app to work it needs either accurate geolocation or, at a minimum, reliable proximity detection. This has usually been realized by taking smartphones as surrogates for natural persons, an arguably useful but admittedly imperfect association. No one can reasonably expect perfection from any system, and the high rates of smartphone use make it a reasonable approximation, but of course not everyone has a smartphone, and not all who do carry them at all times. (Singapore is considering adopting wearable devices worn on a lanyard as an alternative and more visible approach to contact tracing, ZDNet reports.)
And this approach to contact tracing would require adoption by a significant fraction of the population. Estimates naturally differ, but most of them put this number somewhere north of 40%, and many estimates place it higher. That degree of voluntary adoption has proven difficult to achieve in practice. A survey Checkmarx commissioned early this month found that 48% of American respondents said they would either be unlikely to download a contact-tracing app, or that they would flatly refuse to do so.
Why would such adoption be voluntary in the first place? Because of data privacy laws, and their surrounding culture of informed consent. In this regard people have worried more about opting into a centralized contact-tracing system like the one developed by the UK's NHSX than they have about signing onto the decentralized exposure notification system proposed by Google and Apple (although that approach hasn't seen a popular rush to adoption, either). In the case of the NHSX system, popular suspicions have been further aroused by the involvement of US big data company Palantir, itself a lightning rod for conspiracy theories. In their respectable and defensible form, such theories argue, as the New Statesman summarizes, that centralized contact tracing could prove to be the entering wedge of a larger, more intrusive, and above all permanent state surveillance apparatus. According to ComputerWeekly, privacy advocates are pressing Her Majesty's Government for information about the form such plans are assuming.
Such concerns aren't confined to the UK. Reuters reports that on Sunday the Israeli cabinet decided that plans to involve the domestic security service Shin Bet in contact tracing would be relegated to a last resort.
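To make the centralized-versus-decentralized distinction concrete, here is an added example, written for this page and not taken from the NHSX app, Covidsafe, or the Apple/Google specification. It models the decentralized pattern: each phone generates a random daily key that never leaves the device, broadcasts short-lived identifiers derived from it, and records identifiers it hears from nearby phones. A user who tests positive uploads only their daily keys; everyone else downloads those keys and does the matching on their own device. The phone names, interval numbers, and the use of HMAC-SHA256 in place of the AES derivation in the published scheme are assumptions made for illustration, and the interval and key sizes are chosen to follow the published parameters without claiming conformance.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this illustration (assumed; they follow the published
# Apple/Google numbers but nothing here claims conformance with that spec).
INTERVALS_PER_DAY = 144   # one 10-minute interval, one daily key per day
KEY_LEN = 16


def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) with an empty salt, standard library only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier a phone broadcasts during one 10-minute interval.

    Simplification (assumed): the published scheme encrypts the interval
    number with AES under a key derived from the daily key; HMAC-SHA256 stands
    in for AES so the example needs no third-party library. The property that
    matters is the same: identifiers look unrelated unless you hold the key.
    """
    rpik = hkdf_sha256(daily_key, b"EN-RPIK")
    mac = hmac.new(rpik, interval.to_bytes(4, "little"), hashlib.sha256).digest()
    return mac[:KEY_LEN]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}   # day -> random key; leaves the phone only on a positive report
        self.observed = set()  # (identifier, interval) heard from nearby phones

    def _key_for(self, interval: int) -> bytes:
        day = interval // INTERVALS_PER_DAY
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(KEY_LEN)
        return self.daily_keys[day]

    def broadcast(self, interval: int) -> bytes:
        return rolling_identifier(self._key_for(interval), interval)

    def hear(self, identifier: bytes, interval: int) -> None:
        self.observed.add((identifier, interval))

    def diagnosis_keys(self, days):
        """What an infected user uploads: daily keys for the contagious days only."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def check_exposure(self, published) -> int:
        """On-device matching: re-derive every identifier the published keys
        could have produced and look each one up in the local log."""
        hits = 0
        for day, key in published:
            for interval in range(day * INTERVALS_PER_DAY, (day + 1) * INTERVALS_PER_DAY):
                if (rolling_identifier(key, interval), interval) in self.observed:
                    hits += 1
        return hits


def meet(a: Phone, b: Phone, interval: int) -> None:
    """Two phones within Bluetooth range exchange identifiers for one interval."""
    a.hear(b.broadcast(interval), interval)
    b.hear(a.broadcast(interval), interval)


def simulate() -> dict:
    """Constructed scenario: alice and bob spend 40 minutes together on day 7,
    bob later passes carol, and alice then tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 7
    start = day * INTERVALS_PER_DAY + 60
    for i in range(start, start + 4):
        meet(alice, bob, i)
    meet(bob, carol, start + 100)
    server = alice.diagnosis_keys([day])   # the only thing the server ever sees
    return {
        "server_holds": len(server),       # a key per day, not a contact graph
        "bob_hits": bob.check_exposure(server),
        "carol_hits": carol.check_exposure(server),
        "ids_rotate": alice.broadcast(start) != alice.broadcast(start + 1),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the design is visible in `simulate()`: the server learns that one key set belongs to someone who tested positive, and nothing about who met whom; bob finds his four matching intervals locally, carol finds none, and alice's broadcast identifiers change every interval so a passive listener cannot follow her across the day. A centralized design such as the NHSX approach inverts this, with phones uploading their observed contact logs to the server, which is what makes the "entering wedge" concern above a live one.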
Updates on the delusion that 5G infrastructure is implicated in COVID-19, and other pandemic misinformation.
Over the weekend WIRED followed up on reports that the US Department of Homeland Security had warned local authorities to watch for vandalism against cellular infrastructure, and particularly against 5G towers. The crank theory that's animated vandals in northwestern Europe (and that now appears to have a beachhead in North America) comes in two varieties. The first holds that 5G electromagnetic signals actually carry the virus. The second variant, only marginally less plausible, holds that 5G electromagnetic radiation impairs the human immune system, thereby rendering populations near the towers more susceptible to infection. There's no evidence for either view, and the first in particular seems to involve folkloric thinking functionally indistinguishable from the late-nineteenth-century view of China's Boxers that telegraph wires distressed and tormented airborne spirits. Both varieties of the theory are often accompanied by far-fetched conspiracy narratives in which various global actors have quietly engineered an electromagnetically enabled pandemic in pursuit of, well, fill in your own goals here. The assault on 5G would be funny were it not for the damage done by the righteous fists.
Facebook has moved against a range of misinformation about COVID-19. When BuzzFeed asked why it hadn't done the same with respect to anti-vaccine viewpoints or climate change dissent (BuzzFeed suggesting, at least hypothetically, that one might consider censorship in both cases), Facebook drew a distinction in terms of the immediacy of the risk the misinformation posed. Thus the platform seems to be drawing the line at the familiar place Justice Holmes placed it in Schenck v. United States: "falsely shouting fire in a theatre and causing a panic." COVID-19 misinformation that poses an immediate threat to public safety goes; other claims that might fail rigorous fact-checking but that don't present such an immediate risk might well stay. It's a difficult question. “'Public health is squishy by definition,' Kenneth Bernard, an epidemiologist who’s served in the WHO and set up the NSC’s health security office, told BuzzFeed News. 'We don't have enough information and we're dealing with biological organisms that have a variety of responses. Different opinions can exist.'” Monika Bickert, head of global policy management at Facebook, told BuzzFeed News that “We decided we would remove content that directly contradicted [the WHO] and could contribute to risk of imminent physical harm.” So claims that "social distancing doesn't work" are out, as are posts to the effect that "wearing a mask can make you sick."
An anti-vaccine animus seems to underlie much of the conspiracy thought that doesn't, so far, pose that kind of clear and immediate risk. Another BuzzFeed piece outlines the form the imagined conspiracies are taking in sections of the popular imagination. It's a familiar shape: wealthy forces operating behind the scenes are manipulating world events with a hidden hand for their own malign purposes. Historically the conspiracy has usually involved the Illuminati or the Rothschilds, but in this case the malign force the theorists perceive is Microsoft co-founder Bill Gates (who's held by many to be lashed up with the traditional bugaboos).
Security when telework becomes the norm.
Facebook is the most prominent example so far of a major corporation moving a large share of its workforce to telework. CEO Mark Zuckerberg expects half of its employees to be working from home by 2030, Forbes writes. And Google's Sundar Pichai, while publicly more cautious about the extent to which the company will continue remote work, has also made it clear in an interview with WIRED that he expects the experience of the pandemic to permanently reshape the way Google does business.
It's worth remembering that most jobs in any economy won't be done from home, and the sectors that do easily accommodate remote work should bear in mind that they can't easily generalize from their own situations. But the COVID-19 pandemic has in any case rendered remote work a realistic option for many organizations. There are some considerations worth bearing in mind as companies consider making telework a permanent option. Mat Newfield, Chief Information Security Officer at Unisys, sent us five tips for companies considering virtual operations:
- "Large scale work from home shifts require a significant amount of upfront work to ensure corporations are not introducing unnecessary risks to their companies.
- "Topics such as training and ongoing education around the risks employees can introduce through their home networks must be incorporated. Do employees patch their personal equipment? Do they have the basic security components on their personal machines such as Anti-Virus? Do they regularly reboot their home internet devices to ensure they are not infected?
- "What plans does your corporation have to ensure availability with your WFH staff? Most people do not have redundant power or internet from their homes, so how will you ensure delivery continuity if people have a power outage or an internet outage?
- "How will companies ensure that they will have the ability to quickly patch WFH systems? If they require people to connect to the VPN to do so, what risks will they be introducing?
- "Education and communication are going to be key. Working from home is very new for so many people in the world. Acceptable Use, as an example, is something most employees do not think about. It will become very important that employees are trained well so that they can comply."
Remote work involves exposure to some forms of legal risk. The Information Commissioner's Office in the UK has offered guidance on how it intends to treat data protection regulations during periods of widespread remote work. ComputerWeekly's gloss on that guidance is simple: "In practice, this means that remote working is not an excuse to implement less stringent security measures than you would have otherwise had in place. The standard remains that organisations must ensure that an appropriate level of security is applied to the personal data that they process."
So what's everybody been doing with all those hours at home? Spending time with the family? Improving themselves through edifying reading? Learning a new craft? Scrapbooking? Watching cooking shows for recipes that would help them prepare a nice amuse-bouche for the loved ones with whom they're sheltered? Tending a victory garden? Probably not, at least if the Telegraph is to be believed. Mostly they're "consuming" adult content (consumption rates up a whopping 292%), streaming TV (up as much as 179% on some services), and, of course, playing online games (up 98%). That's in the UK, of course, and based on observations of people who use Gener8's browser add-on, but it seems reasonable to assume that things aren't much different elsewhere. Organizations may have to deal with some less-than-seemly habits that have developed during the period of self-isolation. We have it on the good authority of Baltimore sports talk radio that people are actually so out of whack that there's brisk betting traffic on Russian ping pong, and trust us, the Illuminati have nothing to do with that.