News for the cybersecurity community during the COVID-19 emergency: Friday, May 15th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Discourse power, and the pandemic as analogy. Why we can't have nice data.
"Discourse power" during the pandemic.
Chinese doctrine has, under the Communist Party's current leadership, emphasized the importance of "discourse power," roughly speaking positive propaganda, and an insistence on that propaganda's receiving an international hearing. An essay in Foreign Affairs describes how Beijing has sought to apply discourse power during the COVID-19 pandemic. It sees China as pursuing traditional influence by, for example, posing as a reliable partner and a valued source of friendship and humanitarian aid during a difficult time. But it also argues that Chinese influence operations have been "more aggressive" than usual, and that Beijing has "even experiment[ed] with tactics drawn from Russia’s more nihilistic information operations playbook." "Negative" might be better than "nihilistic," however, because even as they go negative, Chinese operators have been more interested in persuasion than in generating confusion and doubt, which have been the typical goals of Russian influence operations (and those might fairly be described as nihilistic).
The pandemic as analogy: how a medical emergency can inform preparation for a cyber emergency.
The US Cyberspace Solarium Commission, whose report led with an introductory work of fiction that imagined Washington laid low by a massive cyberattack against infrastructure, the Capital reduced to a hellscape that could be safely viewed from no closer than Reston, sees lessons in preparation from the pandemic. The co-chairs of the Commission, Senator Angus King (Independent of Maine) and Representative Mike Gallagher (Republican, Wisconsin 8th), are ready to talk to Congress as the COVID-19 emergency begins to abate, and they hope, according to the Washington Post, that legislators get the lesson that it's important to prepare for a disaster before it hits.
“I think covid has taken public attention away [from cybersecurity], but for policymakers it’s underlined the importance of having a comprehensive strategy in place and really strengthened the case for the actions we recommended,” Senator King told the Post. “We’re in the middle of a crisis that has shaken people to say we can’t go back to business as usual.” And there are some signs that Congress may be willing to listen, at least a little. Two of the Commission's recommendations—creation of a national lead for cybersecurity in the White House with a significant budget and staff, and both planning and spelling out clearly the consequences adversaries will face should they mount a serious cyberattack against the US—appear to have gained traction with lawmakers over the past month. That second recommendation is reinforced by the emergence of a more hawkish consensus about China that's emerged during the pandemic.
The Post quotes Representative Gallagher on both points. “You look back on the 9/11 Commission and you realize how much good work was being done [before the attack] but it was all siloed at different agencies. We want someone who’s in charge and coordinating efforts across the government, forcing discussions across agencies about different scenarios and how we can prepare for an attack.” He also said, “I think if nothing else when the dust settles on coronavirus, it will harden the hawkish consensus on China and add energy to this effort to wean ourselves off our dependency on certain things produced in China.”
The Cyberspace Solarium Commission is expected to release by the end of this month a follow-on report summarizing the lessons it's drawn from the COVID-19 emergency.
Contact tracing in the UK and elsewhere.
At the end of a week in which NHSX's contact-tracing system faced skepticism about both its legality and its efficacy, NHS gets some good news from the pilot being conducted on the Isle of Wight: the Telegraph reports that more than half the people there with smartphones have downloaded the app. 50% has generally been regarded as representing the floor of adoption rates that might actually make a difference in controlling the spread of the disease.
The Telegraph also has an overview of the various technical adjuncts to traditional quarantine and contact tracing various nations have tried. The approaches fall on spectra of voluntariness and intrusiveness: Bluetooth-based exposure notification to GPS-based movement tracking, thermal cameras in public places to nearly ubiquitous facial recognition surveillance, and so on,
There are also questions about the amount of public resistance to tracing and tracking authorities can expect. A Washington Post-University of Maryland poll taken at the end of April concluded that most Americans would be either unable or unwilling to install contact tracing apps voluntarily. (And if most of the noncompliant don't fall into the "unwilling" category, then we don't know Arkansaw.)
Contact tracing is not a dating app.
So why would anyone object to sharing a little personal information, even if there's any chance at all it might help control the epidemic?
Here's why: giving someone your contact information can sometimes amount to inviting nemesis into your life. Take this case from New Zealand, as reported by Newshub. A woman in Auckland wanted to buy a sandwich from Subway (as anyone might) and in doing so responsibly filled out a contact form the restaurant presented her (as any restaurant might, during a pandemic emergency). "I had to put my details on their contact tracing form which I didn't think anything of. It asked for my name, home address, email address and phone number so I put all those details down," she told Newshub. The guy who served her gave her the sandwich, but also favored her with lots of unwanted attention via text, Facebook, Instagram, and Facebook Messenger, which made the customer feel "pretty gross." Subway fired the unhappy suitor. And that's why we can't have nice things.
Can we all agree that criminals don't in fact have the common good at heart?
Still think there's public-spirited honor among thieves? Then consider this: the Wall Street Journal reports that Europol has warned of criminals increasing the rate of ransomware attacks against hospitals providing urgent care during the pandemic. This is as economically rational as it is morally depraved: the hospitals are more needed than ever, and the reliability and availability of their data are more important than ever, which the criminals calculate will make them all the more likely to pay a hefty ransom.
The underworld is also paying attention to how it crafts its phishbait. Proofpoint has found a number of templates in circulation that help criminals craft more convincing spoofs of government messages, especially messages involving the emergency relief programs so many of those in economic trouble find themselves hoping to use for a leg up, out of their difficulties. The templates are most often used in credential-harvesting scams.