GCSC Cyberstability Update, February 15th, 2019
Your weekly news updates on the GCSC, its members, and relevant developments in the field of international cyber affairs. For more information about the GCSC, please visit www.cyberstability.org.
THE GCSC IN THE NEWS:
The article by Laurens Cerulus was published in Politico, 11 February 2019
A regime for "cyber sanctions" is taking shape — and it could already hit mischievous election hackers in May. The European Union is closing in on a procedure that would allow it to sanction foreign hacker groups when they target the upcoming EU election. The measures would not only allow EU countries to slap sanctions on hacker groups that succeed in intruding into IT systems, but also those attempting to get in, like the suspected Russian intelligence officers who allegedly plotted but failed to hack into the Hague-based Organization for the Prohibition of Chemical Weapons last year. In this article, Commissioner Christopher Painter elucidates the utility and effectiveness of imposing sanctions.
This article by Derek B. Johnson was published in GCN, 4 February 2019
Cyberattacks may not meet the traditional definition of war, but they can have serious physical and financial consequences. But U.S. officials, international organizations and independent experts have so far been unable to come to consensus about where to draw that line. In a series of meetings in Geneva, the nongovernmental Global Commission on Stability in Cyberspace hashed out fundamental principles that states, non-state actors and private industry should follow in the digital domain.
This interview with Hari Sreenivasan was published in KSMQ, 12 February 2019
In this interview, Hari Sreenivasan sits down with former US Secretary of Homeland Security Michael Chertoff, who authored the USA Patriot Act which led to a massive expansion of government surveillance. He joins the program to discuss growing threats to our privacy today.
This article by Joshua Geltzer, Beth George and Jonathan Zittrain was published in Just Security, 12 February 2019
The U.S. House Committee on Homeland Security conducted a hearing on election security on Wednesday February 13th. It’s part of a series the new Democratic majority in the House is holding related to the H.R. 1 legislation on election security, campaign funding, and government ethics, entitled the “For the People Act.” Just Security asked several experts what questions they think would be fruitful for discussion at the hearing. One of these experts, Commissioner Jonathan Zittrain, stressed the precarious balance between intelligence sharing and the protection of civil liberties. Furthermore, he raised questions with regard to public-private interaction and its implications for civil liberties.
INTERNATIONAL CYBER AFFAIRS:
The article by Sean Lyngaas was published in CyberScoop, 6 February 2019
The Washington, D.C. area’s Metro system, in response to U.S. senators who raised security concerns about a new line of railcars, now says it will use the National Institute of Standards and Technology’s cybersecurity framework to vet software and hardware proposed for the project. The senators had expressed security concerns over the railcar procurement after reports that a Chinese state-owned manufacturing company could win the bid. They asked if Metro would consult with defense officials before allowing foreign-government-built railcars to stop at the Pentagon, which is part of the Metro system. Alluding to China, the senators wanted to know if Metro would consider a company’s ties to foreign governments with a history of industrial and cyber-espionage when assessing bids.
The article by Catalin Cimpanu (for Zero Day) was published in ZDNet, 11 February 2019
Russian authorities and major internet providers are planning to disconnect the country from the internet as part of a planned experiment, Russian news agency RosBiznesKonsalting (RBK) reported last week. A date for the test has not been revealed, but it's supposed to take place before April 1. The Russian government has been working on this project for years. In 2017, Russian officials said they plan to route 95 percent of all internet traffic locally by 2020.
The report by the World Economic Forum was published on their website, 13 February 2019
Cyber resilience is a challenge for all organizations, but, due to its vital role as a societal backbone, it is of particular importance for the electricity ecosystem. This report developed by the World Economic Forum in collaboration with electricity industry partners and Boston Consulting Group offers principles to help board members meet the unique challenges of managing cyber risk in the electricity ecosystem.
This article by Andrei Robachevsky was published in MANRS, 5 February 2019
In this article, Andrei Robachevsky assesses changes in routing security in 2018 compared to 2017 and sketches an overall move in the right direction. The overall number of incidents was reduced, but the ratio of outages vs routing security incidents remained unchanged at 62/38. In spite of this positive development, Robachevsky calls for more awareness and attention to the issues of routing security in the network operator community.
This article by Julian E. Barnes was published in The New York Times, 12 February 2019
The Trump administration is moving closer to completing an executive order that would ban telecommunications companies in the United States from using Chinese equipment while building next-generation wireless networks, according to American officials. The executive order, which has been under discussion for months, is aimed largely at preventing Chinese telecom firms like Huawei from gaining access to the fifth-generation — or 5G — wireless networks that companies are beginning to build in the United States. American intelligence officials have grown increasingly concerned about Huawei and other Chinese telecom companies, saying their inclusion in American networks poses security risks that could jeopardize national security.
This article by Natalia Drozdiak, Nikos Chrysoloras, and Kitty Donaldson was published in Bloomberg, 11 February 2019
European Union member states are considering a possible joint response to cyber attacks allegedly conducted by a Chinese state-linked hacker group after the U.K. presented evidence last month about network infiltration, according to people familiar with the matter. For any retribution against China tied to cyber attacks, the EU would need to agree unanimously that the country was responsible and not all EU members currently agree, according to one of the people familiar with the matter. The EU is developing protocols to respond to malicious cyber activities, for instance by imposing sanctions, but it can be challenging to clearly attribute actions to any individuals or nation-state.
This article by Hannah Ellis-Petersen was published in The Guardian, 13 February 2019
The editor of an online newspaper in the Philippines has been arrested on charges of cyber-libel as part of what the country’s journalists’ union said was a campaign of intimidation against voices critical of President Rodrigo Duterte. The charges against Ressa relate to a story published on Rappler’s website in May 2012 that alleged ties between a Philippine businessman, Wilfredo D Keng, and a high court judge. The controversial cyber-libel law under which she is being prosecuted was enacted four months after the story was written.
This article by Peter Bright was published in Ars Technica, 12 February 2019
Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks.
This article by Vindu Goel was published in The New York Times, 14 February 2019
India’s government has proposed giving itself vast new powers to suppress internet content, igniting a heated battle with global technology giants and prompting comparisons to censorship in China. The new rules could be imposed by Prime Minister Narendra Modi’s government anytime after the public comment period ends on Thursday night. The administration has been eager to get them in place before the date is set for this spring’s national elections, which will prompt special pre-election rules limiting new policies.
This article by Yarno Ritzen was published in Al Jazeera, 14 February 2019
Facebook's automated ad approval system can be tricked fairly easily, making it possible to buy ads to spread misinformation and fake news in advance of the Nigeria elections, an Al Jazeera investigation has found. Last month, Facebook said it would temporarily disallow political ads targeting Nigeria from being purchased outside the country in an attempt to prevent foreign influence in the February 16 elections.
The article by Raphael Satter was published in AP News, 11 February 2019
When mysterious operatives lured two cybersecurity researchers to meetings at luxury hotels over the past two months, it was an apparent bid to discredit their research about an Israeli company that makes smartphone hacking technology used by some governments to spy on their citizens. The Associated Press has now learned of similar undercover efforts targeting at least four other individuals who have raised questions about the use of the Israeli firm’s spyware. The details of these covert efforts offer a glimpse into the sometimes shadowy world of private investigators, which includes some operatives who go beyond gathering information and instead act as provocateurs. The targets told the AP that the covert agents tried to goad them into making racist and anti-Israel remarks or revealing sensitive information about their work in connection with the lawsuits.
This article by Yiannis Mouratidis was published in Forbes, 10 February 2019
To address the issue of cybersecurity effectively, the European Union Agency for Network and Information Security (ENISA) recently took a big step in terms of efficient European cooperation. ENISA has taken the opportunity to work closely with its partner organizations: the European Defense Agency (EDA), the European Union Agency for Law Enforcement Cooperation (Europol), and the Computer Emergency Response Team for the E.U. Institutions, Agencies and Bodies (CERT-EU). In this regard, ENISA has signed a memorandum of understanding, which establishes a framework promoting cooperation on cybersecurity and defense.
This article by Lily Hay Newman was published in WIRED, 10 February 2019
Two weeks out from the longest government shutdown in United States history—and with the possibility of another still looming—government employees are still scrambling to mitigate impacts on federal cybersecurity defenses. And the stakes are high. The effects of the shutdown extend even to agencies that were funded throughout, like the military and intelligence community, thanks to interdependencies and network connections between agencies. The only potential silver lining? The risk management firm SecurityScorecard suggests that threats like spearphishing may have been less effective during the shutdown, since furloughed employees literally weren't in the office to check their email. Though government employees and contractors who were furloughed have now spent more than two weeks rebuilding from the shutdown, it will be months or even years before the full toll of the incident is understood. And if another shutdown comes next week, count on erasing whatever little progress has been made.
This article by Robert Morgus and Justin Sherman was published in New America, 11 February 2019
In 2017, the Trump administration eliminated the position of cybersecurity coordinator at the White House and closed the cyber coordinator office at the State Department. This was a decision that undoubtedly harmed the United States’ ability to preserve a global and open internet and promote democratic norms around technology writ large. But now, the State Department is reportedly standing up a new cybersecurity bureau. The exact details and timeline are still unclear, but a spokesperson has at least clarified it will be run by “an ambassador-at-large for cyberspace security and emerging technologies.” Leaders of the House Foreign Affairs Committee have also introduced a Cyber Diplomacy Act that would create a cyber diplomacy office at State, slightly modifying a bill from last year. This article outlines four opportunities for the new bureau moving forward.
On the 6th of March, the Danish Institute for International Studies (DIIS) will be hosting a seminar on Europe’s role in promoting responsible behavior in cyberspace.
Since the UN Group of Governmental Experts on Information Security failed to reach agreement in 2017, the global, multilateral efforts to promote responsible behavior in cyberspace have tried to regain the political momentum. However, several initiatives have been introduced at the state, non-state and intergovernmental levels. The EU has introduced a cyber diplomatic toolbox, Microsoft continues to promote a digital Geneva Convention, the Global Commission on the Stability of Cyberspace proposed six cyber norms, and Denmark has introduced the world’s first Tech Ambassador.