Welcome to the 5th letter, with insight about a few important and relevant cybersecurity, privacy, and tech policy items. How to think about them?
Security
Russian cyberattacks. Norway says that a Russian State (GRU) cyber operator group is likely behind the cyberattack on the parliament; here’s the official announcement. The attackers brute-forced user accounts, and lateral movement was also attempted. A few months ago “the Russian embassy in Norway then stated that the accusations by the Norwegian authorities against the Russian Federation were a deliberate provocation” (and the message is upheld this time, too; the Russian Embassy said that “charges without evidence are unacceptable”). You decide!
Cybersecurity firm, hacked. FireEye, one of the renowned cybersecurity companies, was hacked, with red teaming (testing) tools stolen, so the company released their details. Unclear who is behind it, but they think it’s a Nation-State-sponsored group. The Washington Post reported that the group responsible may be Russia's SVR foreign intelligence service, or so the rumour mill goes. “Plenty of similar companies have also been popped like this,” said a Western security official who asked not to be named. Still, this will reinforce the adage that “everything can be hacked”. Perhaps, but not everything is worth hacking. Severity: very high.
Also hacked, EMA. The European Medicines Agency was breached. Some documents related to vaccine registration were stolen, among them ones concerning Pfizer and BioNTech's COVID19 vaccine candidate, BNT162b2. While important and relevant, data-wise the severity seems to be low.
Video Vulns. Very serious security bugs were found in Cisco Jabber, an instant messenger and videoconferencing solution. It was possible to access local files, among other things. Exploitability is rather easy. This core videoconference software happens to be ubiquitous at many institutions of the European Union, for example, the European Parliament. So there’s that.
New guidelines concerning telecoms and 5G security from ENISA.
UK military vs disinformation. British military enlisted to identify anti-vaccine disinformation?
Following a request for assistance last month, the army’s 77th Brigade information warfare unit has been drafted in to help officials across Whitehall to identify the most serious anti-vaxx disinformation originating from overseas so it can be managed through national security channels.
These do not work, deal with it? Ideas on cybersecurity to forget in 2021
Cyber operations do not create an existential threat
there has never been an incident that has led to escalation. The likely reasons there have been no cyber incidents that result in escalation is that states maintain careful control of their most dangerous cyber capabilities (Lukasz: here the author is not considering that more and more countries are building military cyber units and this brings specific changes to the landscape)
We are not deterring our opponents in cyberspace. The implied goal of deterrence is stability, and since our opponents do not want stability, this makes it ineffective as a strategy.
Cyber is a domain dominated by covertness and surprise. It is not the kind of thing you can parade on May Day, allowing Western observers to photograph and count. These attributes are antithetical to transparency and create a ceiling for transparency that no reasonable state will go beyond.
Obligatory grain-of-salt (not noted by the author): in cybersecurity things change fast. While indeed little evidence indicates that deterrence works (why would it?), the part on escalation is less clear. As for transparency, in fact, a May Day parade is possible with cyber tools (“weapons”).
Privacy
Advertising standards, policy, and privacy. It's that time of the year when elections to the World Wide Web Consortium’s (W3C) Technical Architecture Group (TAG) happen. This year is curious with a candidacy from the Interactive Advertising Bureau running to "work on privacy". We shall see. W3C TAG wields no formal powers but is rather influential and respected (speaking from experience; a former TAG Member). All this happens in the middle of a debate and technical changes to the web that would affect the web platform with respect to privacy and ads. This is not a drill.
Cookie fines. The French data protection authority fines Google (€100 million) and Amazon (€35M) for apparent breach of the ePrivacy Directive. This is about cookies and tracking: tracking cookies were used without user consent (Google changed how the mechanism is used on their site, after the inspection). Users were supposed to be informed before cookies are set.
"read and write [set/access cookie] operations must systematically be the subject of a prior consent of the user, after providing information, this constitutes a special rule with regard to the GDPR".
"no information relating to the deposit of cookies on the terminal equipment was provided at this stage to the persons concerned on this banner even though cookies with an advertising purpose had already been deposited on their terminal"
"The user is not able to understand the type of content and advertisements likely to be personalized according to his behavior".
The fine is based on local laws incorporating the ePrivacy Directive and GDPR considerations, with the high level of fines.
Tech policy
Face and book. The U.S. Federal Trade Commission is asking the U.S. Court to consider breaking up Facebook. One wonders how many years such proceedings will take.
ePrivacy lobbying. Nice article arguing/outlining the role of Amazon in lobbying over the ePrivacy Regulation (supposed to improve people’s privacy of online interactions) and presenting this as a success story. It’s even more interesting because Amazon was not prominently (as in, overtly) active during the many events organised.
Digital Services Act will be the next big European tech policy regulation. Not only does it feature 6% turnover fines for big platforms; it will also require transparency over how ads are displayed. For many reasons I’m interested (some reasons date to 2016 and 2014 even: 1, 2, 3). I actually wonder whether to move this into the ‘privacy’ section, considering that a few elements of the Act are clearly about privacy (and even cybersecurity; some would also classify other parts as cyber sovereignty).
Europe has rules. The French president E. Macron remarked that “The Americans have the GAFA [Google, Amazon, Facebook, Apple], the Chinese have the BATX [Baidu, Alibaba, Tencent, Xiaomi] and the Europeans have the GDPR.” Insightful. Also, realistic. Europe is a ~500M market, so it is still positioned to set and export the rules.
That’s it this time, thanks!
In case you decide to forward this letter further for any reason, I’ll leave this thingy below: