TechLetters #6 - biggest cyberattack/intrusion in 2020 (via SolarWinds & co). Digital Services Act. New cybersecurity roads. On encryption as a problem. GDPR fines.
Welcome to the 6th letter, with an extended view on the supply chain intrusion via SolarWinds.
Security
The biggest hack/cyberattack of 2020 (?). SolarWinds IT management systems are installed in many important places, by many institutions, governments, and companies. It turns out there was a supply chain campaign that led to a compromise of the auto-updated software. This means the threat actor responsible had access to some really prominent targets, for a long time. The way it worked was that a trojanized version of SolarWinds software was pushed via the auto-updater. This in turn allowed the attackers to infect the victims (the unfortunate SolarWinds users). There are so many potential victims here that the attacker obviously had to prioritise accordingly; it was infeasible to hack and steal from all of them. Supply chain attacks introduce this interesting property.
Interesting links:
Generic vulnerability description
Excellent overview from FireEye
Microsoft explains how the backdoor works using the Kill Chain
U.S. Dept. of Homeland Security cybersecurity agency demands that all public institutions shut down the affected systems.
The password to SolarWinds update servers was solarwinds123, and access to their systems was auctioned on multiple underground forums.
Microsoft calls the cyberattacks “effectively an attack on the United States and its government and other critical institutions, including security firms”. That said, Microsoft is not the U.S. Department of State.
“U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day. Indeed, a military response to the Russian hack would violate international law” (here). Even if the cyberattack exceeds the ordinary espionage campaign, it’s not grounds for an “act of war”.
Proposal for a new cyber norm based on actual State practice:
This is what the 2019 ICRC Report on Humanitarian Consequences of Cyberoperations tells on the topic of supply chain attacks:
“the majority of the computer devices in the world are only one or two steps away from a trusted system that a determined attacker could compromise.”
Still fresh. This is exactly how such intrusions happen.
How to fix? Patching the SolarWinds/Orion package is one thing. But if an entity got hacked through this, simply patching does not magically address the fact that it has been totally breached. Recovery will require a lot of work, and time.
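The intrusion described above abused the trust that an auto-updater places in whatever the update server serves. As an added illustration (my own constructed example, not SolarWinds/Orion code or anything from the reports linked above), here is the minimal check a hardened update client performs before applying anything: the update manifest must verify under a publisher key pinned inside the client, and the downloaded artifact must match the digest in that signed manifest. The package name, manifest layout, key handling and sample bytes are all assumptions for the example. One caveat a practitioner should keep in mind: this check only protects against a swapped artifact or a forged manifest; if the publisher's own build or signing pipeline is compromised, the trojanized update carries a valid signature and passes, so signature verification is necessary but not sufficient, and build integrity plus monitoring of what the updated software actually does remain essential.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example of an update client that refuses to apply an update
// unless (1) the update manifest verifies under a publisher key pinned in
// the client and (2) the downloaded artifact matches the digest in that
// signed manifest. Hypothetical code, not SolarWinds/Orion code.

// Manifest describes one update. The client trusts the digest only after
// the manifest signature has verified.
type Manifest struct {
	Version string
	SHA256  string // hex-encoded SHA-256 of the artifact bytes
}

// canonical returns the exact bytes that are signed and verified.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignedManifest is what the update server hands to the client.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte // ed25519 signature over Manifest.canonical()
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify under the pinned publisher key")
	ErrDigestMismatch = errors.New("artifact digest does not match the signed manifest")
)

// SignManifest is the publisher side (build/release pipeline).
func SignManifest(priv ed25519.PrivateKey, artifact []byte, version string) SignedManifest {
	sum := sha256.Sum256(artifact)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, m.canonical())}
}

// VerifyUpdate is the client side. pinnedPub ships with the client binary and
// is never fetched from the update server, so a compromised server cannot
// substitute its own key.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, artifact []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(pinnedPub, sm.Manifest.canonical(), sm.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != sm.Manifest.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario runs three constructed cases and returns the verification result
// of each: a genuine update, the genuine manifest served with a modified
// artifact, and a manifest forged with a key the client has not pinned.
func Scenario() (genuine, tampered, forged error) {
	publisherPub, publisherPriv, err := ed25519.GenerateKey(nil) // nil => crypto/rand
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}

	// Constructed sample bytes standing in for a real update package.
	artifact := []byte("agent-update-1.2.3.bin (constructed sample bytes)")
	sm := SignManifest(publisherPriv, artifact, "1.2.3")
	genuine = VerifyUpdate(publisherPub, sm, artifact)

	// Same signed manifest, but the bytes on the update server were swapped.
	modified := bytes.Replace(artifact, []byte("update"), []byte("upd4te"), 1)
	tampered = VerifyUpdate(publisherPub, sm, modified)

	// A manifest whose digest matches the modified bytes, but signed with a
	// key the client does not trust.
	forgedSM := SignManifest(otherPriv, modified, "1.2.3")
	forged = VerifyUpdate(publisherPub, forgedSM, modified)
	return genuine, tampered, forged
}

func main() {
	g, t, f := Scenario()
	fmt.Println("genuine update:", g)     // <nil>
	fmt.Println("tampered artifact:", t)  // digest mismatch
	fmt.Println("forged manifest:", f)    // bad signature
}
```

The design point is that the digest lives inside the signed manifest and the verifying key lives inside the client, so neither the artifact nor the manifest served by the update infrastructure is trusted on its own.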
NIS2. European Union/Commission presented new ideas on improving cybersecurity. My analysis. This time, non-compliance costs 10M EUR or 2% of turnover.
Curious part: it suggests access to end-to-end encrypted communication:
“The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.”
Privacy
GDPR fine for Twitter. €450,000 for failure to notify a data breach in time. The cause was a software bug in the 'protected account' feature. It affected 88,726 people. This amount will be controversial. The decision, a huge document, is here.
Leaking AI models. Recovering private information from machine learning models is possible, and simpler than many imagine.
Tech policy
DSA-DMA. European Union/Commission unveiled its proposal for the Digital Services Act and Digital Markets Act. My analysis of the technology, cybersecurity, and privacy angles. I like the risk/impact assessment part, but its effects will depend on how this works in practice. If it’s simply a legalistic checkbox thing, it won’t deliver much. Ad transparency is also of great help:
The obligation to disclose that something is an ad, and to include trace information explaining the nature of the ad.
Who directed it (its source), and who the ad was targeted at.
Targeting transparency, i.e. how the user was targeted (for example, programmatically?) with particular ad content or messaging.
For example, the fact that real-time bidding technology introduced unprecedented ways of affecting societies, dividing or polarising public opinion, or sometimes introducing “poisoned” elements into the public debate. Or in other words, how to hack elections (note that this article is from summer 2016, some time before this topic caught the attention of the public). It was possible to predict this and other misuses in advance, but there was no interest in doing so. Will there be now?
Despite encryption? Council of the European Union adopted its official approach to encryption: “security through encryption and security despite encryption”. I explained the risks here.
That’s it this time, thanks!
In case you decide to forward this letter further for any reason, I’ll leave this thingy below: