TechLetters #8 - No 2021 predictions. Some places got hacked. Flash is out. Orwell's Privacy by Design handbook is free.
Welcome to the 8th letter, and the first in 2021.
Editorial
How will 2021 be different from 2020 with respect to cybersecurity?
Why ask? It is merely a few days or months of difference in a continuous phenomenon, so there is little point in asking. Change is a slow process. I can tell the difference between the 1990s, 2000s, and 2010s. But did anyone notice any relative and substantial difference between, say, 2014 and 2015? Some differences between an arbitrary year X were noticed with respect to, e.g., 2017 — the year of NotPetya — but that was precisely because of the fame of NotPetya happening in 2017. It was impossible to see it coming in 2016. Similarly, it was impossible to see in 2019 that 2020 would have a substantially changed cyber risk profile due to changes in patterns of work (i.e. more work done remotely).
Why does it matter? It can be of help. How come?
Discussing or asking questions of the form “what will year X be like in cybersecurity” might then be treated as a potential suspicion flag. Think of it as a form of alarm bell; at the very least it warrants extra caution.
That is why, on the merits, there is little to be learned from discussing or asking this particular question (unless someone really has a good way to do it). But noticing that the question is being discussed is still valuable, for example when assessing the quality of interlocutors, disputants, vendors, consultants, news stories, etc. Specialised, list-style takes might still be OK; the generalist view, less so.
Security
Finland’s parliament, hacked. Systems of Finland's parliament were breached in autumn. "MP's parliamentary e-mail accounts compromised". Treated as an "attack on democracy and Finnish society". This is not the first such incident in the region; a similar one happened, for example, in Norway.
Cyber sanctions and retorsions. In October 2020, the European Union issued sanctions for cyberattacks on the German Parliament (Bundestag). Now the Russian Federation has retaliated, prohibiting entry to certain German citizens ("officials of the German security/intelligence structures"). Such responses are standard business in diplomacy, regardless of the reason.
Emotet vs Lithuania. A second wave of Emotet malware has been sent, as lures, to some government structures in Lithuania.
Hacking previous employers? Hacking business competitors is not recognised among standard business practices. For this reason, Ticketmaster will pay $10 million for... indeed, hacking into the systems of a competitor.
Reminders. Do not use the systems of your previous employers. Do not offer access to new employers ... This is not only unethical. When employees leave your organisation, strip the access rights from their accounts... Block or remove these. Also, hope that none of your employees shared their credentials with persons who happened to leave the company… But this should be against your corporate information security policy. You do happen to have a policy, right?
Flash out. Adobe Flash contributed to the development of the web platform - web browsers. This is true. It had then-exciting new features, allowing games, advanced applications, etc. to be built.
Unfortunately, Flash also had big cybersecurity problems, both in its platform and in the apparent maintenance of its security program.
The end of 2020 is also the end of Flash. For the better.
Flash's cybersecurity problems were legendary. They effectively made it possible to hack almost any internet user, at any time, if someone so wanted. A perpetual vulnerability. An example of a system that apparently cannot be fixed. That's why it's good that this also goes away.
Hacked, again, SolarWinds. US authorities were able to declare that the presidential elections in 2020 were secure, but were meanwhile unable to notice a 9-month hacking campaign intruding into agencies, institutions, and businesses? At least for the general audience, this may feel like a bit of cognitive dissonance. But there is more:
Employees say that under Mr. Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins …
Typical supply chain puzzles. Where do you get your products from?
None of the SolarWinds customers … were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.
Another proof that the General Data Protection Regulation (GDPR) is a cybersecurity regulation:
Even with its software installed throughout federal networks, employees said SolarWinds tacked on security only in 2017, under threat of penalty from a new European privacy law. Only then, employees say, did SolarWinds hire its first chief information officer and install a vice president of “security architecture.”
Privacy - differently this time
Orwell’s works, like 1984, are even further in the public domain now. This means that governments and regimes potentially interested in using the insights listed there as a rulebook would not risk infringing any rights. More seriously though, after the experience of 2020 (with the precedent of mandating the obligatory installation of some applications, which ultimately did not happen) we should be wiser and more cautious with ideas for the use of technologies.
Technology can often provide solutions. It’s just that these are not always the solutions we are looking for, or the actual solutions may bring surprising outcomes. This is why we would benefit from appropriate risk assessments and impact studies done preemptively.
That’s it this time, thanks!
In case you decide to forward this letter further for any reason, I’ll leave this thingy below: