CyberWire Daily - A state of emergency over bulk power in the States. Beijing’s disinformation about COVID-19, and its motivation for a coverup. Hacking biomedical research. Curious Xiaomi phones.
Episode Date: May 4, 2020
A US Executive Order on Securing the United States Bulk-Power System declares a state of emergency in electricity generation and distribution. China’s disinformation about COVID-19 may have begun in the earliest stages of the pandemic. Someone’s hacking for information on British biomedical research. Xiaomi seems very interested in users of its phones. Andrea Little Limbago on global privacy trends, our guest is Mathew Newfield from Unisys with insights on cybersecurity breaches. And the Love Bug’s creator is found. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_04.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A U.S. executive order on securing the United States' bulk power system
declares a state of emergency in electricity
generation and distribution. China's disinformation about COVID-19 may have begun in the earliest
stages of the pandemic. Someone's hacking for information on British biomedical research.
Xiaomi seems very interested in users of its phones. Andrea Little Limbago tracks global
privacy trends. Our guest is Matthew Newfield from Unisys with his insights on trends in breaches
And the Love Bug's creator is found.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 4th, 2020.
President Trump on Friday issued an executive order on securing the United States' bulk power system. The executive order expresses recognition of the degree to which foreign adversaries are interested in holding the U.S. electrical power generation and distribution system at risk, and declares a state of emergency.
It explicitly addresses cyber threats and
vulnerabilities, but the executive order concentrates on safety and reliability engineering
and on the risk of a hostile foreign government's ability to compromise hardware supply chains
or engage in active sabotage. No companies or nations are named in the order, but it resembles
other steps the executive branch has taken with respect to information and communications technology, and these have tended to fall most heavily on Chinese companies, notably Huawei.
The Department of Energy will be the lead agency for enforcing the restrictions the executive order imposes. The Secretary of Energy will also lead a task force that will address
federal policy on securing bulk power systems. Its members will include the Secretaries of Defense,
Interior, Commerce, and Homeland Security, the Director of National Intelligence, the Director
of the Office of Management and Budget, and, quote, the head of any other agency that the
chair may designate in consultation with the Secretary of Defense and the Secretary of the Interior, end quote.
It's worth noting that many of the entirely realistic concerns about supply chain integrity have concentrated on the risk posed by counterfeit and presumably unreliable parts.
Serious as the threat of counterfeit parts may be, they're not what the present executive order is about.
It's about the ability of foreign adversaries to create and exploit vulnerabilities
in bulk power system electric equipment with potentially catastrophic effects.
That's a far more intentional threat than the introduction of slipshod components into a supply chain.
NextGov quotes a Public Citizen representative who wonders whether the executive order is just a cynical attempt to hobble the green energy sector by keeping Huawei parts out of the hands of solar power operators, but that view seems unlikely to gain much traction. A bipartisan group of 10 senators in February of last year wrote the Secretaries of Energy and Homeland Security to ask that the government ban Huawei specifically from participating in the U.S. photovoltaic market. Last Friday's executive order is a step in that direction.
China's COVID-19 disinformation campaign may have begun by suppressing domestic social media
comment, and it may have begun in the earliest stages of the epidemic. Wired describes how quickly and comprehensively the Chinese government
moved to suppress social media posts that dealt with the initial outbreak of COVID-19 in Wuhan.
The efforts at suppression go back at least as far as the first week of January.
How have reporters become aware of them? By following the maxim, "cover China as if you were covering Snapchat." The posts have a brief life, so when you see something interesting, take a screenshot before the post is squashed and the account blocked for spreading malicious rumors.
Weibo and WeChat Moments are the most commonly used platforms on which ephemeral posts appear.
Avoiding embarrassment would surely have been a principal goal of the censorship campaign, but it may also have had a more direct practical objective. The suppression of the news may in part have been motivated by plans to
stockpile necessary medical supplies. The AP and Politico report seeing a U.S. Department of
Homeland Security report that says in part,
quote, we further assess the Chinese government attempted to hide its actions by denying there were export restrictions
and obfuscating and delaying provisions of its trade data, end quote.
Before informing the World Health Organization of the epidemic's outbreak,
Beijing significantly cut back exports and increased imports of such basic medical
equipment as face masks, gloves, and gowns. Intelligence services continue to investigate
the source of the outbreak. The Washington Examiner reports that a majority of the agencies
in the U.S. intelligence community now believe with high confidence that the COVID-19 pandemic
originated in the Wuhan Institute of Virology.
The release is believed to be accidental, and the virus is not thought to have been engineered.
The alternative explanation, that the outbreak involved zoonotic transmission from Wuhan wet markets,
remains a possibility, but it's losing ground.
The examiner also quotes U.S. Secretary of State Pompeo as saying that there's
enormous evidence of the lab's role in the initial spread of the virus.
The cybersecurity team at Unisys have been tracking trends in breaches. Matthew Newfield
is chief information security officer at Unisys, and he offers his perspective.
One of the things we're really focused on is what is the work
from home experience going to be like moving forward? One of the things that is coming up a
lot in the conversations I have with CIOs and CISOs around the world is they do not expect to
go back to the way things were as recently as January with the amount of people that will be coming into offices.
And there is an interesting focus on the new norm for working from home. And it's interesting for
a couple of reasons. First, there are roles that a lot of organizations thought must be in an office
to be successful. Everything from being a coding engineer to an IT administrator to service
desk, help desk employees, they're all working from home now. And a lot of organizations are seeing
not only success with that, but improved performance, improved efficiencies, and improved morale where there are areas that may have heavy commute times.
One of the interesting things that's also happening is around that a lot of financial
executives are looking at the cost per employee to keep them in an office as compared to keep
them at home. So I think you're going to see not the numbers stay where it is now,
which is that 90 to 100% work from home. But I don't think we're going to get back to that 13
to 17% where there's been this huge push over the last few years to really get people into offices.
As a leader in the industry, as someone in a high-level position such as the one you're in, how are you going about checking in on your people?
How are you handling the human side?
As people are working from home, you might not have the direct contact, those water cooler conversations that you used to have.
How do you make sure that people are doing okay in the midst of an anxiety-inducing event like this?
It's a great question.
And I think this is actually the most important thing all leaders can do for the people they work with, the people they work for, and the people that work for them.
I set aside a significant amount of my time every day to make phone calls, to make video calls to the people I work with just to check in on them.
I would tell your listeners one of the things you need to be aware of is if you're doing that from a business perspective, you have to communicate with your employees on what platforms are acceptable for business conduct as compared to personal conduct. And let's be honest, a lot of people are really concerned about what does this continuing
situation, what is it going to do to my job? What's it going to do to me personally? And by
having regular communications, you can stamp down that fear, that level of anxiety, so that people can focus on the job at hand.
That's Matthew Newfield from Unisys.
Sources at the National Cyber Security Centre have told journalists that Russian and Iranian intelligence services are seeking to infiltrate the networks of medical research programs working on COVID-19, the Telegraph reports.
The Telegraph's story suggests that
these efforts are part of the same campaign U.S. counterintelligence authorities discussed last
week with the BBC. That attribution isn't universally accepted, and the evidence is
still being developed. The report in The Guardian, which quotes extensively from statements by NCSC,
indicates that the hackers could have been a criminal gang
as easily as they could have been a nation-state,
although those lines are in such cases often blurry.
A report from ZDNet this morning adds China to the rogues' gallery of suspected states.
Chinese device and accessory manufacturer Xiaomi is tracking ostensibly private information collected from users of its phones and of its Mi and Mint browsers, Forbes reports. Researcher Gabi Cirlig told Forbes that the data he observed being collected from his own device
included all the websites he visited, search engine queries,
and those included queries with either Google or DuckDuckGo,
and everything viewed in a Xiaomi news feed. The folders he opened, his movements among screens,
and the songs played on the Xiaomi music app were also being followed.
The data were sent to servers in Singapore and Russia to domains registered in Beijing.
The collection occurred even when the researcher moved to a private incognito mode.
Xiaomi has denied any impropriety or illegality.
And finally, remember the love bug infestation that circulated around the internet in 2000?
The BBC has tracked the author down to a repair shop in Manila.
He's sorry. He says he was only trying to steal a few passwords to get free internet.
And let those who haven't wanted free internet cast the first stone, we guess.
And I am pleased to welcome back to the show Andrea Little-Limbago.
Andrea, it's always great to have you back.
I wanted to touch base with you today
on some of the things that I know you're tracking when it comes to privacy, some of the initiatives
that are making their way through various organizations around the world. What can you
share with us today? Yeah, in many cases, people thought when GDPR went through with that, that
was a year of privacy. But I think really what we're seeing is the continuation of what happened in 2018, with GDPR coming into effect and with Cambridge Analytica really sparking much greater
awareness amongst the public of what data was being collected and monetized. And then as we
keep seeing high profile cyber attacks go on, the momentum continues to build from 2018 through now,
and I think it will be throughout this year. And so what we're seeing, I would say, a two-level game is what we call an international relations, what's going on domestically and what's
going on internationally. And so internationally, Brazil is probably one of the bigger ones to keep
an eye on for this year. And so they're passing the LGPD privacy law that bears a lot of similarities
to the GDPR. And so just as, you know, I think in the past we've talked about digital authoritarian
models spreading, the GDPR model is also spreading to other countries as far as data protection and individual data rights.
You know, sort of a good anecdote along that is Ecuador last year, towards the end of last year, experienced a data compromise where data on almost all their citizens was exposed online.
In a week, they went to, were trying to push through a law that bore a lot of resemblances to
the GDPR. So when countries start to take privacy seriously and start understanding what needs to be
done, the model they're looking to right now is the GDPR. And so I'd keep an eye on that, on which
countries are starting to try and do similar kinds of policies and laws. And even, you know, India is going through a very big debate right now that highlights, I think, the push and pull tension that's going on with privacy. Because on the one hand, India is very much ingrained in a similar encryption debate going on, and they want government-mandated backdoor access. And so you've got that going on on one hand; at the same time, India has a big push for individual data rights and data control that they're pushing through, and are trying to create an organization to oversee it and help provide that greater data access and control, given they've got the database of over a billion people. So there's a push and pull going on there, and that will be an interesting tension to see which movement really wins out. And so we see a lot of that going on globally, still continuing to see the various surveillance states and more and more data being gobbled up across the globe by governments.
In the U.S., at the domestic level, absent any federal policy right now for privacy and data protection, which I don't foresee that coming this year, the states are taking the lead.
And Hawaii was just the most recent one, I think, to jump onto that.
And we're seeing a lot of basically following on the trail of, you know, the CCPA, the California Consumer Privacy Act. You know, that came into effect in January. And other states are taking parts of that for data protection and privacy. They're customizing it to their own. And really what we're getting, we're getting a patchwork, very similar to data breach notification laws, where we now have 54 different data breach notification laws in the US. We're getting to the point where, at least if I were to guess and look at where the trends and trajectories are going, we're going to end up with 50 different data protection laws. And before we get to that point, I imagine businesses and so forth will force the issue at the federal level for harmonization, because it's going to increasingly become hard to figure out what laws apply where and to what extent.
Now that we've been living with the GDPR for a little while, as other nations look to spin up their own versions and are looking at that, are there any lessons that they've learned?
Any lessons on what not to do?
Any unintended consequences?
Yes, I think for sure.
And that's, yeah, it's almost nice to be getting the second mover advantage.
So learning what the first mover has done and building upon what they did right and, you know, learning lessons from what they did wrong. And I would argue that perhaps the biggest one on the GDPR is really just the resources required.
You know, because once it came into effect, you know, there were so many cases that were brought forth that it's really been hard to go through.
And without precedent for any of them, you know, they're basically having to build the legal precedent now.
So that down the road, I think they'll be faster in looking at the violations and the fines and
figuring that out. But right now, they're basically establishing precedent in relatively new areas
and don't necessarily have all the resources required, the personnel to do it, to actually
handle all the different complaints being brought in. And I think that's true both at the government
level, and then we also see it at the corporate level as far as your right of access and making sure that when an individual does ask for all the
data on them, whether corporations are actually prepared to return that in a timely manner.
And I think we're seeing, again, that those resources may not quite be there yet. And so
that's almost where I would argue one of the bigger areas is. And then I think
also just thinking about how we define personal data, thinking about the timely responses and so
forth, I think is another area that I think we can learn some lessons from.
All right. Well, Andrea Little Limbago, thanks for joining us.
Great. Thank you for having me.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. Back here tomorrow.