Cyber wrap
31 May 2017

Image courtesy of Flickr user James Lee.

China’s new cybersecurity law enters into force this week, less than a month after the implementation of additional measures for security reviews of critical network products and services. (See here for some background on the legislation.) Earlier measures under the law include regulations on the collection and transmission of data, a requirement that data generated in China be stored in China (‘data localisation’), and prohibitions on, or mandatory government security assessments of, data exports, depending on the volume and nature of the data involved.

A number of multinationals have repeatedly asked for a delay before the law takes effect, arguing that it burdens foreign companies with selective requirements. For the most part, though, Chinese companies seem prepared to comply, and Chinese cloud storage providers are likely to see an uptick in demand over their American counterparts as foreign companies scramble to procure local data-storage capacity. Similarly, Microsoft has released a Chinese-government-specific version of Windows 10. Compliance with the new law seems to be becoming the new normal.

Criticism remains, largely focused on overbroad language, such as the term ‘network operators’, which potentially extends onerous compliance requirements to small businesses. More general criticism has been levelled at the law’s potential implications for freedom of speech and human rights. It’s not yet clear what the full impact of the law will be, or how strictly the framework will be enforced, but it is clear that China’s government will take an even more hands-on approach to cybersecurity and data governance.

On the other side of the privacy debate, 31 US technology companies, including Amazon, Facebook, Google and Microsoft (but not Apple), signed and issued a letter last Friday urging Congress to better protect privacy by revising the Foreign Intelligence Surveillance Act (FISA) ahead of the reauthorisation of its Section 702, which expires at the end of this year. Section 702 currently allows the NSA to collect the internet communications of non-US persons located abroad, incidentally sweeping in Americans’ communications with those targets, but the companies argue that there’s scope to improve public trust in the program while continuing to service intelligence needs.

President Trump has asked the Department of Justice to investigate US leaks of material from the Manchester attack investigation after UK police temporarily suspended information sharing with US law enforcement. Although that relationship has since resumed, the episode is indicative of the continuing problems the Trump administration is having with leaks, and of the corrosive effect they’re having on its international relationships.

Leaks don’t just affect information-sharing agreements and incumbent governments either; they’ve had debilitating effects on elections and democratic processes. Citizen Lab has published research on Russian leaking and disinformation campaigns, which it has termed ‘tainted leaks’: groups such as CyberBerkut have been found ‘tainting’ (that is, selectively editing) e-mails before publishing them, so that genuine documents lend credibility to falsified ones. Citizen Lab has also provided additional evidence linking CyberBerkut with Fancy Bear/APT28, the group behind the DNC hack during the US presidential election, suggesting that such ‘tainted leaks’ are part of an intentional and wider strategy.

Russian cybersecurity firm Kaspersky Lab has tried to distance itself from Russian cyberespionage efforts. Speaking to The Australian during CeBIT Australia, founder Eugene Kaspersky hit back at US government officials who have expressed concern over the company’s potential links with Russian intelligence agencies.

Media coverage of the global WannaCry ransomware attack has begun to wind down, but the event itself continues to have knock-on effects. The attribution ‘whodunnit’ has largely settled on the North Korea-linked Lazarus Group, but threat intelligence firm Flashpoint has offered a dissenting opinion, arguing on the basis of a linguistic analysis of the ransom note in its 28 language versions that the Chinese-language note appears to be the original and that the authors were likely native or fluent Chinese speakers. That kind of linguistic fingerprint is weak evidence on its own, and easy for a careful actor to fake. Attribution aside, one tally of the financial damage puts ransom payments, which are traceable on the blockchain because the malware hard-coded just three Bitcoin wallet addresses, at US$116,542, with over US$1 billion in wider damages and over 450,000 machines infected.

Also in response to WannaCry, hospitals in Queensland have recently patched and updated their systems. The patches, however, have prevented staff from logging in, forcing hospitals to revert to paper records until the issue is resolved. The outage has been attributed to compatibility issues, which demonstrates the difficulty that systems managers face in balancing the urgency of security patches against keeping critical applications available, and the value of testing patches on a representative subset of hosts before a fleet-wide rollout.

Across the Tasman, the University of Waikato in New Zealand and the government of Tonga have signed a memorandum of understanding on collaboration in cybersecurity capability and research, following a framework for collaboration between CERT Australia and Tonga’s national CERT.

Cooperation looks to be just as high on Indian Prime Minister Narendra Modi’s agenda for his visit to Madrid on 30 May, with Indian media reporting that the South Asian giant will likely enter into cybersecurity arrangements with Germany and Spain to jointly combat cybercrime and violent extremism online.

Lastly, Australian robotics has just had two hands untied from behind its back. National guidelines for trials of driverless cars have been published. And the Civil Aviation Safety Authority (CASA) has released a free app that maps the areas in Australia where drones can be flown: check it out here.