This Week In Security - 04/20/2020
UK Introduces Controversial COVID-19 Tracing App
Last week, UK health minister Matt Hancock announced a new NHS app for contact tracing. Anyone with coronavirus symptoms can report their condition through the app, which then notifies other app users that person has been in contact with so they “can act accordingly”.
Hancock assured the British public that “All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research”, but such guarantees have done little to curb concerns over the app’s potential impact on user privacy.
Ross Anderson, a professor of security engineering at Cambridge University said, “I recognize the overwhelming force of the public-health arguments for a centralized system, but I also have 25 years’ experience of the NHS being incompetent at developing systems and repeatedly breaking their privacy promises when they do manage to collect some data of value”.
Other concerns include the government’s potential unwillingness to part with its new surveillance powers and the fact that the app lacks the necessary security to prevent misuse. A draft memo also suggests that the app could use device IDs “to enable de-anonymization if ministers judge that to be proportionate”.
Pentagon in Dirty Water Over Cyber Hygiene
A Government Accountability Office (GAO) report released earlier this week criticizes the Department of Defense’s “cyber hygiene”, saying its failure to implement basic cybersecurity practices leaves it facing “an enhanced risk of successful attack”.
The report found that the DoD had yet to complete all the tasks laid out in the 2015 DoD Cybersecurity Culture and Compliance Initiative (DC3I), even though the deadline has long since passed.
According to the report, “the seven remaining DC3I initiatives weren’t completed because the DoD’s Chief Information Officer’s office didn’t take steps to ensure their implementation”, leading to a situation where “the confidentiality, integrity, and availability of mission-critical information” are at risk.
Some basic cybersecurity practices, such as “disabling links in emails and ensuring cyber incident response plans are documented”, have yet to be implemented, and the department is still struggling to fully roll out the 2018 Cyber Awareness Challenge training.
The report identified a lack of monitoring and reporting as a major stumbling block, while noting that, although the department has identified “177 cyberattack techniques used by adversaries”, it “doesn’t know the extent to which they are used”.
The report closed with seven recommendations, including completing the three existing cybersecurity initiatives.
US Warns of North Korean Cyber Threats
The Department of Homeland Security, the FBI, and the Departments of State and Treasury have issued a joint advisory highlighting the gravity of the threat posed by state-sponsored cyber actors in the Democratic People’s Republic of Korea (DPRK).
According to the report, US and UN sanctions have caused the country to rely increasingly on “illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs”.
The devastating WannaCry ransomware attack of 2017 was formally attributed to North Korea by the US government, and the advisory says that current “malicious cyber activities” emanating from the country “pose a significant threat to the integrity and stability of the international financial system”.
The public announcement comes after two years of efforts by the Trump administration to “slow the North’s nuclear production” and appears to acknowledge the fact that these efforts have yielded minimal results.
The interagency report called on the public, the international community and “network defenders” to “work together to mitigate the cyber threat posed by North Korea”. The Department of State’s Rewards for Justice program has also offered a reward of up to $5 million to anyone with “information about illicit DPRK activities in cyberspace, including past or ongoing operations”.
Limited Cash Stimulus for Election Cybersecurity
The $2.2 trillion coronavirus stimulus bill includes a paltry $400 million “to protect elections during the pandemic”, despite calls from Democrats to dedicate $4 billion to the cause.
Since the 2016 election “was marred by a Russian hacking and disinformation operation”, there has been pressure on the government to “mandate changes such as paper ballots, post-election audits, and cybersecurity reviews”.
The decision has left election security hawks warning “that not only Russia but other U.S. adversaries are likely to try to undermine the 2020 election and sow doubts about its legitimacy”.
Voters are even more vulnerable to disinformation now than in 2016, with the coronavirus pandemic causing unprecedented anxiety and uncertainty. As a result, election security expert Alex Halderman believes, “if even one state suffers a major election security breach, that’s likely to cause voters across the country to lose confidence”.
The money allocated from the stimulus fund will go some way towards “adapting elections to reflect coronavirus challenges”.
In an ideal world, that could mean mail-in voting, but with President Trump’s reluctance to consider such reforms, it seems Americans might, to some extent, “have to choose between protecting their health and exercising their right to vote”.