Cyber Week in Review: Dec 13, 2019
from Net Politics and Digital and Cyberspace Policy Program

GitHub to open subsidiary in China; Chinese public institutions to replace foreign computer equipment; Senate Judiciary Committee holds hearing on encryption; NIAC calls cyber threats to critical infrastructure an “existential threat”; and Cyberattack strikes Iranian banks.
Customers use computers at an internet cafe in Taiyuan, Shanxi province REUTERS/Stringer

GitHub to Open Subsidiary in China

GitHub, the world’s largest repository of open-source software that allows developers to collaborate on projects, is looking to open a subsidiary in China, which is the firm’s most important market after the United States and one of its fastest growing developer communities. The foreign-owned subsidiary will explore joint ventures and the possibility of hosting GitHub content in China, which will allow Chinese developers access to open-source software that would ideally remain exempt from U.S. sanctions. However, GitHub content hosted in China may be vulnerable to Chinese censorship. In the past, China has deployed its powerful DDoS tool, the “Great Cannon,” against GitHub pages that provided tools for circumventing China’s Great Firewall.

Chinese Public Institutions to Replace Foreign Computer Equipment

In its most far-reaching effort yet, China has ordered all government offices and public institutions to remove foreign computer equipment and software within three years. The ban seems to mirror the Trump administration’s restrictions on the use of Chinese technology in the United States. In response to these restrictions, China has increasingly aimed to become technologically self-sufficient and reduce its technological reliance on the United States. An estimated twenty to thirty million pieces of hardware will need to be replaced beginning next year, with substitutions occurring at a “3-5-2” pace: 30 percent in 2020, 50 percent in 2021, and 20 percent the year after. However, it will be difficult to become completely self-sufficient, as many “domestically made” products have components made by foreign companies, and most software vendors develop products for popular U.S.-made operating systems.

Senate Judiciary Committee Holds Hearing on Encryption

The long debate between law enforcement and the technology industry over the legitimate use of encryption continued this Tuesday during a Senate Judiciary Committee hearing. One of the U.S. government’s most vocal critics of encryption, Manhattan district attorney Cy Vance, testified in favor of requiring “lawful access” to encrypted data on mobile devices through back doors to help law enforcement. Representatives from Apple and Facebook have opposed this on the grounds that back doors intended for law enforcement would also be accessible to hackers and other states, like Russia and China. Although efforts by the U.S. government to mandate access to encrypted data, such as Senator Dianne Feinstein’s proposed 2016 bill, have failed to come to fruition, Australia successfully passed a bill in 2018 requiring tech companies to provide law enforcement and security agencies with access to encrypted communications. U.S. senators at Tuesday’s hearing warned that if technology companies fail to impose policies to grant law enforcement access to encrypted data, lawmakers will “impose their will” on them.

NIAC Calls Cyber Threats to Critical Infrastructure an “Existential Threat”

This week, the National Infrastructure Advisory Council (NIAC) published a draft report addressed to President Donald Trump stating that cyber threats to critical infrastructure pose an “existential threat” to national security. To confront this challenge, the report urges President Trump to establish a Critical Infrastructure Command Center to facilitate the sharing of classified information between government agencies and companies at risk of cyberattack. It also proposes an executive order to create a Federal Cybersecurity Commission as an independent U.S. government entity to mitigate cyber risks to critical infrastructure whose disruption would severely impact national security. The report strikes an alarming note, stating that “it is not a matter of if, but when, an attack will happen. Our window of opportunity to thwart a cyber 9-11 attack before it happens is closing quickly,” and lists China, Russia, and Iran as the most likely states to launch a major attack on U.S. critical infrastructure.

Cyberattack Strikes Iranian Banks

In the aftermath of the recent protests in Iran, details of fifteen million Iranian debit cards have been distributed on the messaging app Telegram, constituting the most serious banking security breach in the country’s history. With three separate banks targeted, the number of affected accounts represents close to a fifth of Iran’s population. While Iran’s information and telecommunications minister, Mohammad Javad Azari Jahromi, blamed the breach on a disgruntled employee, outside cybersecurity experts believe that it was likely the work of a powerful state actor. Regardless of who was responsible, the breach represents another blow to Iran’s economy, which has been struggling amid U.S. sanctions and domestic civil unrest. It also reflects the poor state of cybersecurity in many Iranian entities. Despite the country’s impressive offensive capabilities in cyberspace, one expert describes the state of cybersecurity at most government entities and banks as “in shambles.”

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.