- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Department of Justice Blames Chinese Military Hackers for 2017 Equifax Attack
On Monday, the U.S. Department of Justice (DOJ) indicted [PDF] four members of the Chinese People’s Liberation Army, alleging they stole the personal information of over one hundred million Americans in a 2017 attack on credit monitoring company Equifax. In the 2017 breach the hackers stole names, birth dates, social security numbers, and, in some cases, credit card information and driver’s license numbers. Security researchers originally suspected that the attack was the work of cybercriminals, but the fact that the information never appeared for sale fed suspicion that a state actor was involved. The indictment contained specific details about the attackers’ actions, but no details about how the U.S. acquired them. This is not the first time China has been accused of stealing Americans’ personal information—over the past few years it stands accused of hacking the Office of Personnel Management, the Marriott hotel chain, and Anthem health insurance in search of sensitive data. U.S. Attorney General William Barr alleged that China could use the information it acquired to target American officials.
As part of Trump administration pressure on China, this week the DOJ also charged Huawei and two of its U.S. subsidiaries with racketeering and the theft of trade secrets. The new indictment builds on allegations the U.S. leveled in January 2019 accusing Huawei of financial fraud and violating U.S. sanctions on Iran and accuses the company of selling equipment to North Korea. Federal prosecutors said the new charges related to a decades-long effort by Huawei and its subsidiaries in the U.S. and China to steal intellectual property from U.S. technology companies. The companies aren’t listed, but the indictment mirrors previous lawsuits by Cisco and Motorola against the Chinese company. If convicted of racketeering or fraud, Huawei could be excluded from the U.S. financial system, which would make it much harder for it to do business around the world. Analysts expect Huawei to try to negotiate a plea deal.
Personal Data of all Israeli Voters Leaked
A mobile app used by Prime Minister Netanyahu and his Likud party contained a serious security flaw that exposed the names, addresses, and identity card numbers of all 6.5 million eligible Israeli voters. The flaw allowed anyone to easily download the entire voter registry, which the government distributes to political parties before elections. The parties all commit to protect the privacy of individuals in the register by not duplicating and deleting it when the election is over. According to Haaretz, the app’s home page contained usernames and passwords which would allow anyone to log in and download the registry. Though cybersecurity experts have long cautioned about the security risks created by the use of new technology by political parties, the company that developed the app claimed it was a “one-off incident that was immediately dealt with.”
Iran Partially Shuts Down Internet to Thwart Cyberattack
On Saturday, the NetBlocks internet observatory noticed a significant disruption to internet service in Iran. The country’s connectivity was reduced by up to 25 percent for almost seven hours, which the Iranian Ministry of Information and Communications Technology claimed was the result of deliberate shutdown to thwart a distributed denial of service attack. Following the shutdown, Iran postponed a major satellite launch, which was scheduled for the same time that the attack hit Iranian networks. The Iranian government did not confirm a connection between the attack and the postponement. Aside from this incident, in the past few months Iran has had two major disruptions in internet service: one was likely the result of a technical issue, while the other was intentional by the Iranian government amid widespread protests.
UK to Empower Regulator to Enforce Rules on Online Content
On Wednesday, the UK government announced that it plans to give its media regulator Ofcom the power to penalize companies that fail to remove illegal content, such as child pornography from their platforms. The proposal also requires companies to enforce their own rules on harmful content in a consistent and transparent way. Details on enforcement were sparse but a proposal circulated by the government in the past suggested that a regulator could take a wide array of actions, including fines and making executives individually liable for what appears on their sites. The UK has failed in its attempts to regulate online content before and abandoned its goal of enforcing age requirements to access internet pornography last year.
Federal Trade Commission Expands Big Tech Antitrust Review to Include Smaller Acquisitions
On Tuesday, the U.S. Federal Trade Commission (FTC) announced it would expand its antitrust investigation of major technology companies to include smaller acquisitions that don’t meet the threshold for mandatory review. Under the current law, acquisitions of less than $94 million do not need to be approved by regulators. The FTC said it was probing whether tech companies “are making potentially anticompetitive acquisitions of nascent or potential competitors” that may fall below the threshold. The investigation could potentially lead to the forced reversal of past purchases by the companies. Opponents of the investigation argue that the potential payoff that comes with acquisition can actually spur investment and innovation in small companies.