Cyber Week in Review: January 31, 2020
The United Kingdom Won’t Ban Huawei
Under pressure from both the United States and China, on Tuesday the United Kingdom announced it would not ban Huawei equipment from its 5G networks. While the British government did say it would limit what network infrastructure “high-risk” vendors are allowed to provide, Democrats and Republicans both lambasted the move and called into question the future of U.S.-UK intelligence sharing. Experts disagree about the risk that allowing Huawei into non-critical network segments poses. U.S. officials argue that any Huawei equipment could allow China to eventually compromise UK networks, while the UK digital secretary argued the decision “paves the way for secure and resilient networks.” The UK is one of the United States’ closest intelligence sharing partners and a member of the Five Eyes alliance along with Canada, Australia, and New Zealand. Australia has moved to ban Huawei from its 5G networks, but Canada is still weighing the decision. The UK’s move could drive Canada to reject the United States’ advice as well.
Major UN Hack Revealed
A leaked report shows that the United Nations was the victim of a major breach beginning in July 2019. Dozens of servers at the UN offices in Geneva and Vienna and the Office of the High Commissioner for Human Rights (OHCHR) were compromised. Some experts have suggested that the relative precision of the attack is likely indicative of espionage. An OHCHR spokesman claimed that nothing confidential was compromised, and a UN spokesman claimed that the damage to the organization as a whole had been contained. However, much about the breach is still unknown, including who performed it, what the primary target was, and how much data was actually stolen. While the international organization’s status as a diplomatic entity means it is under no obligation to report any breach, the United Nations was criticized for not informing its staff or the public about the breach before the report was leaked.
“SeaTurtle” DNS Hijacking Campaign Reportedly Aligned With Turkish Government
On Monday, Reuters released a report attributing the “SeaTurtle” DNS hijacking campaign to hackers aligned with the Turkish government. Three “senior Western security officials” cited in the report claim that the identities of the victims, similarities to previous attacks, and other confidential assessments led them to believe the campaign was a state-backed cyber espionage operation to advance Turkish interests. The campaign, first reported by Cisco Talos in April 2019, targeted the Cypriot and Greek governments, the Iraqi government’s national security advisor, Albanian state intelligence, and civilian organizations in Turkey, among others. Some of the targeted Turkish organizations had been accused by Turkish media of having links to exiled cleric Fethullah Gulen. The campaign used DNS hijacking to redirect victims from the website they intended to access to one controlled by the attackers. After unsuspecting victims tried to log in to the attacker’s website, their credentials were stolen. While DNS hijacking is not a new technique, the size and sophistication of this campaign are unique, and the attackers possibly were able to intercept all of the internet traffic to some countries.
Department of Interior Grounds Drone Fleet
On Wednesday, the U.S. Department of the Interior (DOI) formally grounded its entire fleet of drones, all of which were either made in China or have Chinese parts, citing “cybersecurity, technology, and domestic production concerns.” The order formalizes a temporary grounding in place since October. Though no evidence has been made public, the grounding follows warnings from the Department of Homeland Security in 2017 and 2019 about the risks of Chinese-made drones to U.S. security interests. The order allows flights to continue in emergencies, and the agency says it has performed twelve emergency flights since the initial grounding in October. DOI normally uses drones for routine tasks like habitat monitoring and geological surveys and says those tasks will now be done by plane or helicopter instead. DOI says it is working with the Department of Defense and members of the intelligence community to review the drones, and it is unclear when or if the order will be lifted. Chinese drone manufacturer DJI claimed the decision was politically motivated and that its products have been validated by DOI and the Department of Homeland Security.
Facebook Settles Facial Recognition Lawsuit
On Wednesday, Facebook agreed to pay $550 million to settle a lawsuit brought against it for its use of facial recognition technology. The lawsuit alleged that the company violated Illinois’ Biometric Information Privacy Act by using face-matching software to identify people in users’ photos without their consent. Illinois has the strictest biometric privacy laws in the country—companies must get written permission before collecting any identifying biological data from users and can be sued for up to $5,000 per violation. Facebook has used “Tag Suggestions” to identify individuals in photos they aren’t tagged in since 2010, but the system has been controversial since its inception. Facebook deactivated it in Europe in 2012 after pressure from regulators.