Cyber Week in Review: July 7, 2022
from Net Politics and Digital and Cyberspace Policy Program


Chinese police files offered for sale; Canadian police detail spyware use; U.S. reveals new quantum-proof algorithms; EU passes new technology regulations; U.S. seeks to stop sale of equipment to China.
European Commission President Ursula von der Leyen speaks at an event in Belgium in July 2019. Francois Lenoir/Reuters

Trove of Chinese Police Files Offered for Sale on the Dark Web

An unidentified hacker has listed a database for sale containing the records of over one billion Chinese citizens. The database was likely created by the Shanghai police department and contains information from 1995 to 2019 such as citizens’ names, phone numbers, birthplaces, and national ID numbers. If the leak is legitimate, it would represent one of the largest disclosures of personal information ever. The hacker posted hundreds of thousands of entries online as proof of the existence and authenticity of the database, and reporters called several people listed in the database, who confirmed their information was correct. In a sign of the severity of the leak, Chinese social media platforms began censoring hashtags such as “data leak” and “Shanghai national security database breach.” Researchers speculated that the hacker may have gained access to the data after a developer inadvertently included the login information to the database in a blog post.

Canada's National Police Force Details Use of Spyware to Hack Phones

The Royal Canadian Mounted Police (RCMP) disclosed how they use spyware to infiltrate mobile devices to collect information on serious criminal cases. The agency has admitted to using spyware in ten investigations between 2018 and 2020. RCMP admitted it has previously used spyware to collect a wide range of data including text messages, calendar entries, financial records, and even audio recordings of private conversations or photographic images of surroundings within range of a targeted device. In justifying their use of the spyware, the RCMP noted that the increased use of encrypted communication requires police departments to update their tools to remain effective in the digital era. Spyware has become a major topic in the past year, especially the NSO Group’s Pegasus spyware, which has been used improperly by numerous governments worldwide.

The United States Reveals Four Cryptographic Algorithms to Withstand Quantum Computing

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has revealed the first group of encryption tools that will be used to protect against quantum computers. Quantum computing has the potential to crack the encryption widely used in vital systems such as online banking and email software. While full-scale quantum computers are likely at least five years away, China has reportedly begun stockpiling encrypted communications in the event that quantum computers are able to decode them later. The four encryption algorithms NIST selected will become part of their post-quantum cryptographic standard that will be released in 2024. Despite the two-year timeline NIST has proposed, the agency strongly recommends that organizations start preparing for the transition immediately by following the Post-Quantum Cryptography Roadmap. Amongst other detailed recommendations, the roadmap suggests organizations take inventory of current cryptographic practices, create a plan for the transition, and alert the organization’s IT department of the upcoming transition.

European Union Passes Two Major Technology Regulations

The European Parliament formally passed two major pieces of digital policy earlier this week: the Digital Services Act, which forces platforms to take down illegal content more aggressively, and the Digital Markets Act, which bans companies from “self preferencing” their own apps or services. The two acts are aimed specifically at companies the European Union has termed gatekeepers, large technology companies including Apple, Google, Facebook, and Microsoft, that could stifle competition and deter smaller rivals. Gatekeepers are defined several ways, including both qualitative and quantitative measures such as either €65 billion in global market capitalization, or at least 45 million active monthly users in the EU. The acts will also levy fines of up to 10% of total worldwide revenue for the previous year, or 20% for companies that repeatedly violate either act. While some internet advocacy groups hailed the passage of the legislation, others said that the agencies tasked with enforcing the laws are still under-resourced, which could blunt the effectiveness of the laws.

United States Asks Dutch Semiconductor Equipment Manufacturer to Stop Selling to China

In an effort to thwart the growth of the Chinese microchip manufacturing industry, the U.S. government asked the Dutch government to stop ASML, one of the most prominent manufacturers of photolithographic equipment, from selling machinery to China. Photolithographic systems are essential to the production of newer microchips, and China has struggled to develop a domestic alternative to ASML’s products. ASML is already banned from selling its most advanced equipment to Chinese firms, but U.S. officials are now trying to prevent ASML from selling older generation photolithography systems to China. While restricting sales of photolithographic equipment further would deal a major blow to the Chinese microchip industry, some have argued that the Dutch are unlikely to agree to such an aggressive step, especially given the fact that sales in China account for 15 percent of ASML’s revenue and the damage such a move would do to relations between the Netherlands and China.

More on:

Cybersecurity

China

European Union

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.