Cyber Week in Review: May 1, 2020

Commerce Department Tightens Restrictions on Technology Exports

On Monday, the U.S. Department of Commerce announced the introduction of new export controls on U.S.-made technologies, aiming to thwart Chinese, Russian, and Venezuelan efforts to circumvent older restrictions. The new regulations increase the range of products, particularly in the semiconductor and aerospace industries, that need to be reviewed by national security officials before they can be shipped overseas. In recent years, U.S. officials have become increasingly concerned about “military-civilian fusion,” a strategic initiative to more closely link the commercial sector and defense innovation base, which has reportedly included Chinese leaders pressuring private companies to acquire foreign technology for the People’s Liberation Army. Semiconductor Industry Association CEO John Neuffer worried that while military-civil fusion requires a U.S. response, overly broad controls will “create further uncertainty for our industry during this time of unprecedented global economic turmoil.”

Australia Debuts Coronavirus Tracing App

On Sunday, Australia announced “COVIDSafe,” a coronavirus tracking app. The app is voluntary, and within a few hours of its debut, it had already been downloaded over a million times. Australian Prime Minister Scott Morrison said restrictions could be eased if enough people use the app. The Australian government says that for maximum effectiveness, an estimated 40 percent of the population (approximately ten million people) would need to download it. In an effort to assuage privacy concerns, Australia’s health minister said that only health authorities would use the data, and the police wouldn’t be able to access it, even with a court order. The latter restriction is yet to be codified into law, however. As with most contact-tracing proposals that have emerged recently, the app uses Bluetooth to track who an individual has been in contact with and does not keep track of users’ locations.

Amazon Bought Thermal Cameras From Blacklisted Chinese Firm

According to a Reuters report released Wednesday, Amazon bought thermal cameras to check warehouse workers’ temperatures from Dahua, a firm that the Trump administration has blacklisted due to its products being used by the Chinese government in its repression of Uighurs. Amazon’s purchase was legal because the blacklist applies only to government contracts and exports and occurs amid U.S. warnings of thermal camera shortages. While Dahua also offers optional facial recognition features in their cameras, supposedly to check who an infected individual has come into contact with, Amazon said none of its imaging devices have network connectivity or store any personally identifiable information. Senator Marco Rubio (R-FL) said the equipment posed a “massive security risk” to companies and argued that the United States needs to become less reliant on Chinese technology.

U.S. Patent and Trademark Office Rejects AI Inventor

This week, the U.S. Patent and Trademark Office (USPTO) announced that artificial intelligence (AI) systems cannot be considered inventors in patent applications. The two applications in question were for a food container that robots could easily grasp and a difficult-to-ignore warning light, both created by an AI program called DABUS. The inventions were submitted as part of the Artificial Inventor Project, which worries that inventions created without human involvement could become impossible to patent. The group also argues that highlighting contributions made by AI inventors by crediting them in patents will spur innovation.

Report Reveals Vietnamese Hackers’ Targeting of Google Play Store

On Tuesday, cybersecurity company Kaspersky released a report detailing a sophisticated hacking campaign by OceanLotus/APT 32, a suspected Vietnamese state-sponsored threat group, that distributed malware via apps on Google’s Play Store. The campaign infected hundreds of devices in at least ten countries, including Vietnam, India, Bangladesh, and Indonesia. The attackers seemed to be especially focused on Vietnam, suggesting that OceanLotus conducts domestic espionage, as well as foreign spying. Using fake profiles and license agreements, the group first acquired approval for seemingly benign apps and later updated them to include their malicious code. These malicious apps were capable of collecting call logs, text messages, and location data, and—unusually for mobile malware—were tailored for specific devices. Kaspersky says the campaign is ongoing.