Cyber Week in Review: May 20, 2022

Biden administration drafts executive order limiting foreign data transfers 

The Biden administration has drafted an executive order which would give the U.S. Department of Justice control over the ability of foreign countries to access Americans’ personal data. The order would specifically target biometric and health data transfers. The U.S. government has warned about efforts by the Chinese government to acquire large amounts of Americans’ genomic data in the past. The executive order, as drafted, would give Attorney General Merrick Garland significant oversight to block transactions involving Americans’ personal data if the transaction runs counter to U.S. national security interests. 

Chinese hackers target Russian defense sector 

Chinese-linked hackers launched a series of spearphishing attacks against a group of research institutes run by Rostec, a Russian state-owned defense conglomerate. The attacks focused on Rostec’s research into satellite communications and electronic warfare. The attackers used a variety of spearphishing lures to spread malware throughout Rostec systems, although it is unclear what they were able to steal in the ten months they had access to the defense firm’s servers. Chinese hackers have been especially active in the networks of Russia and North Atlantic Treaty Organization (NATO) members since Russia’s invasion of Ukraine in February. 

EU proposes scanning end to end encrypted messages 

The European Commission may require technology companies to scan end to end encrypted messages for child abuse content. If companies detect child abuse or exploitation on their platforms, the legislation would require them to delete the image and report it to authorities. The move would effectively create a point at which the encryption is broken and the messages are scanned, introducing a vulnerability that others could potentially exploit. The legislation has been criticized for its effect on online privacy and has drawn comparisons to demands from the FBI that Apple insert a backdoor into its products in the wake of a mass shooting in 2015.  

U.S. Department of Justice will no longer prosecute “good faith” hackers 

The U.S. Department of Justice (DOJ) announced that it was changing its policy on how prosecutors should charge hackers for violations of the Computer Fraud and Abuse Act to separate hacking with good intent from hacking with malicious intent. The policy will give security researchers greater legal protections, but whether hacking was done in “good faith” is still largely a decision for prosecutors to make. The change comes in the wake of the case of Josh Renaud, a Missouri-based reporter who disclosed a vulnerability in a state website which revealed the social security numbers of thousands of Missouri school system employees. Renaud was attacked by Governor Mike Parson and other state officials, and was nearly criminally charged. 

Chinese leadership pledges support for digital economy 

On May 17, the Chinese People's Political Consultative Congress (CPPCC) held a special meeting on “promoting the sustainable and healthy development of the digital economy.” Officials affirmed support for private tech companies and committed to supporting tech companies in efforts to list in domestic and international capital markets. Some have seen these developments as a reversal of a period of heightened regulatory scrutiny of China’s technology giants, which has brought notable disruption to financial markets. They also come following COVID-related challenges that have led to tech companies’ slowed growth in the first quarter. Still, the government will continue balancing the need for digital growth with the desire to guide the firms to supporting larger social and political goals.