from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: October 12, 2018

The building of the Organization for the Prohibition of Chemical Weapons (OPCW) is pictured in The Hague, Netherlands on October 4, 2018. Piroschka van de Wouw/Reuters

This week: Questioning the Bloomberg SuperMicro story, giving the EU authority to sanction in response to cyber operations, Google drops out of JEDI, intelligence sharing to counter China. 

October 12, 2018

Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. Small chips, even smaller credibility. A Bloomberg report alleging that the Chinese military secretly placed microchips in SuperMicro motherboards destined for U.S. technology companies is drawing scrutiny from the cybersecurity community. Both Apple and Amazon have released statements questioning the factual basis of the report. Government officials have also been skeptical. Homeland Security Secretary Kirstjen Nielsen has said that those “at the DHS do not have any evidence that supports the article,” while senior NSA official Rob Joyce expressed his “worry that we’re chasing shadows” in attempting to substantiate the story. Meanwhile, one of the story’s sources, hardware security expert Joe Fitzpatrick, has come forward on the podcast Risky Business to say that the hacking approach detailed in the report, though possible, “doesn’t make any sense” and that the information he gave was published “out of context.” Still, Bloomberg has not only refused to clarify the story, but has doubled down on its central claims. In a follow-up report, the two authors of the original story interview a hardware security expert who recounts an unrelated supply chain attack against a U.S. telecom company similar to the one outlined in the original article. Time will tell if Bloomberg’s story holds water, but for the moment it’s looking pretty leaky.

2. Let's get this done already! The United Kingdom, the Netherlands, and a handful of Eastern European states are urging the EU to expand its sanctions regime to allow for sanctions against individuals and organizations responsible for cyberattacks against member states. The push follows a press conference held by UK and Dutch authorities last week accusing Russian military intelligence of attempting to hack the Organization for the Prohibition of Chemical Weapons, headquartered in The Hague. A proposal under consideration would allow for sanctions, ranging from travel bans to asset freezes, in cases of election interference, intellectual property theft, and other cyber operations on behalf of a foreign government. The group of countries is pressing the rest of the EU to formally agree to and adopt a sanctions authority next week during a meeting of the European Council, which represents EU heads of state and government. The EU has been considering the use of sanctions for malicious cyber activity, in one form or another, since 2015.

3. The force is strong with you, young Google, but you are not a JEDI yet. Google has dropped out of a bid to build the Department of Defense’s cloud computing infrastructure, citing concerns about potential conflict with its AI values and a lack of the necessary government certifications. The ten billion dollar initiative, known as the Joint Enterprise Defense Infrastructure (JEDI), seeks to transition the Pentagon to a single commercial cloud system that would be responsible for hosting all classifications of information and enabling advancements in warfighting capabilities. Google’s decision not to pursue the bid comes after its June announcement that it would no longer provide AI tools to help the U.S. military analyze drone footage, following intense employee backlash. Google's decision to back out of U.S. government-related work, combined with its seeming desire to re-enter the Chinese search market, has raised eyebrows, particularly on Capitol Hill.

4. The club is accepting new members, sort of. Reuters reports that the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) has agreed to share classified intelligence products related to China's foreign influence and investment activities with like-minded countries, such as Japan, Germany, and to a lesser extent, France. The news comes after increasing scrutiny of China's assertiveness. In the last year, the United States and Germany have implemented new legislation aimed at restricting foreign investment, and Australia adopted new campaign finance and foreign influence rules aimed at curbing Beijing's influence. Although the Five Eyes already share intelligence with non-member countries on an ad hoc basis as necessary, the Reuters report suggests that sharing with Germany and others will become routine, specifically to monitor Chinese investment and influence activities. The news of the expanded sharing comes the same week that the cybersecurity agencies in the five countries released a joint report on commonly used hacking tools, some of which have been used by Chinese threat actors.

More on:

Cybersecurity

Digital Policy

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.