Cyber Week in Review: October 28, 2016
from Net Politics and Digital and Cyberspace Policy Program

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. Fallout from the Dyn denial of service incident. In the wake of last Friday’s attack on Dyn, a Chinese electronics firm issued a recall of all webcams containing its circuit boards. The company, Hangzhou Xiongmai, says that the issue is that users haven’t changed the (often unchangeable) default passwords on their devices, allowing hackers to take control of them for nefarious purposes. The real issue is that security considerations are often an afterthought in internet of things (IoT) devices, and unlike car makers or other manufacturers, software and hardware companies are often not liable should a product malfunction. The European Union is preparing to issue new regulations on IoT devices that may help mitigate future incidents, and the U.S. government is looking to issue guidance for IoT manufacturers. By contrast, China is threatening legal action against those who make “false claims” about the integrity of Chinese-manufactured devices. Director of National Intelligence James Clapper stated on Tuesday that last week’s attack was likely carried out by a nonstate actor, and Dyn has confirmed that the attackers exploited the same Mirai malware that has been used in many of the recent DDoS incidents, including the one that targeted Brian Krebs’ website.

2. U.S. director of national intelligence on Russia and Dyn incident. James Clapper sat down for a Q&A session with Charlie Rose at the Council on Foreign Relations where he talked about the Dyn incident and responding to Russian cyber activities, among other things. On Russia, Clapper stuck to the script of the official statement he and the secretary of homeland security released three weeks ago. However, he did mention the challenges associated with responding, such as revealing U.S. intelligence capabilities, controlling escalatory activity, and ensuring the legality of a response. The recent compromise of e-mail accounts of people close to Russian President Vladimir Putin has led to speculation that the Obama administration has begun responding. Putin continues to deny that the accusations are anything more than anti-Russian propaganda.

3. Well that was fast. The Privacy Shield agreement that governs the transfer of personal information between the European Union and the United States is facing a legal challenge from the privacy advocate group Digital Rights Ireland on the grounds that its privacy protections are insufficient. The online case filing is sparse, detailing only the parties, date of filing, and that the subject concerns an “area of freedom, security and justice.” Privacy Shield, which has only recently begun to actually be implemented, has attracted criticism on privacy grounds since the draft text was first released.

4. Law enforcement access to data. Microsoft, which owns Skype, was fined €30,000 by Belgium yesterday for failing to assist investigators in 2012 by intercepting users’ communications over the messaging service, a request the company says was impossible to fulfill. There has been a trend in certain jurisdictions of courts fining or banning messaging providers for failing to hand over data they don’t have, as was the case in Brazil four times over the last two years with WhatsApp. In related law enforcement news, Yahoo released its newest transparency report, which indicated a slight decline in law enforcement requests for user data. The Yahoo transparency report is an outlier given that most tech companies are seeing law enforcement requests rise.
