Cyber Week in Review: September 7, 2018

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. A long rap sheet. The U.S. Department of Justice filed a criminal complaint alleging North Korean state-sponsored actors compromised Sony Pictures Entertainment (SPE), stole $81 million from Bangladesh's central bank, launched the WannaCry ransomware, and targeted U.S. defense contractors between 2014 and 2017. North Korea was widely believed to have been behind all four cyber operations for some time--the U.S. government sanctioned it over the SPE incident in 2015 and publically callout out Pyongyang over WannaCry last year. Nevertheless, it is the first time that the U.S. government has charged North Korean actors in the same way it has done with others from China (theft of intellectual property), Russia (compromise of the Democratic National Committee), and Iran (the denial of service attacks against U.S. financial institutions). The 172-page complaint lays out in detail the infrastructure, shell companies, email accounts, and aliases North Korean actors used to conduct their activities, though only one defendant is named--Park Jin-hyok. Park, as well as the company he worked for, Chosun Export Joint Venture, were also sanctioned by the Treasury Department. As with the charges against other state-sponsored actors, the charges and sanctions are part of a broader U.S. strategy to publicly attribute malicious actors, hinder their ability to recruit talent, and set norms for responsible state behavior in cyberspace. That approach is not without its critics, and some have speculated that calling Park by name may put his life in jeopardy given the brutal nature of the North Korean regime. 

2. Social media in front of Congress, again. Facebook Chief Operations Officer Sheryl Sandberg and Twitter CEO Jack Dorsey testified before the Senate Select Committee on Intelligence about the steps their platforms were taking to limit state-backed disinformation campaigns on their platform. Both executives recognized their respective companies were initially slow in addressing the challenge, but pointed to the steps they have taken since the 2016 election. Sandberg highlighted the efforts Facebook has made to remove Internet Research Agency content and changes to its process of selling political advertising, whereas Dorsey flagged efforts to remove bots and establish new teams to track them. The committee, however, seemed unconvinced that voluntary actions would be enough and hinted that regulation might be forthcoming. Writing in the New York Times, Farhad Manjoo explains the challenges of the regulatory path, noting that none of the congressional discussion thus far has wrestled with the thorny constitutional issues, namely that of free speech, that regulation would entail. 

3. The uneasy tech relationship between India and China. Chinese cellphone make Xiaomi announced that it will store data generated from Indian users in India—a practice known as data localization—to improve user experience and data protection. As more Indians connect to the digital economy, New Delhi has expressed concerns that Indians' private data may be put at risk if it is held outside of the country's borders or managed by foreign firms. Although India has yet to mandate data localization, the central government has expressed a desire to do so with respect to cell phone manufacturers and online payment data, according to Beijing business daily Caixin. Xiaomi's announcement comes a week after India's Sunday Guardian newspaper reported that senior intelligence officials were "closely watching" developments related to Australia's effective banning of Huawei from building that country's 5G network. Indian government officials believe that approximately 60 percent of the country's telecom gear is from Huawei or ZTE. 

4. “All your cyber sh*t.” It’s no secret that President Trump has a rudimentary understanding of cybersecurity. The president has repeatedly questioned the intelligence community’s assessment that Russia hacked the Democratic National Committee and related organizations, and as a candidate claimed it could have been a random “400-pound hacker” or China. Bob Woodward’s new tell-all book, however, reveals the true depths of Trump’s apathy towards cybersecurity issues. In an anecdote from book, Trump brushes off former homeland security advisor Tom Bossert, who wanted to talk to the president about cybersecurity. “I want to watch the Masters," Trump said, referring to a golf tournament. "You and your cyber ... are going to get me in a war—with all your cyber sh*t." Bossert no longer works at the White House as a result of a staff reorganization National Security Advisor John Bolton initiated when he began his position. That same reorganization also eliminated the post of White House cybersecurity coordinator, compounding concerns that cyber issues fail to get enough visibility in the highest echelons of government.