Cyber Week in Review: December 4, 2020

EU Proposes Transatlantic Partnership

On Saturday, the Financial Times reported that the European Union (EU) has drafted a broad transatlantic partnership proposal in hopes of cooperating with the Biden administration to counter China’s growing influence and technological dominance. In addition to collaborating on COVID-19 and environmental policy, the draft plan proposes a joint approach to digital regulation, including antitrust enforcement, standards for emerging technologies such as 5G, data protection, foreign investment, and cybersecurity. One European Commission official characterized the efforts as “low-hanging fruit,” yet differences on how to regulate firms remain an unresolved tension that threatens to derail the partnership. In pursuit of “digital sovereignty,” the EU has long aimed to curb big tech, while American lawmakers have resisted comprehensive data privacy regulation and often consider the EU’s tech policies to be unfair and protectionist.

New Zealand Debuts Views on International Law in Cyberspace

On Tuesday, New Zealand debuted its views on the application of international law in cyberspace. Particularly notable were New Zealand’s stands on collective countermeasures and sovereignty—two areas that frustrated the UN Group of Governmental Experts’ effort to reach a consensus on cyber norms in 2016-17, leading to a patchwork of policies and new proposals from participating states. New Zealand expressed a broad and controversial willingness to explore collective countermeasures in the “collective interest in the observance of international law,” citing the “potential asymmetry between malicious and victim states.” Although Estonia maintains a similar position, France recently rejected [PDF] collective countermeasures, while Finland has avoided the matter altogether. New Zealand also affirmed its belief that foreign cyber operations could violate a state’s sovereignty, echoing previous condemnations against Russian cyberattacks for violating Georgian sovereignty.

North Korean Hackers Target Vaccine Makers, State Department Launches North Korea Bounty Program

On Wednesday, the Wall Street Journal reported that at least six COVID-19 vaccine companies in the United States, the United Kingdom, and South Korea have been targeted by North Korean hackers, known colloquially as Kimsuky, since August. At AstraZeneca, where researchers recently announced promising late-stage trial results, hackers masquerading as recruiters approached staff with job offer documents containing malware. None of the six companies have disclosed whether or not the hackers successfully exfiltrated critical data. Given that North Korea’s vaccine manufacturing capabilities are limited, watchdogs are concerned that, if successful, North Korea would sell vaccine blueprints to China. Alternatively, hackers could attempt to impede vaccine makers with ransomware.

On Tuesday, the State Department launched a rewards program offering up to $5 million in exchange for information on North Korea’s cyber operations, money laundering operations, weapons programs, and broader efforts to circumvent sanctions. In addition to justifying more sanctions related to North Korea, the State Department hopes to implicate China: “The overwhelming number of those middlemen, bank accounts, and money launderers operate within the borders of China,” said Alex Wong, the State Department’s deputy assistant secretary for North Korea.

China Drafts Guidelines on Personal Data from Mobile Apps

On Tuesday, the Cyberspace Administration of China (CAC) introduced draft rules limiting the breath of data that mobile apps can collect from users. In a statement, the CAC voiced its frustration that mobile apps currently require “personal information beyond their scope, and users cannot install and use them if they refuse to agree.” Under the new rules, ride-hailing apps, for example, would only be allowed to collect required information such as names, phone numbers, and location. The draft rules reflect increasing demands from users for privacy protections as well as China’s growing efforts to curb technology companies. In addition to proposing new anti-monopoly rules and halting Ant Group’s widely-anticipated IPO last month, China has prepared online lending rules designed to target fintech behemoths.

DHS Under Investigation by Inspector General, NSO’s Circles Sells Location Data to Twenty-Five Countries

On Wednesday, the Wall Street Journal reported that the Office of Inspector General will investigate the Department of Homeland Security’s (DHS) practice of purchasing and utilizing mobile phone location data for law-enforcement operations without a warrant. For years, DHS has solicited access to location information gathered by private data brokers from everyday smartphone apps. Given that the location data is publicly available for purchase, DHS lawyers maintain that a 2018 ruling limiting the warrantless use of location information derived from cell towers doesn’t apply. Senator Ron Wyden, who is leading one of several congressional investigations into the use of data for domestic surveillance and law enforcement, said, “If federal agencies are tracking American citizens without warrants, the public deserves answers and accountability.”

On Tuesday, researchers at the University of Toronto’s Citizen Lab published a report concluding that twenty-five countries including Mexico, Thailand, Denmark, Belgium, and the United Arab Emirates deployed spyware from Circles, a surveillance company that merged with NSO Group in 2014. Circles’ technology, which is allegedly sold to nation-states exclusively, is able to “track any phone number from any country and anywhere in the world." In the report, Citizen Lab noted that Circle’s customers generally have a “dismal record of abuses of human rights and technical surveillance capabilities,” including surveilling human rights defenders and reporters at home and abroad.