8 March 2023


At a glance.

Nations struggle to define “act of war” in the digital age.
The battle for Section 702.
New Chinese regulation on data exports.
China-linked hackers attack ASEAN member nations.

Nations struggle to define “act of war” in the digital age.

Modern-day warfare now readily includes cyber operations, and governments are struggling to find their footing in a digital territory that has no clear rules. As Forbes notes, the definition of an “act of war” in cyberspace is murky at best. Efforts have been made to determine global norms and regulations for digital disputes, but so far an international consensus like the Bretton Woods Agreement has been unattainable due to the inherent complexities of cyber warfare. While intelligence gathering missions have largely been deemed permissible acts of espionage, destructive cyber attacks that can cripple a nation’s critical infrastructure would seem to be another matter entirely.

Still, even if it were easy to determine what constitutes an act of war, attribution remains difficult, and there are few rules regulating state-level cyber responses even when attribution is clear. The Hill argues that cyber wars should be handled like conventional military encounters. This of course raises the possibility that there could be cyber war crimes. The Ukrainian government is currently working to convince the International Criminal Court (ICC) in The Hague to investigate whether some of the cyber attacks conducted by Russia during its invasion of Ukraine should be considered war crimes. It’s proving to be a difficult task, given that cyber attacks are not explicitly defined as war crimes under the Geneva Conventions or the Hague Rules, or under the international laws of armed conflict generally. Those were formulated long before digital warfare was even fathomable. But should any cyber activities come to be considered war crimes, they would probably fall under provisions of international law requiring discrimination between military and civilian targets, or forbidding disproportionate harm.

The battle for Section 702.

US lawmakers have an important decision to make regarding the nation’s spy agencies’ most powerful intelligence-gathering tool. Section 702 of the Foreign Intelligence Surveillance Act, which grants the Federal Bureau of Investigation (FBI) and the National Security Agency the authority to gather electronic data from US tech firms without a warrant, expires at the end of the year, and there is an intense debate mounting over whether or not it should be renewed.

As the Washington Post reports, the Biden administration says Section 702 is essential to national security and has mounted a campaign to prove its merit to Congress. Assistant Attorney General Matthew Olsen stated during a speech on Tuesday at the Brookings Institution, “Without 702, we will lose indispensable intelligence for our decision-makers and warfighters, as well as those of our allies. And we have no fallback authority that could come close to making up for that loss.” Attorney General Merrick Garland and Director of National Intelligence Avril Haines also submitted a letter to Congress pushing for reauthorization of the law. However, many officials on both sides of the aisle say Section 702 is a violation of privacy. In a recent article, Brennan Center for Justice’s Elizabeth Goitein argued the “only way to fully protect Americans’ Fourth Amendment rights and prevent abuses is to require the government to obtain a probable-cause court order before performing U.S. queries.”

In the end, a compromise might be 702’s only saving grace. On Monday and Tuesday, proponents of 702 reminded Congress that reforms were made in 2021 requiring the FBI to provide written justifications before accessing 702 data, and the Biden administration has confirmed they are willing to work with Congress on further modifications to enhance privacy protections.

New Chinese regulation on data exports.

The Cyberspace Administration of China (CAC) has announced new regulations controlling the export of personal citizen data. The new rules state that “non-critical information infrastructure operators” moving the data of fewer than 1 million people must sign a contract with the CAC before exporting that data. Cybersecurity Connect explains that the contract will mandate that companies conduct risk and sensitivity assessments to confirm the necessity and legality of exporting the data, then file those assessments with local provincial authorities in China. The regulations go into effect on June 1 and any violations of the established contract will be treated as a crime.

China-linked hackers attack ASEAN member nations.

According to a recent cybersecurity alert, threat actors backed by the Chinese government conducted a cyberespionage operation in February in which they hacked into mail servers operated by the Association of Southeast Asian Nations (ASEAN), stealing more than ten thousand emails and other sensitive data from member countries. Furthermore, the alert notes that this was the third time ASEAN – an intergovernmental body composed of ten Southeast Asian countries including Singapore, Malaysia, and Thailand – had been compromised since 2019. Wired explains that the attack is further evidence that China is targeting nations in the region in an effort to gain political and economic intel. The notice, which was sent to cybersecurity agencies, foreign affairs ministries, and other governmental organizations in the ASEAN member countries, states that the incident “impacts all ASEAN members due to correspondence that was compromised.” In recent years UK and US leaders have taken notice of the espionage threat from China. In February the European Union Agency for Cybersecurity issued a public advisory naming six hacking groups linked to China, and last year, US President Joe Biden invited ASEAN member nations to the White House and promised them monetary support to fight such attacks.
