Big brother meets big data
Human Rights Watch warned in late February that Chinese authorities were utilising mass surveillance and big data analysis to conduct predictive policing in the western province of Xinjiang; furthermore, tens of thousands of Uyghurs and other ethnic minorities have been detained and sent to ‘political education’ centres.
In an uncommon similarity between the East and the West, it was recently revealed that artificial intelligence algorithms were used by the New Orleans Police Department in the United States to predict criminal activity. Palantir Technologies, the US firm credited with supporting the programme, received a patent in 2015 for ‘crime risk forecasting’ technologies. The Pentagon also uses Google's image recognition software to analyse drone footage as part of its AI programme Project Maven. Machine-based law enforcement or military surveillance raises legal and ethical questions about the accuracy, effectiveness, and potential biases of such strategies.
Gargantuan DDoS attacks
Software development platform GitHub was taken offline temporarily on 28 February, with intermittent service continuing for a few minutes, because of a massive distributed denial-of-service (DDoS) attack. It ‘originated from over a thousand different autonomous systems across tens of thousands of unique endpoints’ and peaked at ‘1.35Tbps [Terabits per second] via 126.9 million packets per second’.
On 5 March, NETSCOUT Arbor, a security assurance company, confirmed an even larger (1.7Tbps) attack that targeted an unnamed company, although no systems were taken offline as a result. The attackers used the same tactics employed against GitHub. The scale of these attacks may be growing, but the limited-to-no disruption of service demonstrates that improved defences may be mitigating the effects of even the largest attacks. Some DDoS attacks, however, have been accompanied by ransom demands; if companies are unable to pay for improved defences in the first place, they risk exorbitant costs in order to bring their systems back online.
Russians infiltrate German foreign ministry
A sophisticated cyber espionage group linked to the Russian government reportedly gained access to the German foreign ministry’s networks after breaching a secure government communications platform. The hackers compromised 17 computers and used malware-laden emails to steal information, some of which concerned Germany’s foreign policy towards its eastern neighbours. Germany apparently became aware of the breach only after a tip off from an allied foreign intelligence agency last December, a year after the hack began.
This marks the second significant cyber attack against the German government, after the 2015 Bundestag attack which was also attributed to Russian hacking groups. The fact that Russian state hackers are being detected with greater frequency supports US intelligence assessments that Moscow is becoming more aggressive and bolder in its cyber operations.
Ratifying the Budapest Convention
The Philippines officially acceded to the Council of Europe’s Budapest Convention on Cybercrime. Tunisia was also invited to join the convention last month and would be the first North African country to accede to the treaty. The Budapest Convention is the premier legally binding treaty for cybercrime; it supports international cooperation on this issue by facilitating extradition and mutual legal assistance agreements, and by ensuring mutual recognition of foreign judgements and police-to-police cooperation. The increasing number of ratifications underscores the scale of the cybercrime threat and the desire for more consensus.
There are, however, some notable non-signatories, including Russia, China, India and Brazil. These countries are motivated in part by disinterest in legislation that was developed principally by Western states. Russia in particular has opposed the treaty on the grounds that the provisions for giving law enforcement access to data stored on foreign soil violates national sovereignty, and has argued for an alternative convention.
Weighing the risks of foreign companies
The US gave another warning to the Australian government not to use state-owned Chinese telecommunication firm Huawei in the construction of its 5G networks. Australian Prime Minister Malcolm Turnbull was briefed last month by the director of the US National Security Agency about the risks posed by such a move. Australia had previously barred Huawei from a major broadband network infrastructure project in 2012, and earlier this year dropped Huawei as a partner to build a fibre optic cable between Sydney and the Solomon Islands. It is unclear, however, how damaging this move would be given the United Kingdom and New Zealand – two other Five Eyes intelligence allies of the US – have approved Huawei’s involvement in major infrastructure projects. Nonetheless, a decision to use Huawei products could stoke tension between Canberra and Washington.
Meanwhile, the US is mulling whether to approve a bid by Singaporean chipmaker Broadcom to acquire Qualcomm, a rival US company. A senior US Department of Treasury official wrote a letter that highlighted the department’s concerns about the potential national security implications of such a purchase.
Google provides transparency on the ‘right to be forgotten’
Google published its Transparency Report last week, which details how the company makes decisions on delisting requests. In May 2014, the European Union’s Court of Justice established the ‘right to be forgotten’ (also known as the ‘right to delist’). The landmark ruling granted European citizens the right to request search engines to remove from search results information that is ‘inaccurate, inadequate, irrelevant or excessive’. The aim of the EU court’s ruling was to give greater control over personal data online.
Between 2014 and 2017, Google received more than 2,422,000 requests for URLs to be delisted, and the number continues to grow. In addition to clarifying delisting requirements, Google’s research paper calls out the inherent tension between the right to privacy and censorship online.
Insight from Sean Kanuck, IISS Director for Cyber, Space and Future Conflict
Last week’s confirmation hearing of nominee Lt. Gen. Paul Nakasone for Director of the US National Security Agency (NSA) and Commander of US Cyber Command highlighted two critical issues. First, deterrence – including both the current inability to dissuade state-sponsored hackers in advance and to effectively hold them accountable after the attack – remains the greatest strategic challenge in cyberspace. None of the factors required for a stable security dynamic that I outlined in my 2016 lecture at Harvard Law School have been achieved yet. Accordingly, it is unsurprising to hear Nakasone state that hackers ‘do not think that much will happen to them’ and remain undeterred. Second, the next Director of the NSA will need to report to Congress on separating the NSA from US Cyber Command as well as expanding the latter’s authority. Clarity between overt military operations and clandestine intelligence activities is needed to pave the way for effective deterrence in cyberspace.