Finding a fix for high-risk security bugs; false flag cyber operation targets US military spouses; France and Australia take leaps in quantum computing.
Security flaws haunt Intel chips


Researchers appear to have discovered eight new security vulnerabilities in widely used Intel computer processing units. Intel has not confirmed the report but registered the same number of vulnerabilities; the company is expected to release patches for the four flaws categorised as high-risk later this month. The details of the flaws have not yet been made public, but they are believed to be of the same level of severity as the Spectre and Meltdown vulnerabilities announced in January. These two are variants of a security flaw present in popular computer chips made by Intel, AMD and ARM that enables attackers to access protected data.

Despite a six-month lead time before the Spectre and Meltdown variants were publicly disclosed, patching the flaws remained challenging. If the latest vulnerabilities are made public only 90 days after Intel was warned of them, finding a fix will likely be a similarly buggy process, which means serious flaws may remain exploitable in the short term.

False flag operation targets military spouses

The Associated Press recently found evidence that Russian hackers from the government-linked APT28 targeted personal social media accounts belonging to the wives of United States servicemembers in 2015. The hackers posed as Islamic State (also known as ISIS or ISIL) fighters and sent death threats to the women and their families. The Associated Press has linked the women to a ‘digital hit list’ comprised of 4,700 Gmail accounts, released by security company Secureworks last year, which included targets ranging from journalists to US government officials.

APT28, also called Fancy Bear and several other monikers, is the same group accused of interfering in the 2016 US presidential elections and stealing the emails of John Podesta, then-chair of Hillary Clinton’s presidential campaign.

Quantum leaps

French President Emmanuel Macron and Australian Prime Minister Malcolm Turnbull have formed a joint venture between their two countries for quantum computing research and development. Sydney-based Silicon Quantum Computing will collaborate with France’s Commissariat à l’énergie atomique et aux énergies alternatives to commercialise a quantum silicon integrated circuit.

According to the Director of the US Intelligence Advanced Research Projects Activity (IARPA) last month, the US remains the leader in quantum computing research as a result of federal government investment. Despite IARPA’s claim that ‘China is investing but not at the levels that the United States has’, Chinese scientists launched the world’s first quantum communications satellite in August 2016 and achieved quantum key distribution from space in 2017.

New rules for online advertising

Last week, Google announced an initiative to support election integrity through greater advertising transparency. The announcement follows Facebook’s decision in April to introduce new rules to increase transparency and accountability for electoral and political issue advertisements. Like the controversy over Russia-linked political advertising on Facebook, Google’s initiative responds to issues that arose in the run-up to the 2016 US presidential election.

Beyond making additional verification a requirement for anyone seeking to purchase an election ad on Google in the US, the company pointed to its new range of ‘Protect Your Election’ tools. One such tool focuses on protecting individuals from sophisticated phishing attacks. Such an attack likely led to the controversial leak of documents belonging to the Democratic National Committee and John Podesta’s email.

Safeguarding elections

Crowd waving US flags in front of White House. Credit: DoD/FLICKR

A local election commission in Tennessee, US announced that its systems had been taken offline by a denial-of-service attack. The attack, which took place during a mayoral election, shut down the commission’s website and delayed the publication of election results. Local officials stated the attack had only affected their web servers and had not compromised their network or impacted vote counting.

The US Department of Homeland Security has reportedly conducted risk assessments for half of the states that have requested them, as fears grow over meddling in the mid-term congressional elections. The 2018 spending bill included a US$380 million allocation to protect election infrastructure from cyber attacks, but it is unlikely that this funding will be delivered early enough for measures to be implemented before voting begins.

Hacking the games

The Russian government is reportedly strengthening cyber security measures ahead of the summer 2018 World Cup football tournament. According to a senior technical expert from Russia’s state security service (FSB), the agency is currently conducting assessments of hotels’ information and technology systems and is concerned about the security of wireless equipment – particularly whether such machines have vulnerabilities in firmware or rely on hardcoded or simple passwords.

During the last World Cup tournament, hosted by Brazil in 2014, hackers used spear-phishing campaigns, distributed denial-of-service attacks and malware to degrade the country’s digital infrastructure.

Director’s cut

Insight from Sean Kanuck, IISS Director of Cyber, Space and Future Conflict

The US is working hard – and under high scrutiny – this month to find its way forward on cyber policy, operations and strategy. White House officials are reportedly considering changes to the policy-approval process for conducting government cyber operations, and the Department of Homeland Security is preparing to release a national cyber security strategy in mid-May. US Cyber Command (CYBERCOM) has also seen more changes since it published its new command vision in March.

On 4 May, Lt. Gen. Paul M. Nakasone replaced Adm. Michael S. Rogers as Commander of CYBERCOM and Director of the National Security Agency (NSA). CYBERCOM was contemporaneously elevated to become the tenth US unified combatant command. Furthermore, the official opening of a new Integrated Cyber Center and Joint Operations Center for CYBERCOM, NSA, other US government organisations and foreign partners is intended to enhance coordination and de-confliction of cyber operations.

Meanwhile, US Senator John McCain is advocating for retaliatory cyber operations against Russia in his new book. Purely punitive cyber attacks would constitute illegal ‘reprisals’ under international law, but McCain’s proposal to use cyber operations to expose corruption in Russia or to embarrass Putin personally might not. Finally, the Office of the Director of National Intelligence has issued its fifth annual Statistical Transparency Report detailing the government’s use of electronic surveillance authorities. Congress’s competing legislative oversight and political advocacy roles are sure to complicate matters as the Trump administration forges cyber policies under new National Security Council leadership.
