What a week to be reporting on security news. It’s hard to believe the world kept spinning while one event held the entire country’s captive attention and caused the world to collectively hold its breath. One of the biggest issues facing Donald Trump and the country in the next administration is cybersecurity. As threats continue to mount and become more advanced and attacks continue to slam both small and large companies like waves relentlessly breaking over rocks, the weight of the future of security will rest heavily on the leader of the free world. It will be interesting to see how that plays out over the course of the next four years. But more on that later.
China on Monday passed a rigorous new cybersecurity law that makes it legal for the Chinese government to demand and obtain technical information from high-tech equipment makers and software developers. The justification? National security. Preventing cybercrime. Thwarting terrorism. Prohibiting activity aimed at "overthrowing the socialist system.” You know, that sort of thing.
According to The Wall Street Journal, the new law is intended to tighten and “centralize” state control over information flows. Understandably, this has foreign companies worried about their operations in China. U.S. tech firms, for example, aren’t too thrilled at the prospect of having to give up their code or other intellectual property.
"The new cyber-security law tightens the authorities' repressive grip on the internet," said Patrick Poon, a China researcher for Amnesty International, in a statement. "It goes further than ever before in codifying abusive practices, with a near total disregard for the rights to freedom of expression and privacy."
Further, human rights groups aren’t too pleased either, reports The New York Times. “The already heavily censored internet in China needs more freedom, not less,” one Chinese human rights activist, Sophie Richardson, wrote in a statement. “Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes.”
Back in August of this year, an association of business groups warned that the proposed law might be in violation of Beijing's World Trade Organization commitments. According to CNBC, these groups have surfaced that Beijing is seemingly using these regulations to try and nudge foreign competitors out of the ring, blocking them from promising industries.
"We believe this is a step backwards for innovation in China that won't do much to improve security," said James Zimmerman, chairman of the American Chamber of Commerce in China, in a statement. He said it will "create barriers to trade and innovation." The law's demands regarding national security reviews and data sharing will "unnecessarily weaken security and potentially expose personal information," continued Zimmerman. He said some measures "seem to emphasize protectionism rather than security."
China adamantly denies these claims, and has actively attempted to quell any doubts or concerns regarding hampering foreign vendors. ”Any company that wants to come in, as long as they obey Chinese laws, serve the interests Chinese consumers, we welcome them to come in, and to prosper together," said Zhao Zeliang, director-general of the cybersecurity bureau of the Cyberspace Administration of China. Experts and spokespeople involved with or in favor of the law stress that as long as everyone plays fair, there shouldn’t be any problems. Sounds simple enough, right? Right?
Next up, “SOMEONE is learning how to take down the internet.” This rather sinister statement is actually the title of a recent blog post written by noted cyber-security expert Bruce Schneier. In keeping with the ominous message, not long after the blog post was written, the Dynamic Network Services (Dyn) was disrupted by the DDoS attack that inundated and incapacitated popular sites like Netflix, Twitter and PayPal. The attack was just one in a string of similar incidences. Not long before that, Brian Krebs, an American journalist who reports on internet criminals, was the victim of one of the largest DDoS attacks ever recorded. The server where he hosts his blog became the target of one of the largest DDoS attacks on record. Krebs' site was flooded with an amount of data equal to almost half a percent of the internet’s entire capacity.
Perhaps one of the most disturbing things about these recent attacks was their clever accuracy. It’s as if the attackers “were looking for the exact point of failure,” Mr. Schneier wrote in his blog post. All of these attacks utilized the same software called Mirai, which hunts the internet for webcams, digital recorders and home routers with easy passwords (for those of you with the password”12345” or “password”) or factory-set passwords. Once located, the software can flood those devices with requests and make them do its bidding. This is what happened with the attack on Dyn, causing XiongMai Technologies, one of the biggest webcam technology makers in the world, to recall some of its products and beef up security with software updates. Experts suspect the culprits of the attacks are either Chinese or Russian.
There was some speculation that a DDoS attack may rear its ugly head surrounding the election. It’s a scary thought, thinking of an “internet takedown” during one of the most important events in history. This “takedown” could have meant several things - an attack could have struck the online media, both for individuals and the government which, during one of the most tense events, would have incited chaos. That whisper of the election being “rigged” would not have been just speculation.
This segues nicely into our last topic on what experts were worried could happen during the election. Thankfully, nothing did happen (at least, as far as well know) but according to an article by The New York Times, here are a few things that cybersecurity experts were fretting over and preparing for during the event.
Interfering With Voter Registration Rolls
The cause for concern here was the ability of hackers to find vulnerabilities in central voter registration databases, exploit them, and cause chaos on Election Day. Voter databases are not treated as “critical infrastructure” by the federal government due to the fact that very few people pause to consider that a foreign hacker could mess with things just enough to cause doubt and chaos. “We’ve thought in terms of structures,” Adm. Michael S. Rogers, the director of the National Security Agency, said recently. “Data is taking on a much larger value in and of itself.” But he noted that “it’s the states’ responsibility.”
Manipulating the Count Reported to News Organizations
This one is obvious, and isn’t as far-fetched as it sounds. During the election Tuesday night, news networks and organizations were constantly giving “unofficial” results so they can call and report on the races in swing states. If hackers could potentially sabotage such “data in motion,” they could alter the first call, even if unofficial. If there was even a hint of numbers manipulation, cries of foul play would be heard ‘round the world.
Tinkering with Voting Machines
This was unlikely, but not impossible. Any wireless connection is potentially vulnerable. Election experts feared that these vulnerabilities could be exploited - while it’s true that most voting machines aren’t connected to the internet while voting is happening, they are often connected before Election Day in order to conduct necessary updates. Any such vulnerability, particularly with regard to the machines that store and count such valuable information, could be a target for information manipulation.
Even though none of these scenarios played out (again, at least as far as we know), it's worth thinking about what this presidential election might mean to the solution provider channel. In a climate of so much unrest and uncertainly, business could take a hit, negatively impacting channel folks and service providers. Not to mention the issue of cybersecurity being brought to the forefront in a way it never has before. The new administration has a long road ahead of it in terms of addressing and working to fix the issues associated with security, and it’s going to be a bit of a wild ride for the channel as well. Fasten your seatbelt, everyone...
This article was published originally here on The VAR Guy.