IISS Cyber Report: 30 November to 6 December

Companies hit by massive data breaches; reviewing software vulnerabilities disclosure; Chinese synergies in outer space and cyberspace.

Companies hit by massive data breaches

The Marriott hotel chain suffered a data breach that may have affected over 500 million guests. Hackers accessed information from the guest reservation database of the hotel group’s subsidiary, Starwood. The company revealed that the compromised data included personal guest information and encrypted credit card numbers. Although Marriott did not acquire Starwood until 2016, hackers may have been accessing the data for at least four years. Even with cyber security insurance, the breach could cost the company up to US$3.5m in expenses and losses.

Online question-and-answer site Quora also faced a data breach, affecting about 100m users. The site responded by alerting users to the breach and remotely logging out all possibly affected accounts. Because of the design of the linked-account feature, some speculate that users, including those affected, may have created Quora accounts via Google, Facebook or Twitter without being actively aware of it.

Global approaches to the vulnerabilities equity process

GCHQ, the United Kingdom’s signals intelligence agency, released details about how the department assesses the software vulnerabilities it finds in order to determine whether it should exploit them or disclose them to vendors so that they can be patched. In November 2017, the US government made public the contours of its own policy on vulnerabilities, known as the vulnerabilities equity process (VEP).

The Global Commission on the Stability of Cyberspace (in which IISS experts Sean Kanuck and Nigel Inkster participate) has proposed a norm for VEP: ‘States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favour of disclosure.’

Spearphishing emails use politics as lure

Microsoft released a report about a cyber operation, providing additional context to a series of spearphishing attacks using emails impersonating the US State Department. Microsoft found that the attackers targeted organisations globally but focused on those within the US, with 48% of those affected located in Washington DC and 36% in New York. Organisations involved in policy formation and politics were the prime targets of the attack, with think tanks, non-profits and government organisations comprising 94% of all targets. Although Reuters linked the attack to APT29, the threat actor associated with Russia’s domestic intelligence agency, Microsoft determined that there was not enough evidence to definitively attribute the campaign.

In another recent spearphishing campaign, APT28 – a group linked to Russia’s military intelligence agency, the GRU – used a Brexit-themed lure document. The group timed the release of fake content to the UK government’s announcement of its initial draft withdrawal agreement with the European Union.

More countries join Paris cyber agreement

Ghana, Rwanda and Kenya are set to become the latest states to sign the Paris Call for Trust and Security in Cyberspace, launched by French President Emmanuel Macron in November. The agreement outlines, inter alia, goals for combating malicious cyber activity and establishing international norms relating to cyber warfare.

More than 100 nations and 450 signatories have demonstrated support for the initiative. Some of the most influential cyber powers – such as China, Israel, Russia and the US – have not yet signed the agreement. Australia initially declined to sign, but subsequently pledged support.

NATO runs cyber defence exercise

NATO’s major cyber defence exercise Cyber Coalition is currently underway in Tartu, Estonia. The exercise aims to strengthen coordination between member states in the cyber domain by improving information sharing and situational awareness, and clarifying decision-making processes.

US justice department indicts more hackers for cyber crimes

The US Department of Justice (DOJ) indicted seven Russian nationals and one Kazakh national, charging them with perpetrating widespread digital advertising fraud that caused more than US$30m in damages. The accused used both malware and botnets as part of the scheme.

In a separate indictment, the DOJ charged two Iranian citizens for their role in a 32-month-long ‘international computer hacking and extortion scheme involving the deployment of sophisticated malware’ to extort healthcare and public institutions.

Director’s cut

Insight from Sean Kanuck, IISS Director of Cyber, Space and Future Conflict

UK Prime Minister Theresa May confirmed that the UK will not use the EU’s Galileo system for defence or critical national infrastructure after Brexit. Instead of using secure aspects of the Galileo satellite constellation for sensitive positioning, navigation and timing (PNT) applications, the UK aims to develop its own global navigation satellite system (GNSS), while continuing to access the United States’ global positioning system (GPS). Some critics argue that the UK will face considerable hurdles in fully replacing Galileo – such as obtaining new frequency spectrum allocations from the International Telecommunication Union for its own GNSS constellation.

It is worth highlighting how dependent cyberspace – and therefore almost every aspect of modern life – is on PNT services provided from space. For example, making cellular telephone calls, timestamping financial transactions, running power grids and facilitating emergency responders all rely on the precision time synchronisation and locational data that GPS enables. The accuracy of these PNT functions is so important that leading chipset manufacturers design their products to receive signals from not only GPS and Galileo satellites, but also from the Russian GLONASS and Chinese BeiDou constellations.

On 3 December, the IISS Cyber, Space and Future Conflict programme hosted an expert panel discussion on ‘Next generation space policy’ in Washington DC. Among the key takeaways from that event was the critical dependence of terrestrial information and communication technology networks on space-borne assets. Accordingly, leveraging the synergies between outer space and cyberspace will only become increasingly important in future conflicts. China – which co-located both capabilities in its Strategic Support Force – will likely be well-served by that organisational model.