Srsly Risky Biz: Thursday, November 25

Cyber Regulation with Chinese Characteristics, Fun Times at NSO

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Cyber Regulation with Chinese Characteristics

It's Thanksgiving week in the USA, which means the news tempo has slowed a bit. That means we can dive in and look at some topics that aren't getting as much attention as they deserve. This week we're taking a look at a series of new Chinese laws designed to strengthen China's cyber security over time while bolstering state control over technology companies. Come with us on this magical journey through Chinese legislation and regulation! It'll be fun, we promise!

We're looking at three distinct laws here. At the beginning of this month the Chinese government's Personal Information Protection Law (PIPL) came into effect. The PIPL is basically China's answer to the European GDPR (although more stringent) and sets rules regarding how businesses can use and share personal information.

The PIPL caps off a trifecta of laws covering personal information, protection of data (the 2021 Data Security Law or DSL) and cybersecurity in general (2017 Cybersecurity Law).

The 2017 Cybersecurity Law, focussed on network security, introduced the principle of cyberspace sovereignty and also a wide-ranging framework for internet security regulation. This year's DSL introduced obligations on data writ large, including security obligations for data processors and due-diligence requirements before transfer overseas.

Taken as a whole, these laws contain a multitude of measures that could easily be present in democratic laws, and some that are even innovative.

For example, the PIPL has post-mortem rights. Individuals and their close relatives get to decide what happens to their data when they die. And the DSL implements a data categorisation system where "important data" and "national core data" require stricter protections and have data localisation requirements.

Other notable features of the laws include their extra-territorial reach. From the DSL:

When data handling activities outside the mainland territory of the PRC harms national security, the public interest, or the lawful rights and interests of citizens or organisations of the PRC, legal liability is to be pursued according to the law.

There are a range of opinions on what's truly driving these laws.

Associate Professor of Law at Singapore Management University Henry Gao thinks the recent rule-making was at least partly driven by the Chinese version of the "techlash" and the need for the Chinese Communist Party (CCP) to retain control. "At the end of the day, all of these regulations are about the CCP tightening their control on every aspect of the economy," he told Seriously Risky Business. "To the extent that they have some positive side effects such as protection of privacy, these are more secondary considerations as there are extensive exemptions for government."

Others disagree.

Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations and an expert on Chinese cybersecurity policy told Seriously Risky Business that he believed that these laws were mostly being driven by the need to strengthen consumer protections and domestic cyber security.

"There are a range of motivations. Chinese users have been the victims of massive data breaches, privacy violations, companies misusing their data, etc. The Cyber [law], DSL, and PIPL are all meant to address these. They do also increase state control over the sector, but that is not the driving motivation."

Dr Samantha Hoffman, Senior Analyst at the Australian Strategic Policy Institute, points out there are already mechanisms for the CCP to bring firms to heel when they step out of line. The IPO of Ant Group, for example, was kiboshed after its billionaire founder Jack Ma criticised the Chinese financial regulatory system.

Segal notes that the ride-hailing app Didi was also punished. "Policy makers want to regulate the company for multiple reasons — antitrust, abusive drivers, different pricing for different customers," he says. "But they were also clearly worried about foreign access to data, and how DiDi ignored warnings from CAC (the Cyberspace Administration of China) of how it might run afoul of the cybersecurity law."

The CAC ordered Didi removed from app stores as it investigated Didi's data security practices.

Hoffman says part of the purpose of law in China generally is to "communicate expectations," and thinks these new regimes are genuinely intended to improve security. In China, she says, "security is a real problem" and "the data held by some of these companies is incredibly insecure".

But here's the "China gonna China" part: Hoffman points out that Article 5 of the DSL specifies that a national security body is ultimately in charge when it comes to data security:

The central leading institution for national security is responsible for: policy-making, deliberation, and coordination in national data security work; researching, formulating, and guiding the implementation of national data security strategy and related major directives and policies; comprehensively coordinating major matters and important work in national data security; and establishing a national data security work coordination mechanism.

"It's as if the National Security Council was responsible for domestic cyber security regulation in the US," Hoffman says. "It tells you who is in charge and what their priorities are."

And despite being designed to improve domestic cyber security, these laws do not protect citizens from the state. Segal says that the laws place restraints on state access to data that are "not meaningful". Chinese internet users might just have to be happy with improved protections from firms.

The PRC also engages in what Segal describes as an "open ended, iterative process of implementation unique to the PRC. We still don't know what some key terms — important data, critical information infrastructure — actually mean".

Rather than being a symptom of poor lawmaking, vague language and undefined terms show that the PRC government values ends over means, and that end goals are usually pretty clear. The CAC, for example, has published Guidance on the Governance of Internet Information Service Algorithms, where one goal is to "provide strong support for building a cyber superpower". Ideology is also important:

Establish the correct orientation for algorithms. Carry forward the socialist core values view, uphold the correct political direction, public opinion orientation, and value orientation in the application of algorithms.

In the Anglosphere some worry about the power of algorithms to shape society. China wants to control them before they get out of hand and leaps straight to regulation. It must be easier when the "correct political orientation" is crystal clear.

These laws and regulations really do have uniquely Chinese characteristics. The CCP is simultaneously authoritarian and yet also responsive to citizen concerns so that they don't metastasise into social unrest that threatens the Party's control. These laws directly address persistent cyber insecurity and lay the foundations for further control of the technology sector. This is perfectly sensible for the CCP given the increasing importance of the internet for communication and the outsize role that technology companies are now playing.

We'll have to wait and see how the "ends over means" approach plays out over time.

The Fun Times Keep Rolling at NSO

Apple is suing NSO for damages and to prevent it from using any Apple software, services or products on the basis that it broke US laws and Apple's Terms of Service. We are not convinced that Apple has a strong case against NSO, but it could still cause significant reputational damage that will compound other difficulties NSO is having.

WhatsApp is also suing NSO and earlier this month a US court ruled that NSO, despite being used by governments, didn't deserve the protections that foreign governments get in US courts.

Things are not looking good for NSO — it has USD$500m in debt and it's not clear that it will be able to pay it off. These court cases won't help by scaring away potential investors.

These Clouds are Soft and Fluffy

We have a one-word reaction to a couple of recently announced Google Cloud bugs, and that word is "yikes".

The first, discovered by researcher Cameron Vincent in 2018 but only disclosed earlier this month, allowed a user to become a Google Workspace super admin — for any domain — by modifying a couple of HTTP POSTs. Just throw in someone else's Workspace domain and their corresponding customer ID, and Robert's your mother's brother, as they say.

The second, fixed just recently, is a server-side request forgery (SSRF) bug discovered by David Schütz that allowed access to internal Google resources by bypassing a URL allowlist by adding '\@' within a URL. This ultimately earned Schütz over USD$10k.

Schütz has published a reaction video and walkthrough of this bug discovery based on screen recordings he made at the time.
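The allowlist bypass above is a parser differential: a browser-style (WHATWG) parser treats a backslash in an http(s) URL as a slash, while an RFC 3986 parser treats it as an ordinary character, so the same string is "allowed.host" to one component and "evil.host" to the component that actually fetches it. The following added example (not Google's code or Schütz's; host names are constructed) shows a check that trusts the WHATWG reading beside a hardened check that refuses any URL on which the two readings could diverge.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; the real service's hosts are unknown here.
ALLOWED_HOSTS = {"storage.example.com"}


def whatwg_style_host(url: str) -> str:
    """Mimic a browser-style parser: for http(s) a backslash is a path delimiter,
    so the authority ends at the first '/' or '\\' and userinfo ends at its last '@'."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return ""
    rest = rest.replace("\\", "/")
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    host = authority.rpartition("@")[2]
    return host.split(":", 1)[0].lower()


def rfc3986_host(url: str) -> str:
    """urlsplit follows RFC 3986: '\\' is not a delimiter, so 'a\\@b' is
    userinfo 'a\\' followed by host 'b'."""
    return (urlsplit(url).hostname or "").lower()


def naive_allowlisted(url: str) -> bool:
    """Weak check: validates the host as a browser would see it, then hands the
    raw string to a fetcher that may parse it differently."""
    return whatwg_style_host(url) in ALLOWED_HOSTS


def hardened_allowlisted(url: str) -> bool:
    """Hardened check: reject anything that lets parsers disagree (userinfo,
    backslashes), require exact host match, and confirm both readings agree."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # any '@' in the authority is refused outright
    if "\\" in url:
        return False  # backslash is the classic WHATWG/RFC 3986 divergence
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS and whatwg_style_host(url) == host


if __name__ == "__main__":
    tricky = "https://storage.example.com\\@evil.example/internal"
    print("WHATWG host:", whatwg_style_host(tricky))   # storage.example.com
    print("RFC 3986 host:", rfc3986_host(tricky))      # evil.example
    print("naive:", naive_allowlisted(tricky), "hardened:", hardened_allowlisted(tricky))
```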

Three Reasons to be Cheerful this Week:

  1. Ransomfreude: The Conti ransomware gang's operations were monitored for weeks by Swiss security firm Prodaft after it owned Conti's payments site. Conti described this as "Looks like Europeans have also decided to abandon their manners and go full-gangsta simply trying to break our systems". Prodaft was able to observe incoming SSH connections — presumably from the admins, though all via Tor exit nodes — and identify the server's real IP address in Ukraine.
  2. Insurers are reducing ransomware coverage: Cyber insurers are struggling with the level of payouts and are reducing coverage and raising premiums. Seriously Risky Business has described cyber insurance for ransomware as "the equivalent of insuring glass houses — and then paying the people who throw rocks at them." So this is good news because we'll be paying rock throwers a bit less.
  3. US Charges Two Iranians involved in election interference: The pair sent threatening emails and fake election fraud videos, and hacked vote-related websites. They are now on the FBI Most Wanted list with USD$10m rewards for information about their activities.


A Real Evil Maid!

The Israeli Defence Minister's house cleaner has been arrested after leaking the minister's personal details and photos to Iranian hackers. Omri Goren Gorochovsky contacted Iranian hacker group Black Shadow on Telegram in an effort to make money. He offered to install malware via USB and, to prove his bona fides, Gorochovsky sent photos from inside the minister's house. It can be hard to trust walk-ins, so these photos were subsequently published on the website of the Moses Staff hacking group (mentioned in last week's newsletter).

We are amazed that Gorochovsky, who it turns out was previously convicted of bank robbery and burglary, somehow managed to be employed as the Defence Minister's house cleaner.

So Terrible

GoDaddy's managed WordPress hosting service was breached and 1.2m customers were affected. Depending upon the customer, the attacker could've stolen a customer's email address, SFTP or database credentials, WordPress admin password and/or SSL private keys.

GoDaddy's disclosure was hardly forthright. The incident was buried in an SEC filing, and while a press release appears on GoDaddy's website, Brian Krebs (and this newsletter) couldn't find a link through to it from the rest of the website.

Just Make a Better Soft Serve Machine

The Taylor ice cream machines used in US McDonald's stores are so unreliable that at any given time between 5 and 15% of them are not working. Kytch, a start-up, reverse-engineered the ice cream machine and created a Raspberry Pi-based device that interfaces with them to provide diagnostics over the internet. It turns out that rather than making more reliable machines, Taylor has been copying Kytch to produce its own version of the diagnostic device. Kytch is suing Taylor in response, and the subsequent legal discovery documents make McDonald's and Taylor both look petty.

Turtles All The Way Down

According to Crowdstrike, North Korean hackers are attempting to hack Chinese hackers, presumably so that North Koreans can steal Chinese exploits so they can do better hacking. North Korea has targeted security researchers before, but a focus on China is interesting. They were detected by Google's TAG last time, so perhaps we'll see a similar write-up on these guys from the equivalent Tencent team eventually. Lol.

You Like Content? We Have!

CyberCX, a corporate sponsor of this newsletter, is hosting a webinar on how to defend, deter and disrupt cybercrime. It will feature Ciaran Martin (former head of the UK's NCSC, now at the University of Oxford), Alastair MacGibbon (former head of the ACSC and now Chief Strategy Officer at CyberCX) and Katherine Mansted (CyberCX's Director Cyber Intelligence and Public Policy). Should be good. Register here for 10 am Sydney time 9 December.

Martin recently spelt out his position on end-to-end encryption — it's an interesting and very readable perspective from a former government intelligence professional.

I Helped Criminals on the Dark Web and All I Got Was this T-Shirt

The Tor project is offering hoodies, T-shirts and stickers to volunteers who run bridge nodes. Bridges are entry points to the Tor network, but can end up getting blocked over time, so the project "need[s] a constant trickle of new bridges that aren't blocked anywhere yet".

The Need for Speed

Regulators have decided that banks must report "major" cyber security incidents to federal officials within 36 hours. Think of the overtime!

Of Course the Biologists Called it "Tardigrade"

Malware dubbed Tardigrade has been targeting biomanufacturing facilities. It is sophisticated, polymorphic and has some autonomous behaviour. Without C2 it will "decide on lateral movement based on internal logic" and will also infect and transmit via USB devices. Curiously, the first detection was associated with "halfhearted" ransomware deployment, although BIO-ISAC, the Bioeconomy ISAC that analysed it, believes it is also involved with intellectual property theft. We have no idea if that's true.