Source article.
May 04 2021
ON THE INTERNET THE “COLD” WAR HAS TURNED HOT
America has a serious infrastructure problem.
America’s most urgent infrastructure vulnerability is largely invisible and unlikely to be fixed by the Biden administration’s $2 trillion American Jobs Plan.
I’m thinking about vulnerabilities that lurk in your garage (your car), your house (your computer), and even your pocket (your phone). Like those devices of yours, all connected to the Internet and so hackable, American businesses, hospitals, and public utilities can also be hijacked from a distance thanks to the software that helps run their systems. And don’t think that the American military and even cybersecurity agencies and firms aren’t seriously at risk, too.
Such vulnerabilities stem from bugs in the programs — and sometimes even the hardware — that run our increasingly wired society. Beware “zero-day” exploits — so named because you have zero days to fix them once they’re discovered — that can attract top-dollar investments from corporations, governments, and even black-market operators. Zero days allow backdoor access to iPhones, personal email programs, corporate personnel files, even the computers that run dams, voting systems, and nuclear power plants.
It’s as if all of America were now protected by nothing but a few old padlocks, the keys to which have been made available to anyone with enough money to buy them (or enough ingenuity to make a set for themselves). And as if that weren’t bad enough, it was America that inadvertently made these keys available to allies, adversaries, and potential blackmailers alike.
The recent SolarWinds hack of federal agencies, as well as companies like Microsoft, for which the Biden administration recently sanctioned Russia and expelled several of its embassy staff, is only the latest example of how other countries can hack basic American infrastructure. Such intrusions, which actually date back to the early 2000s, are often still little more than tests, ways of getting a sense of how easy it might be to break into that infrastructure in more serious ways later. Occasionally, however, the intruders do damage by vacuuming up data or wiping out systems, especially if the targets fail to pay cyber-ransoms. More insidiously, hackers can also plant “time bombs” capable of going off at some future moment.
ON THE INTERNET THE “COLD” WAR HAS TURNED HOT
May 04 2021
Apple Releases Update For ACE Vulnerability In WebKit
Apple has released iOS 14.5.1, which provides a memory corruption bug fix and patches an arbitrary code execution (ACE) vulnerability in WebKit — a web browser engine. Arbitrary code execution refers to an attacker executing code that they should not be able to execute.
A malicious website could theoretically execute harmful code on your iPhone, or iPad if they exploited that vulnerability. Browsers are designed to limit the ability of websites to execute code that could be harmful to your device. However, hackers do sometimes find a way around that — and this is one such case.
Apple says that the vulnerability (CVE-2021-30663) may have been actively exploited and classifies it as important (which it is). The update (iOS 14.5.1) is now available, and you can look for it by going to Settings > General > Software Update.
The vulnerability also affects Macs, Apple Watches, and Apple TVs. There are updates for those as well.
May 03 2021
Risk-based vulnerability management has produced demonstrable results
Risk-based vulnerability management
Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding for example, that attackers are more likely to develop exploits for some vulnerabilities than others.
Research has shown that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. Common triage strategies, like patching every vulnerability with a CVSS score above 7 were, in fact, no better than chance at reducing risk.
But now we can say that companies using RBVM programs are patching a higher percentage of their high-risk vulnerabilities. That means they are doing more, and there’s less wasted effort. (Which is especially good because patch management is resource constrained.)
The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019. This year, it was 27 days.
And then there is another measure of success. Companies start vulnerability management programs with massive backlogs of vulnerabilities, and the number of vulnerabilities only grows each year. Last year, about two-thirds of companies using a risk-based system reduced their vulnerability debt or were at least treading water. This year, that number rose to 71 percent.
When a company discloses that their networks have been breached and that their data has been stolen or encrypted for ransom, there is a steady drumbeat of critics. The company, these critics contend, is somehow at fault. Its security team didn’t do EVERYTHING it could have to prevent the breach. The proof of this doesn’t lie in knowledge of what preventative steps the security team did, but in the fact that it got breached. Victim blaming was alive and well in cybersecurity.
Thankfully, this mindset is fading away. But when cybersecurity companies with risk-based approaches began entering the market, they faced headwinds from the security nihilism crowd who thought if you can’t fix everything, then “why bother?”
We can now say that, when it comes to vulnerability management – a complex, yet fundamental cybersecurity discipline – the risk-based approach has produced clear results. The proof is in the data.
Enterprises that use risk-based approaches to vulnerability management are getting faster and smarter at this foundational cybersecurity discipline. They are doing less work and seeing more impactful security improvements. It’s encouraging to see these year-over-year improvements and we believe this trend is likely to continue.
Risk Based Vulnerability Management
![Risk Based Vulnerability Management A Complete Guide - 2019 Edition by [Gerardus Blokdyk]](https://m.media-amazon.com/images/I/41MHiFnHHML.jpg)
May 03 2021
A battle cry for SMBs to address cybersecurity
If cybersecurity is a new concept for the business, first take the necessary steps to follow best practises, as set out by the NIST Cybersecurity framework, as a minimum. Furthermore, to enhance the organisation’s overall security maturity, there are 4 key categories that need to be addressed: cyber strategy and risk, network security, endpoint security, and threat detection and response capabilities.
What is the current level of the cyber strategy and risk?
Small business owners are focussed on running their business with cybersecurity often a secondary concern. To begin with, businesses should seek consultation from industry experts to provide an assessment of the infrastructure to determine areas of concern. This will help the business plan, adapt and grow to stay competitive. It also will provide insight into how the business’ security measures stack up to the needs of the business currently and for the future.
An assessment by an external consultant can also examine whether the business is meeting compliance and regulatory requirements, which can be weaved into the security strategy. This guidance not only helps to improve the overall security posture, but also saves costs in the long run.
The Essential Guide to Cybersecurity for SMBs
May 02 2021
How to Become a Data Protection Officer
How to Become a Data Protection Officer
The role of a Data Protection Officer (DPO) is a fairly new one in many companies. What’s more, the need to hire a DPO often comes as a response to the General Data Protection Regulations (GDPR) which were implemented back in 2018.
As such, the responsibilities, reporting and structure of the role are primarily defined by GDPR guidelines.
But though it might be a fairly new role, it can be a very exciting and rewarding one. So if you’re considering a career as a data protection officer, this guide is for you. Below, we’ll take a look at what the role entails and what you need to do to get a job as a DPO.
What is a Data Protection Officer and What Do They Do?
In a nutshell, a data protection officer is a steward for data protection and privacy within a business. They must implement effective data protection strategies and facilitate a culture of data protection throughout the company. This is to ensure companywide compliance with GDPR. The appointment of a DPO is mandatory in some businesses, particularly those in the public sector or those that process a large amount of personal data. That being said, some businesses choose to appoint a DPO even though they are not legally required to as it pays to have someone in charge of compliance and data privacy.
In the general data protection regulations, it is stated that the DPO should report directly to the highest management level. As a DPO, some of the key responsibilities include:
- Ensuring that a business applies the laws of data protection appropriately and effectively, as
well as following these regulations and legislations. - Educating and training management and all other employees about GDPR and other data protection statutes as well as about compliance and demonstrating effective measures and strategies for data handling and processing.
- Conducting regular security audits.
- Acting as the point of contact between the company and any supervisory authorities (SAs). For example, if there is a data breach, it is the job of the DPO to report this to the relevant authorities.
With this in mind, here’s how you can tailor your career path to lead to the role of a data protection officer.
In order to become a DPO, What skills you may need…
Becoming a Data Protection Officer
Certified Data Protection Officer
May 01 2021
Identifying People Through Lack of Cell Phone Use
But Faïd’s true mentors were the criminals he’d grown up idolizing onscreen. “He had a phenomenal memory,” his brother Abdeslam tells me. “And he was completely immersed in movies.” Abdeslam recalls an eight-year-old Rédoine returning home from a matinee of the 1975 French crime film Peur Sur la Ville (released in the U.S. as The Night Caller), starring Jean-Paul Belmondo, and enchanting their mother and his siblings with a scene-by-scene reenactment. “I’d seen the film,” Abdeslam says, “and his version was just as I remembered it.”
his former lawyer, Raphael Chiche, explained on French television in a documentary about Faïd. “He had to create his own methodology. What better way than movies to get inspired and learn the operational modes of criminality?”
The foresight with which Faïd planned these robberies led his associates to give him a nickname—Doc, after Doc McCoy, Steve McQueen’s character in 1972’s The Getaway, a bank robber on the run who, like Faïd, has a preternatural ability to visualize how jobs will play out. McCoy also made a habit of carrying out “thoughtful hits,” Faïd explains to me. “He had to rob in a precise and neat way.” Faïd likewise stresses the neatness of his own robberies. As he puts it, he executed his hits “as gentlemanly as possible.” He wants to be known as a master thief who took careful precautions to avoid acts of violence.
In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance:
Apr 30 2021
The realities of working in and pursuing a career in cybersecurity
“One of the biggest challenges we have in cybersecurity is an acute lack of market awareness about what cybersecurity jobs entail,” said Clar Rosso, CEO of (ISC)². “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organizations and their cybersecurity leadership need to adopt more mature strategies for building teams.
“Many organizations still default to job descriptions that rely on cybersecurity ‘all stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come.”
Apr 29 2021
US and allies to take steps to fight a surge in ransomware attacks
A task force of more than 60 experts from industry, government, nonprofits and academia is urging the U.S. government and global allies to take immediate steps to stem a growing global crisis of cyberattacks in which hackers seize computer systems and data in exchange for a ransom.
The group, which issued a report today, says swift, coordinated action can disrupt and deter the growing threat of cyberattacks that use ransomware, a malicious software that locks up computer systems so that criminals can demand ransom in exchange for access.
“We’re seeing critical parts of the economy being hit by ransomware, including, for example, health care in particular,” says task force co-chair Megan Stifel, executive director of Americas at the Global Cyber Alliance. “When you start to see a broad scale of victims across multiple elements of the economy being hit there can ultimately, if not abated, be catastrophic consequences.”
Apr 29 2021
ATT&CK® for Containers now available!
We’re excited to announce the official release of ATT&CK for Containers! This release marks the culmination of a Center for Threat-Informed Defense (Center) research project sponsored by Citigroup, JPMorgan Chase, and Microsoft that investigated the viability of adding container-related techniques into ATT&CK. This investigation led to developing a draft of an ATT&CK for Containers matrix, which we contributed to ATT&CK. Our contribution was accepted and is now live in ATT&CK version 9.0! We want to give a special thank you to the community for all of your feedback and help in developing this content. Creating ATT&CK for Containers has been a fun journey for us, with a lot of new faces and names along the way. You’ll notice a lot of new contributors in ATT&CK with this release, which is in part a testament to how many folks helped us scope and create this new platform in ATT&CK!
For more on: Why did container-related techniques get added to ATT&CK?
Apr 29 2021
Jailbreak or Jail – Is Hacking for the Government A Crime?
After the horrific shooting in San Bernardino, California, federal law enforcement officers seized the now-dead suspect’s iPhone, and sought to examine it. However, the phone was “locked” using proprietary hardware and software from Apple. The government sought a court order (under the All Writs Act — an 18th century statute) compelling Apple to develop and implement a process to break their own security, and to provide to the FBI the unlocked and unencrypted contents of the iPhone.
After much legal wrangling, the FBI backed down. A recent report in the Washington Post indicates that the reason the FBI backed down is that they were able to turn to a “white hat” hacking company in Australia, Azimuth, to “jailbreak,” or unlock, the phone for them. Cool, cool. In fact, for the most part, that’s what is supposed to happen. Companies attempt to design and implement secure software, hardware, networks and applications, and governments (oh yeah, and hackers, too) attempt to find and exploit weaknesses in them. They put it on the bill, I tear up the bill. It’s very convenient.
It is certainly a more desirable outcome than requiring companies to deliberately crack or, even worse, weaken their security so that a government agency can bypass that security, or compelling the manufacturer or software developer to spend considerable development time and effort to undo its own security.
And that’s the problem with good security – when it works, it’s good. So, was it legal for Azimuth to jailbreak Apple’s devices, and then sell the jailbreak to a government agency? Magic 8 ball says, “Situation hazy; ask again later.” There are several statutes involved here. First and foremost is the Computer Fraud and Abuse Act (CFAA). The statute has many parts, but it makes it a federal crime to exceed authorization to access a computer and obtain information. Generally, to access a computer means to use it; to obtain information was supposed to mean to steal data, but it could also mean just to learn something. And, while a modern cell phone is certainly a “computer,” it is not clear that phone software, apart from the phone (or running on a virtual machine), is a “computer.”
But, assuming that the phone is somehow “accessed” and “information” (like a vulnerability) is “obtained,” we are left with trying to parse what it means to “exceed authorization.” That’s where we get into Apple’s terms of service and terms of use. You know, the hundreds of pages of license agreements you find if you go to Settings -> General -> About -> Legal and Regulatory -> Legal Notices -> License. You know, the stuff you always do when you use the phone, amirite?
You see, you don’t actually own your phone. Well, you kinda own part of it, but the software that makes it work is licensed to you by Apple and others subject to the software license agreement (SLA). Violate the SLA, and you are using (accessing) your own phone “in excess of authorization.”
Ten Commandments To Secure Your iphone!
![Ten Commandments To Secure Your Iphone! (gavrielhani) by [Gavriel Hani]](https://m.media-amazon.com/images/I/41l95MQM2mL.jpg)
Apr 28 2021
The next big thing in cloud computing?
For some time, the public cloud has actually been able to offer more protection than traditional on-site environments. Dedicated expert teams ensure that cloud servers, for example, maintain an optimal security posture against external threats.
But that level of security comes at a price. Those same extended teams increase insider exposure to private data—which leads to a higher risk of an insider data breach and can complicate compliance efforts.
Recent developments in data security technology—in chips, software, and the cloud infrastructure—are changing that. New security capabilities transform the public cloud into a trusted data-secure environment by effectively locking data access to insiders or external attackers
This eliminates the last security roadblock to full cloud migration for even the most sensitive data and applications. Leveraging this confidential cloud, organizations for the first time can now exclusively own their data, workloads, and applications—wherever they work.
Even some of the most security-conscious organizations in the world are now seeing the confidential cloud as the safest option for the storage, processing, and management of their data. The attraction to the confidential cloud is based on the promise of exclusive data control and hardware-grade minimization of data risk.
What is the confidential cloud?
Over the last year, there’s been a great deal of talk about confidential computing—including secure enclaves or TEEs (Trusted Execution Environments). These are now available in servers built on chips from Amazon Nitro Enclaves, Intel SGX (Software Guard Extensions), and AMD SEV (Secure Encrypted Virtualization).
Apr 28 2021
Microsoft Defender uses Intel TDT technology against crypto-mining malware
Microsoft announced that Microsoft Defender for Endpoint, its commercial version of Windows 10 Defender antivirus, implements a new mechanism that leverages Intel’s Threat Detection Technology (TDT) to block cryptojacking malware using
Cryptojacking malware allows threat actors to secretly mine for cryptocurrency abusing computational resources of the infected devices.
The Intel TDT technology allows sharing heuristics and telemetry with security software that could use this data to detect the activity associated with a malicious code. Intel TDT leverages machine learning to analyze low-level hardware telemetry produced by the CPU performance monitoring unit (PMU) and uses it to detect the malware code execution “fingerprint” at runtime. TDT is currently implemented in Intel Core processors and any Intel CPU series that supports Intel vPro technologies, 6th Generation or later.
“Today, we are announcing the integration of Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, an addition that enhances the detection capability and protection against cryptojacking malware.” reads the announcement published by Microsoft. “TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU). This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests, without needing intrusive techniques like code injection or performing complex hypervisor introspection. TDT can further offload machine learning inference to the integrated graphics processing unit (GPU), enabling continuous monitoring with negligible overhead.”
Microsoft Defender uses Intel TDT technology against crypto-mining malware
Apr 28 2021
Ransomware: don’t expect a full recovery, however much you pay
When it comes to all the various types of malware out there, none has ever dominated the headlines quite as much as ransomware.
Sure, several individual malware outbreaks have turned into truly global stories over the years.
The LoveBug mass-mailing virus of 2000 springs to mind, which blasted itself into hundreds of millions of mailboxes within a few days; so does CodeRed in 2001, the truly fileless network worm that squeezed itself into a single network packet and spread worldwide literally within minutes.
There was Conficker, a globally widespread botnet attack from 2008 that was programmed to deliver an unknown warhead on April Fool’s Day, but never did. (Conficker remains a sort-of unsolved mystery: no one ever figured out what it was really for.)
And, there was Stuxnet, discovered in 2010 but probably secretively active for years before that, carefully orchestrated to spread via hand-carried USB drives in the hope of making it across security airgaps and into undislosed industrial plantrooms (allegedly Iran’s uranium enrichment facility at Natanz).
But none of these stories, as dramatic and as alarming as they were at the time, ever held the public’s attention as durably or as dramatically as ransomware has done since the early 2010s.
Apr 27 2021
The hybrid office will create great opportunities—for companies and cybercriminals
Spring is always a time of renewal, but never more so than this year. After our long winter of forced isolation, the increased accessibility of safe and effective vaccines has many looking forward to shutting off Zoom, putting on some real pants, and emerging to see friends and colleagues in person for the first time in more than a year. Normality, it seems, is just around the corner.
Yet the world has been irrevocably changed by the past year, and the businesses, schools, and other workplaces that we enter back into won’t be the same as the ones we left last March.
The pandemic accelerated long-standing trends in workplaces across sectors as companies quickly embraced remote work and stood up infrastructure to enable their employees to remain productive while working from home.
Today we are finding that many of these developments are pretty good—enabling employees to work and be productive from anywhere without the headaches of a commute or a noisy office. And so, as the economy begins to reopen, many are looking for ways to make these temporary solutions more permanent and merge them with more “traditional” forms of working to create a sort of hybrid work environment.
These new hybrid workplaces will create new opportunities for businesses and will allow us to create organizations that are more flexible, productive, and accessible than ever before. But they can also open up new avenues of uncertainty that could threaten every organization. And make no mistake—cybercriminals know this and are finding ways to take advantage of these vulnerabilities.
Visit Fortune for the full post.
Apr 27 2021
When AIs Start Hacking
If you don’t have enough to worry about already, consider a world where AIs are hackers.
Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.
As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them at unprecedented speed, scale, and scope. After hacking humanity, AI systems will then hack other AI systems, and humans will be little more than collateral damage.
Okay, maybe this is a bit of hyperbole, but it requires no far-future science fiction technology. I’m not postulating an AI “singularity,” where the AI-learning feedback loop becomes so fast that it outstrips human understanding. I’m not assuming intelligent androids. I’m not assuming evil intent. Most of these hacks don’t even require major research breakthroughs in AI. They’re already happening. As AI gets more sophisticated, though, we often won’t even know it’s happening.
AIs don’t solve problems like humans do. They look at more types of solutions than us. They’ll go down complex paths that we haven’t considered. This can be an issue because of something called the explainability problem. Modern AI systems are essentially black boxes. Data goes in one end, and an answer comes out the other. It can be impossible to understand how the system reached its conclusion, even if you’re a programmer looking at the code.
In 2015, a research group fed an AI system called Deep Patient health and medical data from some 700,000 people, and tested whether it could predict diseases. It could, but Deep Patient provides no explanation for the basis of a diagnosis, and the researchers have no idea how it comes to its conclusions. A doctor either can either trust or ignore the computer, but that trust will remain blind.
Apr 27 2021
Organizations can no longer afford to overlook encrypted traffic
Whether you’re a small business operating out of a single office or a global enterprise with a huge and distributed corporate network, not inspecting the encrypted traffic entering and leaving can be a costly mistake, as cybercriminals are increasingly using TLS (Transport Layer Security) in their attacks.
Case in point: in Q1 2020, 23 percent of malware detected by Sophos used TLS to disguise malicious communications. Only a year later, that percentage has nearly doubled (45%)!
TLS encryption: For better and for worse
The widespread use of TLS encryption prevents criminals to steal or tamper with sensitive data and to impersonate legitimate organizations online. Unfortunately, it can also allow malware to fly under the radar and hide from enterprise IT security teams and the tools they use.
“A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware,” noted Sean Gallagher, Senior Threat Researcher at Sophos.
“It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.”
The company has also witnessed an increase in TLS use in manually deployed ransomware attacks, partly because the attackers use modular offensive tools (e.g., Metasploit, Cobalt Strike) that leverage HTTPS.
Apr 26 2021
Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet
European law enforcement has conducted an operation aimed at performing a mass-sanitization of computers infected with the infamous Emotet Windows malware.
European law enforcement agencies automatically wiped the infamous Emotet malware from infected systems across the world as part of a mass sanitization operation.
Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action.
This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.
The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure.
The authorities started pushing out a 32-bit payload named “EmotetLoader.dll” to clean up the infected systems, the process was set to trigger itself automatically on April 25, 2021 as confirmed by researchers at Malwarebytes.
Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet
Apr 26 2021
Connected medical devices brought security loopholes mainstream
Connected medical devices are proving essential amidst today’s new normal, but their mainstream adoption has also brought security loopholes to the fore. Fragmented systems have given rise to information silos and unencrypted devices, with hackers increasingly targeting health organizations and hospitals as a result.
It is worth considering what cybersecurity leaders can do as data security shapes up to be the health industry’s next battlefront.
The story so far: Coronavirus and healthtech
Medical connected devices have become a cornerstone defense for patients and healthcare workers over the past 12 months. The ability for devices to supply socially distanced medical information at a time when personal space and health insight are needed most has resulted in their astronomical rise.
From wearable IoT devices like smartwatches that provide a patient’s heart rate and blood oxygen level, to personal medical devices like hearing aids that can be calibrated remotely, these devices have proven vital for both patients and healthcare providers.
Smart devices have also played a key role in the fight against the pandemic. The integration of IoT devices with smart sensors and algorithms in the medical field, connected to an application via the cloud and other connected devices, have been very helpful in contact tracing.
Personal medical care and health data interoperability were already major hot topics in medicine before the pandemic, and now they are only growing with the expansion of medical connected devices. This is evident as a greater awareness and acceptance of newer technologies and higher spending on healthcare services is expected to see medical connected devices grow to $260 billion by 2027.
Connected medical devices brought security loopholes mainstream
Cybersecurity for Connected Medical Devices
Apr 24 2021
UK spy chief says warns West faces ‘moment of reckoning’ over tech
LONDON — Western countries risk losing control of technologies that are key to internet security and economic prosperity to nations like China and Russia if they don’t act to deal with the threat, one of the UK’s top spy chiefs warned Friday.
“Significant technology leadership is moving east” and causing a conflict of interests and values, Jeremy Fleming, director of government electronic surveillance agency GCHQ, said in a speech.
Singling out China as a particular threat, he said the country’s “size and technological weight means that it has the potential to control the global operating system.”
China is an early adopter of emerging technologies but it also has a “competing vision for the future of cyberspace,” and it’s playing an influential role in the debate around international rules and standards, he said.
He raised the possibility of countries with “illiberal values” like China building them into technical standards that the world ends up relying on, and using their state power to control and dominate technology markets, turning them into arenas of geopolitical competition.
Russian hacking and other nefarious online activity, meanwhile, poses the most acute threat to the UK but, like a smartphone app vulnerability, could be avoided.
China’s Foreign Ministry blasted the remarks, saying they were “totally groundless and unreasonable.”
“Western countries, such as the UK and US, are actually the true empires of hacking and tapping,” ministry spokesman Zhao Lijian said at a briefing in Beijing.
Left unchecked, foreign adversaries could threaten the design and freedom of the internet, Fleming said. He citied as examples the security for emerging technologies like “smart city” sensors used to manage services more efficiently or digital currencies, saying they could be hardwired for data collection or other intrusive capabilities that go against open and democratic societies.
Britain and other Western countries face “a moment of reckoning,” Fleming said.
“The rules are changing in ways not always controlled by government,” Fleming said in his speech at Imperial College London. “And without action it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West.”
Britain should not take its status as a cyber power for granted, and it should work on developing “sovereign technologies” such as high-speed quantum computing and cryptographic technology to protect sensitive information, Fleming said.
China’s focus on establishing information dominance as a key component of its military efforts.
« Previous Page — Next Page »
