rickgrinnell
Contributor

Emerging security threats at the half-year mark

Opinion
17 Jun 2019, 6 mins
5G, Cyberattacks, Data Breach

We’ve hit the halfway mark of 2019, and I’m sure that we have all noticed some interesting happenings in the cybersecurity world. I’d like to highlight a few that I’ve found interesting, but also disturbing – and I am sure that there are several others not mentioned here that others might rank higher on their personal list.

The 5G race is on, and China holds an ominous advantage

5G is going to touch every company and person in the next year or two, as service providers drive new high-bandwidth offerings. But currently, as discussed at a Beltway conference a few weeks ago – raising the anxiety of the audience – China is the only country that manufactures the full stack of 5G solutions, from chips and handsets to core infrastructure. This is a troubling situation, particularly because there are many security concerns around Chinese technology providers. For example, tech heavyweight Huawei, the world’s largest telecom supplier and second-largest phone supplier, has long been suspected of providing products that compromise customer security and privacy. These issues could impact the adoption of 5G in the U.S. and internationally, while also creating a new set of vulnerabilities that affect our corporate and national security.

Huawei has a very close relationship with the Chinese government, which has raised red flags in the security world. As recently summarized by the Recorded Future team, Huawei’s wide range of technologies and products and its enormous global customer base have put it in a position to access vast quantities of information on organizations, governments, and people worldwide. Huawei’s obligations to the Chinese government under various national security statutes put that data at risk of interception and compromise.

In addition, the company’s CFO, Meng Wanzhou, who is also the daughter of the founder, was arrested in Canada last year after the US government alleged that she was helping the company circumvent US sanctions on Iran.

To protect U.S. interests, a ban has been put in place that prevents U.S. 5G network providers and government agencies from buying products from Chinese companies, and U.S. technology providers like Google from supplying Chinese providers like Huawei with technology. In the Google case, Huawei will need to develop its own operating system since the company will no longer have access to the full Android system.

If the world wants to be operating on 5G quickly and cost-effectively, there will be a dependency on China and vendors like Huawei. That could result in getting devices and infrastructure that are already compromised with backdoors for eavesdropping. The U.S. might prevent business with Huawei, but that doesn’t mean all of our allies will, and as confidential US data – government or corporate – flows through their networks, this could have a devastating impact on our national security and IP protection.

Singapore data theft

Another China-related security story, one that hasn’t made the headlines the way Huawei has, also involves data theft. Chinese hackers broke into Singapore’s government health database and stole more than a million records. This happened last summer, but the story has spilled over into this year, as the hacking group responsible has been uncovered. According to The New York Times, a second hack involved medical records for thousands of HIV-positive Singapore residents, which were disclosed online. While I’m not certain what the motivation of an attack like this was, it does demonstrate the ease of breaking into supposedly secure medical data. And just think of the consequences had the goal been to actually cause physical harm – or even death – by changing the records instead of just disclosing them.

Facial recognition bans

Biometrics are supposed to add an extra layer of security, but we are starting to see some pushback over privacy concerns surrounding the use of some biometrics. Large cities like San Francisco and Oakland in California – as well as smaller communities like Somerville, Massachusetts – have banned the use of facial recognition software by police and other local government agencies. On Capitol Hill, a bill was introduced to ban the use of commercial facial recognition that would allow businesses to track customers without their consent. Those who support the ban worry about citizens’ privacy and also about racial profiling, with concerns that the technology is too new and lacks ethical guidelines for its use. Opponents of the ban worry that it could hamper investigations. Expect the tension between the two sides to only strengthen, as biometrics become more ubiquitous in our everyday lives. Facial recognition in theory is going to keep people safer, but of course it’s going to breach privacy. How and by when will we find a balance?

Google’s data privacy problems

Google and its Android mobile operating system being kicked off Huawei devices may be the least of its problems right now. For such a large tech superpower, it has struggled lately with basic security and data privacy protections. The problems began at the end of 2018, when Google admitted a bug in the Google+ API exposed more than 50 million accounts, resulting in Google shutting down the application. In May, it was revealed that the passwords of millions of G Suite users were stored in plaintext. You’d think a company as tech-savvy as Google would be better at security. It was likely an accident, of course, rather than malicious intent, but Google’s problems show that maintaining good security practices is hard for even the most tech-savvy companies.

EternalBlue attacks

A breaking security story as we move into the mid-year is the EternalBlue cyberattack, which exploits a software vulnerability in Windows. EternalBlue isn’t new; it’s been around for a couple of years, developed by the NSA. The code was stolen and used in the WannaCry and NotPetya ransomware attacks. In May, EternalBlue resurfaced, this time in a ransomware attack on Baltimore’s city government. The problem is that many computers continue to use outdated Windows operating systems – estimates are over 1 million – and hackers are taking advantage. Baltimore’s ransomware is a high-profile case, with city business all but halted and officials refusing to pay the ransom. But it is just one in an escalating number of EternalBlue attacks, all because organizations haven’t updated their operating systems or applied patches that were made available.

These security concerns focus on some very specific situations and incidents, but they represent the larger security landscape as a whole. Hackers continue both to use new, sophisticated forms of attack and to take advantage of old ones, organizations continue to have sloppy security habits, and society continues to struggle with the balance of new technologies and privacy. We’ll see in December how these particular issues and the overall trends play out over the rest of 2019.

Rick Grinnell is a founder and Managing Partner of Glasswing Ventures, an early-stage venture capital firm dedicated to investing in the next generation of AI-powered technology companies that connect consumers and enterprises and secure the ecosystem. As a venture capitalist and seasoned operator, Rick has invested in some of the most dynamic companies in security, enterprise infrastructure and storage.

During his 17 years of venture capital experience he has led investments and served on the board of directors for companies such as EqualLogic (acquired by Dell), Prelert (acquired by Elastic), Pwnie Express, Resilient Systems (acquired by IBM), Trackvia and VeloBit (acquired by Western Digital) and is now lead investor and a member of the board of directors at Terbium Labs.

Rick is also active with various entrepreneurial programs at the Massachusetts Institute of Technology (MIT), Harvard and Tufts Universities, and is a frequent judge at MassChallenge. Rick’s contributions to the broader community include serving as a member of the Board of Directors of Big Brothers Big Sisters of Massachusetts Bay, as Vice Chairman of the Board of Overseers at the Museum of Science in Boston, and as a member of the Educational Council at MIT. Rick has been recognized by the New England Venture Network with the Community Leadership Award for his philanthropic work and contribution to the community.

Rick earned BS and MS degrees in Electrical Engineering from MIT and an MBA from HBS.

The opinions expressed in this blog are those of Rick Grinnell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
