New International Laws Pose New IoT Security Questions
In effect since May 2018, the General Data Protection Regulation (GDPR) has forced companies across the world to rethink their approach to data governance. In the past year, the law has led to fines against companies such as British Airways and Google. The legislation has also had a range of IoT-related ramifications for data storage on devices ranging from surveillance cameras to smart speakers.
Four recent laws have a similar global impact. Russia passed the Sovereign Internet Law to create an independent Russian web while also requiring internet providers to install devices to filter traffic. A new law in Vietnam requires companies to submit user data to the government when asked, and stipulates that international companies doing business there open a local office. Recent Chinese legislation would also require network operators to turn over data to the government upon request. Finally, an anti-encryption law in Australia requires entities in Australia to hand over data if asked, with noncompliant institutions facing a fine of A$10 million (roughly $7.3 million USD).
“All of these nations are creating new laws to control the flow of data within their borders. And as a result, we see huge global implications,” said Charity Wright, cyber threat intelligence analyst at IntSights Cyber Intelligence. “I compare it to tectonic plates. As these laws are changing, so is the broader cyber threat landscape,” added Wright, a former NSA and U.S. Army cyber threat intelligence analyst.
In the following Q&A, Wright discusses this new legislation and its potential IoT security ramifications, along with the impact of governments censoring the internet and bringing it under government control.
What can you tell me about what is happening in Vietnam in terms of cybersecurity?
Vietnam is quite an interesting nation to watch right now, especially with so much economic growth and government activity.
The regime in Vietnam is an adversary of China, but I think they’re mimicking China’s method of economic growth and its approach to developing a cyber operations group.
In June 2018, the Vietnamese National Assembly passed a new cybersecurity law requiring tech companies to open offices in Vietnam. It also stipulates they store local user data in Vietnam, and hand over any information that the government requests. Finally, it also enforces censorship of social media. They’ve given internet companies a year to comply. We’re watching to see what big tech companies, ISPs and social media giants do. Are they going to stay in Vietnam and abide by the rules, or will they try to negotiate the rules, or are they just going to leave?
A big part of this cyber law in Vietnam is they have created this big cyber offensive unit called Force 47. And rumor has it that it’s over 10,000 members strong. Their job is to combat views that go against the government and anything the communist regime thinks is inappropriate or toxic.
We think that Force 47 might be OceanLotus, which is a major Vietnamese advanced persistent threat group that has been very active in the past year. Force 47 has conducted cyber-espionage campaigns that benefit the Vietnamese government.
So one example of that is last year, when Toyota was attacked with a cyber espionage campaign. [The Vietnamese private automotive startup manufacturer] VinFast is due to present its first vehicle this year. Many researchers are guessing that OceanLotus stole industry secrets because of the economic growth that it will bring to Vietnam.
Other than the creation of Force 47, one of the implications we’ve seen is the business risk for foreign companies operating inside Vietnam. They have to weigh the risks and benefits of operating within Vietnam. Continuing business operations in the country may result in a data compromise. Such a compromise could potentially relate to internal proprietary data and also customer data, which can be subpoenaed by the government and taken at any time.
What would you recommend to foreign businesses interested in doing business in Vietnam?
Consider the cost of increasing data storage in the country. It’s going to be a great cost for infrastructure. Another consideration is: Will I be forced to install back doors on applications that our customers or employees are using?
Companies should communicate clearly with legal counsel in Vietnam who understand this new law and understand the regime, and what will be expected of them.
I would caution them to be very careful about what third parties they are doing business with, because the Vietnamese government has many adversaries in that region. They don’t play games when it comes to doing business with foreigners. I’d recommend paying attention to the geopolitical climate. It’s important to be cautious about third-party risk. It may increase the likelihood of the Vietnamese regime asking for data, or subpoenas of certain information for intelligence purposes.
And the third recommendation I would make would be to always be cautious with what you post on social media. It is going to be censored by the government. Never speak out against them.
Can you shed some light on the quote “If you open the window, both fresh air and flies will be blown in” from Deng Xiaoping, Chairman Mao’s successor? How does that relate to China’s most recent cybersecurity laws?
Deng Xiaoping was the leader of China until his retirement in 1992. And he was one of the main political figures who was responsible for opening up China in many ways, especially economically. That quote about fresh air applied to the economy. But it’s very much how the Communist Party has managed their internet as well. They understand the internet is a primary source for economic growth relating to doing business and managing the data flowing in and out of their businesses.
The Made in China 2025 initiative seeks to establish China as a leader in advanced industries such as the health care and aerospace fields. What is the risk to industries targeted by the Chinese government?
I don’t have much of an opinion about their economic moves right now. They do, however, use cyber espionage as their primary source for technological development. They have never been great at developing their own or getting ahead of the competition with their technology. So they tend to steal secrets from around the world, and then they try to introduce the technology in question to the market before the competition.
China has a plethora of engineers and science and engineering graduates, so it will be interesting to see how domestic engineering evolves as the country invests in advanced manufacturing.
Yes, it’s incredible. China has so many very intelligent people and organizations.
Made in China 2025 is an interesting concept in its aim to produce higher quality, premium products. I’d be interested to see if they will work to make brand names stand out. In the past, they have tended to prefer highlighting the country rather than a single person or brand. That’s part of their culture.
A theme related to IoT security is China’s use of video surveillance and facial recognition. What’s your take on the use of those technologies in the country?
China has the most advanced facial recognition software in the world right now. And they’re using it specifically for securing the state. They’re saying the reason is to prevent terrorism and criminal activity. But it’s also being used to enforce laws and this new social credit system that they’ve created.
What can you tell me about China’s social credit system?
The social credit system is a lot like our credit system, except it has to do with following the rules. They’re using the facial recognition to track their citizens and recognize who’s following the laws and who’s not. It is very futuristic.
From what I’ve heard, the citizens tend to have a positive outlook on this, because they feel that it will secure them as a society, and it will deter crime. But they’re also using technology for anti-terrorism efforts and to monitor the activity of certain groups of people — like minorities near the border of Xinjiang. Recently, just a couple weeks ago, they started having tourists who cross the border in Xinjiang download spyware to their phones. They’re forced to put this malware on their phone, which then scans their phone for up to 73,000 different types of files that the Chinese government finds objectionable. And they are forcing people to delete these files, give up their phones, and cease and desist that behavior by use of malware, which is unheard of really around the world.
So they’re stepping up their surveillance efforts. And although they’re saying it’s in the name of security, and it’s enabling their law enforcement, it’s also enabling their intelligence capability. Imagine millions of cameras, all around China, monitoring everybody’s moves. Imagine tracking where they’re going, what they’re doing, if they’re showing up to work, if they’re jaywalking. They’re transmitting this data to law enforcement and the intelligence apparatus in China.
What are the most important considerations of Russia’s new Sovereign Internet Bill Putin signed into law on May 1, 2019?
Russia is very connected, and they always have been. The internet is a huge part of their lifestyle despite some pretty high levels of poverty there.
Russians came up with the dark web in 1997, with a website called hackzone.ru. The website exploit.in, now one of the most prominent dark web forums in the world, was created after that.
As far as dark web users in the country, the Russian government doesn’t really care about that. Unless they’re using it for a malicious purpose against Russia, or a CIS country, then they don’t care. They almost encourage cybercrime against adversary nations by turning a blind eye to it.
The government recruits the best hackers in their country to work on their behalf to disrupt political situations. It is a very complicated current, you know.
One thing I was wondering about from an IoT security perspective relates to the Russian internet giant Yandex, which has developed a smart speaker known as Alice. What are your thoughts about that as a potential portal for surveillance?
Well, there’s a reason that the U.S. government doesn’t use Kaspersky products anymore — they found some back doors that were installed in the software. My prediction is that the Russian government will use a similar strategy within their own country as they focus on the sovereign internet. If you want to have your own internet structure within your borders, you are more likely to seek to maintain control by installing back doors into hardware. That seems to be the trend among countries that are taking more control of their internet.
What’s your take on Australia’s anti-encryption law that passed late last year?
This really took everyone by surprise. It was passed very quickly and without a lot of detail or explanation. The Australian government can request data to be handed over. They can approach an individual. They can ask a single data engineer or an admin to provide them certain information. And they will hold that individual accountable with prison time. And companies will be held responsible with huge fines exceeding $7 million in U.S. dollars. Everyone is wondering: “What do we need to do to comply? And what does that mean for us doing business in Australia?”