Cyber Week in Review: July 16, 2020

United Kingdom Bans Huawei from 5G Networks

Months after deciding that it would allow Huawei to play a limited role in its 5G network, the United Kingdom reversed course on Tuesday and said it would ban the Chinese telecommunications firm altogether. The announcement specified that buying Huawei 5G equipment would be banned after December 31, 2020 and that all Huawei equipment must be removed from 5G networks by the end of 2027. Digital Secretary Oliver Dowden, speaking to the House of Commons, added that, “By the time of the next election we will have implemented in law an irreversible path for the complete removal of Huawei equipment from our 5G networks.” The decision is a major victory for the Trump administration, which has been trying to block the international expansion of Huawei—especially in Europe. Britain’s original decision to allow Huawei to form part of its 5G infrastructure provided other EU nations, notably France and Germany, diplomatic cover to avoid banning the Chinese firm. The sudden reversal, likely due to a combination of U.S. sanctions against Huawei and deteriorating UK-China relations, will place increasing pressure on European countries to follow suit. In a statement, Huawei said Britain’s announcement was a “disappointing decision” which "threatens to move Britain into the digital slow lane, push up bills and deepen the digital divide."

Germany Calls for First-Ever Use of EU Cyber Sanctions Against Russian Hackers

On Sunday, the German government officially proposed that the European Union impose sanctions against Russian individuals who conducted the 2015 Bundestag hack, which stole an estimated 16 gigabytes of documents from Germany’s lower house of parliament and shut down its computer systems for days. The proposal, following a May decision by Germany’s attorney general to issue an arrest warrant for Russian citizen Dmitry Badin, calls for the first-ever use of the EU Cyber Diplomacy Toolbox, a framework developed in 2017 for joint EU diplomatic responses to malicious cyber activities. While the German government has asserted that it believes Russian military intelligence, also known as the GRU, was involved in the Bundestag hack, it reiterated that applying EU cyber sanctions was aimed “at individuals or groups, not states.” Berlin included a package of evidence based on its investigation of the 2015 hack when sending its proposal to other EU member states. A decision from the bloc is pending.

EU Court Sides with Apple on Tax Dispute 

The EU General Court sided with Apple on Wednesday, saying the U.S. tech giant would not have to pay Ireland 13 billion euros in what the European Commission claimed were unpaid taxes between 2003 and 2014. The ruling [PDF] undermines European Commission Executive Vice President Margrethe Vestager’s efforts to crack down on multinational tech companies using individual EU nations’ tax codes to avoid, in Vestager’s words “paying your fair share of tax.” While the decision could cast doubts on the Commission’s similar ongoing taxation case against Amazon, it will also likely give ammunition to Vestager and her allies in international talks to create a global tax system for taxing tech companies based on the location of their customers. Responding to both the EU General Court’s decision and the larger political context, an Apple spokesman said, “This case was not about how much tax we pay, but where we are required to pay it. We’re proud to be the largest taxpayer in the world as we know the important role tax payments play in society.”

The United States, UK, and Canada Accuse Russian Cyber Actors of Trying to Steal COVID-19 Vaccine Research

In a joint advisory released on Thursday, cybersecurity agencies from the United States, UK, and Canada accused Russian cyber group APT 29 of targeting their medical research and development organizations in a campaign to acquire COVID-19 vaccine information. A press release on the advisory noted that "APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property." The UK National Cyber Security Centre added that the hackers behind APT 29 "almost certainly operate as part of Russian Intelligence Services." After the accusations were announced, British Foreign Secretary Dominic Raab denounced the group’s activity, saying that it was “completely unacceptable” that Russian intelligence was targeting those developing a vaccine.

European Court of Justice Strikes Down EU-U.S. Data Privacy Shield

On Thursday, the European Court of Justice (ECJ) struck down the EU-U.S. Privacy Shield, a major agreement governing the transfer of EU citizens’ data to the United States, saying that the agreement insufficiently protected EU citizens from U.S. surveillance law. Created in 2016, the agreement allowed companies to commit to uphold higher privacy standards before transferring data to the United States and enabled transatlantic digital trade for more than 5,300 companies. The case against Privacy Shield was initially sparked by a complaint filed against Facebook by Austrian privacy advocate Max Schrems, who argued that the agreement did not protect his data from U.S. intelligence collection. This is the second major win for Schrems, who also successfully challenged the transatlantic "Safe Harbor" data agreement, which was subsequently invalidated by the ECJ in 2015, directly leading to the passage of the EU-U.S. Privacy Shield to replace it. It is currently unclear if the United States and EU will try and form a new agreement. U.S. Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision but that he hoped to “limit negative consequences” to transatlantic trade.

Twitter Falls Victim to Bitcoin Scam Targeting Famous Accounts

On Wednesday, the Twitter accounts of several prominent politicians, celebrities, and tech executives were hacked, causing the social media platform to close down parts of its service, including the ability of verified users to send tweets. The compromised accounts, which included those belonging to Barack Obama, Kim Kardashian, and Elon Musk, posted tweets asking users to send $1,000 in bitcoin to a bitcoin wallet, promising to reward the sender with $2,000 in the cryptocurrency. By Wednesday evening, the bitcoin wallets promoted in the tweets had received over $100,000. Twitter's investigation into the breach revealed that employees with access to internal systems had been compromised by a social-engineering attack that tricked them into giving up their credentials. The hackers then used these to send tweets from the high-profile Twitter accounts. The FBI is currently investigating the incident, and cybersecurity experts worry that it could mask a much larger breach affecting the personal communications of the world's most powerful people.