Cyber Week in Review: December 7, 2018

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. When will it end? Huawei is facing yet another tough week. Its Chief Financial Officer Meng Wanzhou, who is also the daughter of its founder, was detained in Canada. She faces extradition to the United States, where she has been charged with fraud for misrepresenting Huawei subsidiary Skycom as a separate company to dupe U.S. banks into conducting business with Iranian telecommunications companies in violation of U.S. sanctions. Separately, BT Group, the UK’s largest provider of mobile services, announced that it will remove Huawei equipment from the core of its 3G and 4G networks. BT has also confirmed that it will not be considering Huawei as a vendor for core infrastructure equipment for its 5G network. BT’s move comes amid heightened scrutiny over the use of Huawei equipment in critical infrastructure by the national security community. For its part, Huawei has pledged $2 billion to transform its software systems, in an effort to address security concerns raised in a report authored by the U.K.’s intelligence agency. That's unlikely to mollify concerns, especially as a senior EU official called European countries to be weary of Huawei kit and Japan considers banning it from building its 5G network.

2. Encryption down under. Australian legislators have approved a controversial bill that, among other things, empowers Australian security and law enforcement agencies to compel tech firms or individuals to provide them with access to end-to-end encrypted communications. Under the new law, Australian authorities will have the ability to issue three types of requests to tech companies: a technical assistance notice, requiring a company to use its existing data interception capabilities—if it has them—to provide data to the government; a technical capability notice, requiring a company to build an interception capability; and a technical assistance request, where government asks for assistance and the tech company voluntarily complies. The government contends that these measures are necessary to fight terrorism and organized crime, and that they were required before Christmas. Tech companies and privacy advocates pushed back, arguing the bill was rushed through Parliament, lacks “minimum safeguards” such as “judicial oversight and a warrant-based system,” and effectively requires companies served with notices to undermine the cybersecurity of their products by building backdoors. The fight over the "going dark" problem has been around in some form or another for thirty years, with opponents on both sides talking past each other. Australia's effort to solve the problem might make for a good case study as to its effectiveness. 

3. But their emails! The National Republican Congressional Committee (NRCC) suffered a compromise that exposed thousands of sensitive emails from four senior aides in the run up to this year's midterm election. According to Politico, the breach was discovered in April and the NRCC notified the FBI at the time, but did not disclose it to House members for fear of compromising the inquiry. Though no suspect has been identified, party officials reportedly believe that the instigator was a foreign actor. Unlike the DNC compromise of 2016, none of the compromised information from the NRCC was made public—suggesting that the hackers were more interested in espionage than using the emails for a disinformation campaign. 

4. Not a club you want to join. Marriott International announced that its Starwood reservation system had been breached, potentially revealing information such as the credit card and passport numbers of up to 500 million guests. The compromise, which enabled what the company called an “unauthorized party” to copy and encrypt guest information from the Starwood system, began in 2014, around the same time personal data was also stolen from U.S. health insurers and the Office of Personnel Management—both believed to have been the work of Chinese state-sponsored actors. Since none of the Marriott data stolen by the hackers has been found on the dark web yet, it is believed that the theft may have been the work of a state intelligence agency. The Marriott compromise is believed to be one of the largest breaches of personal information in history.