Cyber Week in Review: March 20, 2020

TSMC Considers New U.S. Plant

Taiwan Semiconductor Manufacturing Co. (TSMC), the world’s largest chipmaker, is considering building an advanced chip facility in the United States in response to pressure from Washington. TSMC chips are used in U.S. military platforms, like the F-35 fighter jet, and policymakers fear that the company’s supply chains could be disrupted or tainted. Bringing supply chains of critical components for military equipment within the United States’ borders would address these threats, but building a new plant would cost TSMC more than $24 billion. The company will likely struggle to profit without U.S. government help, due to the relatively higher costs of operating in the United States than in Taiwan. If TSMC follows through on building a new chip facility in the United States, it will be another example of a multinational company adjusting its business strategy in response to geopolitical tensions between Washington and Beijing.

Coronavirus Testing Website Launch Hindered by Confusion

Project Baseline, a website created by Verily, Alphabet’s life sciences company, and first unveiled by President Trump during a March 13 press conference, quickly ran into issues after its pilot launch on Sunday evening. Intended to direct high-risk individuals to coronavirus testing locations in two San Francisco Bay Area counties, the website was unable to schedule any appointments only a few hours after it went live because it had reached capacity. Those who were able to use the website reported that after selecting certain answers on its survey, they were told that the program “is not the right fit” and were recommended to seek medical help. Users were also suspicious after they discovered that they had to sign into their Google account to access Project Baseline’s services. Recent reporting in the Wall Street Journal has documented Google’s push to acquire and analyze the health data of millions of people without their knowledge or consent, and privacy experts worry that the virus screening looks like an attempt to access even more data.

Ransomware Gangs Pledge to Avoid Targeting Healthcare System During Pandemic

Following the infection of the Champaign-Urbana Public Health System in Illinois with ransomware last week, hacker groups have pledged to not target health care systems during the coronavirus pandemic. Moreover, multiple ransomware operators promised to provide free decryption to health systems that accidentally fall victim to ransomware infections. This frequently occurs when hackers mistakenly target health systems that disguise their identity to deter attacks, according to the group behind DoppelPaymer ransomware. In addition to hackers promising to refrain from targeting health systems, cybersecurity companies Emisoft and Coveware have announced that they will offer their ransomware decryption and negotiation services for free to healthcare providers during the coronavirus outbreak. In response to concerns that threat actors could target U.S. health systems during the pandemic, many experts have called on the U.S. government to implement clear policies for responding to cyberattacks, with some recommending the adoption of legal measures and others calling for kinetic military action against perpetrators of cyberattacks that cause the death of COVID-19 patients.

United States and UK Weigh Deploying Tracking Technology

While Israeli officials announced they were already using anti-terror tech to counter the virus, policy makers in the United States and the UK have been weighing the deployment of tracking technology to monitor and control the spread of the coronavirus. In the United States, the technologies under consideration include geolocation tracking, facial recognition, and social media account scraping aimed at predicting where serious outbreaks will occur. Meanwhile, health officials and scientists in the UK are developing a smartphone app that will alert people when they have come into contact with someone infected with the virus. Unlike Alipay Health Code, the Chinese smartphone tracking system from which it is adapted, the UK’s project plans to rely entirely on voluntary participation and citizens sharing information out of a sense of civic duty. The efforts of both countries highlight the struggle of technology companies and government officials to balance privacy concerns and human rights with the need to monitor the spread of the virus. Some technology company executives have argued that they can protect individual privacy by aggregating personal data that they collect. However, as Georgetown Law professor Matt Blaze reminds us, “something that seems anonymous, more often than not, is not anonymous, even if it’s designed with the best intentions.”

Surveillance Campaign Against Libyans Uses Fake COVID-19 Tracking Map

Mobile security firm Lookout has discovered a spyware campaign targeting Libyans that exploits people’s fear of coronavirus. While the spyware, SpyMax, has been known to Lookout for almost a year, since March the company has observed that a threat actor has been hiding it in a mobile application mimicking an interactive map created by Johns Hopkins University that tracks the spread of COVID-19. Once downloaded, SpyMax allows its operator to exfiltrate call and text logs and remotely activate microphones and cameras on smartphones. Kristin Del Rosso, Lookout’s security research engineer, called it the most invasive mobile malware that she had seen taking advantage of COVID-19 fears. Libya’s health authorities have maintained that there are no cases of COVID-19 in the country. However, given the lack of stable governance in the country, which has been fractured by civil war, Libyans have turned to technology for answers on the virus’ spread, making them prime targets for cybercriminals.