Category: Writing

Categories
Links Writing

An Initial Assessment of CLOUD Agreements

The United States has bilateral CLOUD Act agreements with the United Kingdom and Australia, and Canada continues to also negotiate an agreement with the United States.1 CLOUD agreements are meant to alleviate some of the challenges attributed to the MLAT process, namely that MLATs can be ponderous with the result being that investigators have difficulties obtaining information from communication providers in a manner deemed timely.

Investigators must conform with their domestic legal requirements and, with CLOUD agreements in place, can serve orders directly on bilateral partners’ communications and electronic service providers. Orders cannot target the domestic residents of a targeted country (i.e., the UK government could not target a US resident or person, and vice versa). Demands also cannot interfere with fundamental rights, such as freedom of speech. 2

A recent report from Lawfare unpacks the November 2024 report that was produced to explain how the UK and USA governments actually used the powers under their bilateral agreement. It showcases that, so far, the UK government has used this substantially to facilitate wiretap requests, with the UK issuing,

… 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37).

By way of contrast, the “United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information.” Challenges in getting UK providers to respond to US CLOUD Act requests, and American complaints about this, may cause the UK government to “amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.”

It will be interesting to further assess how CLOUD Acts operate, in practice, at a time when there is public analysis of how the USA-Australia agreement has been put into effect.

  1. In Canada, the Canadian Bar Association noted in November 2024 that new enabling legislation may be required, including reforms of privacy legislation to authorize providers’ disclosure of information to American investigators. ↩︎
  2. Debates continue about whether protections built into these agreements are sufficient. ↩︎
Categories
Writing

Details from the DNI’s Annual VEP Report

For a long time external observers wondered how many vulnerabilities were retained vs disclosed by FVEY SIGINT agencies. Following years of policy advocacy there is some small visibility into this by way of Section 6270 of Public Law 116-92. This law requires the U.S. Director of National Intelligence (DNI) to disclose certain annual data about the vulnerabilities disclosed and retained by US government agencies.

The Fiscal Year 2023 VEP Annual Report Unclassified Appendix reveals “the aggregate number of vulnerabilities disclosed to vendors or the public pursuant to the [VEP] was 39. Of those disclosed, 29 of them were initial submissions, and 10 of them were reconsiderations that originated in prior years.”1

There can be many reasons to reassess vulnerability equities. Some include:

  1. Utility of given vulnerabilities decrease either due to changes in the environment or research showing a vulnerability would not (or would no longer) have desired effect(s) or possess desired operational characteristics.
  2. Adversaries have identified the vulnerabilities themselves, or through 4th party collection, and disclosure is a defensive action to protect US or allied assets.
  3. Independent researchers / organizations are pursuing lines of research that would likely result in finding the vulnerabilities.
  4. By disclosing the vulnerabilities the U.S. agencies hope or expect adversaries to develop similar attacks on still-vulnerable systems, with the effect of masking future U.S. actions on similarly vulnerable systems.
  5. Organizations responsible for the affected software (e.g., open source projects) are now perceived as competent / resourced to remediate vulnerabilities.
  6. The effects of vulnerabilities are identified as having greater possible effects than initially perceived which rebalances disclosure equities.
  7. Orders from the President in securing certain systems result in a rebalancing of equities regarding holding the vulnerabilities in question.
  8. Newly discovered vulnerabilities are seen as more effective in mission tasks, thus deprecating the need for the vulnerabilities which were previously retained.
  9. Disclosure of vulnerabilities may enable adversaries to better target one another and thus enable new (deniable) 4th party collection opportunities.
  10. Vulnerabilities were in fact long used by adversaries (and not the U.S. / FVEY) and this disclosure burns some of their infrastructure or operational capacity.
  11. Vulnerabilities are associated with long-terminated programs and the release has no effect of current, recent, or deprecated activities.

This is just a very small subset of possible reasons to disclose previously-withheld vulnerabilities. While we don’t have a strong sense of how many vulnerabilities are retained each year, we do at least have a sense that rebalancing of equities year-over-year(s) is occurring. Though without a sense of scale the disclosed information is of middling value, at best.

  1. A locally stored version of the document is also available. ↩︎
Categories
Links Writing

VW Leaks Geolocation Data

Contemporary devices collect vast sums of personal and sensitive information, and usually for legitimate purposes. However this means that there are an ever growing number of market participants that need to carefully safeguard the data they are collecting, using, retaining, or disclosing.

One of Volkswagen’s software development subsidiaries, Cariad, reportedly failed to adequately secure software installed in VW, Audi, Seat, and Skoda vehicles:

The sensitive information was left exposed on an unprotected and misconfigured Amazon cloud storage system for months – the problem has now been patched.

In some 466,000 of the 800,000 vehicles involved, location data was extremely precise so that anyone could track the driver’s daily routine. Spiegel reported that the list of owners includes German politicians, entrepreneurs, the entire EV fleet driven by Hamburg police, and even suspected intelligence service employees – so while nothing happened, it seriously could have been a lot worse.

This is a case where no clear harm has been detected. But it speaks more broadly of the continuing need for organizations to know what sensitive information they are collecting, the purposes of the collection, and need to establish adequate controls to protect collected and retained data.

Categories
Writing

ASD is Clearly Preparing for a Quantum Future

National cryptological organizations, such as the NSA, CSE, GCHQ, ASD, and GCSB, routinely assess the strength of different modes of encryption and offer recommendations on what organizations should be using. They make their assessments based on the contemporary strength of encryption algorithms as well as based on the planned or expected vulnerabilities of those algorithms in the face of new or forthcoming technologies.

Quantum computing has the potential to undermine the security that is currently provided by a range of approved cryptographic algorithms.1 On December 12, 2024, Australia’s ASD published a series of recommendations for what algorithms should be deprecated by 2030. What is notable about their decision is that they are proposing deprecations before other leading agencies, including the USA’s National Institute of Standards and Technology and Canada’s CSE, though with an acknowledgement that the deprecation is focused on High Assurance Cryptographic Equipment (HACE).

To-be-deprecated algorithms include:

  • Elliptic Curve Diffie-Hellman (EDHC)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Module-Lattice-Based Digital Signature Algorithm 65 (ML-DSA-65)
  • Module-Lattice-Based Key Encapsulation Mechanism 768 (ML-KEM-768)
  • Rivest-Shamir-Adleman (RSA)
  • Secure Hashing Mechanisms 224 and 256 (SHA-224 and RSA-256)
  • AES-128 and AES-192

Given that the English-speaking Five Eyes agencies regularly walk in near-lockstep we might see updated guidance from the different agencies in the coming weeks and months. Alternately, policy processes may prevent countries from updating their standards (or publicly announcing changes), leaving ASD as a path leader in cybersecurity while other agencies wait until policy mechanisms eventually lead to these algorithms being deprecated by 2035.

Looking further out, and aside from the national security space, the concerns around cryptographic algorithms speak to challenges that embedded systems will having in the coming decade where manufacturers fail to to get ahead of things and integrate quantum-resistance algorithms in the products they sell. Moreover, for embedded systems (e.g., Operational Technology, Internet of Things, and related systems) where it may be challenging or impossible to update cryptographic algorithms there may be a whole world of currently-secure solutions that will become woefully insecure in the not-so-distant future. That’s a future that we need to start planning for, today, so that at least a decade’s worth of work can hopefully head off the worst of the harms associated with deprecated embedded systems’ (in)security.

  1. What continues to be my favourite, and most accessible, explanation of the risks posed by quantum computing is written by Bruce Schneier. ↩︎
Categories
Writing

Cybercrime, Advanced Persistent Threats, and Human-Centric Security

RUSI has published a compelling essay arguing that policy makers and threat intelligence groups should focus more time and attention towards the activities of cyber criminals.

Contemporary cyber criminals:

  • have many operational characteristics that parallel those of nation-state supported advanced persistent threats
  • are quickly innovating and developing new exploit processes and chains in reaction to market developments, and
  • have a real and significant impact on the lives of people around the world.

Moreover, criminals are increasingly targeting critical infrastructure, an activity-type which has characteristically been associated with nation-state supported organizations.

While it’s left unstated in the essay, Larson is also implicitly is calling for a focus on human-centric security practices. Such a focus would see policy makers and cyber practitioners work to more actively stymie the worst harms felt by individuals and communities affected by cyber operations or incidents. Such a focus might, also, see countries or organizations shift resources away from impeding nation-state supported threat actors and towards law enforcement agencies and cybersecurity bodies or, alternately, see national governments update operational guidance to prioritize targeting cyber criminals’ organizations or infrastructure using offensive cyber capacities.

Categories
Writing

The Data Broker Economy Continues to Endanger Individuals’ Privacy

Mobile advertisers and data brokers routinely collect vast amounts of sensitive information without individuals’ meaningful consent. Sometimes this collection is explicitly mentioned in the terms of service that advertisers provide. However, in many other cases, this collection is linked to “free” functionality services that developers integrate into their applications at the cost of losing control of their users’ data.

These kinds of data brokers fuel a large and mostly invisible data market. But there are times where aspects of it (accidentally) emerge from the shadows.

Recent reporting, first covered by 404 Media, reveals how Fog Reveal sells geolocation services to government agencies. Geofences can be placed around targeted persons’ friends’ and families’ homes, places of worship, doctors’ offices, and offices of a person’s lawyer. Fences can be established retroactively as well as proactively.

These same capacities, it must be noted, can and are also exploited by non-law enforcement agencies. Recent reporting has showcased how the activities of these kinds of data brokers can endanger national security, and they can also put the safety of political and business leaders, to say nothing of regular people, at risk of harm.

Fog Reveal and similar companies are offering an expansive for-sale surveillance capacity. And the capacity, which was once the thing of science fiction, has somehow become banally available for those who can convince private vendors to provide access to the data they have collected.

There remains an open question of how to remedy the current situation: should the focus be on regulating bad actors after they appear or, instead, invest the political capital required to stop the processes enabling the data collection in the first place?

Categories
Links Writing

American Telecommunication Companies’ Cybersecurity Deficiencies Increasingly Apparent

Five Eyes countries have regularly and routinely sought, and gained, access to foreign telecommunications infrastructures to carry out their operations. The same is true of other well resourced countries, including China.

Salt Typhoon’s penetration of American telecommunications and email platforms is slowly coming into relief. The New York Times has an article that summarizes what is being publicly disclosed at this point in time:

  • The full list of phone numbers that the Department of Justice had under surveillance in lawful interception systems has been exposed, with the effect of likely undermining American counter-intelligence operations aimed at Chinese operatives
  • Phone calls, unencrypted SMS messages, and email providers have been compromised
  • The FBI has heightened concerns that informants may have been exposed
  • Apple’s services, as well as end to end encrypted systems, were not penetrated

American telecommunications networks were penetrated, in part, due to companies relying on decades old systems and equipment that do not meet modern security requirements. Fixing these deficiencies may require rip-and-replacing some old parts of the network with the effect of creating “painful network outages for consumers.” Some of the targeting of American telecommunications networks is driven by an understanding that American national security defenders have some restrictions on how they can operate on American-based systems.

The weaknesses of telecommunications networks and their associated systems are generally well known. And mobile systems are particularly vulnerable to exploitation as a result of archaic standards and an unwillingness by some carriers to activate the security-centric aspects of 4G and 5G standards.

Some of the Five Eyes, led by Canada, have been developing and deploying defensive sensor networks that are meant to shore up some defences of government and select non-government organizations.1 But these edge, network, and cloud based sensors can only do so much: telecommunications providers, themselves, need to prioritize ensuring their core networks are protected against the classes of adversaries trying to penetrate them.2

At the same time, it is worth recognizing that end to end communications continued to be protected even in the face of Salt Typhoon’s actions. This speaks the urgent need to ensure that these forms of communications security continue to be available to all users. We often read that law enforcement needs select access to such communications and that they can be trusted to not abuse such exceptional access.

Setting aside the vast range of legal, normative, or geopolitical implications of weakening end to end encryption, cyber operations like the one perpetrated by Salt Typhoon speak to governments’ collective inabilities to protect their lawful access systems. There’s no reason to believe they’d be any more able to protect exceptional access measures that weakened, or otherwise gained access to, select content of end to end encrypted communications.

  1. I have discussed these sensors elsewhere, including in “Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”. Historical information about these sensors, which were previously referred to under the covernames of CASCADE, EONBLUE, and PHOTONICPRISM, is available at the SIGINT summaries. ↩︎
  2. We are seeing some governments introducing, and sometimes passing, laws that would foster more robust security requirements. In Canada, Bill C-26 is generally meant to do this though the legislation as introduced raised some serious concerns. ↩︎
Categories
Writing

Intelligence Commissioner Raises Concerns About Canada’s Federal Cybersecurity Legislation

Earlier this week the Intelligence Commissioner (IC) appeared at the Standing Senate Committee on National Security, Defence and Veterans Affairs on Bill C-26, along with federal Privacy Commissioner. The bill is intended to enhance the cybersecurity requirements that critical infrastructure providers must adopt.

The IC’s remarks are now public. He made four very notable comments in his opening remarks:

  1. The IC warned that the proposed amendments to the Telecom Act would allow the minister to essentially compel the production of any information in support of orders. This information could include personal information – which under broad exceptions, could then be widely disclosed.
  2. Part 2 allows for the regulators to carry out the equivalent of unwarranted searches – where again, personal information could be collected.
  3. The CSE will play a vital role and will be the holder of this information, in a technological form or otherwise, which will contain elements for which we have a reasonable expectation of privacy.
  4. In light of the invasive nature of the Bill, he asserted that it is important that meaningful safeguards be part of the legislation so that Canadians have confidence in the cybersecurity system.

His responses to comments at committee — not yet available through Hansard — made even more clear that he believed that amendments are needed to integrate appropriate oversight and accountability measures into the legislation. The IC’s comments, combined with those of the federal Privacy Commissioner of Canada and civil society representatives, constitute a clear warning to senators about the potential implications of the legislation.

It will be interesting to see how they respond.

Categories
Links Writing

Emerging Trends from Canadian Privacy Regulators and Cybersecurity Legislation?

Earlier this evening, the Office of the Privacy Commissioner of Canada (OPC) appeared before the Standing Senate Committee on National Security, Defence and Veterans Affairs on the topic of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

While at Committee, Commissioner Dufresne recognized the value of making explicit the OPC’s oversight role concerning the legislation. He, also, reaffirmed the importance of requiring any collection, use, or disclosure of personal information to be both necessary and proportionate. And should the Standing Committee decline to adopt this amendment they were advised to, at a minimum, include a requirement that data only be retained for as long as necessary. Government institutions should also be required to undertake privacy impact assessments and consult with the OPC.

Finally, in cases of cyber incidents that may result in a material breach, his office should be notified; this could entail the OPC being notified by the Communications Security Establishment based on a real risk of significant harm standard. Information sharing agreements should also be put in place that provide minimum privacy safeguards while also strengthening governance and accountability processes.

The safeguards the OPC are calling for are important and, also, overlap with many of the Information and Privacy Commissioner of Ontario’s (written submission, Commissioner Kosseim’s oral remarks) concerning the provincial government’s Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.

Should other Canadian jurisdictions propose their own cybersecurity legislation to protect critical infrastructure and regulated bodies it will be interesting to monitor for the consistency in the amendments called for by Canada’s privacy regulators.

Categories
Writing

Ongoing Criminal Exploitation of Emergency Data Requests

When people are at risk, law enforcement agencies can often move quickly to obtain certain information from online service providers. In the United States this can involve issuing Emergency Data Requests (EDRs) absent a court order.1

The problem? Criminal groups are increasingly taking advantage of poor cyber hygiene to gain access to government accounts and issue fraudulent EDRs.

While the full extent of the threat remains unknown, of Verizon’s total 127,000 requests for data in Q2 of 2023, 36,000 were EDRs. And Kodex, a company that is often the intermediary between law enforcement and online providers, found that over the past year it had suspended 4,000 law enforcement users and approximately 30% of EDRs did not pass secondary verification. Taken together this may indicate a concerning cyber policy issue that may seriously endanger affected individuals.

These are just some of the broader policy and cybersecurity challenges that are key to keep in mind, both as new laws are passed and as new cybersecurity requirements are contemplated. It is imperative that lawful government capabilities are not transformed into significant and powerful tools for criminals and adversaries alike.

  1. There are similar kinds of provisions in the Canadian Criminal Code. ↩︎