Good article by lawyer, legal journalist and fellow Temple Law alum Amaris Elliott-Engel. The law, or lack of it, as it relates to cyber warfare is near the top of my list of legal interests. 

Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”

China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.

The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:

The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”

They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.

This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.

These look a lot like “feeler” operations, meant to gauge the reaction attackers can expect from victim institutions and nations. The United States (read: Congress) must act immediately to ensure that we’re ready when attackers stop slowing down or blocking bank websites and start trying to steal customer data en masse.

Patrick Gray, writing at The Register:

Jack also warned of a worst-case scenario in which a worm could infect multiple devices, spreading from patient to patient, re-flashing the devices with malicious code as it foes. This code could be programmed to deliver fatal shocks to patients implanted with vulnerable implants at a scheduled time.

So many lives depend upon the safe operation of a device like a pacemaker, including some of my dearest family. The good news here is that the researcher who discovered the vulnerability is ready and willing to work with manufacturers to design around the security weaknesses in these devices.

But perhaps more importantly, what about devices that have already been implanted in patients? I hope the corrections can be made via a software update so that even current patients can receive the fixes.

As an aside, this technology could also be used in the cyberwarfare arena for exceptionally clandestine assassinations.

Joseph Menn, quoting an anonymous source for Reuters:

We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.

I don’t know enough about this specific issue and the problem of cyberwarfare threats generally. My time in International Law this semester and previous courses like Cyberlaw and Cyberprivacy are coalescing in my mind into a strong area of interest, though, so I expect to follow this and similar issues closely and (hopefully) develop more substantive opinions about them over the next two months.

Kim Zetter, writing at Wired:

The researchers don’t know if the attackers used the bank component in Gauss simply to spy on account transactions, or to steal money from targets. But given that the malware was almost certainly created by nation-state actors, its goal is likely not to steal for economic gain, but rather for counterintelligence purposes.

It’s worth thinking about: state-sponsored cyberespionage has been around for a while, but modern advancements in malware are giving such snooping tools a new level of automation and scale.

PS: I’m going to keep an eye on this story with the hopes that Kaspersky, the Russia-based security lab researching Gauss, eventually cracks the encryption on the mysterious payload.