cybersecurity

US bolsters digital security with the ROUTERS Act to counter foreign cyber threats

The United States is making a pivotal move to bolster its digital security by introducing the ROUTERS Act, a bill specifically designed to address vulnerabilities in consumer internet routers and wireless infrastructure. Since these devices are crucial in connecting users to the internet, they have increasingly become prime targets for cyberattacks, particularly by foreign adversaries such as China.

Consequently, the legislation, which has already passed the House of Representatives, focuses on hardware developed or manufactured by companies based in countries of concern, including China, Iran, Russia, North Korea, and Venezuela. Notably, Chinese-made routers, such as those from TP-Link, are widely used in American households and even government agencies, presenting significant security risks.

To counter these threats, the ROUTERS Act mandates that the Department of Commerce conduct a study to assess the national security dangers posed by these devices. This crucial step could pave the way for future legislative actions to mitigate the vulnerabilities that threaten the US’s digital infrastructure.

Furthermore, the United States has already experienced the damaging effects of cyberattacks, particularly from Chinese-backed hacker groups exploiting router vulnerabilities to infiltrate networks and conduct espionage. Various reports and investigations have consistently highlighted the dangers posed by outdated and insecure routers, particularly those from manufacturers like TP-Link, which remain used by consumers and critical government agencies, including the Department of Defense.

As a result, the ROUTERS Act seeks to address these threats by requiring a comprehensive study of the national security risks posed by such devices, particularly those originating from adversarial nations. As the Senate prepares to review the bill, there is bipartisan support to strengthen it further by designating the National Telecommunications and Information Administration (NTIA) as the lead agency overseeing the study.

Given its expertise in managing digital infrastructure and cybersecurity threats, the NTIA is well-positioned to ensure a thorough evaluation of the risks. Ultimately, this would enable the United States to coordinate better efforts across federal agencies to secure its digital infrastructure and safeguard against foreign cyber threats.

MoneyGram faces challenges amid cybersecurity outage

MoneyGram has acknowledged that its recent multiday outage is due to a cybersecurity issue, and the firm is progressing in restoring its services. The company revealed on X that it had identified the problem affecting certain systems and launched an investigation after users reported disruptions beginning on 20 September.

The Dallas-based financial services company stated that it took immediate protective measures, including taking some systems offline to address the connectivity issues. MoneyGram is collaborating with law enforcement and external cybersecurity experts to mitigate the impact of the breach. In a follow-up post on 24th September, the firm announced that it is successfully restoring some key transactional systems.

Although MoneyGram has assured users that pending transactions will be processed once systems are back online, it has not disclosed details about the nature of the cybersecurity issue, including whether any sensitive data may have been compromised. Additionally, there is no timeline yet for when full service will be resumed.

This incident occurs amid a notable increase in crypto-related ransomware attacks, with reports indicating a significant rise in ransom payments this year. MoneyGram, a major player in money transmission, recently ventured into the crypto space, launching fiat exchange services and partnering with CEX.io to offer fiat-to-stablecoin options.

Microsoft ramps up cybersecurity efforts following critical review

Microsoft has made significant strides in enhancing its security culture following critical feedback from the United States Cyber Safety Review Board. The company launched its Secure Future Initiative (SFI) in late 2023, leading to the involvement of 34,000 engineers dedicated to cybersecurity efforts. CEO Satya Nadella has prioritised security across the organisation, even tying employee performance reviews to security goals in recent months.

Microsoft has implemented several changes to its security processes, including improvements to its Entra ID and Microsoft Account systems, reducing inactive tenants, and enhancing network tracking for better compliance. The company has also introduced stricter controls, such as limiting personal access tokens and eliminating SSH access for internal engineering repositories.

In its push for greater transparency, Microsoft is now publishing CVEs even when customer action is not required. It has also introduced new standards with a ‘Start Right, Stay Right, and Get Right’ approach to ensure that security protocols are integrated throughout its projects.

To oversee its cybersecurity efforts, Microsoft has established a Cybersecurity Governance Council and appointed several new deputy CISOs. The company has also launched a security skilling academy for employee training, reinforcing its long-term commitment to building a robust security culture.

ENISA set to develop cybersecurity certification scheme for EU’s digital ID wallets

The European Commission has tasked the EU Agency for Cybersecurity (ENISA) with developing a cybersecurity certification scheme for the EU Digital Identity (EUDI) wallets. That move aims to standardise and comprehensively secure digital identity wallets across EU member states.

ENISA will create harmonised requirements to support national certification schemes, involving the establishment of reference standards, procedures, and specifications crucial for security and privacy protection. The certification process will align with the Cybersecurity Act and ensure that EUDI Wallets are secure, protecting users’ privacy and personal data while allowing cross-border usability throughout the EU.

The European Digital Identity Framework, effective since May, requires EU member states to start providing EUDI Wallets within two years of adopting their implementing acts. The EC concluded its collection of input on the cybersecurity certification scheme earlier this month, with feedback highlighting the importance of preventing excessive consumer data sharing. ENISA will consider existing certification schemes, such as the European Cybersecurity Certification Scheme on Common Criteria while developing the new framework.

Why does it matter?

ENISA’s ongoing collaboration with the eIDAS Expert Group and the Certification Subgroup, alongside recommendations from its Digital Identity Standards report and current EUDI Wallet pilot projects, will significantly influence the development of the certification scheme, ensuring a robust and trustworthy digital identification system across Europe.

Quad leaders set principles for Digital Public Infrastructure

The Quad leaders, comprising the United States, India, Japan, and Australia, outlined principles to guide the development and deployment of Digital Public Infrastructure (DPI) during their 6th Quad Leaders’ Summit in Wilmington, Delaware. Recognising the transformative power of digital technologies, they emphasised the need for DPI to foster inclusivity, ensure security, and promote scalability while respecting privacy and human rights.

The principles aim to provide a blueprint for governments and private sectors to collaborate on creating secure, interoperable digital systems. These systems would offer equitable access, support public service delivery, and drive sustainable development by addressing key challenges such as digital divides, privacy concerns, and cybersecurity risks. They focus on creating an inclusive, safe, and transparent digital ecosystem that can adapt to evolving demands, especially in pursuit of the UN 2030 Agenda for Sustainable Development.

Among the core principles are:

Inclusivity: Governments should strive to close digital divides by eliminating barriers that hinder access and ensuring no erroneous biases are embedded in digital systems.

Interoperability: DPI should be based on open standards that ensure compatibility across systems, balancing legal and technical requirements.

Scalability: Infrastructure should be designed to accommodate growing demand without significant disruptions.

Security and Privacy: DPI must integrate privacy-enhancing technologies and cybersecurity features to protect users’ data and ensure system resilience.

Collaboration: A culture of openness is encouraged by involving community actors and innovators throughout the DPI’s lifecycle.

Human Rights and Governance: DPI must respect human rights and be governed transparently to maximise public trust and benefit.

Sustainability: DPI should be built with sustainability in mind, ensuring long-term financial and technological viability.

These principles highlight the Quad’s commitment to ensuring that digitalisation leads to equitable, reliable, and sustainable outcomes for societies, strongly emphasising maintaining democratic values and human rights.

Snapchat’s balance between user safety and growth remains a challenge

Snapchat is positioning itself as a healthier social media alternative for teens, with CEO Evan Spiegel emphasising the platform’s different approach at the company’s annual conference. Recent research from the University of Amsterdam supports this view, showing that while platforms like TikTok and Instagram negatively affect youth mental health, Snapchat use appears to have positive effects on friendships and well-being.

However, critics argue that Snapchat’s disappearing messages feature can facilitate illegal activities. Matthew Bergman, an advocate for social media victims, claimed the platform has been used by drug dealers, citing instances of children dying from fentanyl poisoning after buying drugs via the app. Despite these concerns, Snapchat remains popular, particularly with younger users.

Industry analysts recognise the platform’s efforts but highlight its ongoing challenges. As Snapchat continues to grow its user base, balancing privacy and safety with revenue generation remains a key issue, especially as it struggles to compete with bigger players like TikTok, Meta, and Google for advertising.

Snapchat’s appeal lies in its low-pressure environment, with features like disappearing stories and augmented reality filters. Young users, like 14-year-old Lily, appreciate the casual nature of communication on the platform, while content creators praise its ability to offer more freedom and reduce social pressure compared to other social media platforms.

Canada pauses CBDC project after public disinterest

Canada’s central bank has halted its plans to develop a Central Bank Digital Currency (CBDC), focusing instead on research as other nations like China and Nigeria press ahead. The Bank of Canada initially launched the project in 2017 to explore the potential of a digital Canadian dollar. However, after years of investigation and public consultations, the bank has decided to rethink its approach due to low public interest and security concerns.

A recent survey revealed that 87% of Canadians said they would never use a digital currency, with 92% expressing a preference for traditional payment methods. Major concerns included cybersecurity threats and the privacy of digital transactions. Despite this, the central bank had maintained that the digital dollar would not replace paper currency but serve as a simplified way to make online payments.

While Canada shifts away from its CBDC project, other countries are making progress. China’s digital yuan pilot, for example, has already facilitated nearly $986 billion in transactions, making it the largest initiative worldwide. Global efforts to introduce CBDCs continue to grow, driven in part by geopolitical events and changing payment technologies.

Digital Skills Forum in Bahrain highlights global need for digital education, unveils new toolkit

The International Telecommunication Union (ITU) recently hosted the Digital Skills Forum in Manama, Bahrain, addressing the pressing need for digital skills in today’s technology-driven society. With nearly 700 participants from 44 countries, the forum emphasised urgent calls to action aimed at bridging the digital skills gap that affects billions around the globe.

‘Digital skills have the power to change lives,’ asserted Doreen Bogdan-Martin, ITU Secretary-General, highlighting the union’s dedication to fostering an inclusive digital society. In response to this challenge, ITU introduced the ‘Digital Skills Toolkit 2024,’ a comprehensive resource to support policymakers and stakeholders in crafting effective national strategies to close digital skills gaps.

That toolkit seeks to empower diverse sectors, including private enterprises and academic institutions, by providing essential insights and resources within an ever-evolving technological landscape. Furthermore, the forum underscored the importance of lifelong learning and continuous upskilling, particularly in advanced fields such as AI and cybersecurity. ‘Addressing the digital skills gap requires strong partnerships and a commitment to investing in digital education,’ emphasised Cosmas Luckyson Zavazava, Director of ITU’s Telecommunication Development Bureau.

Bahrain’s leadership in promoting digital skills was prominently featured, reflecting its dedication to international cooperation and innovation. Young entrepreneurs showcased their innovative approaches to digital education, demonstrating the transformative potential of technology in shaping the future.

UK’s National Cyber Security Centre leads international effort against botnet threat

The NCSC has collaborated with cybersecurity agencies from the United States, Australia, Canada, and New Zealand to effectively address the global botnet threat. That joint effort underscores the importance of international cooperation in tackling cyber threats that span multiple countries.

By combining their expertise and resources, these agencies have been able to produce a comprehensive advisory that provides detailed information on the botnet’s operation, its impact, and the types of devices it targets. Consequently, this collaboration ensures a robust and unified response to the threat, reflecting the global commitment to enhancing cybersecurity.

Moreover, the advisory issued by these agencies details how the botnet, managed by Integrity Technology Group and used by the cyber actor Flax Typhoon, exploits vulnerabilities in internet-connected devices. It includes technical information on the botnet’s activities, such as malware distribution and Distributed Denial of Service (DDoS) attacks, and offers practical mitigation strategies.

Therefore, it underscores the need for updating and securing devices to prevent them from becoming part of the botnet, providing crucial guidance to individuals and organisations seeking to protect their digital infrastructure. In addition, this international collaboration serves to promote proactive security measures and raise awareness about cybersecurity best practices. The joint advisory encourages users to safeguard their devices and avoid contributing to malicious activities immediately.

China releases sensitive data guidelines

China’s National Information Security Standardization Technical Committee (TC260) introduced new guidelines titled ‘Cybersecurity Standard Practice Guidelines – Sensitive Personal Information Identification.’ These guidelines establish clear criteria for what constitutes sensitive personal information. Specifically, personal data is deemed sensitive if its unauthorised disclosure or misuse could harm an individual’s dignity, jeopardise their safety, or threaten their property.

In addition, the guidelines outline several key categories of sensitive personal information, such as biometric data, religious beliefs, specific identity details, medical and health information, financial account details, movement tracking data, and personal information of minors. Each category is illustrated with examples to assist organisations in effectively identifying and managing sensitive data.

Furthermore, the TC260 emphasises the necessity of evaluating individual data points and their combined effects when determining the sensitivity of personal information. That comprehensive approach ensures a nuanced understanding of the potential impacts of data breaches or misuse. By considering both isolated pieces of information and their possible cumulative effects, the guidelines provide a robust framework for assessing the risk levels associated with different data types.

Moreover, the TC260 underscores existing laws and regulations in China that may also define sensitive personal information. This reinforces the importance of organisations remaining informed about legal requirements and adhering to all relevant standards for safeguarding sensitive data.

Diplo chatbot can make mistakes. Consider checking important information.