Friday Brief for 17 December 2021
What you need to know about Log4j; The U.K.'s new cyber strategy; and Chinese tech is in the crosshairs
This is the last Friday Brief for 2021
We’ll be back in 2022 and it’s gonna be great! In the meantime, I’ll be pushing out one or two more podcasts and — don’t forget — you can always gift a subscription to this newsletter for that certain someone special!
Enjoy the holidays and happy New Year.
Firewall — Firewall software is used to block unauthorized access to a computer system. All incoming and outgoing network traffic is monitored through a firewall so that it can block suspicious activity that does not abide by a defined set of security rules.
Log4j: What You Need To Know
What’s New: A vulnerability in a popular open-source logging tool has had security researchers and response teams surging for more than a week.
Why This Matters: The Log4j “logger” is widely used and hackers all over the world are aggressively exploiting this vulnerability.
Java is a programming language and computing platform that powers a huge portion of internet apps and services.
Log4j is a Java-based “logger” — a program that records most of the activity when a service or app is running, allowing programmers to go back and fix bugs and failures.
“Log4j is a very popular logging package for Java. It is very powerful and flexible and, even from my own experience, is used in almost every Java application that I have ever encountered ... The exploit is actually unbelievably simple — which makes it very, very scary at the same time," Bojan Zdrnja, senior instructor at SANS Institute, told Vice.
To completely take over a vulnerable system, an attacker simply sends a short code string that is logged by Log4j. Then it’s owned.
The Check Point cybersecurity group claims hackers from around the world are scanning the internet for vulnerable systems and have already conducted nearly 1 million attacks on companies since last Friday.
Most of the attacks appear to be aimed at using compromised systems for cryptocurrency mining. Chinese state-backed groups, however, have also been observed using the exploit.
What I’m Thinking:
This is gonna be tricky. The sheer scope of the problem makes this hard enough. Complicating things even further is the challenge of “intermingling.” A lot of companies build custom software that runs on top of base code like Log4j, which means a lot of companies will need to deploy custom patches that could fix one application while “breaking” another one. Even more, if something does go wrong a user could lose their logging ability precisely when they need it most to keep watch for bad guys who may have infiltrated their networks.
The U.K.’s New Cyber Security Strategy
What’s New: Our cousins across the pond have a new Cyber Security Strategy out this week.
Why This Matters: The 2022 strategy picks up where the previous 2016 strategy left off, emphasizing the country’s need to remain “confident, capable and resilient in this fast-moving digital world; and that we continue to adapt, innovate and invest in order to protect and promote our interests in cyberspace.”
The strategy begins by laying out the U.K. government’s view of the world:
“Exponential advances in technology combined with decreasing costs have made the world more connected than ever before, driving extraordinary opportunity, innovation and progress … The scale and speed of this change – often outpacing our social norms, laws, and democratic institutions – is also unleashing unprecedented complexity, instability and risk … The transnational nature of cyberspace means these challenges cannot be addressed without international collaboration, but it is also an increasingly important arena of systemic competition and the clash of competing interests, values and visions of our global future.”
It then lays out a vision for how the government will use “cyber power in support of national goals.”
“Cyber power is the ability to protect and promote national interests in and through cyberspace. Countries that are best able to navigate the opportunities and challenges of the digital age will be more secure, more resilient and more prosperous in future … As we forge a new role for the UK in a more competitive age, strengthening our cyber power will enable us to lead the way for industry and other countries, get ahead of future changes in technology, mitigate threats and gain strategic advantage over our adversaries and competitors … Our vision is that the UK in 2030 will continue to be a leading responsible and democratic cyber power, able to protect and promote our interests in and through cyberspace in support of national goals.”
The four overlapping goals for the U.K. are as follows:
“A more secure and resilient nation, better prepared for evolving threats and risks and using our cyber capabilities to protect citizens against crime, fraud and state threats;
An innovative, prosperous digital economy, with opportunity more evenly spread across the country and our diverse population;
A Science and Tech Superpower, securely harnessing transformative technologies in support of a greener, healthier society; and,
A more influential and valued partner on the global stage, shaping the future frontiers of an open and stable international order while maintaining our freedom of action in cyberspace”
Finally, the strategy is built on five pillars: (1) Strengthening the U.K. cyber ecosystem; (2) Building a resilient and prosperous digital U.K.; (3) Taking the lead in technologies vital to cyber power; (4) Advancing U.K. global leadership and influence for a more secure, prosperous and open international order; and (5) Detecting, disrupting and deterring our adversaries to enhance U.K. security in and through cyberspace.
What I’m Thinking:
I think the Brits get it. There has been a marked evolution in the U.K.’s cyber posture over the last several years. They’ve become more serious and clear in their rhetoric which suggests the same evolution is occurring in their thinking, planning, and doctrine. Initiatives like their new National Cyber Security Center (NCSC) and National Cyber Force (NCF) also give reason for optimism. One thing that got my attention is just how frankly the U.K. government talks about the NCF, unapologetically stating in the strategy that the Center will be used to “influence individuals and groups, disrupt online and communications systems and degrade the operations of physical systems.” I’m reminded of what A.P. Herbert once said: "The Englishman never enjoys himself except for a noble purpose.” Well, I might dare say the British appear to be enjoying themselves as they get about the noble work of securing their nation and countrymen in cyberspace. Bully for them!
Chinese Tech Companies In The Crosshairs
What’s New: The Biden administration is placing eight Chinese tech companies on the “Chinese Military-Industrial Complex Companies” list, and has listed dozens more on the U.S. Entities List.
Why This Matters: The new listings are part of a broader U.S. effort to reduce U.S. outbound investments that directly facilitate Beijing’s military capabilities or its violation of human rights.
The new listings formally identify the companies as having Chinese military links and bar Americans from trading in their securities.
According to research by Georgetown’s CSET (discussed last month), Goldman Sachs and Sequoia Capital are among those who are funding companies like 4Paradigm — a company that is directly providing AI-enabled battlefield command software to the Chinese military.
Shenzhen-based DJI — the global leader in commercial unmanned systems with more than 70% of the global market — is among those being culled for their “biometric surveillance and tracking” of Uyghurs.
In light of the tightening environment in the United States and because of domestic politics in China, a growing number of Chinese tech giants listed on Wall Street are also listing in Hong Kong — including Alibaba, Baidu, NetEase, and Weibo — in an effort to minimize the impact of possibly being removed from U.S. trading.
“I think for a lot of Chinese companies listed in U.S. markets, it’s essentially game over,” David Loevinger, managing director for emerging markets sovereign research at TCW Group, told CNBC Wednesday. “This is an issue that’s been hanging out there for 20 years — we haven’t been able to solve it.”
What I’m Thinking:
The new listings are a good development. More please. Every one of these companies deserves the scrutiny they’re getting. There are dozens of others worthy of the same treatment. Beyond limiting U.S. investment in these companies, companies like DJI should be prevented from doing business in the United States at all. There’s simply no way to trust Chinese-made drones and the software that runs them. Their ability to collect and transmit huge volumes of data makes our continued allowance of them in our domestic skies one of the most truly foolish mistakes in this new tech confrontation with China. Also, while Tuya isn’t yet on this list, it deserves to be and I hope readers in a position to do something about it will take them on next.
Outbound investment is a key priority. The investments by Goldman Sachs and Sequoia Capital were not illegal. They were immoral. 4Paradigm’s relationship with the Chinese military was easily knowable and it strains belief that this relationship was not uncovered during pre-investment investigations. This suggests a certain comfort within the U.S. investment community when it comes to supporting companies that are working in direct contradiction to U.S. security and interests. That’s unfortunate; but, as Loevinger said in the story above, “it’s essentially game over” for this type of unethical behavior and I’m happy for this screw to be turned tight.
That’s it for this Friday Brief. Thanks for reading, and if you think someone else would like this newsletter, please share it with your friends and followers. Have a great weekend!