Saturday, 23 January 2021

A Timely Reinforcement of Points from My Post on SolarWinds

Funny I always thought it was ἀνάμνησις. 
At least that's what I remember.

A while back I wrote about the underlying factors that make hacking “events” like SolarWinds possible and weaken information security. If you missed that “gem”, you’ll find it here.

Part of that post dealt with the risks posed by companies with offices in “risky” foreign countries that 

  1. might expose them to local government pressure to disclose information;
  2. allow local employees—whether pressured or not and one would expect the pressure a local government could exert on its citizens would probably extend to more than a concern for profit—to engage in activities that breached security of information; or
  3. provide a local access point for those foreign governments or other malign actors in those countries to penetrate the companies’ security systems and access information without inside co-operation.

In last Wednesday’s FT, Tom Mitchell wrote about the US Department of Justice’s complaint against a PRC national resident in the PRC and formerly employed by Zoom.

Before going further, it’s important to note that at this point the DoJ has only made allegations against the individual as stated in its press release.

The charges in the complaint are allegations, and the defendant is presumed innocent unless and until proven guilty. If convicted of both charged conspiracies, Jin faces a maximum sentence of ten years in prison.

Two other points to note:

  1. Companies are subject to the laws of the jurisdictions in which they operate, particularly, where they have offices.
  2. The complaint does not allege hacking or surveillance of other than residents of the PRC.

You can read the DoJ press release here.

Here is the accompanying statement by an FBI Special Agent as part of the request for an arrest warrant. The “bits” about the “rectification plan” and involvement of the former employee and other officers of the company are quite “interesting”.

And to round out the picture, Zoom’s perspective on the DoJ complaint.

I think the lessons here are clear. 

On a corporate level, if you are concerned—as well you should—about the security of your corporate information and communications, or if you are worried about the security of your own internal systems: 

  1. it’s a wise idea to avoid dealing with companies that have offices in jurisdictions of “risk”;
  2. in that regard you cannot rely only on the registration or domicile of the company but have to look deeper into shareholding, management as well as location of its network of offices. Not every company in the USA is pure as the driven snow. Nor every company in Switzerland.

On a personal level, if you are using the services of a company with exposure in a jurisdiction of risk, and are concerned about human rights, including your own, it may be equally a wise idea not to use that provider.

Equally, you might be well advised to inquire whether the provider of a free service/app routinely sells the personal information, contacts, location history, or other aspects of its customers’ life to others. 

There are no truly “free” services, just like there is no free lunch.

It is probably not a good idea to rely on the kindness or conscience of strangers, particularly those focused on their own profitability.
