Tracking Cybersecurity: Laying the groundwork for tougher regulations post-COVID 19

Technology is helping the world cope up with unprecedented disruptions caused by COVID-19 pandemic and is facilitating business continuation, delivery of essential services as well as dissemination of critical information to the general public. But the increase in time spent online, combined with the sense of confinement leading to anxiety and fear, has made people and institutions vulnerable to cybercriminals. This seismic change in user behavior and reliance on the internet has prompted a proliferation of cybercrimes.

The US Federal Trade Commission's data on COVID-19 complaints show that Americans have lost over $45 million to coronavirus scams since January – with almost 62,000 incidents reported so far this year. Meanwhile, a total of £3,534,983 has been reportedly lost by 1,713 victims due to coronavirus-related scams in the UK, according to the British Government’s Action Fraud. 

Even the World Health Organization, the UN agency that is coordinating multilateral action against the COVID-19 pandemic, has seen a “dramatic” increase in cyberattacks directed at its staff in the past few months. The number of cyberattacks is now more than five times the number directed at the WHO in the same period last year and the organization has also expressed concern about scammers impersonating WHO in emails to target the general public and channel donation to fictitious funds.

Technology will undoubtedly play a crucial role in fighting the COVID-19 pandemic but the increased reliance means cybersecurity is more important than ever. To automate a human-intensive process of contact-tracing, almost every major country has launched or plan to launch mobile apps meant to track and identify suspected patients but these apps have been mired in controversies particularly due to inadequate regulatory structure around privacy protections. A mobile application proposed to the Dutch government as a means to track COVID-19 has already fallen short of acceptable security standards by leaking user data. The mobile app's source code was published online for scrutiny as the government decides which solution to back but it was not long before developers realized that the source files contained user data and the code was pulled down.

Operating as per adequate security standards should also be the 'new normal', not a temporary normal and the pandemic might pave the way for precise regulations. As discussed earlier in a report titled "Cybersecurity post-COVID 19: More internet means more threats" by COE-EDP, the pandemic or rather the ‘infodemic’ has made governments kickstart the largest-ever and multilateral campaign against fake news nuisance. The increase in reliance on technology has revealed its potential but also the risks that it poses to the 21st-century population. Until now, cybersecurity legislation has been vague in most countries, allowing tech companies to leverage loopholes to adopt substandard security practices for the sake of reducing costs, which has led to data breaches being normalized. As the pandemic forces governments to utilize the latest technologies to disseminate information and fight against coronavirus, it is also allowing them to acknowledge the risks and need for precise regulations to protect citizens in the better-connected world.

Australia

Australia’s Department of Home Affairs has recently said that the country is likely to be the next qualifying foreign government to enter into an agreement with the United States under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The act allows law enforcement to go directly to tech companies based in the other country to access electronic data, instead of going through the traditional and tedious Mutual Legal Assistance (MLA) process between governments.

"This has been recognized as a significant shift towards a new paradigm, which supports efficient and effective cross-border access to the electronic data needed to combat serious crime while safeguarding the privacy and human rights," Home Affairs wrote in a preliminary submission to the review of Telecommunications Legislation Amendment (International Production Orders) Bill 2020 being inquired by Parliamentary Joint Committee on Intelligence and Security (PJCIS).

The legislation lays the groundwork for Australia to enter into an agreement with the US under the CLOUD Act, which would facilitate expedited data sharing between jurisdictions.

Australia has also passed a new law to deal with a range of sticky legal and privacy concerns arising from its contact-tracing app called COVIDSafe. The law, which amends the Privacy Act 1988, addresses some of the most pressing concerns about the app that collects personal information and stores it in a central database that is accessible to local health authorities. The data includes names, age ranges, phone numbers, postcodes, and phone models.

Improperly disclosing data is punishable by up to five years in prison, according to the new law. It's also an offense to upload data from the app without consent. And crucially, employers cannot make use of the app a requirement for returning to work.

United States

US Attorney-General William P. Barr has urged the public to report suspected fraud schemes related to COVID-19 and directed all Attorneys to prioritize the investigation and prosecution of such cases. DoJ along with several private companies has disrupted hundreds of websites that tried to exploit the current COVID-19 pandemic. Apart from these, the FBI has set up an operation to identify and shut down malicious campaigns following a wave of complaints.

Lawmakers are also pushing for the inclusion of cybersecurity measures in the upcoming annual National Defence Authorization Act (NDAA). Senator Ron Johnson, the chairman of the Senate Homeland Security and Governmental Affairs Committee, has even said that he hopes to include a provision to create a federal national cybersecurity leadership position in the NDAA.

The Trump administration currently lacks a central lead since the White House cybersecurity coordinator position was eliminated in 2018. Cyber threats are currently addressed by the departments of Defence and Homeland Security (DHS), along with the intelligence community and the FBI.

The push for a national federal leader for cybersecurity is also in line with the recommendations of the US Cyberspace Solarium Commission (CSC), which is also reportedly planning to update its recommendations in light of the COVID-19 pandemic.

China

The Cyberspace Administration of China (CAC), together with 11 other authorities, has jointly issued the Measures for Cybersecurity Review aimed at ensuring the safety of critical information infrastructure. The measures require operators who seek to procure network products and services to undergo a national security review if such products and services may affect national security. Coming into effect on June 1, 2020, the measures are likely to impact both domestic and overseas suppliers.

Taiwan

The Executive Yuan's Department of Cyber Security (DCS) has formally issued an advisory to all government organizations and specific non-government agencies to avoid using the Zoom video communication service, which has been used by several governments across the world over the past few weeks. Several other governments have also issued advisories against Zoom now and the company has put in place several measures to address concerns but such advisories are particularly important as this is the first time for many countries to view tech companies with such scrutiny, which shows how the mindset is changing at the top brass.

India

The Indian government has also issued advisories against using Zoom and its Centre for Development of Telematics (C-DoT) is also developing a “secure” video conferencing platform, which can be used by government officials, judiciary and public. The move by C-DoT is aimed to reduce India’s reliance on third-party platforms like Zoom, Microsoft, and Google to conduct day-to-day business operations through video conferencing. The platform will reportedly be hosted on the government of India server for the use of government and a separate version will be released for public use.

Indian stock exchange BSE has also announced a penalty structure for brokers who fail to make timely submission of cybersecurity and cyber resilience audit report and said prolonged non-compliance will result in the disablement of trading terminals. Brokers need to submit a quarterly report on incidents of cyberattacks and threats.

Changing business landscape

Information security and technologies that speed up the cloud and content delivery remain relatively strong sectors even during the disruptions that have shuttered numerous businesses. Recently released quarterly earnings reports suggest an increase in demand although many companies working in these sectors are far from perfect, demonstrating the need for precise regulations in the sector growing at a steady pace.

But the impact would not be limited to cybersecurity companies and even the major tech companies could witness an overhaul as the world adjusts to new normal. With tech giants like Google, Facebook, Amazon, and others exerting so much influence over information, culture, and the economy, and daily lives, analysts have long argued that governments must become more involved. The ‘Big Tech vs Governments’ argument became especially stronger during the pandemic due to disputes over access to data in a matter of public health.

As several governments aimed to track the spread of COVID-19 by deploying their own smartphone apps, Apple and Google are undercutting features and imposing conditions for building the tools, advocating for the privacy of their users.

Commenting on the matter, France’s minister for digital technology, Cedric O has said, “Apple could have helped us make the application work even better on the iPhone. They have not wished to do so. I regret this, given that we are in a period where everyone is mobilized to fight against the epidemic, and given that a large company that is doing so well economically is not helping out a government in this crisis.”

“We will remember that when the time comes,” the minister added.

Few other governments have also claimed that the tech companies are providing a restrictive framework that would strain contact-tracing efforts. Going around Apple and Google by building its own apps is easier said than done as Apple, in particular, makes it difficult for third-party apps to keep Bluetooth enabled in its operating system.

The companies have, however, jointly rolled out a COVID-19 exposure notification system, essentially a unified programming interface that will allow public health departments to create their own contact tracing applications but with several restrictions that bar authorities using their technology from collecting and storing GPS location data or requiring users to enter personal data.

But some governments have argued that contact-tracing efforts would be more effective if they could store users' locations to identify hotspots and notify suspected patients about possible exposure through calls or texts, rather than generic push notification.

The bottom line

The changes indicate that the tech industry is moving towards a paradigm shift over how it operates and, more importantly, how it is regulated. The disagreement between Big Tech and governments over contact-tracing apps has shown the relevance of these companies but also proves that they have become larger than any one country, which undermines the regulatory powers of governments. Analysts argue that technology companies providing services over the internet have been under-regulated for years and have been left to regulate their own content. But the COVID-19 pandemic can be the turning point that makes governments acknowledge and multilaterally address cybersecurity risks with adequate regulations.

Centre of Excellence on Emerging Development Perspectives (COE-EDP) is an initiative of VisionRI and aims to keep track of the transition trajectory of global development and works towards conceptualization, development, and mainstreaming of innovative developmental approaches, frameworks, and practices.