This month in security: December 2019
China bans deepfakes, New Zealand introduces a new data privacy Bill, hackers make off with $1 million and O365 disruptions plague APAC.
China leads the charge against deepfakes by banning unauthorised deepfakes altogether, even though it’s getting harder and harder to identify them. We share our thoughts on the Chinese initiative and the deepfake menace as a whole.
New Zealand is levelling up its data privacy laws to bring them in line with a more interconnected world and the globalised nature of business today.
Meanwhile, we discuss a million-dollar heist carried out over email between a hacker and two unsuspecting companies.
China slaps a ban on unauthorised deepfakes
As reported by Reuters, the Chinese government is taking steps to regulate the use of deepfakes by enacting a set of anti-deepfake laws. The new regulations make it clear that any content created with AI or VR must be clearly and prominently labeled as such. The Cyberspace Administration of China pointed to the potential misuse of deepfake technology, noting it could “endanger national security, disrupt social stability, disrupt social order and infringe upon the legitimate rights and interests of others”.
The threat from deepfakes is quite real. The underlying AI and machine learning technologies are advancing pretty quickly and creating convincing deepfakes is getting easier by the day. Some deepfake generators need only four seconds of voice samples to create a convincing fake. It’s easy to see how a few well-made deepfakes can spread like wildfire and influence public opinion on a massive scale. Though there are technological countermeasures available, and many more in development, the problem goes beyond just technology and so must its solution. We’re going to need both human awareness and technology to tame this particular beast.
New Zealand is proposing a new Privacy Bill to upgrade the country’s 1993 Privacy Act. Taking a cue from the European General Data Protection Regulation (GDPR), the new policy intends to strengthen the rules around data privacy and modernise regulations for businesses operating in and out of the country.
The new privacy bill could have big ramifications for overseas companies operating with NZ partners. The rules make it very clear that offshore companies can’t claim that New Zealand privacy laws do not apply to them. Given their recent tussles with Facebook and Google, it stands to reason the NZ government would put some framework in place for local and foreign data companies using their citizens’ data. This means NZ companies will need to do their due diligence to make sure they’re compliant. It’s a difficult process to be sure, but a necessary one given how much of our data is in the hands of private businesses.
O365 disruptions impact businesses across APAC
Microsoft Office 365 (O365) experienced its fifth outage this year, disrupting a number of businesses across various locations in the APAC region. Many businesses expressed annoyance as their O365 email service encountered unexpected queuing and delivery problems.
Email isn’t really something most people worry too much about, that is, until it goes down and cuts you off from work. Outages like this are a reminder that operational dependency on any one environment is just asking for trouble. Any email service disruption, however big or small, can cost millions of dollars in lost productivity. Cyber resilience emerged for a reason and situations like this highlight why a cyber resilient approach might be a necessity for certain types of organisations.
An Israeli startup and Chinese VC firm scammed out of $1 million
An Israeli startup and Chinese VC firm lost $1 million in seed money to Chinese hackers who used spoofed emails and fake domains to trick representatives in both companies into carrying out a fraudulent wire transfer.
Incidents like this show how easy it can be to trick people into giving up sensitive information. Even though both parties exchanged multiple emails, no one noticed or questioned anything out of the ordinary. All the technology in the world can’t help if it doesn’t take into account the end-user, their level of awareness and their behaviour. Any effective cybersecurity measure needs to be supported by a company’s culture: it’s got to be ingrained in the way they work. That means investing in staff training and education. In the long run, that will save you and your company a lot more money than it would cost. Like $1 million more.