Best Infosec-Related Long Reads of the Week, 7/15/23

Undersea cable firm's outsized surveillance role, Real-time surveillance centers, AI's doom-and-gloom, The state of cybersecurity in Malaysia, US chip bans against China, Threads' privacy posture

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Inside the subsea cable firm secretly helping America take on China

Reuters’ Joe Brock profiles SubCom, a small-town New Jersey cable manufacturer playing an outsized role in the tech race between the United States and China, as one of the world’s most prominent developers of undersea fiber-optic cables for telecom firms and tech giants like Alphabet’s Google, Amazon, Microsoft, and Meta Platforms, but also an exclusive undersea cable contractor to the US military, laying a web of internet and surveillance cables across the ocean floor.

SubCom is owned by Cerberus Capital Management, a New York-based private equity firm that has invested in defense contractors and national security assets. Last year, Cerberus paid $300 million for a Philippine shipyard on a former U.S. Navy base close to the South China Sea, beating out Chinese competitors for control of a strategic site in a region where Beijing has been flexing its military muscle.

Cerberus is headed by Stephen Feinberg, a billionaire political donor whom former President Donald Trump drafted onto the President’s Intelligence Advisory Board, which counsels the commander-in-chief on U.S. foreign intelligence matters.

SubCom, Cerberus and Feinberg did not respond to requests for comment.

Presented with Reuters’ findings, a spokesperson for the U.S. Navy’s Pacific Fleet confirmed the existence of a new high-speed undersea internet cable to Diego Garcia. It was the first official acknowledgement of that cable.

“The resiliency, redundancy, and security of our communication infrastructure represents a top priority for U.S. Pacific Fleet,” the spokesperson said in an emailed statement.

The Quiet Rise of Real-Time Crime Centers

Zac Larkham in Wired delves into real-time crime centers (RTCCs), video surveillance fusion centers where law enforcement can analyze and gather masses of intelligence from one city that first started in New York City but now spreading across the US.

Each RTCC is slightly different, but their function is the same: gather surveillance data across a city and use that to build a live picture of crime in the city. Police departments have an array of technologies available to them that span from CCTV, gunshot sensors, and social media monitoring to drones and body cameras. In Ogden, Utah, police even floated the idea of a 30-foot “crime blimp.” In many cases, images that police systems collect are run through facial recognition technology, and the data gathered is often used in predictive policing. In Pasco County, Florida, which operates an RTCC, the sheriff’s office’s predictive policing system encouraged officers to continuously monitor and harass residents for minor code violations such as missing mailbox numbers and overgrown grass.

Erik Lavigne is a detective at the Fort Worth Police Department in Texas and communications director at the National RTCC Association. He says there has been a boom in RTCCs over the past year because officers believe they help with more precise policing. He likens the scattered approach to policing in previous years to throwing out a fishnet and hoping to catch something. “For what we had at the time, that worked. But what inevitably happens is, you end up alienating the community because you're not just stopping the bad guys, you're also stopping innocent people that are just trying to live their lives,” he says. “A real-time crime center is a scalpel. We aren't catching the wrong people anymore.”

Lavigne says RTCCs are also a cheaper alternative to hiring more boots on the ground because each camera becomes, in effect, a stationary officer keeping watch over an area. Lavigne says this has proved so effective that analysts at RTCCs have been recording more crime than they can deal with, and the Fort Worth RTCC has significantly helped decrease vehicle thefts.

Inside the White-Hot Center of A.I. Doomerism

New York Times's Kevin Roose explores safety-focused AI start-up Anthropic, one of the world’s leading AI research labs focused on averting the emerging technology's more dangerous existential risks.

One Anthropic worker told me he routinely had trouble falling asleep because he was so worried about A.I. Another predicted, between bites of his lunch, that there was a 20 percent chance that a rogue A.I. would destroy humanity within the next decade. (Bon appétit!)

Anthropic’s worry extends to its own products. The company built a version of Claude last year, months before ChatGPT was released, but never released it publicly because employees feared how it might be misused. And it’s taken them months to get Claude 2 out the door, in part because the company’s red-teamers kept turning up new ways it could become dangerous.

Mr. Kaplan, the chief scientist, explained that the gloomy vibe wasn’t intentional. It’s just what happens when Anthropic’s employees see how fast their own technology is improving.

“A lot of people have come here thinking A.I. is a big deal, and they’re really thoughtful people, but they’re really skeptical of any of these long-term concerns,” Mr. Kaplan said. “And then they’re like, ‘Wow, these systems are much more capable than I expected. The trajectory is much, much sharper.’ And so they’re concerned about A.I. safety.”

What’s going on with cyber security in Malaysia?

In Tech Wire Asia, Muhammad Zulhusni offers a special report on cybersecurity in Malaysia sparked by a recent breach of Telekom Malaysia (TM), one in a string of incidents that raises questions about Malaysia’s approach to minimizing cyberattacks.

The issue hinges on understanding cybersecurity in the environment, social, and governance framework. However, confusion arises due to the presence of two cybersecurity agencies, leaving many unclear about who handles what.

But here’s a little breakdown: Two central bodies govern cybersecurity in Malaysia: the National Cyber Security Agency (NASCA) and CyberSecurity Malaysia (CSM). NASCA, instituted in 2017, is entrusted with bolstering Malaysia’s cyber-resilience by consolidating the country’s top resources and expertise. The agency is also involved in formulating cybersecurity policies, safeguarding critical infrastructures, and leading awareness campaigns.

CSM, established as a governmental agency in 2007, fosters a secure cyber ecosystem through quality services, cyber knowledge, and nurturing talent. Often the first point of contact for regional cyber incidents, CSM consistently issues advisories and encourages preventive measures for cyber safety.

Both NASCA and CSM recognize the country’s limitations in enforcing data breach laws, particularly the lack of legal requirement for organizations to report data breaches or cyber incidents. This issue has been repeatedly stressed as a primary concern in the cybersecurity sphere. The hope is that an upcoming cybersecurity bill will encourage stricter adherence to cyber safety protocols and improve overall cybersecurity in Malaysia.

There’s a noticeable lack of tangible progress despite extensive discussions about Malaysian cybersecurity laws. While Malaysia was among the early adopters of a data protection act, the country has struggled to keep pace with the likes of Singapore, mainly due to differences in implementation and enforcement.

‘An Act of War’: Inside America’s Silicon Blockade Against China

In the New York Times Magazine, Alex Palmer dives deep into the Biden administration’s efforts to sanction China by cutting off its access to computer chips leveraging the Commerce Department ostensibly to aim at the Chinese surveillance and security state but in reality aiming for China’s advanced technology ecosystem.

By squeezing on the industry’s natural choke points, the Biden administration aims to block China from the future of chip technology. The effects will go far beyond cutting into Chinese military advancements, threatening the country’s economic growth and scientific leadership too. “We said there are key tech areas that China should not advance in,” says Emily Kilcrease, a senior fellow at the Center for a New American Security and a former U.S. trade official. “And those happen to be the areas that will power future economic growth and development.” Today, scientific advances are often made by running simulations and analyzing huge amounts of data, rather than through trial-and-error experiments. Simulations are used to discover new lifesaving drugs, to model the future of climate change and to explore the behavior of colliding galaxies — as well as the physics of hypersonic missiles and nuclear explosions.

“The person with the best supercomputer can do the best science,” Jack Dongarra, founding director of the Innovative Computing Laboratory at the University of Tennessee, told me. Dongarra runs a program called the TOP500, which offers a biannual ranking of the fastest supercomputers in the world. As of June, China claims 134 spots, compared with 150 for the U.S. But the picture is incomplete: Around 2020, China’s submissions plummeted in a way that suggested to Dongarra a desire to avoid attracting unwanted attention. Rumors of new supercomputers leak out in scientific papers and research announcements, leaving observers to guess at the true state of the competition — and the size of China’s presumed lead. “It’s striking because in 2001 China had no computers on the list,” Dongarra says. “Now they’ve grown to the point that they dominate it.”

Yet beneath China’s strength is a crucial vulnerability: Nearly all the chips that power the country’s most advanced projects and institutions are inexorably tied to U.S. technology. “The entire industry can only function with U.S. inputs,” Miller says. “In every facility that’s remotely close to the cutting edge, there’s U.S. tools, U.S. design software and U.S. intellectual property throughout the process.” Despite decades of effort by the Chinese government, and tens of billions of dollars spent on “indigenous innovation,” the problem remains acute. In 2020, China’s domestic chip producers supplied just 15.9 percent of the country’s overall demand. As recently as April, China spent more money importing semiconductors than it did oil.

How Threads’ Privacy Policy Compares to Twitter’s (and Its Rivals’)

Wired’s Reece Rogers offers a good overview of the privacy policy of the hottest entrant in social media, Meta’s Threads, and compares how comfortable users can feel about their privacy on Threads to other social media.

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. Apple’s privacy labels for the App Store were first introduced in 2020. While the exact meaning of what’s collected remains murky, it's a decent gauge of how data collection varies between apps.

“Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data potentially collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t have the same app labels as Apple. Take a look under Data Safety to see what data Threads wants to collect on Android.