Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Image: Getty Images
Following the steps of its Five Eyes partners, Canada has moved to ban Huawei and ZTE from its telco networks. “The government of Canada is ensuring the long term safety of our telecommunications infrastructure. As part of that, the government intends to prohibit the inclusion of Huawei and ZTE products and services in Canada’s telecommunications systems,” Minister of Innovation, Science and Industry François-Philippe Champagne said. “As a result, telecommunications companies that operate in Canada would no longer be permitted to make use of designated equipment or services provided by Huawei and ZTE. As well, companies that already use this equipment installed in their networks would be required to cease its use and remove it.” Citing many of the same reasons that Australia used to ban Huawei in 2018, the Canadian government said the interconnectedness and interdependence of 5G networks makes exploitation much more significant. “The government of Canada has conducted an extensive examination of 5G wireless technology and the various technical, economic, and national security aspects of 5G implementation. The examination made clear that while this technology will bring significant benefits and economic opportunities, the technology will also introduce new security concerns that malicious actors could exploit,” it said. “In 5G systems, sensitive functions will become increasingly decentralised and virtualised in order to reduce latency, and the number of devices they will connect will also grow exponentially.” Canadian telcos will be banned from purchasing any new 5G or 4G equipment or managed service from Huawei and ZTE from the start of September, and have until 28 June 2024 to rip out any existing 5G equipment, and until the end of 2027 to remove any LTE equipment. See also: How Vodafone Australia changed its 5G plans after the Huawei ban The government also referenced US moves to restrict semiconductor supply to the companies. “Canada believes that evolving international supply chain dynamics have further implications due to growing restrictions on access to certain components,” it said. “Shifts from well-known inputs to others have implications for Canada’s ability to conduct assurance testing. This changing supply chain environment toward other components will make it increasingly difficult for Canada to maintain a high level of assurance testing for certain network equipment from a number of potential suppliers.” In 2020, the Canadian telcos that made use of Huawei 4G equipment, Bell and Telus, said they would not continue to make use of Huawei equipment for 5G. Bell said it was moving to Ericsson, while Telus said it would go with a combination of Ericsson and Nokia. In September 2021, the three-year saga involving the extradition lawsuit of Huawei CFO Meng Wanzhou ended. Meng was allowed to return to China after she reached an agreement with United States prosecutors to admit to misleading global financial institutions and did not plead guilty to the various fraud charges imposed against her. Without even trying to hide its hostage diplomacy tactics, Beijing subsequently released two Canadians who were detained shortly after Meng’s arrest and kept in Chinese prisons. By contrast, Meng was able to live under house arrest in one of her two Vancouver homes. The US Federal Communications Commission laid out in September the rules for small carriers that are applying to access a pot of $1.9 billion to rip out and replace Huawei and ZTE network equipment and services among smaller carriers. Related Coverage More

The UK’s cybersecurity agency has set out advice for companies considering taking out insurance against hacking and ransomware attacks.
Cyber insurance can help businesses to recover after a ransomware attack or data breach by providing financial support to put the damage right, and can also help with legal and regulatory headaches after an incident.

More on privacy

But as the National Cyber Security Centre (NCSC) notes in its new guidance, this insurance will not fix your security issues, and won’t prevent a breach or attack taking place. “Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about,” it said.
SEE: Network security policy (TechRepublic Premium)    
Almost half of UK firms reported a cyberattack over the past year, but take-up of cyber insurance by businesses still remains low. Cyber insurance might not be right for everyone and it can never replace good security practice, said Sarah Lyons, NCSC deputy director for economy and society engagement.
NCSC poses seven questions for senior execs at organisations considering cyber insurance:
What existing cybersecurity defences do you already have in place?
How do you bring expertise together to assess a policy?
Do you fully understand the potential impacts of a cyber incident?
What does the cyber-insurance policy cover (or not cover)?
What cybersecurity services are included in the policy, and do you need them?
Does the policy include support during (or after) a cybersecurity incident?
What must be in place to claim against (or renew) your cyber-insurance policy?
The NCSC said most insurance offered covers the immediate effects of an attack on an organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. With data breaches there might be legal action from customers or others affected, and defending or settling those claims would also normally be covered. 
SEE: Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows
However, it also said potential buyers should make sure of what is excluded: for example, some insurance policies will not cover money lost through business email compromise fraud. As cyberattacks are constantly evolving all of the time, companies should also check that new types of cyberattack are covered. It’s also worth investigating what services the insurer provides in the immediate response to an incident to help manage recovery and improve resilience – and to learn what went wrong.
Some aspects of cyber insurance are more controversial; in a number of cases, insurers have paid the ransoms demanded by ransomware gangs, which critics have said will encourage more attacks in the future. Insurers argue that such payouts are made at the request of their clients who are often faced with a tricky choice between paying off the criminals or a long and complicated job of restoring their computer systems or building the network again from scratch – which might be far more expensive. More

Image: Harrison Broadbent According to new research published today, modern RAM cards are still vulnerable to Rowhammer attacks despite extensive mitigations that have been deployed by manufacturers over the past six years. These mitigations, collectively referred to as Target Row Refresh (TRR), are a combination of software and hardware fixes that have been slowly added […] More

The United States, European Union, ex-EU member the United Kingdom, and 32 other nations have committed to the Declaration for the Future of the Internet [PDF], an agreement to strengthen democracy online by agreeing to not undermine elections by running online misinformation campaigns, or illegally spy on people, the White House said on Thursday. The declaration also commits to promote safety, particularly among young people and women, and the equitable use of the internet. Further, the countries have agreed to refrain from imposing government-led shutdowns and committed to providing affordable and reliable internet services.Although not legally binding, the declaration states that the principles should be used “as a reference for public policy makers, as well as citizens, businesses, and civil society organizations”.In a statement the White House claimed it would work together with partner nations to promote the declaration’s principles, but that a mutual respect should be held for each individual nation’s regulatory autonomy. So far, 60 countries have endorsed the declaration, and according to the European Commission, more are expected to join in the coming weeks.Notable omissions include India, China, and Russia. Their absence is hardly surprising given that Ukraine is a signatory, and that the declaration calls on countries to refrain from using social score cards, a transparent criticism of China’s social credit score. Meanwhile, a senior Biden administration official responded to India’s absence by claiming “the hope remains that time isn’t fully passed yet for India to join”.Google responded in support of the declaration, but made clear that the private sector must also play an important role in furthering internet standards when faced with global crisis.”Since Russia’s invasion in Ukraine, our teams have been working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, and surface high-quality, reliable information,” said Google in a statement.Microsoft president and vice chair Brad Smith shared this sentiment as he claimed in a blog post that governments cannot manage the global challenges facing the management of the internet alone.”We need new and innovative internet initiatives that bring governments together with NGOs, academic researchers, tech companies and many others from across the business community,” said Smith.Signatories beyond the US, UK, and 27 EU members include: Albania, Andorra, Argentina, Australia, Cabo Verde, Canada, Colombia, Costa Rica, Dominican Republic, Georgia, Iceland, Israel, Jamaica, Japan, Kenya, Kosovo, Maldives, Marshall Islands, Micronesia, Moldova, Montenegro, New Zealand, Niger, North Macedonia, Palau, Peru, Senegal, Serbia, Taiwan, Trinidad and Tobago, Ukraine, and Uruguay.Related Coverage More

Microsoft looks to be close to launching a preview of a version of its Microsoft Defender for Windows security product for consumers interested in protecting a ‘family’ group of devices. This version of Defender, codenamed “Gibraltar,” as BleepingComputer.com reported last year, has been in testing inside Microsoft for a number of months. A placeholder for the preview has been in the Microsoft Store for a while, but the actual Defender preview itself is now available in the Microsoft Store for U.S.-based users to download and install. (Thanks to @ALumia_Italia on Twitter for the heads up.)The new Defender app is meant to offer “your personal defense against cyberthreats.” More from the Store description: “Easily manage your online security in one centralized view, with industry-leading cybersecurity for you, your family, and your devices. Stay safer with real-time notifications, security tips, and recommend steps that help keep you ahead of hackers and scammers for your peace of mind.” The Store page notes that no subscription is required for the Microsoft Defender app during preview; users can download and log in using their personal Microsoft account. However, in the future, this version of Defender will require a Microsoft 365 Family or Personal subscription, the page adds. The Defender preview will provide consumers with a centralized view for managing and monitoring their online security status. They’ll be able to see the status of their Windows PC plus up to four additional devices (as long as they are signed in using the same personal Microsoft account), including phones and Macs. Users will be able to add or remove devices and view malware protections on all covered devices. The app will also provide recommendations for ensuring better data, computer and phone protection, delivering security tips, and providing real-time security alerts. I think Microsoft’s addition of a consumer-focused version of Microsoft Defender could play into its MetaOS strategy, about which I’ve written in the past. As part of MetaOS, Microsoft seems to be making sure it has consumer-focused versions of key apps and services, including Teams and Lists, that it will market alongside the existing business versions of those same apps. Also, in case you’re confused about Microsoft branding (and who isn’t?), Microsoft has been rebranding more and more of its security products with Defender as part of the name over the past few years. Products already in the Defender family include Microsoft 365 Defender (previously Microsoft Threat Protection); Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection); Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection); Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender); and Microsoft Defender for Identity (previously Azure Advanced Threat Protection).Simultaneously, Microsoft has been rebranding a number of products from Windows-something to Microsoft-something (example: Windows Store is now Microsoft Store). Microsoft Defender is not the rebrand of Windows Security — which, to add further to the confusion, was formerly known as Windows Defender. For now, the Defender antivirus product is part of the Windows Security app that is built into Windows 10 and 11. More