Project Pegasus to Facebook’s whistleblower: The tech crises that defined 2021
The Pegasus spyware, Facebook’s whistleblower crisis, zero-day exploits that threaten user safety, outages for popular websites, and a supply chain shortage that refuses to go away were some of the crises that defined most of 2021 for the tech world. As our lives became more enmeshed with the internet and everything digital, it was also evident that not all was perfect. We take a look at the top crises that defined the year gone by.
The SolarWinds hack and Microsoft
The SolarWinds crisis might have started in December but its full impact became clearer only in 2021. The SolarWinds cyberattack is one of the world’s largest supply-chain-based cyberattacks, in which Russian state-sponsored attackers are believed to have directly hacked and spied on the US government. The hackers made use of a vulnerability in a product made by Texas-based SolarWinds Corp, whose software was popular with many enterprises, and a backdoor flaw gave these hackers full access to the computer systems.
But as Microsoft revealed in January 2021, its internal source code was likely viewed by the attackers, a much more serious problem. The company revealed at the time that the account that viewed the source code did not have “permissions to access the code, to modify it, nor was it authorised to access the engineering systems.”
This was worrying because compromised source code for a software product could mean new, unknown risks: hackers might exploit new flaws, or existing flaws that have not been discovered so far. Typically, source code for key products is not something that most tech companies, including Microsoft, would want to share.
In fact, Microsoft has been keeping tabs on the Russian nation-state actor Nobelium, which it stated was responsible for SolarWinds, and said that the player was changing its tactics for cyberattacks by focusing on “resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.”
More importantly, the SolarWinds cyberattack and its consequent revelations showed that global politics will define how cyber warfare plays out and that many of these attacks are not just limited to government networks.
Project Pegasus and its revelations
If SolarWinds revealed how IT software could be used to hack into enterprise and government networks, Project Pegasus only confirmed our worst fears: that our smartphones could be weaponised easily.
Pegasus is spyware made by Israel-based NSO Group, and one with a high cost, licensed only to governments. But what made Pegasus special was its ability to hack into any phone, Android or iPhone, with relative ease, and give the attacker complete access and control.
The Project Pegasus revelations began in July this year, with Paris-based Forbidden Stories and 17 media organisations, including The Wire in India, revealing how the spyware was being used by governments across the world to stifle dissent.
Lists of potential Pegasus targets included names of journalists (including those from The Indian Express), opposition leaders, ministers and constitutional authorities, among others. Globally, investigations by Amnesty International revealed how the iPhones of several journalists and activists were hacked and infected with Pegasus.
The Pegasus revelations also dented the image of Apple’s iPhone as a more private and secure device given the ease with which the spyware infiltrated iPhones and the latest iOS 14 at the time. But it should also be noted that Apple’s iPhones were the only ones that had traces of the spyware; on Android, the evidence usually disappeared after a year as the phone did not store logs. Apple has now sued NSO Group as well.
Interestingly, all the spotlight on Pegasus has not proved to be great publicity for NSO Group, which now might disband the spyware unit entirely.
Apple vs Epic Saga
This fight officially began in 2020, but it was in May this year that the court case between Apple and Epic Games, the creator of Fortnite, took place. The Apple vs Epic fight is a major tipping point in the world of tech, which represents what millions of app developers have been arguing for years: that Apple and Google have a ‘monopolistic’ approach and that the 30 per cent commission they charge for in-app purchases, etc is unfair.
For context, Epic Games in particular tried to side-step this rule by trying to bypass Apple’s payment systems in the Fortnite app in 2020. As a result, Apple pulled the app. It was later pulled from Google Play Store as well.
The trial saw Apple’s top executives appearing in court as the iPhone maker went all out to defend itself. In the end, though, Epic Games won a key victory. While the judge refused to say Apple was a monopoly, he did rule that Cupertino will have to let developers allow third-party payments on the App Store. The order noted that Apple cannot stop developers “from including in their apps and their metadata buttons, external links or other calls to action that direct customers to purchasing mechanisms,” which is exactly what Epic wanted.
Apple was supposed to comply by December this year, but it has won a last-minute reprieve as it was granted a request to pause the order. Apple’s argument is that any changes will come with privacy and security risks for customers and could disrupt the user experience on the App Store. The fight, as we know, is clearly far from over.
South Korea’s ‘anti-Google’ law
While the Apple vs Epic saga took place in the US, regulators around the world were taking note of Apple and Google’s dominance over app developers. South Korea in particular passed a new law, dubbed ‘anti-Google’, which states that app developers cannot be forced to stick with Apple or Google’s payment methods.
In India too, app developers were hopeful that the South Korean law will set a new precedent. They have been vocal about Google’s upcoming proposal which will force all apps to implement the Play Store billing system. The deadline has been extended for Indian developers to October 2022, while for the rest of the world, it remains March 2022.
Apple is also facing an antitrust case in India over the issue of in-app payments, which was filed this year by a Rajasthan-based NGO. It should be noted that Apple has made some sort of concession this year for reader apps, wherein streaming services, news services, magazine apps, etc will be allowed to have links to their own websites and payment systems, thus bypassing the 30 per cent commission.
But as is evident from regulators around the world, both Apple and Google will face increased scrutiny around their payments rules for developers. This is a crisis that will continue well into the next year.
Facebook and the whistleblower
Facebook’s — or rather Meta’s as it is now called — poor run continued well into 2021 with whistleblower Frances Haugen tattering whatever reputation was left for the social media giant. She revealed key internal documents which showcased how the company had failed to stop the spread of misinformation and hate speech across the world.
Haugen had worked at the company for two years as a product manager and left in May this year with a trove of internal documents. She testified before the US Senate in October this year.
She revealed that Facebook was making online hate speech worse, it was not protecting children, and it has very little means and inclination to monitor all of this hate speech. She leaked the documents to the Wall Street Journal, which published a series of reports on how Facebook and even Instagram were struggling with content moderation.
With Instagram, it appeared that the app was having a negative impact on teens, especially girls, and causing them to develop body image issues. Facebook later issued a statement countering these claims. However, Instagram has for now decided to suspend its app for kids, which it was working on.
In India, Facebook did not have the correct tools to monitor much of the hate speech, the Indian Express reported. For instance, Facebook’s own reports showed that it did not have the right tools to monitor Hindi and Bengali content and that it was unable to tackle hate speech in the country. As The Indian Express revealed in July 2020, an internal document pointed to a “marked increase” in “anti-Muslim” rhetoric on the platform in the preceding 18 months in India, but Facebook had instead cut down on its review team. Further, it was revealed that three memos flagged polarising content in India as worrisome between 2018 and 2020, but the company said it was not a problem.
Plus, Facebook’s own memos showed that ‘borderline’ content, which was problematic but does not violate community rules outright, was getting more traction on the platform.
While Zuckerberg called the leaked files an attempt to construct a false narrative around the company, there’s no doubt that the scrutiny on Meta and its social media apps will continue well into 2022.
The global chipset shortage
This crisis continued to spill over from 2020. It began with the Covid-19 pandemic, as shutdowns of crucial chip-making facilities in China, Japan, and Korea triggered the problem. Increased demand for gadgets, given the growing dependence on these as education and work moved entirely online, made it even worse.
This year the popular ‘Black Friday’ sale in the US was also impacted with supplies of PS5, iPhones, and other devices being in short supply. In India too, the global chipset supply chain crisis has meant an increase in prices of phones, especially budget devices, with many of the popular variants from Redmi, Realme, etc remaining out of stock in the second half of the year. The chipset shortage means that companies put priority on the higher-end chipsets, thus impacting supply for budget phones.
In October, Apple said it lost $6 billion to the chip shortage and that the loss would continue in the crucial December quarter. Nintendo also revised its sales forecast because of the crisis, while Sony’s PS5 has remained in short supply since it launched in November 2020.
Given the current conditions and the rise of a new Omicron variant, which might once again result in new lockdown measures, the shortages could well continue in 2022 as well.
Global internet service outages
The year also saw several internet service outages. In June, there was the ‘Fastly outage’ which affected major news, streaming websites, and even Amazon. Sites such as Financial Times, the Guardian, the New York Times, CNN, Hulu, HBO Max, Quora, PayPal, Vimeo, and Shopify were also down. The reason: a content delivery network (CDN) run by Fastly, which is a cloud computing services provider.
CDNs allow customer websites to store data such as images and videos on various mirror servers so it is closer to customers and loads faster. But as the Fastly experience showed, the CDN outage led to most of the websites being inaccessible. It also revealed just how the entire internet could go down if one of the major providers faced an issue.
There was the great Facebook outage of October, when all three of the company’s services (Facebook, Instagram and WhatsApp) were down for nearly six hours. This one in particular hit hard given how dependent the world is on Facebook’s apps and services. Facebook later blamed the issue on a major DNS failure. A “faulty configuration change” was the official reason.
In a statement, Facebook said, “During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centres globally.”
Essentially, it was a Border Gateway Protocol (BGP) routing issue. BGP routing allows networks to connect with each other, and given the configuration change, there were no BGP routes to Facebook’s networks, thus causing the massive outage.
And in November, Google’s services were down for users in Europe, Asia, and the US, and took some time to resolve. Google, however, did not give clear reasons on what caused the outage.
Discovered in the month of December, the Log4j or Log4Shell vulnerability has sent major tech companies scrambling to ensure that they are updated against the flaw. The vulnerability, discovered in one of the most used logging libraries, pretty much impacts most major services from Microsoft’s Minecraft to Apple iCloud to Twitter to enterprise products such as those from VMware, Cisco, etc.
The flaw in the open-source logging library can allow hackers to take over an application or computer system easily. Exploits for this already exist and are being used to run crypto-mining scams. Experts also state that the flaw can allow for leakage of sensitive data, which poses more threats to bigger institutions such as banks, financial services and enterprise services.
There’s no doubt that Log4j is a critical flaw that most companies are worried about, and they are trying to install the latest patch quickly. It is also another reminder of how cybersecurity flaws will continue to haunt the tech world and the risks that they bring once exposed.