Today at a glance.
- Britain's compromise on Huawei draws dissatisfaction from both sides.
- State laws against cybercrime risk criminalizing research.
- Russia blocks encrypted mail services.
Both sides express dissatisfaction with the British government's decision on Huawei.
We've heard vigorous criticism of the Johnson government's decision to allow Huawei into "non-core" aspects of its 5G infrastructure from both US officials and Tory security hawks, a sample of which may be seen in this summary published by the Hill. But the presumed beneficiaries of the presumed wet policy aren't that happy, either. Consider BT, the UK's largest telecommunications company and a big Huawei customer. BT complains, Computing writes, that it will cost the company £500 million over five years to remove Huawei equipment from its EE mobile network. The Prime Minister has been more concerned to mollify the hawks than the doves, arguing, according to the Telegraph, that the policy is actually a step toward purging Huawei from the British system. Or in other words, wait'll 6G.
Maryland considers making possession of ransomware a crime.
The US state of Maryland's legislature is considering a law that would make possession of ransomware a crime. As written, Naked Security reports, the proposed law would make possession of ransomware a misdemeanor punishable by up to ten years in prison and fines of up to $10 thousand. But there's some support in the Senate for a harsher bill, one that would make the crime a felony. The bill may have intent to commit extortion with the ransomware as an element of the offense, but that's not immediately clear, and on a reasonable reading the bill does seem to criminalize simple possession. What this would do to vulnerability research or responsible disclosure can be easily imagined. The bill's language does contain the sentence, "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES" (capitals in the original, presumably for reassurance) around the more disturbing portions of the text, but on the whole the legislation seems ill-considered and ill-conceived, more an intention to signal "we're serious about security, and you can take it from us because look at this law" than a well-framed effort to control cybercrime.
Ars Technica also has an extended discussion of the proposed measure. It quotes passages that would make it a crime "to access 'all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed.' It also would criminalize under Maryland law any act intended to 'cause the malfunction or interrupt the operation of all or any part' of a network, the computers on it, or their software and data, or 'possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person.'"
Is there a Federal exemption? We're just asking, because, of course, US Cyber Command and NSA are both based in Maryland. We hear they might do some of this stuff to hostile systems overseas (or so we hear). How about for NSA or Cyber Command contractors? We're just asking.
Russian government blocks ProtonMail and StartMail.
If you’re a Russian citizen interested in keeping your online communication private, you’ve now got fewer options than formerly. Moscow has blocked both ProtonMail and StartMail, Computing reports, as the Russian government clamps down on encrypted communications. ProtonMail, a Swiss-American company, and Netherlands-based StartMail were called out by authorities for their use by people who made bomb threats. StartMail said that the reason the Roskomnadzor regulators gave for the ban was a need "to protect the Russian segment of the Internet from disseminating inaccurate socially significant information, distributed under the guise of reliable messages."