At a glance.
- IoT security bill clears the US House of Representatives.
- ByteDance wants to set up a new US TikTok company, with Oracle as a minority partner.
- Updates on Huawei and national 5G infrastructure.
- Imposition of costs by Federal indictment.
The Internet of Things Cybersecurity Improvement Act of 2020 clears the US House.
The Internet of Things Cybersecurity Improvement Act of 2020, co-sponsored by Representatives Will Hurd (Republican, Texas 23rd) and Robin Kelly (Democrat, Illinois 2nd) cleared the House of Representatives in a bipartisan voice vote held yesterday, FCW and the Federal News Network report. It now goes to the Senate, where a similar version introduced by Senator Mark Warner (Democrat of Virginia) has been under consideration. The measure is intended to impose a set of baseline security standards that any IoT device would have to meet before it could be purchased by the Federal Government. The bill requires the National Institute of Standards and Technology to set best practices for device security, and tasks the Office of Management and Budget with creating and issuing guidance for agencies to meet or exceed NIST's standards. The sponsors hope that the measure, should it become law, would drive higher security standards in the commercial IoT market as well.
ByteDance wants to set up a new US TikTok company, with Oracle as a minority partner.
ByteDance’s deal with Oracle has grown clearer. According to the Wall Street Journal, TikTok’s American operations will be incorporated as a US company, with Oracle holding a significant but still minority stake in the new company. ByteDance will retain majority ownership. The Washington Post thinks the reorganization is likely to meet with US regulatory approval, as does CNBC, but that's based largely upon suppositions about Oracle's influence with the White House and the presumed success of Chinese lobbying. US regulatory agencies have yet to weigh in. The proposal has been coldly received by Congress, TheHill reports, with Republican Senators notable for their disapproval.
Updates on Huawei and national 5G infrastructure.
Huawei has failed to gain the necessary security clearance that would enable participation in Czech Republic tender offers, according to Expats. The company itself has withdrawn its application from consideration by the National Security Office (NBU) when it became convinced that any decision was likely to go against it.
Canada's slow motion toward excluding Huawei from its telecommunications infrastructure may not, Reuters reports, extend to compensating the country's telcos for whatever rip-and-replace they may have to do.
US indictments and the imposition of costs.
The US Justice Department has unsealed two indictments that display the Department's understanding of how it can help "impose costs" on foreign nationals involved with cyberattacks. The indictments cover a mix of cyberespionage, financially motivated crime, and apparent patriotic hacktivism.
Yesterday the Department unsealed its indictment of two Iranians in connection with their alleged defacement of websites in response to the US drone strike that killed Iranian General Suleimani during his activities in Baghdad. The two men charged, Behzad Mohammadzadeh, an Iranian national, and Marwan Abusrour, believed to be "a stateless national of the Palestinian Authority," are accused of what would appear to be patriotically motivated cyber vandalism. The two are charged with conspiring to commit intentional damage to a protected computer and with intentionally damaging a protected computer. The first charge carries a sentence of up to five years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss, whichever is greater. The second charge provides for a sentence of up to ten years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss, whichever is greater.
Joseph R. Bonavolonta, Special Agent in Charge of the FBI Boston Division, pointedly said in the Justice Department press release that the two are now effectively unable to travel outside the Islamic Republic or the Palestinian authority without risking arrest and extradition. Denial of free travel is one of the costs commonly imposed on criminal hackers outside the reach of the US Government, even when they’re the sort of low-level talent Mssrs. Mohammadzadeh and Abusrour appear to be,
The other US indictment covered seven individuals accused of international cybercrime. Two defendants have been arrested in Malaysia, and the remaining five remain at large in China. The seven are alleged to have stolen source code, software code signing certificates, customer account data, and what the Justice Department characterizes as “valuable business information.” The intrusions through which the theft was accomplished facilitated other criminal activity as well, particularly ransomware and cryptojacking.
The two Malaysian nationals in custody, Wong Ong Hua and Ling Yang Ching, face twenty-three counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA, and falsely registering domain names. The Chinese nationals still at large are Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang. The first two of these, Zhang and Tan, are charged with twenty-five counts of conspiracy, wire fraud, aggravated identity theft, money laundering, and violations of the Computer Fraud and Abuse Act. They targeted companies, but they also had a side hustle going in the form of a “Video Game Conspiracy” in which they stole and resold in-game currencies and commodities. They also sought to get the gaming companies to ban various criminal competitors.
The remaining three Chinese nationals, Jiang, Qian, and Fu, face nine counts of racketeering conspiracy, conspiracy to violate the CFAA, substantive violations of the CFAA, access device fraud, identity theft, aggravated identity theft, and money laundering. The alleged racketeering conspiracy pertains to their operation of Chengdu 404 Network Technology, a Chinese company through which they engaged in a range of racketeering that affected more than a hundred companies.
One at least of the individuals under indictment is said to have boasted of his connection with Chinese security and intelligence services. Indeed the activity seems to have some connection with APT41, also known as Wicked Panda, and some of the targets were government networks where the defendants appear to have been collecting intelligence. Thus the activity would indicate that China’s government is willing to let its contractors make some money on the side, as long as their activities benefit Beijing and are consistent with national policy.