Huawei loses ground in Germany? Ransomware and sanctions violation. Energy sector security. State VDPs.

By the CyberWire staff

At a glance.

European governments weigh risks of Huawei participation in 5G buildout.
Ransomware payments may violate sanctions.
Four energy sector security bills clear the US House.
Iowa joins Ohio in adopting a state-level vulnerability disclosure program.

Europe weighs excluding Huawei.

Germany plans to shut out Huawei from their 5G infrastructure, according to GizmoChina. A “new security law” will block the “leading telecommunications based equipment provider in the world” via a process that looks at the politics and reliability of participating companies as well as the soundness of their parts. Several countries suspect the Chinese company of espionage, as the CyberWire has discussed.

Meanwhile, US Secretary of State Mike Pompeo reminded Rome that Beijing’s telecommunications tech risks residents’ privacy and national security, Reuters reports. Chinese businesses are required to assist government intelligence operations. Huawei Italian envoy Luigi De Vecchis commented, “We will open our insides, we are available to be vivisected to respond to all of this political pressure.” Unlike other Washington allies, Rome has not yet barred the company, and in fact cozied up to Beijing last year by engaging in their global infrastructure initiative. A functionary reportedly expressed to Reuters that preparations to take a stronger stance were underway.

And Reuters reports that the UK's Huawei oversight board has reported that the company's products showed an unacceptably high number of vulnerabilities: “These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.” Huawei sees it differently: “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities.”

Treasury warns that paying ransom may violate sanctions.

Pay ransom; risk penalties. Yesterday the US Treasury Department's Office of Foreign Assets Control (OFAC) issued a friendly reminder that companies involved in ransomware payouts risk transgressing OFAC regulations and incurring “civil penalties.” The notice specifically names “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.” Looping in law enforcement is encouraged and counts as good behavior in any assessment of penalties. OFAC added that such payments “can undermine the national security and foreign policy objectives of the United States.”

CEO of ransomware response company Coveware Bill Siegel told BleepingComputer, "The payment of a ransom IS the revenue line item for the cyber extortion economy and should be avoided by all means by any victim." Insurance Journal notes that underwriters are likely to close-read Treasury's letter.

Charles Carmakal, SVP & CTO at FireEye Mandiant shared some thoughts with us on the Treasury letter. He thinks it well-intentioned but ill-advised, because in his view the warning is likely to contribute to confusion:

"Today, the U.S. Department of the Treasury issued advisories through the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) on ransomware on the risks of paying extortion demands by ransomware operators. The OFAC advisory is well-intentioned, but it will certainly add more pressure and complexity to victim organizations already challenged recovering after a security incident.

"OFAC already provides a list of sanctioned entities. Victim organizations are required to check the list prior to paying extortion demands. However, the true identity of the cyber criminals extorting victims is usually not known, so it’s difficult for organizations to determine if they are unintentionally violating U.S. Treasury sanctions. Sometimes victims pay threat actors before they are sanctioned. For example, many victims have paid the 'SamSam' ransomware operators in the past, not knowing they were based in Iran at the time.

"In recent months, the individuals (referred to as 'EvilCorp') involved with the Dridex banking malware have been connected with the WastedLocker ransomware family. Some extortion payment organizations have decided that they would not pay extortion demands associated with WastedLocker incidents out of fear of violation U.S. Treasury sanctions.

Carmakal added some general considerations on the ransomware threat, lest anyone be inclined to minimize it.

"Ransomware is the most significant and prevalent cybersecurity threat facing corporations today. Most threat actors choose to monetize their intrusions by stealing data, deploying ransomware, shaming, and extorting victims. Some threat actors have specifically targeted hospitals in an attempt to make millions of dollars, a line that many threat actors refuse to cross.

"Today’s ransomware and extortion problem is unbearable. Mandiant is aware of over 100 organizations in which ransomware operators had network access to in September alone, more than double what we were aware of in September of the previous year.

"Many ransomware operators steal a large volume of sensitive data from organizations prior to deploying encryptors and locking organizations out of their systems and data. Threat actors may ask for money for a decryption tool, a promise to not publish the stolen data, and a walkthrough of how they broke into the network. These extortion demands are in the 6-figure range for smaller companies and 7-8 figures for larger companies. We are aware of several victim organizations that paid extortion demands between $10M and $30M."

One takeaway from the Wall Street Journal's coverage: if you do pay, don't keep ransomware payments quiet. It's a bad look, and it will land you in hot water.

Comment on the US energy security bills.

The Cyber Sense Act, the Enhancing Grid Security Through Public-Private Partnerships Act, the Energy Emergency Leadership Act, and the Grid Security Research and Development Act all cleared the US House of Representatives this week by voice vote, and with strong bipartisan support. The four measures now go to the Senate for further action.

Andrea Carcano, co-founder of Nozomi Networks approves of the legislation, and hopes it bears fruit:

“We applaud these legislative efforts that underscore our own efforts to enable critical infrastructure organizations to improve cyber resiliency. Many utilities, for example, are evaluating options for augmenting the cyber security of their industrial networks. One fundamental security best practice is having real-time visibility into cyber security attacks, risks and incidents. Previously, the technology to provide such visibility for large, heterogeneous, high availability (HA) industrial systems, did not exist.

"Increasing cyber threats, management concerns and government policies are driving power generation, substation and electric grid operations to improve the resiliency of their systems with enhancements to cyber security programs. An important part of this effort is the implementation of innovative solutions that improve OT and IoT network visibility, cyber resiliency and availability. Without network and device visibility, it’s difficult to stay on top of what’s happening at the grid or substation level. One small change or networking issue can impact reliability, safety and revenue.

"While a fast response to threats and anomalies is critical, spotting issues requires real-time visibility into assets, connections, communications and more. Unfortunately, these are capabilities that many power transmission and distribution systems lack. Security gaps related to people, processes and technology can have a big impact on operational resiliency too. For example, the traditional divide between IT and OT, at time when power grid networks are increasingly connected with business networks, can lead to cyber security blind spots. But, with a focus on training, best practices and the right technology, power grid operators can improve reliability and resiliency.”

Iowa inaugurates VDP.

Although Vulnerability Disclosure Programs (VDPs) are a cybersecurity best practice, only two US states have them, StateScoop reports: Ohio, and now Iowa. Yesterday Iowa announced that it will be working with white-hat hackers at Bugcrowd to test state-operated election, business, and victim outreach websites for vulnerabilities. The crowdsourcing security company has already uncovered multiple minor issues.

Huawei to be excluded from Germany’s 5G rollout: Report (GizmoChina) A new crackdown in Germany is set to have the government adopt new regulations that would effectively exclude Huawei from the country’s plan of rolling out 5G networking.

Israel Says Data Transfers To US Can't Rely On Privacy Shield (Law360) Israel's Privacy Protection Authority has announced that data transfers from Israel to the United States can no longer rely on the Privacy Shield pact, after the European Court of Justice invalidated the popular EU-U.S. data transfer mechanism in July.

Section 230 will be on the chopping block at the next big tech hearing (TechCrunch) It looks like we’re in for another big tech CEO hearing. The Senate Commerce Committee voted Thursday to move forward with subpoenas for Twitter’s Jack Dorsey, Facebook’s Mark Zuckerberg and Sundar Pichai, the CEO of Alphabet. The unusual decision to subpoena the social media chie…

Senate committee votes to subpoena CEOs of Facebook, Google and Twitter to testify (CNBC) The Senate Commerce Committee voted Thursday on a bipartisan basis to subpoena the CEOs of Facebook, Google and Twitter to testify.

Long-Awaited Bill for State and Local Cyber Support Passes House (Meritalk) Federal legislation to help strengthen the cybersecurity of state and local governments through a Department of Homeland Security grant program passed the House of Representatives on Sept. 30 – with impetus for the legislation coming from across the U.S. in the form of numerous ransomware and other attacks in recent years.

Lawmakers introduce bill targeting foreign disinformation on social media (TheHill) Reps. Abigail Spanberger (D-Va.) and John Katko (R-N.Y.) on Thursday introduced legislation intended to cut down on foreign disinformation on social media ahead of the election.

FBI cyber strategy maximizes deterrence through agency partnerships (Federal News Network) FBI Deputy Assistant Director Clyde Wallace said much of the bureau’s new strategy focuses on its leadership of the National Cyber Investigative Joint Task Force.

Iowa launches vulnerability disclosure program for election-related sites (StateScoop) Under the policy, security researchers can report flaws in websites related to voter registration, election results and other programs run by the secretary of state.

Secretary of State Pate announces election cyber security initiative (KWWL) Called a Vulnerability Disclosure Program (VDP), the initiative is in partnership with Bugcrowd and invites private sector security researchers to test the state's current system.

Oklahoma Launches Statewide Cyber Threat Sharing Platform (GlobeNewswire) Anomali-Powered ISAC Makes Critical Information About Election Security, Pandemic-Related Fraud, and Attacks on Remote Workers Available to Agencies Across the State

Britain says Huawei security failings pose long-term risk: govt report (Reuters) China's Huawei Technologies has failed to convince British security officials that the security risks of using its products in UK national infrastructure can be adequately managed, according to a government report released on Thursday.

Huawei 'failed to improve UK security standards' (BBC News) Officials raise fresh concerns about firm's ability to tackle engineering problems with its products.

Britain found ‘critical’ weakness in Huawei equipment (South China Morning Post) Chinese telecoms giant made to fix flaws that could have put security of British networks at risk, government agency says.

US govt warns of sanction risks for facilitating ransomware payments (BleepingComputer) The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) today said that organizations that assist ransomware victims to make ransom payments are facing sanctions risks as their actions could violate OFAC regulations.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (US Department of the Treasury) The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is issuing this advisory to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.

Treasury Warns Against Keeping Ransomware Payments Quiet (Wall Street Journal) Victims of ransomware schemes and financial institutions could violate sanctions or anti-money-laundering rules—and face stiff penalties—if they facilitate or make payments to attackers, the U.S. Treasury Department said in a pair of advisories.

U.S. Treasury Warns Cyber Insurers Against Paying Ransomware Demands (Insurance Journal) The U.S. Treasury Department is warning that individuals or businesses that help facilitate ransomware payments may be violating anti-money laundering and

()

Recent arrests and high-profile convictions: What does it mean for the cyber threat landscape? (Digital Shadows) In the wonderful world of cyber threat intelligence and research, we often analyze the impact that cybercrime or nation-state activity has on the cyber threat landscape. Digital Shadows' latest

CFTC, Department of Justice file charges against owners of crypto derivatives exchange BitMEX (The Block) The Commodity Futures Trading Commission (CFTC) has filed charges against crypto derivatives exchange BitMEX and its owner-operators, including co-founder and CEO Arthur Hayes.

9 discarded ballots weren't fraud, state election chief says (AP NEWS) It appears that an election worker’s decision to throw out nine military ballots in Wilkes-Barre, Pennsylvania, amounted to a mistake and not “intentional fraud,” the...

AG Nessel Files Felony Charges Against Jack Burkman, Jacob Wohl in Voter-Suppression Robocalls Investigation (State of Michigan) Michigan Attorney General Dana Nessel has filed charges today against two political operatives for allegedly orchestrating a series of robocalls aimed at suppressing the vote in the November general election.

Border Phone Searches Don't Need Warrant, US Tells 1st Circ. (Law360) Border officials should be able to confiscate and search a traveler's smartphone or laptop without probable cause and a warrant, U.S. government lawyers told the First Circuit, asking the court to reverse a finding that basic device searches require reasonable suspicion.

Six-Year Surveillance Operation by Iranian Hackers Targeted Dissidents, Tracked Locations and Stole Personal Information (CPO Magazine) A six-year surveillance operation tied to state-sponsored Iranian hackers appears to have scooped up personal documents and tracked the phone location data of dissidents.

Election poses historic test for what Reagan called the US 'miracle' (Atlantic Council) 2020 is an important year for the US democratic process to run smoothly, with China leading an authoritarian post-COVID swing.

U.S. state, local election computer networks still vulnerable to hacks (NBC News) "A lot of good stuff has been done," said one expert. "But let's face it, we've got 54 states and territories. The risk landscape is pretty broad."

DOD, DHS expose hacking campaign in Russia, Ukraine, India, Malaysia (CyberScoop) "Sophisticated" hackers are launching cyberattacks against targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia, and Ukraine, DOD and DHS say.