At a glance.
- Pressure on Chinese companies continues in the Five Eyes.
- Vault 7 case ends in mistrial.
- US Department of Health and Human Services establishes new patient data rules.
- New York State may bar towns from paying ransom.
- The US Defense Department's view of laws governing conflict in cyberspace.
Pressure on Huawei (and other Chinese companies) continues.
Gizmodo reports that Australia's government has ruled out Huawei's participation in the country's 5G infrastructure, and that Huawei has concluded that its attempts to find a place in that market are effectively dead. Canada continues to deliberate whether, and to what extent, it might be willing to allow the Chinese company into its own telecommunications infrastructure, and Reuters says that senior US officials are currently in Ottawa to lay out the American case that Huawei is not to be trusted. In the UK, which has announced plans to allow the company to play a restricted role in 5G, and that under close scrutiny, the Guardian reports that Government is trying to mollify dissident members of the governing Conservative Party who would prefer that Huawei be completely excluded from the national infrastructure.
In-Q-Tel, the CIA's venture capital arm, is backing Parallel Wireless, a company it hopes will successfully compete with Huawei in 5G markets, according to the Washington Times. There are other, similar initiatives being mooted in Congress and elsewhere in the US Executive Branch, but the Intelligence Community isn't waiting for them.
Mistrial in the Schulte case.
The trial of former CIA employee Joshua Schulte on charges connected to WikiLeaks' Vault 7 ended in New York yesterday with convictions on the minor counts of perjury and contempt, but with a hung jury on the eight far more serious charges of improperly disclosing classified information. The jurors could not agree that the Government met its burden of proof, and presiding Judge Paul Crotty declared a mistrial. The Washington Post says the Government will in all likelihood seek a retrial. A conference scheduled for March 26th is expected to outline the next steps.
The Post also writes that the acquittal represents a setback for the US Intelligence Community, which in recent years has worked with some success to secure the indictment and successful prosecution of leakers. It's also a setback because of the way in which the jurors decided that the Government hadn't shown beyond a reasonable doubt that Mr. Schulte had done what it accused him of, apparently because they were unconvinced by whatever audit trail of classified information handling the CIA was able to present to the prosecutors. This, the Post suggests, does little for public confidence in the Intelligence Community's ability to safeguard data. As Mr. Schulte's counsel put it in closing argument, “The bottom line is this … because the system was insecure, because the system was poorly monitored, the government cannot know, and it certainly cannot prove to you which of the many people with access to this information committed this crime, when they committed it, or how they did it.” But the prosecution will have another opportunity, and they may fare better the second time around.
US Department of Health and Human Services establishes two rules for securing patient information.
The Hill reports that the US Department of Health and Human Services has promulgated two new rules that touch upon protecting healthcare information:
- The ONC rule implements portions of the 2016 21st Century Cures Act. It will require healthcare providers to give patients electronic access to their health data, to do so without charge, and to take certain measures to secure the information.
- The Centers for Medicare and Medicaid Services have established an “Interoperability and Patient Access” rule that requires that exchange of health information among providers be secure, and requires third parties to adequately outline their data privacy policies before healthcare providers can share patient information with them.
The new rules will, it is hoped, serve to encourage both more secure practices and a more expansive view of patient rights. They will also contribute to the growth of the compliance industry and its allied professions that the Wall Street Journal describes.
Paying ransom may soon no longer be an option for New York State local governments.
According to StateTech, similar bills pending in the New York State legislature, one Republican-sponsored, the other the work of Democrats, would, if enacted by Albany, prohibit city, town, and county governments in New York State from paying money demanded by ransomware extortionists. The idea is to incentivize local governments to protect their systems against ransomware attack, and to disincentivize the criminals from attempting the attacks in the first place (since they won't be able to count on being paid).
Law west of the Potomac: the legalities of cyber conflict as seen from the Pentagon.
A speech last week by Department of Defense General Counsel Paul C. Ney, Jr., outlined how the US sees "the domestic and international law considerations that inform the legal reviews that DoD lawyers conduct as part of the review and approval process for military cyber operations." Lawfare finds several particularly interesting features in the interpretation the speech outlines. First, it's been known for some time that President Trump's National Security Presidential Memorandum 13 (NSPM-13) delegated to the Defense Department some discretion to conduct some cyber operations ("actions that fall below the 'use of force'" or that would not cause "death, destruction or significant economic impacts"). The speech narrows the scope of such delegation, confining it to cases that are "time sensitive."
Second, the Computer Fraud and Abuse Act (CFAA) specifically exempted “lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States … or of an intelligence agency of the United States.” When the CFAA was drafted and passed in 1986, Congress didn't anticipate the possibility of military action in what subsequently came to be understood as cyberspace, but the General Counsel's speech makes it clear that the Defense Department understands military action to be exempted from the Act as well.
Third, cyber operations do not count as "covert operations," and so don't enmesh the Department in laws restricting covert operations.
And, finally, it's the US position that international law does apply in cyberspace.