At a glance.
- US Intelligence Community priorities.
- Threats to submarine cables.
- Possible US budgetary windfall for CISA, FTC cyber programs.
- Implications of a deferred prosecution agreement.
IC priorities: China, terrorism, technology, and hiring.
ClearanceJobs recaps Intelligence Community (IC) priorities as described by agency leadership in a 2021 Intelligence and National Security Summit panel. The FBI is focused on counterterrorism, cybersecurity, and recruiting mission-oriented talent, and the Defense Intelligence Agency is concerned with China, emerging technologies, and workforce development and retention. The National Geospatial-Intelligence Agency is retooling terrorism talent for China assignments while juggling the Afghanistan issue. CIA priorities include disruptive technology, recruitment, and partnerships. NSA’s focus is cybersecurity and boosting collaboration with former employees, and the National Reconnaissance Office’s attention is directed towards innovation and coordination with the Space Force.
IC leadership also emphasized Iran, Russia, and North Korea, and the renewed threat of terrorism given Afghanistan’s collapse and Al-Qaeda’s likely re-emergence.
Submarine cable (in)security.
Defense One argues that authoritarian regimes, remote management systems, and data sensitivity pose increasing risks to the underwater cables that transmit Internet traffic between coasts, and that the US should respond by ramping up cybersecurity investments, oversight authorities, and domestic and international cooperation and capacity-building efforts.
The cables convey in excess of ninety-five percent of intercontinental traffic, including personal, academic, commercial, and government communications. Public and private sector shifts to cloud computing have made the data flows more tempting targets for APTs and cyber gangs, while cable operators’ drift towards remote solutions has made them easier targets. Authoritarian governments like Russia and China, meanwhile, have demonstrated the will and capacity to seize communications infrastructure, bully tech companies, surveil and censor online information, shut down access, and manipulate investments for strategic ends.
CISA, FTC poised for budgetary windfall, politics pending.
BankInfoSecurity reports signs of hope for CISA and FTC cyber projects in House negotiations over President Biden’s $3.5 trillion spending plan. The Homeland Security Committee earmarked $865 million for CISA, with $400 million to support the cybersecurity Executive Order, and the Energy and Commerce Committee approved $1 billion for a new FTC data protection bureau. The bill has several more hurdles to clear in the House and Senate to become law, at which point the funding would be distributed over the next decade.
The purpose of CISA’s payout, commented former DHS official Mike Hamilton, “seems to be ensuring that CISA can bring on the workforce it's going to need to have a prayer of completing [the tasks it’s been assigned], some of which seem very open-ended.”
A deferred prosecution agreement, and its implications for the cybersecurity sector.
The deferred prosecution agreement the US Justice Department entered into with three US Government alumni who went on to work for the Emirati cybersecurity firm DarkMatter provides an instructive look at how US Federal prosecutors intend to handle activities that contravene a range of laws that cover cyber operations and exports. The statutes the Government alleges the three men (Marc Baier, Ryan Adams, and Daniel Gericke) violated were 18 U.S.C. § 371 (Conspiracy), 22 U.S.C. § 2778 (Arms Export Control Act), 22 C.F.R. Parts 120-130 (International Traffic in Arms Regulations), 18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers), and 18 U.S.C. § 1029 (Access Device Fraud).
Official comments in Justice's press release provide a clear picture of how they view such activity:
“'This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,' said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division. 'Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.'
“'Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,' said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. 'A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.'
“'The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,' said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. 'This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.'”
Former Government personnel shouldn't count on prosecutors cutting them any slack. They should know better. Their regular training includes plenty of warnings:
“'Today’s announcement shines a light on the unlawful activity of three former members of the U.S. Intelligence Community and military,' said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. 'These individuals chose to ignore warnings and to leverage their years of experience to support and enhance a foreign government’s offensive cyber operations. These charges and the associated penalties make clear that the FBI will continue to investigate such violations.'”
The three individuals charged are expected, under the agreement, to assist the Government with its ongoing investigation. Security companies that do business internationally should also be aware of how their products might run afoul of the law. MIT Technology Review has an account of what the three individuals bought and whom they bought it from.
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, thinks the way the deferred prosecution agreement involved clawing back wages is a good lesson the security community should bear in mind:
“The $1.6 million DPA is a good reminder to the US penetration testing community that many offensive operations in digital space are now regulated. The US has a compelling national interest to prevent advanced cyber arms, such as 0day RCE vulnerabilities in iOS, from leaving the country and serving foreign interests. The problem is that in the future the thin line between mere provision of penetration testing services and the development of cyber arms will blur even more, making some of the most skilled cybersecurity professionals restricted to work for foreign entities unless authorized under ITAR. Other Western countries will probably enforce similar regimes to prevent hostile foreign nations from exploiting their cyber knowledge base and talent.”