At a glance.
- Two senior Greek officials resign over Predator spyware scandal.
- Rip-and-replace may be easier said than done.
- Update on cyber provisions of the US NDAA.
Resignations in Greece over "mistaken actions found during lawful wiretapping."
Haaretz reports that the chief of Greece's intelligence service, Panagiotis Kontoleon, and Grigoris Dimitriadis, general secretary of the prime minister’s office, resigned Friday during the ongoing scandal in which the opposition PASOK party claimed the government abused Cytrox's Predator intercept tool to spy on its leaders. A statement from the office of Prime Minister Kyriakos Mitsotakis said the resignations were offered "following mistaken actions found during lawful wiretapping procedures." According to Deutsche Welle, "Athens says authorities don't use the Predator spyware, which was reportedly deployed against members of the European Parliament, and that the Greek government does not deal with businesses that sell it." Noting the political difficulties this presents Prime Minister Mitsotakis, POLITICO says that there may have been two distinct operations that compromised the PASOK leader's phone: "In a complex twist of the case, there appear to be potentially two separate taps of Androulakis's phone. In addition to the hack with Predator, some officials say he was also legally tapped by Greek intelligence agents after requests from an allied state."
Rip-and-replace may be "easier said than done."
The Times of London reports that excluding Huawei from a nation's network may be a more difficult and complicated task than many initially envisioned. Focusing on the British experience, the Times writes:
"In February, the government pushed back the deadline for reducing Huawei’s market share in the less sensitive, “non-core”, parts of the mobile network to 35 per cent; citing “the difficulties providers have faced during the pandemic”, it gave the industry until July 2023 — six more months. In June, BT, which has said the process will cost it £500 million, sought a similar delay to the deadline for taking Huawei kit out of the most sensitive “core”, where data monitoring and routing happens. Nadine Dorries, Dowden’s replacement, is said to have made positive noises but not any promises.
"Meanwhile, the industry still awaits a formal notice, known as a designated vendor direction, from the government on the Huawei ban. The Department for Digital, Culture, Media & Sport said it had carried out a 'targeted consultation' and would 'announce the outcome ... once final decisions have been taken'.
"An industry source said: 'There has generally been paralysis across government — they’ve had a huge amount on their plate. They are genuinely alive to concerns the industry’s got about the speed it has to do this at, and are trying to square keeping the lights on for customers [with] the change-out programme.'"
More on the financial sector's reluctance with respect to cyber information sharing.
We discussed last week some of the problems the financial services sector saw in a proposed amendment to the US House's version of the National Defense Authorization Act (NDAA). Nextgov reports that the sector in general feels itself to be at least adequately regulated. The amendment in question, offered by Representative James Langevin (Democrat of Rhode Island, and a member of the Cyberspace Solarium Commission), contains, among provisions that mandate the identification and designation of "systemically important entities," the following language:
"(1) IN GENERAL.—Not later than two years after the date of the enactment of this section, the Secretary [of Homeland Security], acting through the Director [of an agency designated to provide oversight], in consultation with the National Cyber Director, Sector Risk Management Agencies, the CISA Cybersecurity Advisory Committee, and relevant government and non-government entities, shall establish reporting requirements for systemically important entities.
"(2) REQUIREMENTS.—The requirements established under subsection (a) shall directly support the Department’s ability to understand and prioritize mitigation of risks to national critical functions and ensure that any information obtained by a systemically important entity pursuant to this section is properly secured.
"(3) REPORTED INFORMATION.—The requirements under paragraph (2) may include obligations for systemically important entities to—
"(A) identify critical assets, systems, suppliers, technologies, software, services, processes, or other dependencies that would inform the Federal Government’s understanding of the risks to national critical functions present in the entity’s supply chain;
"(B) associate specific third-party entities with the supply chain dependencies identified under subparagraph (A);
"(C) detail the supply chain risk management practices put in place by the systemically important entity, including, where applicable, any known security and assurance requirements for third-party entities under subparagraph (B); and
"(D) identify any documented security controls or risk management practices that third party entities have enacted to ensure the continued delivery of critical services to the systemically important entity."
Resistance to these and related provisions in the proposed legislation is perceived as resistance to key elements of the Cyberspace Solarium Commission's recommendations.