At a glance.
- Canada announces ban of Huawei tech for 5G.
- US Justice Department to allow good-faith research under CFAA.
- US Representative urges White House to select new cybersecurity bureau chief.
- Data breach reporting regulations for banks.
- CISA's alert on the VMware vulnerability.
- Chinese espionage attends to the Russian aerospace sector.
Canada announces ban of Huawei tech for 5G.
The Canadian government officially declared yesterday that wireless carriers in the country won’t be allowed to install equipment made by Huawei Technologies Co. Ltd. or ZTE Corp. in their high-speed 5G networks. Industry Minister François-Philippe Champagne stated, “We are announcing our intention to prohibit the inclusion of Huawei and ZTE products and services in Canada’s telecommunications systems.” Reuters notes that Canadian wireless companies will be required to remove Huawei 5G gear by June 2024 and will not be reimbursed. Companies using Huawei’s 4G equipment must remove it by the end of 2027. “There are many hostile actors who are ready to exploit vulnerabilities in our defenses,” Canadian Public Safety Minister Marco Mendicino said. Canada is following in the footsteps of its partners in the Five Eyes intelligence alliance, as the US, Britain, Australia, and New Zealand have already banned Huawei equipment. The Wall Street Journal adds that a US State Department representative welcomed the decision, stating “The United States supports efforts to ensure countries, companies, and citizens can trust their wireless networks and their operators.” The long-awaited move has been anticipated since Canada announced in 2018 it would be evaluating Huawei as a threat to security, but the decision was stalled due to political tensions involving the arrest of Huawei Chief Financial Officer Meng Wanzhou in Canada and the subsequent arrest of two Canadians in China under suspicion of espionage.
China has condemned Canada’s decision, calling it a form of political manipulation and a violation of free-market principles. Huawei spokesman Alykhan Velshi said, “We’re disappointed but not surprised. We’re surprised it took the government so long to make a decision. We see this as a political decision, one born of political pressure primarily from the United States.” In a statement on its website, the Chinese Embassy said, “China will comprehensively and seriously evaluate this incident and take all necessary measures to safeguard the legitimate rights and interests of Chinese companies.” AP News notes that China has made such statements in the past without following through on them.
US Justice Department to allow good-faith research under CFAA.
In a revision to its charging policy under the Computer Fraud and Abuse Act (CFAA), the US Department of Justice (DOJ) announced it will no longer charge good-faith security research, that is, ethical hacking carried out solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability. Until now, such activity fell into a legal gray area, but Deputy Attorney General Lisa O. Monaco explained, “Computer security research is a key driver of improved cybersecurity. The Department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” That said, Bleeping Computer notes, the revision will not cover hacking conducted under the pretense of security research when that research is used to extort companies, and federal prosecutors will review all cases to assess the actor's intentions.
Alex Rice, CTO and Co-founder of HackerOne, completely approves of the Justice Department's move:
“For well over a decade now cybersecurity leaders have recognized the critical role of hackers as the internet’s immune system. We enthusiastically applaud the Department of Justice for codifying what we’ve long known to be true: good faith security research is not a crime. This update also further establishes bug bounty and vulnerability disclosure as best practices for all organizations, so there’s one more reason for hackers to engage in good-faith research and one less reason for organizations to hesitate about launching a disclosure policy. The Department of Justice is driving us towards a more transparent and collaborative security culture for organizations and hackers to build a safer internet for everyone.”
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, gives the Justice Department's decision generally positive reviews:
“This is a historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data. On the other side, the DoJ may unwittingly open a Pandora's box: the definition of ‘good faith’ could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cybercriminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement. Importantly, cybersecurity researchers shall also bear in mind that, apart from the CFAA, they may face civil lawsuits, namely for breach of contract or intellectual property infringement. Moreover, due to the international nature of many tech vendors, criminal charges may be brought in other jurisdictions. Therefore, security research remains a shark-infested area.”
US Representative urges White House to select new cybersecurity bureau chief.
On Wednesday senior House Republican Michael McCaul voiced his concern that US President Joe Biden has not yet nominated a leader for the Bureau of Cyberspace and Digital Policy, a new State Department bureau focused on setting international norms for cybersecurity. At a Washington Post Live event, McCaul, who co-founded the House Cybersecurity Caucus, stated, “We really need to appoint that ambassador position.” The Record by Recorded Future notes that McCaul has also called on the Senate to pass the Cyber Diplomacy Act, which would establish the diplomatic post and its office in law.
Data breach reporting regulations for banks.
As of May 1, three US bank regulators – Federal Deposit Insurance Corp., Federal Reserve Board, and Office of the Comptroller of the Currency – began requiring banks to report cybersecurity incidents within thirty-six hours. Jorge Rey, chief information security officer for accounting firm Kaufman Rossin, explained, “Ultimately, what all these regulators are trying to do is promote information sharing.” The regulation joins the Cybersecurity and Infrastructure Security Agency’s 72-hour cybersecurity incident reporting rule, established by Congress in March but not yet fully written, and the Securities and Exchange Commission’s recently implemented data breach reporting regulations for banking institutions. The motivation behind the new rules, American Banker notes, is a widely held belief that cybersecurity incidents are underreported, as a recent survey conducted by international professional IT governance association ISACA showed three in four cybersecurity professionals believe that cybersecurity incidents are not fully disclosed.
CISA's alert on the VMware vulnerability.
On Wednesday VMware addressed vulnerabilities in several of its products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. That these are more significant than the ordinary run of patches may be seen in the way the US Cybersecurity and Infrastructure Security Agency (CISA) has discussed them. Alert (AA22-138B), "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control," warns that "malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination." The Alert adds, "CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied." US federal civilian agencies have until next Tuesday to identify and remediate the issues.
Torsten George, Cybersecurity Evangelist at Absolute Software, commented on the significance of this particular issue:
“Reports about vulnerabilities in a variety of VMware products that increase the risk for authentication bypass and local privilege escalation are a stark reminder that systems and process failures by third parties can have catastrophic reputational and operational consequences for an organization. As a result, it is no longer sufficient to simply implement procedures for managing vendors and the risk they may expose to the organization. Instead, organizations need to also safeguard against third-party related control failures. This typically equates to running penetration tests, implementing end-to-end vulnerability management, and enforcing risk-based patch management. An often-overlooked aspect is to harden the environment (e.g., endpoints) and assure the efficacy of the security applications themselves. Ultimately, companies need confidence that mission-critical applications remain installed, healthy, and effective to counteract human error, malicious actions, software collisions, and normal decay.”
The limitations of an alliance of convenience.
China has generally supported Russia's invasion of Ukraine, but that support has limits, and Chinese cyberespionage against Russian targets has continued. Security Affairs reports that a cyberespionage group, “Space Pirates,” is targeting the Russian aerospace industry. Active since at least 2017, the group is believed to be associated with China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Positive Technologies discovered the attacks in 2019 targeting a Russian aerospace enterprise. They've seen the malware reappear in 2020 against Russian government organizations, and again in 2021 against another Russian enterprise. Positive Technologies stops short of directly attributing the activity to Beijing, but circumstantial evidence points in that direction.
Check Point has also observed the activity, and they're not reticent about either attribution or identifying victims. A report yesterday "details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT." They think the activity bears significant similarities to earlier campaigns by Twisted Panda. The goal is evidently theft of intellectual property, and the choice of sanctions as phishbait shows "once again how quickly Chinese espionage actors adapt and adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success."