Search Results for: us v microsoft

A Look at the European Commission’s Amicus Brief in United States v. Microsoft Corp

December 15, 2017 by Zarine Kharazian Leave a Comment

On December 13, 2017, the European Commission filed an amicus brief in the United States v. Microsoft Corp case set to go before the U.S. Supreme Court in the 2018 term. The case concerns the U.S. Justice Department’s access to an individual’s private emails stored at Microsoft’s Dublin data center. In December 2013, the DOJ served Microsoft a warrant compelling it to disclose the private communications of an individual the government had reason to believe was engaged in criminal drug activity. When Microsoft turned over the account information stored on its U.S. servers, but refused to disclose the information stored at its Dublin center, the legal battle ensued.

At Issue: The Extraterritorial Application of the Stored Communications Act’s Warrant Provisions

The Stored Communications Act (SCA) – which is part of the broader Electronic Communications Privacy Act (ECPA) of 1986 – allows the government to require that an electronic communications provider disclose information about a particular communication upon being served a probable-cause-based warrant. At issue in this case is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider, to produce private electronic communications stored on servers in Ireland for the United States government.

The European Commission’s Brief

While the Commission stresses that the EU takes “no position on the ultimate question of the Stored Communication Act’s proper construction under U.S. law,” it nevertheless implores that the Supreme Court consider EU data protection laws, particularly the General Data Protection Regulation (GDPR) set to go into effect in May 2018, when making its decision. The Commission argues that the GDPR applies in this case because the actions Microsoft must take to fully comply with the Justice Department’s warrant constitutes data “processing” to and from the European Union.

Chapter 5 of the GDPR explicitly addresses the transfer of data from the EU to a non-member state. The GDPR specifies two main circumstances under which personal data may be transferred from the European Union to a non-member state:

Article 47 allows transfers in cases in which the Commission has ruled that the third party’s data protection laws provide an “adequate level of protection.” In determining the adequacy of a particular data protection regime, the Commission examines the third party’s rule of law and the presence and functioning of relevant regulatory authorities, among other elements.
In the absence of the provisions in Article 47 being satisfied, Article 48 allows transfers to a third party if the data controller or processor has ensured “appropriate safeguards,” which many include standard data protection clauses, binding enforcement authority, and legal recourse for data subjects, among other guarantees.

In cases that do not resemble either of the above circumstances, Article 49 outlines “derogations for specific situations.” In its brief, the Commission identifies two provisions that are most relevant to the case at hand:

When a transfer is “necessary for important reasons of public interest;” and
When a transfer is “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interest or rights and freedoms of the data subject.”

With regards to the first provision, the Commission concedes that the Justice Department’s request for data generally would be seen as meant to further an “objective general interest:” the “fight against serious crime, a well as “criminal law enforcement and international cooperation in that respect.”

With regards to the second provision, however, the Commission is vaguer. It remains an open question whether the interests, however legitimate, underlying the Justice Department’s request for data override “the interests or rights and freedoms of the data subject.” Thus, while the Commission abstains from siding with either party explicitly, its implication is clear: should the Court rule in favor of the U.S. Justice Department, the U.S. may run afoul of the EU data protection regime, and face EU states’ national regulatory authorities’ ire.

The Commission’s brief: European Commission Amicus Brief in Support of Neither Party

Justice Department and Microsoft Set to Square Off Before Supreme Court In Landmark Data Privacy Case

October 18, 2017 by Zarine Kharazian 2 Comments

Yesterday, the Supreme Court granted the Department of Justice’s petition for a writ of certiorari in its dispute with Microsoft over access to private emails stored at Microsoft’s Dublin, Ireland data center. At issue is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider to produce private electronic communications stored on servers in Ireland for the United States government.

Background

In December 2013, the Justice Department served a warrant to Microsoft, compelling the company to disclose information pertaining to a user’s email account. The government asserted that it had probable cause to believe that the account was being used to facilitate criminal drug activity.

In response to the warrant, Microsoft turned over the information pertaining to the account stored on its U.S. servers, such as the user’s address book. The company refused, however, to turn over the information stored in Dublin. Microsoft assigns accounts to particular data centers based on their proximity to users’ country of residence. The account in question had been assigned to Microsoft’s Dublin center, and thus all of the account’s email content – the subject lines as well as content of emails – was stored solely in Dublin, not in the United States.

Microsoft argued that the U.S. government could not invoke the Stored Communications Act to compel the production of data stored in a foreign country. Instead, the company stated that the U.S. government had to obtain the consent of the Irish government first, by utilizing an alternate channel established for obtaining such communications: the United States’ Mutual Legal Assistance Treaty (MLAT) with Ireland.

A district court, however, affirmed the magistrate judge’s ruling on de novo review, and held Microsoft in contempt for failing to comply with the warrant.

The case then came before the Second Circuit Court of Appeals. In a unanimous decision, the Second Circuit reversed the district court’s ruling, reasoning that the lower court “lacked authority to enforce the Warrant against Microsoft,” on the grounds that “[n]either explicitly nor explicitly does the statue envision the application of its warrant provisions overseas.”

Now, the case is set to go before the Supreme Court during its 2017-2018 term.
Modernizing Data Privacy Protections: The Role of Congress or the Courts?

In a blog post posted on October 16, 2017, Microsoft’s President and Chief Legal Officer, Brad Smith, argued data privacy laws in the United States should be modernized. “The current law, ECPA, was enacted in 1986 when the World Wide Web was still a few years away from being invented and no one conceived of conducting most work and personal business online,” Smith writes. “A world connected by cloud services simply didn’t exist. The ways in which we communicate have radically changed over the past three decades — but the laws governing those communications haven’t. Current laws don’t adequately support the needs of law enforcement anywhere in the world or protect our rights.”

Smith stresses, however, that it is Congress, not the courts, who should take the helm in this effort. “We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017.”

Smith’s argument here – that data privacy laws should be modernized by passing new legislation in Congress, rather than by challenging existing statutes in the courts – echoes the argument put forth in Microsoft’s opposition brief. “Congress alone has the authority and the institutional competence to craft a new legislative scheme for a world not anticipated in 1986,” Microsoft’s counsel writes. “And it has remedial options simply not available to this Court.” Microsoft argues that the courts, in interpreting the Stored Communications Act, have traditionally employed an “all-or-nothing” approach with regards to the question of extraterritoriality–either law enforcement may compel production of all communications stored abroad, or it may demand none of it. This approach thus risks disrupting “the ‘harmony’ between nations that is ‘particularly needed in today’s highly interdependent commercial world.’”

Interestingly, the digital privacy groups that submitted a joint amicus curiae brief in support of Microsoft’s petition before the Second Circuit veered away from Microsoft’s choice-of-forum argument. Rather than supporting Microsoft’s assertion that it is the job of Congress, not the Court, to modernize the SCA, the privacy groups – namely, the Brennan Center for Justice, the American Civil Liberties Union, the Constitution Project, and the Electronic Frontier Foundation – make a different argument altogether. They state in their brief:

Modern technology has dramatically expanded the reach of the doctrine far beyond records of bank transactions and telephone calls. The Supreme Court recognized this problem in Riley, reasoning that Fourth Amendment privacy protection must account for this new technological reality. There, in holding that cell phones may not be searched under the search-incident-to -arrest warrant exception, the court noted that modern cell phones—just like cloud-based email—are capable of storing a vast amount of personal information and thus deserve the highest privacy protections.

Here, the amici curiae apply a Fourth Amendment analysis – an amendment that Microsoft does not even mention in its brief — to the question of whether the SCA applies extraterritorially. It remains to be seen whether the Supreme Court will be sympathetic to Microsoft’s and the supporting amici curiae’s arguments. Whether or not the Justices side with Microsoft, the line of reasoning they choose to privilege in their opinions –either the choice-of-forum or the Fourth Amendment analysis – will have implications for how similar legal quandaries are framed in the future.

Take a look at the case filings here.

U.S. Department of Justice Publishes White Paper on the Cloud Act

April 12, 2019 by Bruce Zagaris Leave a Comment

On April 10, 2019 the U.S. Department of Justice announced the public release of a white paper on the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Enacted in March 2018, the Act updates the legal framework for how law enforcement authorities may request electronic evidence required to protect public safety from service providers while respecting privacy and foreign sovereignty.

Deputy Attorney General Rod Rosenstein promises the DOJ will be proactive in working, both in the U.S. and abroad, to promote greater understanding and appreciation of what the CLOUD Act does.

The CLOUD Act has two distinct parts. First, the Act authorizes the U.S. to enter into bilateral agreements to facilitate the ability of trusted foreign partners to obtain the electronic evidence they required to fight serious crime. To qualify under the Act, a partner country must adhere to baseline rule-of-law, privacy, and civil liberties protections. Through bilateral agreements, each country would agree to lower the legal barriers that prevent their communication service providers from complying with qualifying lawful orders for electronic data issued by the other country. By lowering legal barriers, each country could serve its legal process, such as search warrants, directly on the providers of the other country, significantly increasing the speed and efficiency compared with existing methods of transferring electronic evidence.

Second, the CLOUD Act sets forth in U.S. law the principle – longstanding in both the U.S. and in many foreign countries, that a company subject to U.S. jurisdiction can be required to produce data within its custody and control, regardless of where it chooses to store that data at any point in time. This was a key issue in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27, 2018 This provision simply codified what had been the law and practice prior to the 2016 Microsoft decision by a court of appeals, and ensured that the U.S. continued to be in compliance with its obligations under the Budapest Cybercrime Convention, which requires all member states to have the power to compel providers in their territory to disclose electronic data in their control, no matter where stored. The CLOUD Act provision did not change whether or not a provider is subject to U.S> jurisdiction, nor did it provide U.S. law enforcement any new authority to acquire data.

The Act formalizes the process for companies to challenge a law enforcement request. The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.

The DOJ compiled the white paper with the input of components cross the DOJ, including attorneys from the Criminal Division and the National Security Division. The white paper discusses the interests and concerns that prompted the enactment of the CLOUD Act and provides a distillation of the effect, scope, and implications of the Act, as well as answers to frequently asked questions.

On April 5, 2019, Deputy Assistant Attorney General Richard W. Downing delivered remarks at the Academy of European Law Conference on “Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety” in London, United Kingdom He said at the start of his remarks that, since it was enacted last March 2018, the CLOUD Act has, unfortunately, been the subject of many misconceptions, and is viewed by some with suspicion. That may not be surprising, given the complexity and technicality of some of the issues involved. Downing continued that “one particularly inaccurate statement about the Act being made in some circles is that it is a U.S.-centric law designed solely to serve U.S. interests and U.S. needs. “ Downing said that in fact the impetus for the CLOUD Act came from our foreign law enforcement partners, who expressed a need for increased speed in obtaining evidence held by U.S. providers – evidence which is normally obtained through the Mutual Legal Assistance Treaty – or “MLA” – process.

The current issue of the IELR will have additional discussion of the white paper on the CLOUD Act and its implications.

U.S. Sits Out Paris Cyber Accord, Along with China, Russia, and North Korea

November 15, 2018 by Zarine Kharazian Leave a Comment

The United States, along with China, Russia, and Iran, has refused to sign a new cybersecurity pact supported by over 50 countries and a host of technology industry leaders this week.

French President Emmanuel Macron introduced the initiative, called The Paris Call for Trust and Security in Cyberspace, at UNESCO’s annual Internet Governance Forum in Paris on November 12, 2018.

The Terms

The accord’s signatories agree to collaborate in order to:

Prevent and recover from cyber attacks that threaten individuals, institutions, or critical infrastructure;
Prevent activity that attempts to damage the free and fair flow of information on the Internet;
Strengthen capacity to prevent election interference by foreign adversaries through malicious cyber attacks;
Prevent theft of intellectual property, including trade secrets;
Prevent the proliferation of malicious ICT tools;
Fortify the security of digital products and services;
Encourage the adoption of “advanced cyber hygiene”for all actors;
Stop non-State actors from “hacking-back,” and
Promote international norms and confidence-building measures in cyberspace.

While the Paris Call is not legally binding, it nonetheless serves as a symbol of adherence to diplomatic norms and principles in cyberspace. In a post on Microsoft’s blog, Microsoft President and Chief Legal Officer Brad Smith praised the accord for furthering both state and non-state actors’ commitment to digital peace. “The Paris Call is an important step on the path toward digital peace, creating a stronger foundation for progress ahead,” Smith wrote. “It calls for strong commitments in support of clear principles and strong norms to protect citizens and civilian infrastructure from systemic or indiscriminate cyber attacks. Similarly, it calls for governments, tech companies and nongovernmental organizations (NGOs) to work together to protect our democracies and electoral processes from nation-state cyber threats.”

In Bad Company

The United States’ absence from the agreement is notable – most U.S. allies, including all European member states, signed on to the Paris Call. Most members of the Five Eyes signals intelligence network – the United Kingdom, New Zealand, and Canada – also signed on (Australia and the United States are the exceptions). In addition, more than 200 companies, many of them large multinationals based in the United States as well as NGOs, have also supported it. Among these non-state signatories are Microsoft, Google, Facebook, Accenture, Salesforce, MasterCard, Visa, Citigroup, Deutsche Bank, and Nestle.

By refusing to sign the Paris Call, the United States finds itself in the company of several repressive regimes, as well as states with active cyberwar programs. Russia, China, Iran, North Korea, Saudi Arabia, and Israel have yet to sign the agreement. The United States has not revealed its reason to abstain from the Call thus far, but also has not ruled out supporting it.

OFAC Provides New Designations for Violations of Russian Sanctions

September 5, 2018 by Farhad Mirzadeh Leave a Comment

During August 2018, the United States strengthened sanctions against Russia for multiple violations of U.S. and international law. The U.S. continued to apply pressure on August 21^st when the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) designated entities and individuals for circumventing both North Korean-related sanctions and cyber-related sanctions.[1]

The United States has been active in punishing violators of North Korean-related sanctions. On August 15th, OFAC announced designations against Russian and Chinese shipping companies for circumventing North Korean-related sanctions. [2] The August 21 designations target two Vladistok-based shipping companies, Primorye Martime Logistics and Gudzon Shipping Co., which were engaged in ship-to-ship transfers of refined petroleum products with North Korean flagged vessels, a violation of US sanctions against North Korea.

The designations for circumventing North Korea-related sanctions coincide with designations for violations of cybercrime-related sanctions.[3] St. Petersburg-based Vela-Marine Ltd. and Lacno S.R.O. were responsible for providing equipment to Russian Intelligence Agency, F.S.B., which has been sanctioned for its interference in the 2016 U.S. presidential election.

The continued pressure from the United States has created both opportunities and complications. On the one hand, the sanctions are being felt in Russia as access to credit tightens for Russian oligarchs and restricts the ability to freely conduct business. For example, Credit Suisse froze 5 billion Swiss francs linked to Russia.[4] On the other hand, Russian groups are now targeting institutions and individuals that have called for increased pressure on Russia. According to a report released by Microsoft, Russian groups—including a group of hackers formerly known as the G.R.U. have targeted conservative think-tanks and organizations in retaliation for supporting continued sanctions.[5]

Sanctions strain the US-Russian relationship and have placed policymakers in Washington at odds with each other. The Trump Administration seeks to lower tensions with Moscow and to try and use the sanctions as a bargaining chip to seek Russian concessions on Syria and Ukraine.[6] Congress, however, introduced a bipartisan bill that seeks to widen the scope of sanctions and make them more punitive.[7]

With respect to North Korean sanctions, on August 4, the North Korea government said the US was acting with “alarming” impatience on the issue of denuclearization, after Secretary of State Mike Pompeo stressed the need to maintain full sanctions pressure on Pyongyang.[8] Since the meeting with President Trump on June 12 in Singapore, Kim Jung-On has started a diplomatic offense, reaching out to China and South Korea to show his good faith in trying to deal with the U.S. Clearly, North Korea is seeking Chinese and Russian support in the U.N. Security Council and elsewhere with respect to obtain relief on sanctions.

* The George Washington University Law School, J.D., 2018.

[1] Treasury Targets Russian Shipping Companies for Violations of North Korea-related United Nations Security Council Resolutions, Aug. 21, 2018, https://home.treasury.gov/news/press-releases/sm463; Treasury Targets Attempted Circumvention of Sanctions, August 21, 2018, https://home.treasury.gov/news/press-releases/sm462.

[2] Bruce Zagaris, U.S. Treasury Designates 4 Persons for Violating U.N. Shipping Sanctions against N. Korea, 34 Int’l Enforcement L. Rep. 445 (2018).

[3] See U.S. imposes fresh sanctions for Russian cyber-related activity, Reuters (Aug. 21, 2018), https://www.reuters.com/article/us-usa-russia-sanctions-treasury/us-imposes-fresh-sanctions-for-russian-cyber-related-activity-idUSKCN1L61FB.

[4] See Breanna Hughes Neghaiwi and John O’Donnell, Credit Suisse freezes $5 billion of Russian money due to U.S. sanctions, Reuters (Aug. 22, 2018), https://www.reuters.com/article/us-credit-suisse-gp-sanctions/credit-suisse-freezes-5-billion-of-russian-money-due-to-us-sanctions-idUSKCN1L71LR.

[5] See David E. Sanger and Sheera Frenkel, “New Russian Hacking Targeted Republican Groups, Microsoft Says, N.Y. Times (Aug. 21, 2018), https://www.nytimes.com/2018/08/21/us/politics/russia-cyber-hack.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news.

[6] John Hudson, Trump administration seeks to ease tensions with Moscow as new sanctions loom, Wash. Post (Aug. 29, 2018), https://www.washingtonpost.com/world/national-security/trump-administration-seeks-to-ease-tensions-with-moscow-as-new-sanctions-loom/2018/08/29/d6e902f9-f932-4fe2-b084-d7288aaf8258_story.html?noredirect=on&utm_term=.ff26bee1b4aa).

[7] Nicholas Fandos and Catie Edmondson, Facing New Russian Hacking, Senators Signal They Are Ready to Act, N.Y. Times (Aug. 21, 2018), https://www.nytimes.com/2018/08/21/us/politics/russia-sanctions-microsoft-hacking.html.

[8] Sam Reeves and Martin Abbugao, North Korea criticizes ‘alarming’ US impatience on denuclearization, Times of Israel (Aug. 4, 2018).

The Latest on U.S. v Microsoft: Microsoft Files Respondent Brief, Still More Amici Curiae Weigh In

January 22, 2018 by Zarine Kharazian Leave a Comment

On Thursday, January 11, Microsoft filed its brief in the U.S. v Microsoft case set to go before the Supreme Court in the 2017-2018 term. The central question in the case is whether the Stored Communications Act allows the U.S. government to compel an electronic services provider, through a probable-cause-based warrant, to disclose electronic communications stored abroad. For further background on this case, see our past coverage on the IELR Blog here and here.

Microsoft argues that Congress did not envision the Stored Communications Act to apply overseas. In 1986, when the statute was enacted, it was unimaginable that one day governments could secure data from overseas rapidly and inexpensively. Under the presumption against extraterritoriality established by Supreme Court precedent, legislation does not apply extraterritorially unless Congress clearly states or intends otherwise. Thus, the SCA has no extraterritorial application.

According to Microsoft, a warrant that compels the copying and importation of electronic communications stored overseas is an impermissible application of the SCA. The government argues that it is seeking a domestic application of the warrant, because the ultimate disclosure of the emails would occur in the U.S. But the SCA protects the security of “communications in electronic storage,” not “disclosure.” Thus, the Court should interpret the statute to apply to “domestically stored communications,” not “domestic disclosures of communications.” It follows that a warrant seeking to compel the disclosure of communications stored abroad (regardless of where they are ultimately disclosed) is extraterritorial.

Microsoft then scrutinizes the Government’s claim that “a person who complies with a subpoena [cannot] become a government agent simply by collecting and producing evidence in its possession.” Microsoft denounces the claim as misleading; the act of copying and disclosing the email content to the Government would involve the execution of a warrant, not a subpoena.

Interestingly, Microsoft cites the “international discord” over the case as confirmation” that “the warrant entails an impermissible extraterritorial application of the SCA.” Indeed, U.S. v. Microsoft is unusual for the amount of interest and input it has generated from foreign governments, companies, non-profits, and individuals. In a blog post published on January 19, 2018, Microsoft’s President and Chief Legal Officer, Brad Smith, noted that thus far 23 amicus briefs by 289 entities and from 37 countries have been submitted in support of Microsoft. Even more striking is the sheer range of political ideologies among the supporters. U.S. Senators Orrin Hatch (R-UT) and Christopher Coons (D-DE), the Chamber of Commerce, the ACLU, Vox Media and Fox News are among the domestic supporters.

See the full list of signatories here.

The Latest on WannaCry: North Korea Decries Accusations; U.S. Comments on Marcus Hutchins’ Arrest

December 27, 2017 by Zarine Kharazian Leave a Comment

At a White House press briefing on December 19, 2017, President Donald Trump’s Homeland Security Advisor Tom Bossert publicly attributed the destructive WannaCry cyberattack to North Korea.

Over a period of several days in May 2017, the WannaCry ransomware crippled hundreds of thousands of personal and corporate computer networks in over 150 countries, until a UK computer security researcher, Marcus Hutchins, inadvertently discovered a “kill-switch” in the malware’s code that disabled the attack. Until Tuesday, the attack had not been publicly attributed to any particular state or non-state actor.

“After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea,” Bossert said during the briefing. “We do not make this allegation lightly. We do so with evidence, and we do so with partners.”

Bossert went on to praise corporate partners, in particular Microsoft and Facebook, for their role in disabling North Korean hacking and cyber operations directed towards the U.S. “Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe. They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.”

Bossert then introduced Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity for DHS. Bossert and Manfra went on to repeatedly stress the importance of public-private sector cooperation in cybersecurity matters. “In many ways, WannaCry was a defining moment and an inspiring one,” Manfra said. “It demonstrated the tireless commitment of our industry partners, a moment that showed how the government and private sector got it right; that our preparation, our investments in cybersecurity, keeping our systems up to date, and sharing information paid off.”

The Assistant Secretary also called for strengthening international cooperation with regards to cyber: “To prevent another attack like WannaCry, we are calling on all companies to commit to the collective defense of our nation. And this commitment does not end on our borders… it is only through international partnerships that the United States had time to prepare.”

On December 26, 2017, North Korea’s envoy in charge of U.S. affairs at the UN, Pak Song Il, demanded that the U.S. prove that the North Koreans were behind WannaCry. North Korea’s state-controlled media denounced the U.S.’s allegations as “reckless.”

Comments on the Recent Indictment of Marcus Hutchins

During the briefing, a reporter asked Bossert for comments on the recent DOJ indictment of Marcus Hutchins on unrelated computer fraud charges in early August. The DOJ has charged Hutchins for his alleged involvement of the Kronos banking Trojan, which experts believe was created in 2014 and distributed via the now-defunct cryptocurrency exchange AlphaBay. Hutchins is currently awaiting a court date, and has pleaded not guilty to the charges.

Bossert declined to comment on the ongoing criminal prosecution. He did acknowledge Hutchins’ role in disabling WannaCry, saying that “we… had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it. He took a risk, it worked, and it caused a lot of benefit. So we’ll give him that.”

Bossert did not give Hutchins all, or even most, of the credit, however. “[I]t wasn’t luck — it was preparation,” he clarified. [I]t was partnership with private companies, and so forth.”

Hutchins’ indictment had come as a shock to the cybersecurity community, which considered him somewhat of a hero for his role in disabling WannaCry. Immediately following his arrest, many of his colleagues took to Twitter to voice their skepticism of the charges. In September, however, Brian Krebs, an American investigative reporter and cybersecurity blogger, published an in-depth investigative piece titled, “Who is Marcus Hutchins” on his popular cybersecurity blog, KrebsonSecurity. In intricate detail, complete with screenshots of his process as well as a mindmap of his data points, Krebs excavates the dozens of online pseudonyms, email addresses, and posts in hacker forums linked to Hutchins’ early online accounts. He manages to link Hutchins to several online personas involved in selling malicious software on hacker forums.

Cryptocurrency Creates Potential Opportunity for both Ransomware Attacks and Agency Seizures

June 10, 2021 by Bruce Zagaris Leave a Comment

By Austin Max Scherer[1]

On June 7, the Justice Department seized much of the ransom that a major U.S. pipeline operator had paid last month to a Russian hacking collective.[2] This resulted from investigators tracing more than 75 Bitcoins worth as the money moved through a “maze” of at least 23 different electronic accounts belonging to DarkSide, the hacking group.[3] DarkSide operated by providing ransomware to affiliates. Iin exchange, DarkSide reaped a cut of the affiliates’ profits.[4] DarkSide began as an affiliate for another Russian hacking group called REvil, the group that recently used ransomware to try to extort money from JBS, one of the world’s largest meat processors.[5] Law enforcers viewed this seizure as a warning to cybercriminals that the United States would go after the hackers’ profits, which typically derive from cryptocurrencies.[6] In addition, law enforcement now hope this recent action will encourage victims of ransomware attacks to notify the authorities to help recover ransoms.[7] The Federal Bureau of Investigation (FBI) actively discourages ransom payments; however, ransom payments are still legal and they are even tax deductible![8]

Seizure of Ransom Payments

Law enforcement has found a breakthrough due to the fact that, “bitcoin transactions are available on a publicly distributed ledger, in many cases law enforcement can trace bitcoin payments and track stolen funds.”[9] Furthermore, the FBI was able to obtain the private key for the hackers’ accounts, the key essentially serves as a password which enabled the FBI to move bitcoin out of the wallet.[10] The seizure itself yielded $2.3 million worth of bitcoin.[11] The Special Prosecutions Section and Asset Forfeiture Unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure, with significant assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section.[12] The task force stated they would prioritize the disruption, investigation, and prosecution of ransomware and digital extortion.[13] Conversely, the ransomware attacks are generally unsophisticated.[14] “Hackers often use phishing and send employees emails containing suspicious links or attachments.”[15]

This coincided with President Biden’s first foreign trip, as he is expected to discuss the issue with Russian President Vladimir Putin.[16] Senior Biden administration officials deemed ransomware, as a national threat. Secretary of State, Antony Blinken stated the following, “states cannot be in the business of harboring those who are engaged in these kinds of attacks.”[17] FBI Director Christopher Wray further emphasized this complaint by stating, “if the Russian government wants to show that it’s serious about the issue, there’s a lot of room for them to demonstrate some real progress that we’re not seeing.”[18] Antony Blinken and Christopher Wray’s concerns are supported by the fact that, according to Chainalysis, a firm that tracks cryptocurrency payments, victims paid at least $412 million in cyber ransom attacks last year.[19]

Biden Administration Responses

In response to the series of ransomware incidents, the Biden administration, “announced that it would require pipeline companies to report significant cyberattacks that the government would create 24 hour emergency centers to handle serious hackings.”[20] However, even these efforts may not be enough as the FBI emphasized that all government agencies, private sectors, and, “even the average American.”[21] It would be quite the optimistic approach for the government to believe that all players in the cryptocurrency world will partake in dismantling these ransomware attacks, so a wait and see approach is best suited for now.

Several government officials have called for action against the ransomware attackers and the foreign states that harbor these attackers. Senator Mark Warner stated the following, “We must make clear to Russia-and any other adversaries-that they will face consequences for this and any other malicious cyberactivity.”[22] In addition, Microsoft reported, “the goal of the hackers was not to go after the aid agency itself, instead, its motivation appeared to be to use emails purporting to be from the U.S. government to get inside groups that have revealed Russian disinformation campaigns, anti-corruption groups and those who have protested the poisoning, conviction and jailing of Russia’s best-known opposition leader, Alexie A. Navalny.”[23] Furthermore, government officials have taken the position that the U.S. response to SolarWinds, a software supply, should have been harsher. The question then becomes, how does the U.S. implement a harsher response, and with sanctions applied to Russia already substantial, how much of a role can sanction play? One answer is that to be effective, sanctions must be multilateral and well-coordinated. The last four years the U.S. has not coordinated its sanctions. President Biden’s trip to Europe should provide some insight to these inquiries. Another response to ransomware attacks and cybercrimes has been prosecution of the perpetrators.

The current issue of the IELR will have a more comprehensive discussion of the ransomware attacks, the seizure, and implications.

[1] Rising third year law student, Washington College of Law, American University; M.S., Finance, American Univ; B.A., George Washington Univ.

[2] Katie Benner and Nicole Perlroth, Seizing Money, U.S. Retaliates For Cybercrime, N.Y. Times, Jun. 8, 2021, at A1.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Sadie Gurman, David Uberti, and Dustin Volz, Pipeline Ransom Money Seized By U.S., Wall St. J., Jun. 6, 2021, at A1.

[10] Ellen Nakashima, Authorities recover about $2 million paid in ransom to pipeline hackers, Wash. Post, Jun. 8, 2021, at A18.

[11] Id.

[12] For Immediate Release: Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside, Dept. of Justice, Jun. 7, 2021, https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside (last visited Jun. 10, 2021).

[13] Id.

[14] Rachel Lerman, Meat supplier JBS paid $11 million in ransom after hackers targeted plants, Wash. Post, Jun. 10, 2021, at A22.

[15] Id.

[16] Nakashima, supra note 10.

[17] Benner and Perlroth, supra note 2.

[18] Id.

[19] Nakashima, supra note 10.

[20] Benner and Perlroth, supra note 2.

[21] Id.

[22] Nicole Perlroth and David E. Sanger, Calls for Action Against Russia for Cyberattack, N.Y. Times, May. 29, 2021, at A1.

[23] Id.

Former IT Employee Sentenced to Prison for Damaging Company’s Computer Network

October 2, 2020 by Jonathan J. Rusch Leave a Comment

Information security professionals today are awash in overwhelming, and constantly replenished surges of information about cyberthreats. Because so much of this cyberthreat intelligence concerns external threats of increasing sophistication and complexity, from organized criminal networks to state actors, it can be easy for information security teams to overlook the possibility that disgruntled insiders may pose a risk to their organization’s networks and data.

Insider attacks, however, are a genuine and persistent dimension of the cyberthreat environment. The Ponemon Institute’s 2020 Cost of Insider Threats Report found that in only two years the number of insider threats has increased 47 percent — from 3,200 in 2018 to 4,716 in 2020 – while the cost of such incidents has increased 31 percent, from $8.76 million in 2018 to $11.45 million in 2020. In addition, careless or negligent employees account for 62 percent of incidents, leading to an average cost of $307,111 per incident, while incidents involving malicious insiders or credential thieves lead to an average cost of $871,686 per incident.

One recent case provides concrete examples of the damage that a single disaffected employee can cause within an organization. On September 24, the U.S. District Court in Maryland sentenced Shannon Stafford, a former information technology (IT) manager for a global company identified only as “Business A,” to a year and a day in federal prison and restitution of $193,258.10 for illegally accessing and damaging Business A’s computer network.

According to the U.S. Department of Justice, Stafford was employed in Business A’s information technology department from 2005 to 2015. As part of his duties, he had access to other employees’ system login credentials “and was authorized to use them in the course of performing his technical support duties.” He also was responsible for disabling network access credentials company users at the end of their employment.

Although Stafford was promoted in 2014 to a managerial role, as technical site lead for the company’s Washington office, he was demoted in March 2015 to an IT support role because of performance issues in his management position. After his performance issues continued, Stafford was fired on August 6, 2015.

Beginning on the evening of August 6, Stafford engaged in a series of actions directed at damaging Company A’s network:

August 6: That evening, Stafford “repeatedly attempted to remotely access Business A’s computer networks from his residence,” using the laptop that the company had provided to him. He unsuccessfully tried to access Company A’s network approximately 10 times, using his own credentials and those of a former co-worker whom he had previously assisted.
August 8: In the early morning, Stafford successfully used the former co-worker’s credentials and the company laptop to access, without authorization, the computer that had been located under his desk in the Washington office. He “used the Washington IT computer to execute demands to delete all of the file storage drives used by the Washington office, then changed the password to access the storage management system.” The deletion of those files
- caused a severe disruption to the company’s operations and the loss of some customer and user data. Changing the password hindered the company’s efforts to determine what happened and restore access to its remaining files. As a result of the deletion of the network file storage drives, Washington users were unable to access their stored files for approximately three days, until the data could be restored from backups. Customer and user data that was not included in the most recent backup prior to Stafford’s deletion of the files was permanently lost.
August 11: Stafford “unsuccessfully attempted to remotely access the company’s computer network from his home approximately 13 times, using credentials that were not his.”
August 13: A Company A representative “spoke to Stafford and demanded that he cease and desist his attempts to unlawfully access Business A’s computer systems.
August 21 – September 9: Despite Company A’s demand, between August 21 and September 9, Stafford “attempted to access the company’s network from his home approximately 17 times, using credentials that were not his.”
September 14: Stafford “used the credentials of another former co-worker to access a network file storage system computer that he had been responsible for maintaining in the IT department of the company’s Baltimore office, intending to cause the same type of damage he did when he deleted the Washington office’s stored files.” That attempt failed “because Business A had changed the password after Stafford’s attack on the Washington files.”

The actual loss to Business A that resulted from Stafford’s damage and attempted damage to its computer systems, including the costs of restoration of the deleted systems, investigation of the events, and response to the intrusion was at least $38,270. In addition, Business A incurred legal fees of $133,950.60 and a fee of $21,037.50 for a forensic investigation.

Ultimately, a federal grand jury indicted Stafford in 2017 on two computer damage-related charges: one for the August 8 damage to the files in Company A’s Washington office, and the other for Stafford’s damage attempts between August 21 and September 9. Stafford was convicted after a four-day trial.

***

In one sense, Stafford’s case is unremarkable because it did not involve the use of any sophisticated hacking techniques. Yet it is precisely the simplicity of his conduct and the ease with which he caused harm to his company that should be of concern to chief information security officers (CISOs) and chief compliance officers (CCOs) in all types of companies around the world. What Stafford did can easily be mimicked by other disgruntled IT staffers in other countries – as United Kingdom law enforcement has seen on several occasions (here, here, and here).

For that reasons, CISOs and CCOs should make use of the Stafford case in two ways. First, they should cite it in briefing senior executives in their organizations and remind them of the risks of internal computer sabotage. Those risks certainly include the immediate costs of lost business and repairing the damage. But CCOs and CISOs can also join forces with their businesses’ legal officers to point out the potential for regulatory enforcement action based on the organization’s failure to maintain adequate information security.

Second, they should make sure that their organizations’ internal procedures include certain minimum procedures in place when it appears that it may be necessary to terminate or demote an IT manager or employee whose workplace conduct includes serious indications of hostility or anger.

Based on Stafford’s and other insider sabotage cases, those procedures should include the following.

First, if an organization decides to terminate an IT employee, or receives a resignation letter with immediate effect from that employee, it should not accept the employee’s representations that he will return a company-issued computer. Rather, the company should take immediate lawful action to obtain custody of that computer. Under no circumstances should the company rely on the employee’s promises to return company property in due course. As Stafford’s and other insider-sabotage cases have shown, even one or two days after separation of that employee can be enough to allow the employee to use the company computer to cause damage.

Second, if an IT employee is about to be separated from the organization, even before, and during, the formal actions to inform the employee of his termination and escort him from the premises, the organization should review the employee’s outgoing emails for indications of intent to retaliate against the company and determine what levels of administrator access that employee may have.

In one insider-sabotage case, an IT help desk employee, even after his termination, was able to access an administrator account and shut down his company’s email server and application server and delete systems files essential to restoring computer operations. Even though the employee’s access rights reportedly had been revoked as he left the building, the company’s IT director found that the employee had emailed himself a list of network access codes and passwords for various company IT subsystems.

Third, with respect to IT administrators, the organization should have a second person, whether inside that organization or in an external information security firm, who has system privileges and access equivalent to or greater than those of the IT administrator. No organization should be totally reliant on a single individual who, if threatened with demotion or termination, could be tempted to retaliate against the organization’s networks or files.

Accordingly, if the organization has made the decision to terminate that administrator, it should direct the backup administrator to take all necessary steps to block the primary administrator’s access to the enterprise’s systems immediately before, or during, the organization’s notifying the disgruntled administrator of his termination, before that administrator can take action against the organization.

None of these measures are guaranteed to prevent a disaffected IT employee from lashing out at his organization by using what IT skills he has. All of them, however, can reduce the chances that such an employee will succeed in his destructive mission, and can be accomplished at minimal cost to the organization. The potential risks of operational shutdowns and loss of key files and processes, and of regulatory sanction for failure to maintain adequate cybersecurity measures, are too substantial to ignore.

OU Launches Global Risks & Threats Leadership Forum June 6

May 21, 2020 by Bruce Zagaris Leave a Comment

Please see here for more information and to sign up.

The University of Oklahoma is launching a four-part OU Global Risks & Threats Series on Saturday, June 6, with leaders from the intelligence, finance, law enforcement, corporate and cyber sectors. The other three virtual events will occur in late June, July and August.

The subject of the first of the four forums is The Pandemic Threat: Risks and Impacts of COVID-19, and will focus on the latest threats, trends and strategies on how to address the most critical issues of the pandemic. The forum is scheduled 10 a.m. to 2 p.m. Central Time (USA). There will be a break halfway through.

Over the four sessions, attendees will gain knowledge of real-world solutions, with valuable insights from decision makers in the public and private sectors about their experience handling today’s most complex global challenges. Because of the pandemic, the series will take place as easily accessible virtual forums, presented online via Zoom. Questions for the speakers can be sent in before the forums.

Registration for the first event is US$30. Additional information, including a full agenda and presenter bios, is available online at price.ou.edu/GRTS, and the registration website is price.ou.edu/GRTSregistration.

Adriana Sanford, J.D., dual LL.M, the founding director of OU GRTS, Senior Fellow at the OU Center for Intelligence and National Security, and Assistant Director of Executive Education Programs at the Gene Rainbolt Graduate School of Business, will be the lead-off speaker at the events and preside throughout the series.

The lineup for the COVID-19 virtual event on Saturday, June 6, is:

Special Guest Speaker

Honorable Eduardo Aninat, Former Finance Minister of Chile, former Chairman of the Board of Governors and member of the Development Committee of the World Bank and the IMF

Keynotes and Featured Speakers

Adriana Sanford, J.D., dual LL.M., Former Fortune 500 Senior Counsel, Global Threats Expert, and International Television Commentator
Lou Bladel, former Chief of the FBI’s Counterespionage Section and current Managing Director of Assurance Services at Ernst & Young
Tom Finan, former FBI Assistant General Counsel and current Cyber Growth Leader at Willis Towers Watson
Cheemin Bo-Linn, ED.D., former Vice President of IBM and current Board of Director Member and Global Risk and Recovery Expert
Bruce Zagaris, global anti-corruption and anti-money laundering expert
Ross S. Delston, former FDIC regulator and global AML pundit
Scott B. MacDonald, global economist and former OCC International Economic Adviser
Jeff Schermerhorn, complex cyber risk expert at Willis Towers Watson

Future speakers include:

Spotify’s Head of Global Affairs and Chief Legal Officer and former Microsoft General Counsel and Corporate Vice President for Legal Affairs, Horacio Gutierrez
Chief Commercial Officer for Aon Intellectual Property Solutions, and former Chief Intellectual Property Officer at Philips and IBM Vice President of IP and Licensing, Brian Hinman
Former Drug Enforcement Administration Special Agent and CIA Operations Officer (Narco-Terrorism and Global Security Threats), Matt Addington
Group Chief Risk Officer for Coca-Cola HBC, Gerold Knight

OU GRTS is a collaborative effort between the Michael F. Price College of Business and the OU Center for Intelligence and National Security, consistent with the University’s initiative “to solve real-world problems in ways that both build human knowledge and improve the communities that we serve.”

“The OU Global Risks & Threats Series provides a unique opportunity to leverage the insights of a diverse, talented group of international experts to better understand the risks and opportunities created by the COVID-19 pandemic and other major global concerns,” said James L. Regens, Ph.D., Regents Professor and director of the Center for Intelligence and National Security – an Intelligence Community Center of Academic Excellence.

OU GRTS maintains a cross-industry speaker ecosystem of world-renowned experts, visionaries, strategic decision-makers, and industry leaders that provide guidance, direction and insights.

“We think it is important to share our work and our vision with the global community and to help shape the next generation of world leaders, decision-makers, senior executives and skilled students,” said Wayne Thomas, interim dean of the Price College of Business. “By bringing world experts together, we can better understand the threats that have political, economic and social implications on all of us, and we can advance real-world solutions and work together on a multilateral basis,” he added.

About the University of Oklahoma

Founded in 1890, the University of Oklahoma is a public research university located in Norman, Oklahoma. OU serves the educational, cultural, economic and health care needs of the state, region and nation. More information is online at www.ou.edu.

About the Michael F. Price College of Business

The Michael F. Price College of Business has experienced significant growth over the past five years in the number of faculty, staff and students and has become OU’s second-largest college, with more than 4,900 students. The College offers undergraduate, master’s, executive and doctoral programs across six academic divisions in Accounting, Entrepreneurship and Economic Development, Finance, Management and International Business, Management Information Systems, and Marketing and Supply Chain Management. The College’s Gene Rainbolt Graduate School of Business is a 27,000-square-foot facility located in the heart of Oklahoma City’s Innovation District and is home to the College’s full-time and professional MBA programs, as well as the Executive MBA in Aerospace and Defense and the Graduate Certificate in Aerospace and Defense.

The Price College of Business’s website is price.ou.edu and the Gene Rainbolt Graduate School of Business’s website is ou.edu/price/mba.

About the Center for Intelligence and National Security

As an Intelligence Community Center of Academic Excellence, the University of Oklahoma Center for Intelligence and National Security conducts interdisciplinary research on key intelligence and national security challenges. The Center also offers a robust academic program spanning science, technology, engineering and mathematics (STEM), the social and behavioral sciences, and critical languages. The academic program embraces experiential learning to build valuable foundational capacities in problem-solving, critical thinking and adaptability. Through its study abroad opportunities, OU CINS provides students pursuing undergraduate and graduate degrees a variety of cultural enrichment experiences.

The Center for Intelligence and National Security’s website is www.ou.edu/cins.