December 2018 Legal Report

Strategic Security
December 2018 Legal Report
 

​Judicial Decisions​

Cybercrime. A Russian national pleaded guilty to his role in operating one of the largest botnets on the Internet that infected at least 50,000 computers.

Botnets are networks of computers that have been infected with malicious software that gives third parties the ability to control the network without the knowledge—or consent—of the computer owners.

Peter Yuryevich Levashov, 38, of St. Petersburg, Russia, pleaded guilty to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

“Since the late 1990s until his arrest in April 2017, Levashov controlled and operated multiple botnets, including the Storm, Waledac, and Kelihos botnets, to harvest personal information and means of identification (including email addresses, usernames and logins, and passwords) from infected computers,” according to the U.S. Department of Justice (DOJ). “To further the scheme, Levashov disseminated spam and distributed other malware, such as banking Trojans and ransomware, and advertised the Kelihos botnet spam and malware services to others for purchase in order to enrich himself.” Kelihos, one of the Internet’s largest botnets, infected at least 50,000 computers.

 Levashov also moderated and participated in online forums where stolen identities, credit card numbers, malware, and other cybercrime tools were traded and sold.

He participated in this activity until apprehended by Spanish authorities in April 2017 and extradited to the United States. His sentencing is scheduled for September 6, 2019. (U.S. v. Levashov, U.S. District Court for the District of Alaska, No. 3:17-cv-00, 2018)

Corruption. Former manager of a U.S.-based logistics and freight forwarding company Juan Carlos Castillo Rincon, 55, pleaded guilty to a foreign bribery charge for his role in a scheme to secure contracts and extensions for Venezuela’s state-owned and state-controlled energy company.

Castillo pleaded guilty to one count of conspiracy to violate the Foreign Corrupt Practices Act (FCPA) for conspiring with others between 2011 and 2013 to bribe a Petroleos de Venezuela S.A. (PDVSA) official, Jose Orlando Camacho, 46.

 In exchange for the bribe, Camacho helped Castillo’s company obtain PDVSA contracts, contract extensions, and favorable terms. Camacho also gave Castillo inside information about the PDVSA bidding process and supported Castillo’s company in meetings on purchasing decisions.

Camacho also pleaded guilty to conspiracy to commit money laundering, admitting in his plea that he conspired with Castillo to launder the proceeds of their bribery scheme.

The two men’s guilty pleas led to additional charges by the DOJ against 18 individuals—14 have pleaded guilty—as part of a larger ongoing investigation into PVDSA. (U.S. v. Castillo, U.S. District Court for the Southern District of Texas Houston Division, No. 18-cr-200, 2018) ​

Regulations

Elections. U.S. President Donald Trump signed an executive order that allows the United States to issue sanctions in the event of foreign interference in a U.S. election.

“Although there has been no evidence of a foreign power altering the outcome or vote tabulation in any United States election, foreign powers have historically sought to exploit America’s free and open political system,” Trump said in the order. “In recent years, the proliferation of digital devices and Internet-based communications has created significant vulnerabilities and magnified the scope and intensity of the threat of foreign interference, as illustrated in the 2017 Intelligence Community Assessment.”

Under the executive order, the U.S. federal government must create a process to assess the extent of foreign interference after every U.S. election. The order requires the U.S. director of national intelligence to assess information indicating whether a foreign government—or individual acting on that government’s behalf—acted with the intent to interfere in an election. 

The director then must deliver the assessment to the president, the U.S. attorney general, and the secretaries of state, treasury, defense, and homeland security, who will analyze the information and make recommendations about responsive actions the U.S. government can take in response.

This includes blocking any property or interests of those involved in interfering with an election, along with additional economic sanctions against businesses in a country whose government authorized or directed interference in an election. ​

“In the Untied States, primary responsibility for managing elections resides with state, territory, and local authorities,” Trump said. “The federal government, however, plays an essential role in identifying and deterring foreign interference and supporting state and local officials to secure election infrastructure.”


Legislation

United States
Disclosure. The U.S. House of Representatives Homeland Security Committee passed a bill that would require the U.S. Department of Homeland Security (DHS) to create a vulnerability disclosure process.

Under the bill (H.R. 6735), DHS would be required to create a vulnerability disclosure policy for outside researchers to report weaknesses they uncover in DHS’s websites or information systems.

 To create this system, DHS’s secretary will consult the attorney general, the secretary of defense, the administrator of general services, and nongovernmental security researchers. The policy would then be made publicly available.

DHS would then be required to report to Congress the number of unique security vulnerabilities reported through the process, the number of previously unknown security vulnerabilities mitigated or remediated, the number of unique parties that reported security vulnerabilities, and the average length of time between the reporting of the vulnerability and its remediation.

U.S. Representative Kevin McCarthy (R-CA) sponsored the legislation, which has three Republican cosponsors. 

Terrorism. U.S. President Donald Trump signed legislation into law that imposes sanctions on individuals who assist in terrorism.

The law (P.L. 115-272) amends the Hizballah International Financing Prevention Act of 2015 to allow the United States to impose sanctions on foreign individuals who knowingly assist or provide support for fund raising or recruitment efforts for the terrorist organization Hizballah. The law also allows the United States to impose sanctions on foreign government agencies that provide Hizballah with arms, financial support, or other assistance, and Hizballah itself.

Additionally, the law creates reporting requirements for foreign individuals who knowingly assist or provide support for those aiding Hizballah; financial institutions that are owned or organized under the laws of state sponsors of terrorism; Hizballah’s racketeering activities; and more.

U.S. States
California. California Governor Jerry Brown, signed legislation into law that for the first time in the United States sets standards for privacy and data security for Internet of Things (IoT) devices.

The law (formerly S.B. 327) requires connected devices manufacturers to equip them with a “reasonable security feature or features” that are “appropriate to the nature and function of the device”; “appropriate to the information the device may collect, contain, or transmit”; and are “designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.”

Devices are considered to have a reasonable security feature if they have a unique password and require users to generate a new means of authentication before accessing the device for the first time.

A California Senate Floor Analysis said the law is needed due to the amount of sensitive data that IoT devices collect that can be vulnerable to data breaches. 

The analysis also stressed that many IoT devices “can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly.”

Representation. California Governor Brown also signed legislation that requires companies to have more women on their boards.

Under the law (formerly S.B. 826), domestic general corporations or foreign corporations that are publicly held whose principal executive offices are in California are required to have one female board member by the end of 2019. 

By 2021, these same companies must have two female directors if they have five directors total—or three female directors if they have six or more directors on the board.

“More women directors serving on boards of directors of publicly held corporations will boost the California economy, improve opportunities for women in the workplace, and protect California taxpayers, shareholders, and retirees…” according to the law. “Yet studies predict that it will take 40 or 50 years to achieve gender parity, if something is not done proactively.”

To ensure compliance, the California secretary of state will publish reports on corporations in compliance. The secretary may also impose fines on those not in compliance, beginning with $100,000 and increasing to $300,000 for repeat violations.

Tennessee. Tennessee enacted a new amendment that allows employers to limit the ability of employees and others to carry concealed firearms at work.​

Under the amendment (formerly Public Charter No. 823), if employers want to limit concealed carry on their property, they must post prohibitions in prominent locations—including at all entrances—and include the following information: the phrase “NO FIREARMS ALLOWED” in a specified size, the words “As authorized by T.C.A. § 39-17-1359,” and a graphic of a firearm in a circle with a slash symbol.


ELSEWHERE IN THE COURTS​

Hacking. Peteris Sahurovs, 29, was sentenced to 33 months in prison for participating in a “scareware” hacking scheme targeting visitors to the Minneapolis Star Tribune’s website, according to the U.S. Department of Justice. Sahurovs was convicted of conspiracy to commit wire fraud for registering domain names, providing hosting services, and giving technical support to a “scareware” scheme using fake ads for a hotel on the Star Tribune’s website. The ads would infect visitors’ computers with malware, causing slow system performance, unwanted pop-ups, and total system failures, and later demand payment for an antivirus service to fix the problems for $49.95. (U.S. v. Sahurovs, U.S. District Court for the District of Minnesota, No. 0:11-cr-00177, 2018)

Maintenance. A resident filed suit against NiSource Inc. and its subsidiary, Columbia Gas of Massachusetts, after three communities it services experienced blasts and large-scale evacuations due to problems with gas services. The lawsuit alleges that the system Columbia Gas used to provide gas services was “poorly maintained, antiquated, obsolete, and highly dangerous.” It also accuses the company of failing to implement “reasonable safety and leak prevention practices,” and seeks damages on behalf of residents affected by the system. (Acosta v. NiSource Inc., Essex County Superior Court, 2018)

Excessive force. Former Veterans Affairs Medical Center Police Department Officer Michael Kaim, 28, was sentenced to one year in prison and a fine of $1,000 for depriving a patient of his civil rights. Kaim shoved and repeatedly punched the patient, whom he was arresting outside of a medical center. The patient, who was not identified, sustained bodily injuries due to the incident. “Any law enforcement official who uses excessive force against an arrestee violates the Constitution, which is designed to protect the civil rights of all individuals, including veterans who sacrifice their lives for our freedoms,” said Acting Assistant Attorney General John Gore in a statement. (U.S. v. Kaim, U.S. District Court for the Southern District of Indiana, No. 1:18-cr-00012, 2018)