A win for Biden administration's cyber agenda in court - The Washington Post

2023-08-23 06:27 (EST) - Tim Starks

Welcome to The Cybersecurity 202! Was having a discussion with some pals on this … who are the greatest hard-rock bands ever? Let me know. Below: Regulators approve an auto repair law after previous car-hacking concerns, and a state court says police can’t hide their social media monitoring policy. First:

Judge rules favorably on Treasury sanctions of crypto service

The Treasury Department was within its rights to levy sanctions against the cryptocurrency service provider Tornado Cash as part of its battle against North Korean hackers seeking to launder stolen funds, a federal judge recently ruled.

Western District of Texas Judge Robert Pitman granted a summary judgment for the department to avoid going to trial over claims from six people that the sanctions — which barred Americans from carrying out transactions with Tornado Cash — violated First Amendment and Fifth Amendment protections.

Treasury’s Office of Foreign Assets Control has alleged that Tornado Cash, which pools digital assets to obscure their ownership, has helped launder more than $7 billion since it was founded in 2019, including hundreds of millions stolen by the notorious North Korean hackers the Lazarus Group.

The ruling is a victory for the overarching Biden administration approach toward cybersecurity and disrupting malicious hackers.

The case and ruling

Pitman handed down his ruling last week, but it didn’t become more widely noticed until this week.

Coinbase Global, a crypto exchange, backed the lawsuit. Among the litigants’ major claims:

Due to its decentralized nature and other structural mechanisms, Tornado Cash is not the kind of entity that the Treasury Department has the authority to sanction under the International Emergency Economic Powers Act.

The sanctions prevent people from using Tornado Cash to make donations to important causes and chilled the publication of source code, raising a First Amendment claim. (The Electronic Frontier Foundation also indicated its support for this part of the suit in a friend-of-the-court brief.)

Plaintiffs were unable to access their cryptocurrency after the sanctions, raising a Fifth Amendment claim about the taking of property.

Pitman rejected the first two arguments, and said the plaintiffs had abandoned the third argument.

One of the governance structures of Tornado Cash is a “decentralized autonomous organization” or DAO. Pitman wrote that despite the name, “the actual governance authority of DAOs is often highly concentrated,” and Tornado Cash’s DAO combined with other governance structures made it function like the kind of entity that is subject to Treasury sanctions.

“Utilizing this structure, Tornado Cash has been able to place job advertisements, maintain a fund to compensate key contributors, and adopt a compensation structure for relayers, among other things,” he wrote. “Substantial evidence supports the argument that founders, developers, and DAO constitute ‘[a] body of persons who have combined to execute [the] common purpose’ of developing, promoting, and governing Tornado Cash.”

And while the First Amendment guarantees the right to donate to causes of one’s choosing, Pitman wrote, “it does not protect the right to do so through any particular bank or service of their choosing, and Plaintiffs do not cite any case to the contrary.”

What they’re saying and where it fits

“We are pleased with the Texas District Court’s opinion upholding Treasury’s vital work protecting U.S. national security,” said a Treasury spokeswoman, who spoke on the condition of anonymity due to the sensitivity of sanctions implementation. “At a time when North Korea is increasing its reliance on virtual currency heists and other cybercrime, it’s critical to continue disrupting the regime’s ability to generate revenue for its ballistic missiles and weapons of mass destruction programs.”

Paul Grewal, chief legal officer at Coinbase, tweeted that the company would continue to support the suit on appeal.

Rights are rarely secured on a path that is always ⬆️ and ➡️. We continue to believe Plaintiffs’ challenge to OFAC’s Tornado Cash action is right. We’ve always known that Fifth Circuit review is required to resolve these issues, and we continue to support them on appeal. 1/4 pic.twitter.com/Tz8FkFCSf2 — paulgrewal.eth (@iampaulgrewal) August 17, 2023

The Biden administration has prioritized disruption of ransomware gangs and other attackers, as indicated in its National Cybersecurity Strategy. Sanctions like the ones the Treasury Department issued against Tornado Cash are part of that effort.

“Coordinated efforts by Federal and non-Federal entities have proven effective in frustrating the malicious cyber activity of foreign government, criminal, and other threat actors,” the strategy reads. “The Federal Government has increased its capacity to respond to cyber incidents; arrested and successfully prosecuted transnational cybercriminals and state-sponsored actors; imposed sanctions on malicious cyber actors, including bans on travel and denying access to money service providers; and deprived threat actors of access to digital infrastructure and victim networks.”

The keys

Regulators okay auto-repair law after previous car-hacking concerns

The National Highway Traffic Safety Administration (NHTSA) on Tuesday approved a Massachusetts measure that would require automakers to share vehicle data with independent repair shops, marking a reversal after the regulator previously warned the directive could make vehicles vulnerable to hacking, David Shepardson reports for Reuters.

The 2020 initiative was designed to allow consumers to seek out car repair options outside of dealerships, but NHTSA said in June last year that automakers should not comply on grounds that it could allow hackers to manipulate critical functions of cars.

Now, after discussions between state and agency officials, automakers can “safely share diagnostic data with independent shops using short-range wireless technology, but warned that using long-range wireless signals could potentially let hackers send dangerous commands to moving vehicles,” according to the report, which later adds that a White House competition council official was also involved in the talks.

Across the pond, Europol last year busted a keyless car hacking ring, though experts told your Cybersecurity 202 host that keyless functionality is not the only potential cyber vulnerability that autos can face.

Researchers have performed car hijackings several times, a theme that’s become more prominent as consumer vehicles come with more sensors and interconnected components. One group, for instance, remotely controlled several physical systems on a Tesla vehicle, including its lights and infotainment interface, at a security conference in March.

The U.S. has not pushed the needle on car cybersecurity as far as the U.N. or Europe, though the 2021 bipartisan infrastructure law included a measure to establish a cybersecurity coordinator at the Federal Highway Administration.

Pennsylvania court says police can’t hide social media monitoring policy

The Pennsylvania Supreme Court on Monday ruled that state police are not allowed to hide from the public how they monitor social media, Mark Scolforo reports for the Associated Press.

“All four Democratic justices supported the majority decision, which said the lower Commonwealth Court went beyond its authority in trying to give the state police another attempt to justify keeping details of the policy a secret,” Scolforo writes.

Under the ruling, police must provide an unredacted copy of their social media monitoring guidelines to the state’s American Civil Liberties Union chapter.

State law enforcement representatives have argued that fully disclosing how they use software to monitor online activities could risk public safety and make investigations less effective. A state police spokesperson said law enforcement officials are reviewing the decision.

Civil liberties advocates applauded the move. The ruling “sort of puts law enforcement on the same playing field as all government agencies,” Andrew Christy, a lawyer with the ACLU of Pennsylvania, told the AP. “If they have a legal justification to keep something secret, then they have to put forth sufficient evidence to justify that.”

Previously unknown hacker cell targets Hong Kong firms in supply chain cyberattacks

A previously unknown hacker group has been targeting unnamed Hong Kong companies and others in Asia through supply chain attacks, CyberScoop’s AJ Vicens reports, citing analysis from Broadcom’s Symantec Threat Hunter Team.

The researchers “dubbed the unknown actors behind the campaign ‘Carderbee’ and said the group compromised a Cobra DocGuard software update file with the goal of deploying the Korplug (also known as PlugX), a widely used piece of malware,” Vicens writes.

Chinese affiliation is probable, according to the researchers.

“The Korplug back door is usually used by China-linked APT groups,” Brigid O. Gorman, a senior intelligence analyst with Symantec, told the outlet. “In addition to this, the targeting is in line with what we’ve seen from China-linked groups in the past.”

Software supply chain attacks — where hackers compromise a software vendor’s product before it is purchased by customers to allow for infiltration of customers’ systems — have become prevalent this year amid several high-profile incidents that have continued to wreak havoc on organizations.

Daybook

The Institute of World Politics convenes an event on cyber critical infrastructure and artificial intelligence tomorrow at 6 p.m.

Secure log off

Thanks for reading. See you tomorrow.
