Cyber Week in Review: June 10, 2022
Privacy bill emerges from congressional committees
Key congressional leaders released a draft bill on June 3rd that would set national standards for what data a company can collect from an individual and how that data can be used. The bill, titled the “American Data Privacy and Protection Act,” would limit data collection practices for companies to what is necessary for business functions and prevent them from charging users to access data privacy measures. The bill would preempt state laws, barring a few exceptions, and limit individuals’ rights to sue for monetary damages if a company violates their privacy. The bill will also set up a new bureau under the Federal Trade Commission to enforce the new regulations. While the bill has bipartisan support, prominent Democrats have registered their disapproval: Sen. Maria Cantwell (D-Wash), chair of the Senate Commerce Committee, has said the bill has too many loopholes to properly protect consumers, and Sen. Brian Schatz (D-HI), who has previously been a leader on privacy legislation, said negotiations around the bill were falling short of what he hoped for.
Chinese threat actors target U.S. telecommunications providers
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert this week on the activities of Chinese-linked threat actors and exploits they frequently used. The alert builds on two other alerts, issued in 2020 and 2021, which provided an overview of Chinese threat actors’ tactics, techniques, and procedures, along with the industries most at risk. The threat actors in the most recent alert were detected targeting telecommunications companies and network service providers to use their servers either for command and control or as proxy servers to launch attacks on other networks. CISA identified and listed widely available exploits attackers used to compromise systems and networks at a wide array of companies. Chinese cyber groups have become increasingly focused and professionalized over the past five years, as the military and Ministry of State Security’s approach to cyberspace has matured.
FBI seizes dark web personally identifiable information marketplace
The FBI announced the seizure of the SSNDOB Marketplace, a dark web mecca for buying and selling personally identifiable information (PII), including names, social security numbers, and dates of birth. SSNDOB had facilitated the sale of the PII of over twenty-four million U.S. citizens for nearly $22 million in cryptocurrency since 2015. The FBI collaborated with the Internal Revenue Service, U.S. Justice Department, and authorities in Cyprus and Croatia to take down servers used to host the marketplace. Authorities in Europe and the United States have been active in taking down nation-state and criminal malware in the past months, as European authorities last week took down the FluBot malware, and U.S. authorities disrupted the Cyclops Blink botnet in early April.
Senators propose new cryptocurrency regulations
Cryptocurrency markets have struggled in recent months, as Bitcoin has lost 40 percent of its value, and the stablecoin Terra collapsed completely. Cryptocurrency firms and acolytes got a welcome piece of news when Sen. Kirsten Gillibrand (D-NY) and Sen. Cynthia Lummis (R-WY) introduced the Responsible Financial Innovation Act on June 7. The bill redefines digital assets as “ancillary assets” or intangible, fungible assets that are treated as commodities rather than securities. As a result, cryptocurrencies will fall under the authority of the Commodity Futures Trading Commission (CFTC) rather than the Securities and Exchange Commission (SEC) as they historically have been. While Gillibrand and Lummis argue that their bill would create certainty and encourage innovation in the growing industry, skeptics note that the CFTC is the smallest financial regulator and is persistently underfunded, making it difficult to execute even its current responsibilities. Moreover, crypto skeptics and some academics fear that the bill would leave cryptocurrencies largely unregulated and continue to allow cybercrime and cryptocurrency scams to flourish.
China signs Data Security Cooperation Initiative with Central Asian countries
From June 6-9, China’s Foreign Minister Wang Yi met with foreign ministers of five Central Asian countries—Kyrgyzstan, Tajikistan, Turkmenistan, and Uzbekistan. The so-called “C+C5” meeting discussed matters related to security and economic cooperation, among other topics. Notably, the countries jointly issued a new Data Security Cooperation Initiative based on Beijing’s Global Initiative on Data Security. The signatories agreed to data sovereignty principles and opposed the use of backdoors to obtain user data, mass surveillance of countries, damage to information infrastructure, and data theft. China also signed bilateral agreements with Turkmenistan and Uzbekistan pledging to strengthen cooperation in cybersecurity and other security issues. These developments follow a spike in Chinese diplomatic efforts to increase cyber and data cooperation, which were a common theme in China’s meetings with Pacific Island nations last month.