Cyber Week in Review: October 2, 2020
from Digital and Cyberspace Policy Program and Net Politics

Cyber Week in Review: October 2, 2020

Putin calls for cyberspace “truce;” Ransomware attack hits Las Vegas school district; The Department of Commerce imposes export licensing requirement for SMIC; Judge temporarily blocks TikTok ban; Universal Health Services suffers ransomware attack; and U.S. Treasury Department releases advisory regarding ransomware payments.
Russian President Vladimir Putin addresses the audience during Moscow City Day celebrations.
Russian President Vladimir Putin addresses the audience during Moscow City Day celebrations. Sputnik/Alexei Druzhinin/Kremlin via REUTERS

Putin Calls for Cyberspace “Truce”

Last Friday, Russian President Vladimir Putin called for a cyberspace “truce” between Russia and the United States that would provide “guarantees of nonintervention into the internal affairs of each other, including into electoral processes.” Putin’s unexpected proposal follows recent reports from Microsoft and Facebook that Russia is again meddling in the upcoming U.S. presidential election—claims that the Kremlin has vehemently denied. Although neither Moscow nor Washington appear to be taking the proposal seriously, Andrei Kortunov, who leads the Russian International Affairs Council, hypothesized that Russia “is preparing for a Democratic administration that could be even tougher toward Russia than a Republican one.”

Ransomware Attack Hits Las Vegas School District

On Tuesday, private information including grades, Social Security numbers, and addresses belonging to students from the Clark County School District in Las Vegas, which serves over 320,000 students, were publicly released following the district’s refusal to pay a ransom to hackers. Three weeks prior, local news outlets reported that Clark County School District’s employee data had been encrypted through a ransomware attack. Although schools are common targets for hackers, the pandemic has made ransomware attacks significantly more lucrative. Without in-person classes, school districts and universities are wholly reliant on online infrastructure and educational tools. Educators are divided about whether or not to pay ransoms. King R. Davis, superintendent of a Texas school district that paid a ransom of over $200,000 to a hacker in March, argued that it was easier for the school to pay the ransom than rebuild servers and allow learning to be put on hold.

The Commerce Department Imposes Export Licensing Requirement for SMIC

More on:

Russia

China

Cybersecurity

Economic Statecraft

Public Health Threats and Pandemics

Last Friday, the U.S. Department of Commerce declared that exports to Semiconductor Manufacturing International Corporation (SMIC), a top chipmaker crucial for Chinese tech companies’ products and China’s plans to build a domestic semiconductor industry, posed an “unacceptable risk” of military use. Going forward, American suppliers seeking to sell chipmaking equipment and software to SMIC will require export licenses. While SMIC has not been added to the Department of Commerce’s blacklist, which currently includes telecoms giant Huawei, SMIC will struggle to meet market demand and remain competitive without easy access to the latest American technology. These latest restrictions targeted at another Chinese tech company have furthered fears that Beijing will retaliate. Paul Triolo, geo-technology practice head at Eurasia Group, said that in a “worst-case” scenario, “this would be a tipping point for US-China.”

Following the Commerce Department’s announcement, on Wednesday Nikkei Asian Review reported that SMIC has been stockpiling chip-making equipment in anticipation of U.S. restrictions since early 2020. Previously, SMIC Co-CEO Zhao Haijun denied claims of elevated equipment purchases despite the company’s unusually high capital expenditure projections. In addition to sharing a central warehouse of stockpiled equipment with other Chinese chipmakers, SMIC has also been attempting to reduce its reliance on U.S suppliers and plans to eliminate U.S. equipment from its 40-nanometer chip production lines. Nonetheless, American equipment is still essential to producing its high-performance chips, and Johnson & Johnson CIO Jonah Cheng suggested that “SMIC's clients will have to start looking elsewhere” due to the new export license requirement.

Judge Temporarily Blocks TikTok Ban

On Sunday, Judge Carl Nichols of the U.S. District Court in Washington, D.C. granted ByteDance a preliminary injunction temporarily blocking President Trump’s order to remove TikTok from app marketplaces. ByteDance, which successfully argued that it had not been given sufficient time to defend itself, now has a reprieve as it continues to negotiate a potential sale of TikTok’s U.S. operations to Oracle and Walmart. However, Judge Nichols denied a motion by ByteDance regarding a second component of the ban from the Committee on Foreign Investment in the United States that will fully outlaw TikTok if ByteDance does not divest itself of the company by November 12. The decision marks the second challenge to President Trump’s proposed bans of Chinese apps, as a San Francisco federal magistrate, citing First Amendment concerns, blocked the Trump administration's WeChat ban two weeks ago.

Universal Health Services Suffers Ransomware Attack

On Sunday, Universal Health Services (UHS) suffered a ransomware attack that hobbled its U.S. computer networks and led the hospital chain to take medical record, laboratory, and pharmacy systems offline. UHS has not disclosed details about the ransomware, but UHS employees have reported behavior that resembles Ryuk, a malware associated with Russian hackers. Although no data appears to have been leaked and patient services have continued, emergency wait times have grown longer and staff are struggling to meet COVID-19 testing demand. Throughout the week, UHS Clinicians and technicians have expressed growing concern for patients, underscoring the potential impact of cyberattacks on hospitals. "It is a life-or-death situation," said one technician, while John Riggi, a cybersecurity adviser for the American Hospital Association, said, "We believe any cyberattack against any hospital or health system is a threat-to-life crime and should be responded to and pursued as such by the government."

U.S. Treasury Department Releases Advisory Regarding Ransomware Payments

On Thursday, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) released [PDF] guidelines for companies whose ransomware payments could violate U.S. sanctions. The department warned that a firm, “including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” could face penalties and criminal investigation, “even if it did not know or have reason to know” that it was paying a sanctioned ransomware gang. OFAC also stated that in exchange for self-reporting a ransomware attack, companies can reduce their risk of being held liable for paying a ransom to a sanctioned entity, and that they will review proposals by victims to pay ransomware gangs “on a case-by-case basis with a presumption of denial.” Charles Carmakal, CTO at Mandiant, warned, “this announcement is absolutely going to cause significant waves and push companies to reconsider whether paying is an option.” Meanwhile, Karen Sprenger, COO at LMG Security, suggested that in response to OFAC’s announcement, more U.S. firms could be tempted to “approach third parties overseas to make ransomware payments on their behalf” to avoid detection by U.S. authorities.

More on:

Russia

China

Cybersecurity

Economic Statecraft

Public Health Threats and Pandemics

Creative Commons
Creative Commons: Some rights reserved.
Close
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.
View License Detail