Tag Archives: CFIUS

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FIRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure that now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen in on your call.  Moral of the story: if you are doing something illegal or classified, don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

Trump Considers Executive Order Declaring National Security Emergency

President Trump is considering signing an executive order asserting a national security emergency using the International Emergency Economic Powers Act (IEEPA).

While every president since Jimmy Carter has used the IEEPA to impose sanctions on governments that we don’t like, no president has ever used it to tell private companies who they should buy parts from and who they should do business with.

This is all based on concerns from some people on both sides of the aisle that Chinese components (and Chinese products) have the potential to present national security issues.  Trump used national security as the reason to impose tariffs on imported steel and aluminum.  While that argument has drawn a lot of critics, it seems likely that IF the president decides to try and force businesses to stop buying parts and products and stop foreign investment in U.S. businesses, there may be fewer complaints.

Except, that is, for companies that have to shut down, lay off workers and go out of business because the only source for the components that they use to make their products has been banned or the money that they need to keep operating is no longer available.

That is the challenge that the president has to sort out.

Very few chips that are the guts of everything from dishwashers to computers are made in the United States.  Many are made in China, but others are made in Japan, Korea and a small number of other countries.

In general, there is very little overlap.  A chip that is made in China is likely not made elsewhere, so companies building products that use those chips will have to stop building and selling those products and also, perhaps more importantly, possibly stop fixing ones that people have already bought.  They likely could re-engineer those products, source new and different parts, rework the assembly lines and then restart production.  For large companies, that is possible.  Smaller companies will just go bankrupt and lay off all of their employees.  Since most American companies are small businesses, it could possibly have a significant impact on the U.S. workforce.

It is also not clear whether this is like the tariffs in the sense that products that are made outside the U.S. would be banned because they contain Chinese parts.  None of this has been sorted out yet, but it is likely that if that happens, those countries would retaliate and ban U.S. products.  That would turn the U.S. into an island.

The whole thing is a bit of a mess.

The government also considered using this same law to implement restrictions on foreign investment in the United States, but instead used a different law, CFIUS, to achieve the same goals.  In both cases, the result is that U.S. businesses that want to expand and create more jobs won’t be able to do that – at least not with certain foreign investments.  This EO could further restrict foreign investment in the U.S. above and beyond what is possible with CFIUS.

Interestingly, two companies that the EO would target are Huawei and ZTE, both of whom are the subject of major Department of Commerce sanctions right now. Trump has been trying to negotiate a deal where ZTE pays the U.S. a lot of money and would then be no longer considered a national security threat.  You can’t have it both ways.  Either they are or they are not.  To be continued.

This is at the same time that Facebook admitted to sharing information on users with 52 companies, including Chinese companies like Huawei, Lenovo, Alibaba and Qualcomm.  One assumes that in Facebook’s case, it was a matter of money – probably not direct cash, although it may have included some of that, but rather to lock those vendors into the Facebook Kool-Aid in one way or another.

In light of admitting to doing this, likely illegally since they did not get users’ permission to share the data, Facebook now says that they have ended 38 of those relationships and will end the rest of them soon.

Facebook says that it forgot to mention these data sharing relationships because they had shifted to sharing data using a different method – the way they shared data with Cambridge Analytica.  I am not sure that is any better, but who knows.

All in all, there are some real issues here, but also, given the global economy, it is not clear that there is an easy answer.  We have already seen that some of the countries that we have hit with tariffs on steel and aluminum have imposed their own tariffs, and all that has not played out yet.

Information for this post came from The Washington Post and The Hill.