News: A new era for international cybercrime

Monday, January 29, 2024

A new era for international cybercrime

Jan 29, 2024

— With help from Daniel Lippman

Driving the day

— The final negotiating session of the U.N.’s international cybercrime treaty five years in the making is upon us. It would create the first-ever standard for global cybercrime — but the draft is not without its detractors.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Taylor Swift is headed to the Super Bowl in her NFL rookie season. That’s how you know she’s the GOAT.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

JOIN 1/31 FOR A TALK ON THE RACE TO SOLVE ALZHEIMER’S: Breakthrough drugs and treatments are giving new hope for slowing neurodegenerative diseases like Alzheimer’s disease and ALS. But if that progress slows, the societal and economic cost to the U.S. could be high. Join POLITICO, alongside lawmakers, official and experts, on Jan. 31 to discuss a path forward for better collaboration among health systems, industry and government. REGISTER HERE.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Today's Agenda

Director of the Veteran Affairs National AI Institute Gil Alterovitz, VA chief technology officer Charles Worthington, director of the Veterans Health Administration’s information access and privacy office Stephania Griffin and others are facing the House VA’s tech modernization subcommittee on the future of data privacy and AI. 3:30 p.m.

Cyber Diplomacy

THE MOMENT HAS ARRIVED — The climax of a yearslong cybercrime saga unfolds this week, with negotiators from across the globe descending on United Nations headquarters in New York to grapple with the final steps of a historic international treaty. Here’s what to watch for during the two-week stretch.

— What’s on the table: After years of haggling, it’s the seventh (and final) session between the global negotiators working to approve a draft text meant to build a common criminal policy aimed at “the protection of society against” cybercrime and the use of information technology for criminal purposes.

That should snowball into one day adopting appropriate legislation, setting minimum standards for cybercrime laws and creating technical assistance to help countries develop the capacity to investigate and prosecute cybercrime cases.

The draft so far focuses on some of the world’s pressing cybercrimes, like stealing money and information online, preying on children and hiding dirty money.

— Context is key: The United Nations first made the decision to put together an international convention on cybercrime back in a 2019 resolution. When finished, the draft document will be provided to the General Assembly — where there is currently no legal binding consensus on international cybercrime.

— What to expect from the U.S.: A State Department official, speaking on condition of anonymity to discuss sensitive negotiations, tells Morning Cyber the U.S. will push to include “criminal statutes specific to core cybercrime offenses,” such as tougher mandates against hacking, snooping, data tampering and device misuse. The negotiating team also wants a system for sharing evidence across borders without trampling on privacy.

— Who’ll be there: Former U.S. Ambassador to Lithuania Deborah McCarthy is heading the American delegation, where the stated approach is to prioritize international cooperation and human rights. McCarthy’s team also features officials from the State and Justice departments.

Also taking part are representatives from 15 U.N. member states, including delegations from Russia and China.

But not everyone’s on board: proposals from Russia and China on protecting critical information infrastructure and personal data had been reintroduced during the last session in August — but were not met with broad consensus, the official said.

— Worldwide detractors: A coalition of human rights groups and security researchers has been raising red flags about the proposed treaty, blasting it as an overbroad, privacy-crushing weapon that could stifle dissent and empower authoritarian regimes.

More than 100 advocacy organizations and individual experts signed on to the statement in the week ahead of the negotiations urging negotiators to either narrow its scope to improve cybersecurity on the open internet — or abandon the whole thing.

“There's still not a very clear definition of what cybercrime is,” said Deborah Brown, the acting associate director and senior researcher for tech and human rights at Human Rights Watch, who has been tracking the treaty since 2019. “So that still leaves a window open and there’s also the cooperation of surveillance aspects on virtually any crime.”

“As it stands, we wouldn't support this draft at all,” Brown asserted.

DON’T MISS POLITICO’S GOVERNORS SUMMIT: Join POLITICO on Feb. 22 to dive into how Governors are wielding immense power. While Washington remains gridlocked, governors are at the center of landmark decisions in AI and tech, economic development, infrastructure, housing, reproductive health and energy. How are they setting the stage for the future of American politics, policies and priorities? How are they confronting major challenges? Explore these questions and more at the 2024 Governors Summit. REGISTER HERE.

On the Hill

GRILLING VA ON AI — The House Veterans Affairs Committee tech modernization subcommittee is putting the heat on the VA over how it handles vets' sensitive health and benefits information — and how it's preparing for a future filled with AI.

— History of breaches: It’s the first hearing in nearly two years since lawmakers last scrutinized the VA’s data practices. The department has seen at least seven breaches compromising more than 4,000 vets since then, according to VA reporting shared by a staffer with knowledge of the committee’s work.

And remember, the VA announced a massive data breach back in 2020 affecting about 46,000 veterans.

— The VA wants to be an AI champion: The agency was one of the very first federal departments to create an official AI strategy back in 2021 and several internal bodies to spearhead innovation — like the VA National Artificial Intelligence Institute.

That includes launching some pilot projects aimed at tasks like automating medical note-taking to reduce clinician burnout.

But past breaches ranging from record theft to contractors mishandling data is raising serious concerns about the department's ability to safeguard veterans' personal information.

— Problems abound: The VA will face pressure at the afternoon hearing to explain how it will update policies to account for AI's potential risks to sensitive data. That includes the committee digging into its policies on contractors and technology partners’ use of data and how AI comes into play.

— Bias in the system: Expect lawmakers to press the VA on how it would balance innovation with vets’ privacy rights, including questions from ranking member Sheila Cherfilus-McCormick (D-Fla.) on the need to ensure the tech doesn’t “perpetuate systemic inequities,” the staffer said.

For its part, the VA has acknowledged it would tread carefully on bias in AI systems, according to a briefing document provided to committee staff detailed exclusively to Morning Cyber.

The International Scene

TAIWAN’S SUCCESSFUL EFFORTS — Taiwan beat back a Chinese disinformation campaign targeting its Jan. 13 election with a rapid response mobilizing all levels of society.

According to the Associated Press, it’s something Atlantic Council researcher Kenton Thibaut calls a “whole of society response” — which relies on government, media and civil society working together. And it offers lessons for democracies facing information warfare in 2024, when more than 50 countries will hold elections.

— How they crushed it: When baseless claims of voter fraud went viral, the Taiwanese election commission held press conferences rebutting accusations in the moment. Influencers debunked rumors on social media and media literacy efforts raised public awareness, while independent fact checkers proved deepfakes were edited.

Behind the scenes, the government identified and refuted false narratives before they spread. Taiwan’s deputy minister of foreign affairs Roy Chun Lee told Maggie at the Halifax International Security Forum in November that Taiwan had developed what he called a “triple two” approach to disinformation:

Respond to fake news within two hours of discovery.
Respond with truth in under 200 words.
Use at least two pictures or diagrams to support the truth.

— How bad was it?: Cyberattacks designed to overwhelm and crash networks in Taiwan reached new levels in the final quarter of 2023, spiking 3,370 percent — a more than 30-fold increase — since the previous year, according to a threat report from Cloudflare.

People on the Move

Jeff Rothblum is now director of cyber policy and plans in the Office of the National Cyber Director at the White House. He most recently was senior professional staff member for the Senate Homeland Security and Governmental Affairs Committee.

Tweet of the Day

Speaking of the VA …

Source: https://twitter.com/todayininfosec/status/1751367510362931476

Quick Bytes

CHILD ABUSE ONLINE — The proliferation of online child sexual abuse material continues to worsen despite decades of efforts to eliminate it, and Congress wants to know why. Get the details from the Washington Post’s Will Oremus and Cristiano Lima-Strong.

GOOD NEWS FOR ONCE — D.C. theater GALA Hispanic lost $250,000 to an elaborate bank hack, but luckily got the funds back thanks to having cyber risk insurance, writes Jonathan Greig for The Record.

I FORECAST A HACK — Pro-Ukrainian hackers reportedly wiped 2 petabytes of data from a vital Russian research center, potentially crippling weather forecasting, disaster prediction and support for military and civilian sectors, writes Bleeping Computer’s Bill Toulas.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).