United Kingdom National Cyber Security Centre Issues Threat Assessment for United Kingdom Universities

On September 18, the United Kingdom’s independent governmental authority on cybersecurity, the National Cyber Security Centre (NCSC), issued a threat assessment of “the current cyber security threat to UK universities and academia.”  The NCSC report noted that “[t]he threat posed to the university sector sits within the broader context of the threat to the UK as a whole,” including the threat of state-sponsored malicious cyber activity, as well as “a serious and sustained threat to the UK from organised cyber crime.”

The report presented four key judgments about the threat to universities:

  1. The key cyber threats to UK universities are highly likely to be (1) “Criminals seeking financial gain”; and (2) “Nation states looking to steal personal data and intellectual property, for strategic advantage.”
  2. Cybercrime “will probably present the most evident and disruptive difficulties for universities,” although state-sponsored espionage “is likely [to] cause greater long-term damage.” The report stated that the latter finding “is particularly true for those universities which prize innovation and research partnerships.”
  3. Likely effects of state espionage include (1) “Damage to the value of research, notably in STEM subjects”; (2) “A fall in investment by public or private sector in affected universities”; and (3) “Damage to the UK’s knowledge advantage.”
  4. “If foreign direct investment were to come under greater scrutiny or restriction, it is a realistic possibility that the cyber threat to universities would increase, as nation states sought alternative ways to gain access to sensitive research and intellectual property.”

The report also identified four potential categories of data and information of interest to a nation-state: (1) emails; (2) “bulk personal information on staff and students”; (3) “technical resources (e.g. documentation and standards)”; and (4) “sensitive research and intellectual property.”  Use of these data “will meet a wide range of state requirements,” such as “commercial advantage for the nation’s companies, advancing equivalent research efforts, military or security apparatus.”  The report also stated that sensitive research

may be targeted for its defence or commercial value, and its loss is likely the most detrimental of all to both the affected university and to the UK as a whole. Likely effects include damage to the value of impacted research and intellectual property for both individual researchers and the institution. The attractiveness, relevance and value of an impacted university as an investment partner will also be negatively affected. And at a wider scale, the knowledge advantage of the UK will suffer.

With regard to cybercriminals, the report observed that they “are likely to impact universities most often through untargeted attacks,” such as ransomware, which “brought significant loss-of-service to multiple UK universities in June 2018.”  It also noted that “[t]he use of spoofed or compromised email accounts to impersonate a university’s partners or suppliers is rising, and has led to the passing of sensitive information or funds to criminals.”

To defend against cyberattacks, the report cited widely recognized approaches, such as “good security awareness among staff and students”; “[s]ecurity-conscious policies, strict access controls and partitioning of high-value research”; and segregation within a university network of smaller, private networks, which “offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network.”

The report concluded with four main predictions:

  1. “State-sponsored activity will continue whilst it remains successful and the repercussions are limited.”
  2. “[S]tate espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself. There’s a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage.”
  3. “Cyber crime too will almost certainly continue to impact universities, either as a direct target or as collateral, regardless of the reputation and success of those universities targeted.”
  4. “[S]pear-phishing and social engineering are highly likely to remain the main attack vectors,” but ransomware “is likely to be the greatest single cause of disruption to staff, students and the universities themselves.”

Note:  The NCSC report stated that its information “will be of interest to all academic and non-academic staff. It will be particularly relevant to senior leaders in universities and research institutions, members of university councils and those engaged in research.”  It should also be required reading for legal, cybersecurity, and compliance officers in United Kingdom universities and research institutions.

Because universities are accustomed to regarding themselves as bastions of academic freedom that “nurtur[e] a culture of openness, tolerance and dialogue,” it can be difficult for some university administrators to accept that their institutions can be treated simply as targets of opportunity by “state-sponsored actors . . . looking to steal data and information for strategic gain” or “cyber criminals seek[ing] to commit fraud, or monetise stolen material through sale or ransom.”

For those reasons, university legal, cybersecurity, and compliance officers should coordinate their efforts to inform university administrators about the report’s findings, and use it as an opportunity to reassess the state of their own institutions’ cybersecurity programs.

China Reportedly Conducted Cyberattack on Australian Parliament, Political Parties Before 2019 Election

On September 17, The Times reported that the Chinese government “was responsible for a cyberattack on Australia’s national parliament and the three biggest political parties” before the May 2019 general election.  According to a report by Australia’s national signals-intelligence and cryptologic agency, the Australian Signals Directorate (ASD), the cyberattack

was orchestrated by China’s Ministry of State Security although the attackers used sophisticated techniques to try to conceal their identity. It was suspected that the attackers were looking for information that could prove useful if they were trying to influence or compromise members of parliament.

The ASD report was shared with at least the United States and the United Kingdom, according to Reuters sources.  Previously, in February 2019 Australian Prime Minister Brian Morrison had delivered a statement to the Australian House of Representatives reporting on “a malicious intrusion into the Australian Parliament House computer network” and that “the networks of some political parties – Liberal, Labor and the Nationals – have also been affected.”  But in the aftermath of the ASD report, the Reuters sources said, the Australian Government had decided “not to publicly blame China, as it was concerned it could hurt Australia’s commercial interests.”

Note:  Although China has long been recognized for its use of cyber espionage to support its strategic development goals, Russia thus far has received the lion’s share of global publicity for online efforts to interfere with other countries’ elections.  The Times report, however, provides further evidence — along with prior reports of Chinese interference in the 2018 Taiwan election (through social media, disinformation, and funding of candidates), and use of fake accounts in 2019 to foment political discord in Hong Kong — that China has chosen to emulate Russia in incorporating interference in foreign elections as a legitimate strategy to advance its foreign-policy and strategic interests, at least in the Asia-Pacific region.

Moreover, those prior efforts involved territories over which China has long asserted jurisdiction.  There is no comparable justification for it to interfere in other sovereign nations’ electoral processes.  Countries in and beyond the Asia-Pacific region should therefore regard further electoral interference — whether by state agencies or purportedly non-state actors — as a basis for concerted responses in multiple diplomatic and multilateral channels.

Netherlands Proposes Consolidated Organization to Monitor Payment Transactions for Anti-Money Laundering Purposes

On September 13, the Nederlandse Vereniging van Banken (NVB, or Dutch Banking Association) issued a press release (in Dutch and English) that announced a banking-industry initiative to enhance cooperation in the fight against money laundering.  The release stated that five Dutch banks — ABN AMRO, ING, Rabobank, Triodos Bank, and de Volksbank — are seeking “to set up an organisation that will monitor payment transactions: Transaction Monitoring Netherlands (TMNL).”

The NVB prefaced its comments about this initiative by recognizing that “[i]n their gate-keeping role, Dutch banks have an important function in protecting the integrity of the Dutch financial system,” and that “the banks are continually monitoring customer transactions with the aim of combating money laundering and the financing of terrorism.”  It noted that this initiative, which “the banks are actively supporting,” stems from the Money Laundering Action Plan that Dutch Minister of Finance Wopke Hoekstra and Minister of Justice and Security Ferdinand Grapperhaus outlined in July 2019.

Over the next six months, the NVB explained, it and the five banks will study whether the TMNL “is feasible given the technical and legal challenges involved.”   In light of the 68,000 unusual transactions that the banks reported to the Dutch Financial Intelligence Unit (FIU) in 2018 – 15,000 of which the FIU deemed suspicious – it stated that

[t]he banks are determined not to cooperate in money laundering in any way whatsoever. As part of their social responsibility, the banks are actively working on improving the effectiveness of their transaction monitoring in order to significantly increase the return from identification, detection, prosecution and conviction of criminal conduct. The combining of transactions effected by the various banks is expected to make it easier to spot flows of criminal funds.

The NVB also made clear that in connection with this initiative, the participating banks “are specifically looking for cooperation” with the FIU, the Dutch Openbaar Ministerie (Public Prosecution Service), the Dutch Fiscale Inlichtingen- en Opsporingsdienst (FIOD, or Fiscal Information and Investigation Service), and ministries.

Note:  This initiative is one that authorities across Europe and beyond – especially the United States – should follow closely over the next six months.  The financial sector is well aware that the current global regime for monitoring transactions for anti-money laundering and terrorist financing (AML/TF) basically consists of tens of thousands of unconnected “stovepipes,” in which financial institutions review only their internal transactions without reference to potentially relevant transactions that other financial institutions are identifying.  The joint initiative between the NVB and Dutch banks offers a promising opportunity to see whether a more coherent approach to AML/TF transaction monitoring can be devised in conformity with national and European Union legal requirements.

StarKist Co. Sentenced to $100 Million Fine in Criminal Price-Fixing Case

On September 11, Judge Edward Chen of the U.S. District Court in San Francisco sentenced StarKist Co. to a criminal fine of $100 million – the statutory maximum – and a 13-month term of probation for its role in a criminal conspiracy to fix prices for canned tuna in the United States.  StarKist also agreed to cooperate in the U.S. Department of Justice’s continuing investigation of canned-tuna price-fixing.

In October 2018, StarKist pleaded guilty to a one-count information, charging it with a criminal violation of the Sherman Act.  The information stated that from at least November 2011 through at least December 2013, StarKist and others conspired to fix, raise, and maintain canned-tuna prices by “engag[ing] in conversations and discussions and attend[ing] meetings with representatives of other major packaged-seafood-producing firms,” “agree[ing] and reach[ing] mutual understandings during these conversations, discussions, and meetings, to fix, raise, and maintain the prices of packaged seafood sold in the United States,” and “negotiat[ing] prices with customers and issu[ing] price announcements for packaged seafood in accordance with the agreements and mutual understandings reached.”

StarKist had sought a reduction in the fine on the basis of its financial circumstances.  The Justice Department’s Antitrust Division opposed that reduction, and Judge Chen found “that StarKist had not proven that its financial circumstances justified a lower criminal fine.”  StarKist issued a release in which StarKist President and CEO Andrew Choe stated that the company has cooperated with the Department during the course of its investigation and accepts responsibility, and that “[w]e have addressed the necessary actions required in this agreement and we will continue to strengthen related compliance best practices.”

Note: This sentence should provide corporate compliance officers with an opportunity to remind senior executives in their companies that compliance with antitrust laws needs to be treated as seriously as compliance with other high-visibility financial crimes laws, such as the Foreign Corrupt Practices Act and money laundering.  Under the Sherman Act, price-fixing, bid-rigging, and other conspiracies in restraint of trade can be criminally prosecuted, with sentences as high as fines of $100 million per violation for companies and sentences of up to 10 years’ imprisonment and $10 million fines for individuals.

The fine against StarKist is by no means the highest in Sherman Act corporate prosecutions.  As of June 12, according to an Antitrust Division list, 146 corporate cases involving Sherman Act violations had resulted in criminal fines of $25 million or more, including 32 cases with fines of $100 million or more.

Moreover, the Antitrust Division’s pursuit of criminal Sherman Act violations is not limited to a few industries.  Its record shows that it has prosecuted cases in dozens of industries over the years, including air and marine transportation, bread, capacitors, construction, explosives, fine arts auctions, foreign currency exchange, industrial diamonds, and vitamins.  Every company and financial firm therefore needs to have an antitrust-compliance program that can pass muster under the Department’s new Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations.

Securities and Exchange Commission Chairman Criticizes Other Nations for Failure to Enforce Anti-Corruption Laws

On September 9, U.S. Securities and Exchange Commission (SEC) Chairman Jay Clayton gave a speech at the Economic Club of New York.  While some of his remarks addressed recent SEC initiatives and current market issues that the SEC is monitoring, Clayton also cited “the undesirable effects of a continuing lack of global coordination and commitment” in combating foreign corruption.  In particular, he charged that “many other countries, including those that have long had similar offshore anti-corruption laws on their books, do not enforce those laws.”

Clayton first cited the SEC’s substantial record in enforcing the Foreign Corrupt Practices Act, noting that it “has brought nearly 80 FCPA cases in the past five years alone, involving alleged misconduct in more than 60 countries.”  But he cautioned that

we must face the fact that, in many areas of the world, our work may not be having the desired effect.  Why?  In significant part, because many other countries, including those that have long had similar offshore anti-corruption laws on their books, do not enforce those laws.

Clayton also contrasted the “unique enforcement posture” of the United States with two observations: (1) “the fact that U.S. jurisdiction generally is limited to areas where U.S. and U.S.-listed companies do business”; and (2) “the reality that there are countries where the business opportunities are attractive but corruption is endemic, and the potential for undesirable results becomes clear.”  He cited game-theory economists in identifying “the strong incentives for other countries not to enforce vigorously offshore corruption laws against their companies.”  For “a hypothetical country with business promise, but endemic corruption,” Clayton argued,

when this cooperative, anti-corruption strategy is being pursued by others, the benefits of playing a non-cooperative strategy are great, particularly if your company is the only one who is “cheating”—your company “wins” the lucrative offshore business with no competition.

Clayton commented that “the response to this observation has long been to acknowledge the need for greater international cooperation and cite a few isolated indicia of improvement,” but added that “[s]peaking for myself, I have not seen meaningful improvement.”

Clayton assured the audience that he does not intend to change the SEC’s FCPA enforcement posture.  At the same time, he stated that “[w]e should . . . recognize that we are acting largely alone and other countries are incentivized to play, and I believe some are in fact playing, strategies that take advantage of our laudable efforts.”  He said that when he engages with his international counterparts “on matters where common, cooperative enforcement strategies are essential,” he is mindful that “globally-oriented laws, with no, limited or asymmetric enforcement, can produce individually unfair and collectively suboptimal results.”

Note: Clayton’s remarks on anti-corruption are unusually critical for a senior U.S. official, whose agency constantly depends on smooth and harmonious relationships with its counterparts around the world, to make publicly.  Since the SEC has not previously publicized its dissatisfaction or frustration with the general state of foreign countries’ commitment to combating corruption, Clayton’s remarks may be surprising in some quarters – which may have been precisely the effect he intended.

Those remarks, however, do not indicate how Clayton thinks that state of affairs might be changed.  It is interesting to note that elsewhere in his speech, as he was advocating increasing the attractiveness of public capital markets, Clayton cited a seminal article by Professor George Akerlof, The Market for Lemons.  In that article, as Clayton noted,

Akerlof explained why, for a long time, the used car market included mostly bad used cars—or “lemons.”  Because you could not tell a good used car from a bad used car, buyers assumed all used cars were bad and priced them accordingly.  In turn, because buyers offered only “bad car” pricing, sellers offered mostly bad used cars.  This problem has been partially solved by incentive alignment and information gap bridging techniques, including enforceable used car guarantees.

One could argue that Akerlof’s analysis could be applied to countries with endemic corruption.  If key executives and legislators in those countries are themselves beneficiaries of that corruption, they have no incentive other than to stymie meaningful anti-corruption laws or to offer only weak laws and withhold enforcement resources from the agencies that could enforce those laws.  As Akerlof observed, “The presence of people in the market who are willing to offer inferior goods tends to drive the market out of existence . . . .”

One general approach that Akerlof offered to counteract the effects of quality uncertainty was “counteracting institutions.”  While Akerlof’s citations of such institutions – which included seller guarantees, brand-name goods, and licensing of professionals – were most pertinent to the used-car market, it is not difficult to conceive of other kinds of “counteracting institutions” that could be directed at the market for anti-corruption laws.

Ordinarily, as Akerlof stated, “the difficulty of distinguishing good quality from bad is inherent in the business world.”  Today, however, the information costs associated with finding examples of sound anti-corruption regimes are negligible.  Numerous countries have adopted and implemented comprehensive anti-corruption laws that can serve as models for other countries.

The greater problem is the identification or creation of “counteracting institutions” that can directly address the other asymmetries in the “market” for anti-corruption laws.  To counteract the effects of quality uncertainty in regimes afflicted with high-level endemic corruption, it is clear that those counteracting institutions must include other countries willing to exert sustained pressure on those regimes.  Whether the United States is willing to undertake such an effort, by itself or with like-minded countries, is far from clear at the moment.