South African President Cyril Ramaphosa Maintains That The Fuse For Change Is Lit

On October 15, The Economist published an article reporting on its October 13 interview of South African President Cyril Ramaphosa.  In the interview, President Ramaphosa – fully aware of the impatience that big business and the general public in South Africa have with the pace of change after former President Jacob Zuma was forced from office – likened the state of affairs to a scene in the World War II movie Force 10 from Navarone.  In that scene, Allied saboteurs are initially disappointed that the charges they exploded to blow up a dam did not immediately result in the dam’s collapse.  The team’s demolitions expert, however, assures them that the explosion fatally compromised the dam’s structural integrity.  In President Ramaphosa’s retelling, “Once the fuse has been lit, there is no going back.”

For President Ramaphosa, as the Economist correspondent commented,

that fuse is the National Prosecuting Authority of South Africa [NPA], one of several institutions he has sought to revive after their evisceration by Mr Zuma. The spectacular results people want may take time, but the process Mr Ramaphosa has set in motion “is irrevocable”, he says. Arrests will happen.

President Ramaphosa, however, was careful to temper expectations about the speed with which the fuse would burn.  As he told The Economist, “’People are asking when are you going to arrest people? When are you going to put people into jail?’ But it is not his job to arrest people, he argues, correctly. It is to ‘strengthen the institutions that must do their work’.”  When asked whether law enforcement would “be able to go after powerful people,” such as African National Congress Secretary-General Ace Magashule, who is widely considered to be deeply involved in corruption, President Ramaphosa carefully replied, “Once the institutions are strengthened, they should be able to go after anybody—including the president.”

President Ramaphosa was also cautious about committing to other specific measures to address the numerous challenges facing South Africa, including its economic growth rate, “horrifically high unemployment,” and flawed educational system.  In the face of these challenges, he admitted that “’It’s a difficult one. It’s a tough job…being the president of South Africa at this time…I wish had come in when the economy was better’.”

N.B.: One reason for President Ramaphosa’s cautionary notes regarding anti-corruption efforts is the sheer magnitude of the corruption that pervaded the Zuma administration, when, as one writer termed it, “the government’s law enforcement arm become as ineffective as a gangrenous limb.”  In an October 14 speech, he reported that corruption under Zuma likely cost South Africa more than R500 billion ($34 billion).  Another likely reason is the knowledge that the person at the center of that institutionalized corruption, Zuma, is so far succeeding in delaying the start of his long-delayed corruption trial – so to speak, lengthening the fuse that the NPA only recently relit.

Nonetheless, it is not merely desirable, but necessary, that the NPA and the Judicial Commission of Inquiry into Allegations of State Capture show progress over the next few months in their pursuit of corruption, if President Ramaphosa’s promises of reform are to gain credibility.

Europol Issues Internet Organized Crime Threat Assessment

On October 9, the European Union Agency for Law Enforcement Cooperation (Europol) issued its Internet Organised Crime Threat Assessment (IOCTA) for 2019.  The IOCTA contains six categories of findings:

  • Cyber-Dependent Crime
    • With regard to cyber-dependent crime, which Europol defines as “any crime that can only be committed using computers, computer networks or other forms of information communication technology (ICT),” ransomware remains the principal threat. Even though “the overall volume of ransomware attacks has declined as attackers focus on fewer but more profitable targets and greater economic damage,” the number of victims “is still high.”
    • “Phishing and vulnerable remote desktop protocols (RDPs) are the key primary malware infection vectors.” The IOCTA noted that according to some reports, as many as 65 percent of groups “rely on spear-phishing as their primary infection vector.”
    • “Data remains a key target, commodity and enabler for cybercrime.” The IOCTA observed that data compromise “represents the second-most prominent cyber-threat [after ransomware] tackled by European cybercrime investigators.”
    • After the increase in destructive ransomware, “there is a growing concern within organisations over attacks of sabotage.”
    • “Continuous efforts are needed to further synergise the network and information security sector and the cyber law enforcement authorities to improve the overall cyber resilience and cybersecurity.”
  • Child Sexual Exploitation Online
    • The amount of CSEM that law enforcement and the private sector have detected “continues to increase, putting considerable strain on law enforcement resources.” The IOCTA stated that at least 18 EU Member States received referrals from the United States through Europol, and that all Member States received referrals from Canada through Europol.
    • “The online solicitation of children for sexual purposes remains a serious threat with a largely unchanged modus operandi.” Sexual offenders “generally use the open web . . . using a variety of social media services.”
    • Self-generated explicit material (SGEM) – also known as “sexting” – “is more and more common, driven by growing access of minors to high quality smartphones and a lack of awareness of the risks.” The IOCTA stated that “[a]lthough sexual coercion and extortion of minors also happens for financial gain, in the majority of cases the aim is to obtain new CSEM.”
    • Commercial CSE remains limited, with the “notable exception” of live distant child abuse.
  • Payment Fraud
    • Card Not Present (CNP) fraud “continues to be the main priority within payment fraud and continues to be a facilitator for other forms of illegal activity.” Fraud relating to the purchase of physical goods is the leading type of CNP fraud, but “CNP is increasingly moving into other sectors such as travel (hotels, car rentals, etc.) postal services, giftcards, etc.”
    • Card “skimming”, as the second priority for investigators, continues to evolve, as criminals “continuously adap[t] to new security measures.” The IOCTA added the remarkable observation that “[t]he ongoing threat of skimming is the direct result of the fact that not all payment terminals and ATMs in Europe contain the necessary anti-skimming measures.”
    • “Jackpotting” attacks – also known as “black-box attacks,” which are designed to cash out ATMs – “is the most widespread type of logical ATM attack” and “are becoming more accessible and successful.”
  • The Criminal Abuse of the “Dark Web”
    • The “dark web” – defined as “encrypted online content that is not indexed by conventional search engines” – “remains the key online enabler for trade in an extensive range of criminal products and services and a priority threat for law enforcement.”
    • Recent coordinated law enforcement activities, together with extensive Distributed Denial of Service (DDoS) attacks, “have generated distrust in The onion router (Tor) environment.” At the same time, while “there is evidence that administrators are now exploring alternatives,” it appears that “the user-friendliness, existing market variety and customer-base on Tor makes a full migration to new platforms unlikely just yet.”
    • Europol observed “increases in single-vendor shops and smaller fragmented markets on Tor,” including those catering to specific languages. “Some organised crime groups (OCGs) are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement.”
    • “Encrypted communication applications enhance single-vendor trade on the dark web, helping direct users to services and enabling closed communications. Although there is no evidence of a full business migration, there is a risk the group functions could become increasingly used to support illicit trade.”
  • The Convergence of Cyber and Terrorism
    • The broad array of online service providers (OSPs) that terrorist groups exploit “presents a significant challenge for disruption efforts.” As the IOCTA put it, “the sheer number of OSPs exploited for terrorist purposes presents a challenge for disruption efforts. These include forums, file-sharing sites, pastebins, video streaming/sharing sites, URL shortening services, blogs, messaging/broadcast applications, news websites, live streaming platforms, social media sites and various services supporting the creation and hosting of websites (including [domain name] registries and registrars).”
    • “Terrorist groups are often early adopters of new technologies, exploiting emerging platforms for their online communication and distribution strategies.”
    • “With sufficient planning and support from sympathetic online communities, terrorist attacks can rapidly turn viral, before OSPs and law enforcement can respond.”
  • Cross-Cutting Crime Factors
    • “Phishing remains an important tool in the arsenal of cybercriminals for both cyberdependent crime and non-cash payment fraud (NCPF).” The IOCTA characterized phishing as “a core attack method for all cybercrime.”
    • “While cryptocurrencies continue to facilitate cybercrime, hackers and fraudsters now routinely target crypto-assets and enterprises.” Crypto investigations, according to the IOCTA, “are now a core part of daily business for law enforcement. As a result, investigators require training to ensure they have the appropriate skills to handle such investigations.”

The IOCTA also provides numerous recommendations for each of those categories, including:

  • Cyber-Dependent Crime
    • Because “(s)uccessfully tackling major crime-as-a-service providers can have a clear and lasting impact,” law enforcement “should continue focusing its concerted efforts into tackling such service providers.”
    • Enhanced cooperation and improved data sharing between law enforcement, computer security incident response teams (CSIRTs), and private partners “will be the key to tackling complex cyberattacks, and allow the private sector to take the necessary preventative security measures to protect themselves and their customers.”
    • “In response to major cross-border cyberattacks, all cooperation channels should be explored, including Europol’s and Eurojust’s support capabilities as well as legal instruments designed for closer cross-border cooperation (such as Joint investigation Teams (JITs) and spontaneous exchange of information) in order to share resources and coordinate.”
    • Collaboration between the network and information security sector and cyber law enforcement authorities should be further enhanced, by involving those law enforcement authorities in “cyber resilience-related activities such as cyber simulation exercises.”
    • “Low-level cybercrimes such as website defacement should be seen as an opportunity for law enforcement to intervene in the criminal career path of young, developing cybercriminals.”
  • CSEO
    • “Coordinated action with the private sector and the deployment of new technology, including Artificial Intelligence, could help reduce the production and distribution of online CSEM, facilitate investigations, and assist with the processing of the massive data volumes associated with CSEM cases.”
    • “A structural educational campaign across Europe to deliver a consistent high-quality message aimed at children about online risks is of the utmost importance to reduce the risks derived from SGEM such as sexual coercion and extortion.”
    • Because “much CSEM, particularly that arising from LDCA, originates from developing countries, it is essential that EU law enforcement continues to cooperate with, and support the investigations of, law enforcement in these jurisdictions.”
    • “Fighting CSE is a joint effort between law enforcement and the private sector and a common platform is needed to coordinate efforts and prevent a fragmented approach and duplicated efforts.”
    • In order to prevent child sex offenders from traveling to third countries to abuse children sexually, European Union (EU) law enforcement “should make use of passenger name record (PNR) data accessible through the Travel Intelligence team within Europol.”
  • Payment Fraud
    • Public-private sector cooperation – both between and within the sectors – “is crucial to come to fruitful results.” On this point, the IOCTA stated that “speedy and more direct access to and exchange of information from the private sector is essential for Europol and its partners.”
    • “Organisations must ensure they train their employees and make their customers aware of how they can detect social engineering and other scams.”
  • The Criminal Abuse of the “Dark Web”
    • “More coordinated investigation and prevention actions targeting the phenomenon are required, demonstrating the ability of law enforcement and deterring users from illicit activity on the dark web.”
    • “The ability to maintain an accurate real-time information position is necessary to enable law enforcement efforts to tackle the dark web. The capability needs to enable the identification, categorisation, collection and advanced analytical processing, including machine learning and AI.”
    • “An EU-wide framework is required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation.”
    • “Improved coordination and standardisation of undercover online investigations are required to de-conflict dark web investigations and address the disparity in capabilities across the EU.”
  • The Convergence of Cyber and Terrorism
    • “Limiting the ability of terrorists to carry out transnational attacks by disrupting their flow of propaganda and attributing online terrorism-related offences requires continued and heightened counterterrorism cooperation and information sharing across law enforcement authorities, as well as with the private sector.”
    • “Any effective measure to counter terrorist groups’ online propaganda and recruitment operations entails addressing the whole range of abused OSPs, especially start-ups and smaller platforms with limited capacity for response.”
    • “Cross-platform collaboration and a multi-stakeholder crisis response protocol on terrorist content online would be essential to crisis management [in] the aftermath of a terrorist attack.”
    • “A better understanding of new and emerging technologies is a priority for law enforcement practitioners. Upcoming policy debates and legislative developments should take into account the features of these technologies in order to devise an effective strategy to prevent further abuse.”
  • Cross-Cutting Crime Factors
    • “Law enforcement and the judiciary must continue to develop, share and propagate knowledge on how to recognise, track, trace, seize and recover cryptocurrency assets.”
    • “Law enforcement must continue to build trust-based relationships with cryptocurrency-related businesses, academia, and other relevant private sector entities, to more effectively tackle issues posed by cryptocurrencies during investigations.”
    • Despite the gradual implementation of the Fifth Anti-Money Laundering Directive across the EU, “investigators should be vigilant concerning emerging cryptocurrency conversion and cash-out opportunities and share any new information with Europol.”

N.B.:  Information-security teams and law enforcement cybercrime teams should closely review the IOCTA, as it draws on an extensive range of data from structured surveys and feedback sessions involving 26 Member States and European third-party members, as well as other EU government entities, open-source research, and private-sector input.  For their part, EU leadership should closely review the IOCTA recommendations, with a view to enhancing Europol’s roles in intelligence-sharing and public-private collaboration to combat cybercrime.

South African High Court Dismisses Zuma Bid to Stay His Corruption Prosecution

On October 11, the South African High Court in Pietermaritzburg dismissed the applications of former South African President Jacob Zuma and French aerospace and defense manufacturer Thales for a permanent stay of prosecution in the long-running corruption case against them.  The High Court reportedly took less than five minutes to dismiss the applications and to impose litigation costs on the applicants.

In addition, the High Court granted the application of the National Prosecuting Authority (NPA) to strike certain allegations that Zuma had made against the NPA, including an allegation that an NPA prosecutor was motivated by hatred against him.  The High Court concluded that Zuma’s claims “were scandalous and vexatious.”

The pending case, which includes 16 charges against Zuma such as corruption, fraud, racketeering, and money laundering, stems from R30 billion ($2.5 billion) in arms sales, dating back to the 1990s, involving naval vessels, submarines, fighters, and other equipment by European countries to South Africa for modernization of the South African armed forces.  Though the South African government under then-President Nelson Mandela made that deal, the deal reportedly “led to what is considered the single biggest instance of public corruption in the history of post-apartheid South Africa.”  In particular, Zuma, who was Deputy President when the arms deal was made final in 1999, is accused of accepting a R500,000 per year bribe from Thales.

N.B.: The speed with which the High Court ruled on this application stands in dramatic contrast to the glacial pace with which the case against Zuma has moved.  Although Zuma and Thales were originally indicted in 2007, the South African Prosecutor General dropped the case in 2009.  Years later, South African courts ruled that that decision was “irrational,” and in 2018 the South African chief prosecutor – though reportedly close to Zuma – decided to reinstate the case against Zuma and Thales.

At this stage of the proceedings, Zuma has no incentive to resolve the case in any manner.  Under an agreement between African National Congress (ANC) leaders and Zuma, South Africa has been paying Zuma’s legal fees “because the case relates to actions taken when he was in government,” with the proviso that Zuma would have to repay them if he is ultimately found guilty.

Given the availability of unlimited funds until a guilty verdict, his attorneys have “hewed to a strategy of delaying his trial as long as possible — what analysts have called the ‘Stalingrad strategy’.”  Accordingly, while Zuma is now scheduled to return to court on October 15 to face the charges against him, he can appeal this latest decision by the High Court within the next 15 days, and ultimately take his challenge to the South African Constitutional Court.  In addition, Zuma’s continuing popularity with many ANC supporters is likely to buoy his confidence for some time to come.  For Zuma, justice delayed is not justice denied, but a strategic objective in his war of attrition against the case and the prosecutors.

FBI Issues New Guidance to Victims of Ransomware Attacks

On October 2, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) on ransomware attacks that expands on, and in important respects diverges from, its longstanding guidance to victims of ransomware attacks.  Since 2016, the FBI’s public guidance on ransomware attacks has been that it

does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.

The 2016 guidance also stated that the FBI requested victims to contact their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at http://www.IC3.gov, with certain ransomware infection details, and that it urged victims “to report ransomware incidents regardless of the outcome.”

The new PSA now states that the FBI “does not advocate paying a ransom” (rather than “does not support”), for the reasons stated above, and that “[r]egardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.”  (Emphasis supplied)  The new language, without disavowing or replacing the 2016 guidance, subtly signals to ransomware victims that the FBI will not treat ransomware victims’ complaints less seriously if they choose to pay and then report to the FBI.

The new guidance is less clear on when the FBI would like victims to report (e.g., before or after they pay a ransom).  Because it mentions in passing that reporting to law enforcement “provides investigators with the critical information they need to track ransomware attackers” (emphasis supplied), it should be construed to mean that the FBI would prefer victims to report before any payment.  So long as the FBI can encourage more victims to do so, it improves the chances of its successfully investigating and apprehending the cyberextortionists responsible.

Israeli Ministry of Justice Refrains from Opposing Settlement in Teva Shareholder Proceeding Concerning Foreign Bribery

On October 7, the Israeli business journal Globes reported that the Israeli Ministry of Justice is not opposing a compromise settlement that was reached between Israeli pharma company Teva Pharmaceuticals and a Teva shareholder, who had filed a petition in Tel Aviv District Court stemming from the resolutions that Teva had reached with U.S. and Israeli authorities regarding foreign bribery.

In December 2016, Teva and its Russian subsidiary agreed with U.S. authorities to criminal and civil resolutions requiring them to pay criminal and civil penalties totaling nearly $520 million, in connection with schemes involving the bribery of government officials in Russia, Ukraine, and Mexico in violation of the U.S. Foreign Corrupt Practices Act (FCPA).  Thereafter, in January 2018, Teva agreed to pay the Israeli State Attorney’s Office NIS 75 million ($22.1 million) in fines relating to the same types of foreign-bribery activity, without being required to plead to criminal charges.

The Teva shareholder’s petition sought documents that would allow him to bring a derivative shareholder action.  Teva subsequently set up an independent claims committee and reached a compromise settlement with the shareholder.  Under the terms of the proposed settlement, the insurance companies for the Teva company officers against whom the shareholder sought to file his derivative action would pay $50 million “in exchange for final and absolute removal of all claims by the company against its officers and directors in connection with the bribery affair.”  The settlement also set legal fees for the lawyers representing the shareholder at $1.6 million.

Under Israeli law, Globes reported, the Attorney General’s opinion “is legally required before any compromise in class action and derivative proceedings can be reached.”  In this case, however, the Israeli Ministry of Justice took a highly deferential position with regard to the potential settlement, stating that

[i]t can be argued that the result of the settlement, in which the company will be responsible for defending the officers in the event of a future proceeding against them in the affair for which the derivative lawsuit was filed, involves a difficulty.

The Ministry went on to state that if the Tel Aviv District Court, which has jurisdiction of the shareholder action, “finds that in this case, exceptional and special circumstances existed in this case justifying the indemnification conditions in the settlement, it may not be unreasonable to refrain from intervention in the considerations of the company and the independent committee.”

With regard to the payment of legal fees, the Ministry responded:

It appears that the requested legal fees meet the criteria established in judicial rulings, but on the high side. It should be kept in mind that the sum is fairly high considering the efforts made by the lawyer in the proceeding. For this reason, the Ministry of Justice leaves the judgment on the legal fees to the court.

A number of public shareholders have already stated that they oppose the proposed settlement.  The judge hearing the case reportedly will have to weigh their objections and concerns, and has the authority to require the parties to make further changes to the settlement before he would approve it.

N.B.: This latest action is a reminder that even if public enforcement authorities seek to coordinate their resolutions of foreign-bribery cases, the ripple effects of such resolutions can last for years afterward.  In addition to Teva’s resolution of the U.S. and Israeli law enforcement investigations, earlier this year former Teva management officials and directors agreed to return a sum of $50 million to Teva, as part of a compromise agreement to compensate Teva for fines and damages that it incurred to settle the foreign-bribery charges.  No date has apparently been set for the judge’s decision regarding the settlement.