U.S. Antitrust Division Head Announces Division Reorganization, Creation of New Units

On August 20, Makan Delrahim, Assistant Attorney General in charge of the Antitrust Division at the U.S. Department of Justice, announced a series of changes in the Division’s structure and operational responsibilities.  Those changes fall into three categories.

First, the Division is reallocating certain “commodities” (i.e., industries it reviews) across its civil enforcement sections.  Prior to the reallocation, the enforcement of mergers and conduct in the financial services, banking, insurance, and credit card businesses was spread across four different sections within the Division, and media, broadcast, and telecommunications were divided between two sections.  Under the reorganization, the Division will dedicate all financial services to a single section, and combine broadcast and telecommunications in a single section.  Combining the responsibilities for broadcast and cable, in Assistant Attorney General Delrahim’s view, “reflects the integration in these industries and will streamline our enforcement and review in these sectors.”

Second, the Division has created a new office, the Office of Decree Enforcement and Compliance (ODEC).  ODEC has been given primary responsibility for enforcing judgments and settlement decrees in civil matters.  It will serve, as Delrahim put it, “as the dedicated watchdog for judgment and decree compliance,” and is charged with working with Antitrust Division attorneys, monitors, and compliance officers to ensure the effective implementation of and compliance with those civil agreements.

Third, the Division has created a Civil Conduct Task Force (CCTF) to focus full time on civil non-merger work.  The CCTF will consist of both a core group of fully dedicated attorneys and attorney designees from each of the Division’s six civil sections and three field offices.  All CCTF members are to be staffed on CCTF-led civil conduct investigations.

The rationale for the CCTF’s creation, according to Delrahim, is “to ensure that when the Division gets busy with merger reviews with statutory deadlines, that there is still an independent group of dedicated attorneys with the mandate to execute against aggressive timelines in our non-merger cases.”  The objective is to have the CCTF “build competencies that are unique to civil conduct cases, where the key questions, and the posture of the parties under investigation, are quite different from merger investigations,” and to ensure “that these competencies are shared with the civil sections and the field offices when they lead conduct cases as well.”

Note:  Enforcement agency reorganizations and revisions ordinarily attract minimal public attention, other than from attorneys whose practices focus on those agencies.  While that is likely to be true of these Antitrust Division changes as well, antitrust practitioners should closely monitor subsequent developments stemming from the changes.

Within the next year, both Division attorneys and private practitioners should see significant benefits flowing from the consolidation of related industry sectors in a single Division section.  In contrast, it may take two or more years before the worth of the ODEC and the CCTF can be clearly established, but any measures that reduce the stop-and-start handling of certain antitrust investigations and provide more consistent oversight of antitrust decree enforcement should be welcome.

United States Seizes Iranian Petroleum Shipments, Bound for Venezuela, for Sanctions Evasion

On August 14, the U.S. Department of Justice announced “the successful disruption of a multimillion dollar fuel shipment by the Islamic Revolutionary Guard Corps (IRGC), a designated foreign terrorist organization, that was bound for Venezuela” aboard four foreign-flagged oil tankers.  These actions, according to the Department, “represent the government’s largest-ever seizure of fuel shipments from Iran.”

The genesis of these seizures was a civil forfeiture complaint that the Justice Department filed on July 2, 2020, in the U.S. District Court for the District of Columbia.  In essence, the complaint, which named the four oil tankers in question, stated, according to the Wall Street Journal, “that an Iranian businessman affiliated with the Islamic Revolutionary Guard Corps, Iran’s elite military unit designated by the U.S. as a terror group, arranged the fuel deliveries through a network of shell companies to avoid detection and evade U.S. sanctions.”

After the District Court issued the forfeiture order, unspecified U.S. forces reportedly “successfully executed the seizure order and confiscated the cargo from all four vessels, totaling approximately 1.116 million barrels of petroleum.” A senior U.S. official told the Associated Press

that no military force was used in the seizures and that the ships weren’t physically confiscated. Rather, U.S. officials threatened ship owners, insurers and captains with sanction to force them to hand over their cargo, which now becomes U.S. property, the official said.

The Justice Department credited unspecified “foreign partners” with assisting in the seizure and stated that the seized oil “is now in U.S. custody.”

The Department also reported that after the successful U.S. seizure, “Iran’s navy forcibly boarded an unrelated ship in an apparent attempt to recover the seized petroleum, but was unsuccessful.”  It provided a link to a short video from U.S. Central Command that it represented to be a video of the unsuccessful Iranian operation.

Note: This action by the Justice Department is noteworthy because it represents the first time that the United States has used vessel seizures to prevent Iranian oil shipments to Venezuela.  The Trump Administration undoubtedly regarded these seizures as a necessary response to the successful deliveries of gasoline to Venezuela by Iran earlier this year.  As the Journal noted, the seizure has particular force because it deprives two sanctioned regimes of much-needed resources: oil for Venezuela, and revenues for Iran.

Neither regime is likely to be deterred directly by the seizures, but the Administration undoubtedly expects that.  The key to the success of this stratagem by the United States will be whether the seizures “deter shipping companies from dealing with the Iranians and Venezuelans as tanker owners, brokers, insurers and other businesses see the risk as too costly.”  If the U.S. Government can dissuade legitimate shipping companies from future support, Iran and Venezuela will likely be forced to deal with far less reliable companies and less seaworthy vessels in continuing to evade sanctions.

Sonatype Report Highlights 430 Percent Increase in Open Source Supply Chain Attacks

On August 12, software development company Sonatype announced the issuance of its sixth annual State of the Software Supply Chain Report.  Key elements of the report included the following:

  • Cyberattack Trends: In the past 12 months, the number of next-generation cyberattacks aimed at actively infiltrating open source increased 430 percent over the number in the preceding four years. From February 2015 to June 2019, 216 such attacks were recorded; from July 2019 to May 2020, an additional 929 attacks were recorded.
  • Next-Generation Cyberattack Characteristics: The report stated that while legacy software supply chain exploits “prey on publicly disclosed open source vulnerabilities that are left unpatched in the wild,” next-generation software supply chain attacks “are far more sinister because bad actors are no longer waiting for public vulnerability disclosures” but “are taking the initiative and actively injecting malicious code into open source projects that feed the global supply chain.” As a result, this upstream focus allows bad actors to “infect a single component, which will then be distributed ‘downstream’ using legitimate software workflows and update mechanisms.”
  • Open-Source Vulnerabilities: Next-generation cyberattacks are possible for three reasons: (1) Because open-source projects “rely on contributions from thousands of volunteer developers,” determining whether community members have good or malicious intent “is difficult, if not impossible”; (2) Open source projects’ typical incorporation of “hundreds — if not thousands — of dependencies from other open source projects, which may contain known vulnerabilities”; and (3) The “shared trust” ethos “creates a fertile environment whereby bad actors can prey upon good people with surprising ease.”
  • Types of Next-Generation Cyberattacks: Typosquatting was the most common attack identified, and malicious code injection was identified as another common attack.
  • Responses to Legacy Software Supply Chain Attacks: The report urged organizations to “establish a ‘rapid upgrade posture’ so they can respond quickly to new zero-day disclosures by finding and fixing vulnerable open source dependencies in production applications.” A 2020 Sonatype survey of 679 development professionals, however, found that only 17 percent of organizations “become aware of new open source vulnerabilities within a day of public disclosure,” 35 percent “find out within one to seven days,” and the remaining 48 percent “become aware of new vulnerabilities after a week’s time.”  That survey also found that a majority of respondents (51 percent) “required more than a week to respond.”

The report also contained other findings, concerning the supply and demand for open source, that demonstrate the ubiquity and growth of open source use.  It projects, for example, that one trillion JavaScript packages will be downloaded in 2020, with the 10.7 million JavaScript developers around the world downloading an average of 93,457 packages.  It also provided extensive discussions of how to identify exemplary open source suppliers, how high-performance teams manage open source software supply chains, the trust and integrity of software supply chains, and the influences of social activism and government standards on open source software.

Note: For some time, the open source field has enjoyed a kind of “halo effect” because of its potential for lower hardware and software costs and its stability, flexibility, and security.  The Sonatype report, however, provides a timely reminder that information-security teams need to anticipate both legacy and next-generation cyberattacks on open source software, and to be prepared to respond immediately – not in one or two days or a week – when they become aware of zero-day disclosures.  Corporate information-security officers should therefore disseminate the report within their teams, and incorporate key findings into briefing and training materials for senior managers and executives.

INTERPOL Report Shows “Alarming” Rate of Cyberattacks During COVID-19

On August 4, the International Criminal Police Organization (INTERPOL) announced the results of its report on the impact of the COVID-19 pandemic on cybercrime.  The report found that cybercriminals – in the words of INTERPOL Secretary General Jürgen Stock – “are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”

Key findings in the INTERPOL report included the following:

  • Volume of COVID-19 Cybercrime Activity: One of INTERPOL’s private-sector partners found that in just one four-month period, from January to April 2020, it detected approximately 907,000 spam messages, 737 incidents related to malware, and 48,000 malicious URLs, all related to COVID-19.
  • Online Scams and Phishing: The report showed that threat actors had revised their usual online scams and phishing schemes. Approximately two-thirds of INTERPOL-member countries that responded to INTERPOL’s global cybercrime survey “reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.”  Cybercriminals have been able to influence victims into providing their personal data and downloading malicious content “[b]y deploying COVID-19 themed phishing emails, often impersonating government and health authorities.”
  • Disruptive Malware (Ransomware and Distributed Denial of Service Attacks): The report commented that cybercriminals “are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit.”  It observed that “in the first two weeks of April 2020, there was a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months.”  It also found a noteworthy refinement in ransomware attacks: that “the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.”
  • Data Harvesting Malware: The report saw an increased deployment “of data harvesting malware such as Remote Access Trojan, info stealers, spyware and banking Trojans by cybercriminals,” using COVID-19 related information to infiltrate systems.
  • Malicious Domains: The report also identified “a significant increase of cybercriminals registering domain names containing keywords, such as ‘coronavirus’ or ‘COVID’” to take advantage “of the increased demand for medical supplies and information on COVID-19.” An INTERPOL private-sector partner received reports indicating that from February to March 2020, there was a 569 per cent growth in malicious registrations, including malware and phishing, and a 788 per cent growth in high-risk registrations.
  • Misinformation: The report stated that an “increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks.”  The INTERPOL global survey revealed that nearly 30 per cent of responding countries “confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware.”  The report also mentioned “reports of misinformation being linked to the illegal trade of fraudulent medical commodities” and “scams via mobile text-messages containing ‘too good to be true’ offers such as free food, special benefits, or large discounts in supermarkets.”

The report also identified four future areas of concern:

  • Further Cybercrime Increase: A further increase in cybercrime “is highly likely in the near future,” as cybercriminals seek to exploit vulnerabilities “related to working from home and the potential for increased financial benefit.”
  • Use of COVID-19 Themes: Threat actors “are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic.”
  • Business Email Compromise (BEC) Schemes: BEC schemes “will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.”
  • Availability of COVID Vaccine: “When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.”

Note:  Although there has been extensive reporting with regard to the exploitation of COVID-19 for various types of cyberattacks, the report provides significant data to document how great the explosion of such cyberattacks has been during 2020.  Information-security and corporate-compliance officers in public- and private-sector entities should provide excerpts of the report’s key findings to senior executives in their organizations, and incorporate selected information into in-house information-security trainings and briefings.

Basel Institute on Governance Releases 2020 AML Index

On July 23, the Basel Institute on Governance released its 2020 AML Index.  The Index, which the Institute has published since 2012, assesses the risk of money laundering and terrorist financing (ML/TF) around the world.  It provides risk scores based on data from 16 publicly available sources, such as the Financial Action Task Force (FATF), Transparency International, the World Bank, and the World Economic Forum.

The 2020 Index’s general conclusions included the following:

  • Changes: The Index “remains unacceptably high at 5.22 out of 10, where 10 equals maximum risk.” Only six countries improved their scores by more than a single point, while 35 countries’ scores decreased.
  • Quality of AML Supervision: Of the 100 countries that have been assessed so far with the new FATF assessment methodology, one-third scored a “zero for the effectiveness of their supervisory bodies and measures designed to safeguard financial systems from abuse.”
  • Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Systems: Since the FATF moved to its fourth-round methodology, which the Institute noted “assess[es] not just the technical compliance of a country’s AML/CFT systems but their effectiveness in practice,” “most countries that undergo a fourth-round FATF evaluation rate poorly for effectiveness.”

The 2020 Index also includes a new indicator for human trafficking, the U.S. State Department’s Trafficking in Persons (TIP) Report.  The Institute stated that this change “reflects the huge and growing proceeds generated by this transnational crime and laundered through international financial systems.”

The Public Edition of the 2020 Index includes scores and rankings for 141 countries, with the proviso that the FATF has not yet assessed many of those countries with its fourth-round methodology, which limits the comparability of those scores and rankings.  (In the Index, the higher the score for a particular country, the greater the ML/TF risk, which translates to a higher ranking for that country.)

The following are some of the noteworthy data on specific countries:

  • Highest and Lowest Rankings: The five highest-ranked (i.e., riskiest) countries were (1) Afghanistan (8.16), (2) Haiti (8.15), (3) Myanmar (7.86), (4) Laos (7.82), and (5) Mozambique (7.81). The five lowest-ranked countries were (141) Estonia (2.36), (140) Andorra (2.83), (139) Finland (2.97), (138) Bulgaria (3.12), and (137) the Cook Islands (3.13).
  • Africa: In addition to Mozambique, other higher-ranked African countries included Sierra Leone (7/7.51), Senegal (8/7.3), Kenya (9/7.18), Angola (13/7.02), Nigeria (14/6.88), and Benin (15/6.85). South Africa ranked 87 (4.83), Ghana 85 (4.89), and Egypt 82 (4.96).
  • Asia: In addition to Afghanistan, Myanmar, and Laos, other higher-ranked Asian countries included Yemen (10/7.12), Cambodia (11/7.1), Vietnam (12/7.02), China (18/6.76), and Kyrgyzstan (27/6.32).
  • Australia: Australia ranked 124 (3.84).
  • Europe: The five highest-ranked European countries were Turkey (41/5.76), Bosnia-Herzegovina (47/5.63), Russia (52/5.51), Malta (53/5.48), and Serbia (54/5.47).  The United Kingdom ranked 116 (4.02).
  • North America: The United States ranked 100 (4.57), Canada 94 (4.68), and Mexico 68 (5.2).
  • South America: The five highest-ranked South American countries were Nicaragua (16/6.78), Venezuela (20/6.56), Paraguay (24/6.45), Bolivia (31/6.12), and Panama (36/5.96).
  • Caribbean: After Haiti, the next highest-ranked Caribbean countries were the Cayman Islands (6/7.64), the Bahamas (25/6.43), Jamaica (34/5.99), and Barbados (40/5.87).

Note: In its release concerning the AML Index, the Institute commented that the Index “will disappoint anyone wishing for tangible progress in combating money laundering and terrorist financing (ML/TF) around the world.”  Seasoned AML/CTF observers, on the other hand, should simply make use of the Index and bear its data in mind as various authorities, such as the European Union, strive to strengthen the structure and implementation of regional and national AML/CTF frameworks.