National Security Agency and Cybersecurity & Infrastructure Security Agency Release Joint Guidance on Using Protective Domain Name System (PDNS) Service

On any given day, some five billion people worldwide use the Internet.  Only a vanishingly small fraction of those people is even aware of, let alone understands the importance of, a critical component of Internet use: the Domain Name System (DNS).  DNS has been defined as “a hierarchy of duplicated database servers worldwide” that begins with so-called “root servers” for top-level domains such as .com, .net, and .org and converts alphabetic names into numeric Internet Protocol (IP) addresses.

Because the DNS system is so critical to the effective operation of the Internet and Internet communications, DNS has become “an increasingly targeted threat vector for attackers.”  Cyberattackers routinely use a variety of techniques to exploit the DNS system and gain unauthorized access to command-and-control systems and exfiltrate large volumes of sensitive data. 

On March 4, the U.S. National Security Agency (NSA) and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a joint information sheet that provides guidance on selecting a protective Domain Name System (PDNS) service “as a key defense against malicious cyber activity.”  As the information sheet explains, the DNS “is central to the operation of modern networks”, but “was not built to withstand abuse from bad actors intent on causing harm.”  It explains that a PDNS is “different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

The information sheet makes clear that it provides an assessment of several commercial PDNS providers based on reported capabilities, but that that assessment “is meant to serve as information for organizations, not as recommendations for provider selection.”  It advises that users of these services “must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.”

Chief Information Security Officers at companies and government agencies need to peruse the NSA-CISA guidance closely and give serious consideration to acquiring some form of PDNS.  Because DNS-based attacks are highly likely to increase during 2021, particularly from hostile state actors and professional cybercrime organizations, every enterprise must take seriously the need to protect itself from such attacks.
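As an added illustration of what the information sheet means by a service that “analyzes DNS queries and takes action to mitigate threats” (this is not code from the NSA-CISA sheet or from any PDNS provider), the following Python sketch applies a protective-resolver policy to query names: blocklisted domains are answered with a sinkhole address, and names shaped like data smuggled out in DNS queries are flagged for review. The blocklist entries, sinkhole address, thresholds and sample queries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for this illustration; not real indicators.
# A PDNS provider would populate this from its threat-intelligence feeds.
BLOCKLIST = {"c2.example.net", "drop.example.org"}
# Sinkhole answer returned instead of the real address for blocked names
# (RFC 5737 documentation range, chosen here as a placeholder).
SINKHOLE_IP = "192.0.2.1"
# Illustrative thresholds for tunnelling-like query names (assumed values).
MAX_LABEL_LEN = 40
MAX_QNAME_LEN = 100


@dataclass(frozen=True)
class Verdict:
    action: str   # "resolve" (pass to upstream), "sinkhole", or "alert"
    reason: str


def evaluate(qname: str) -> Verdict:
    """Apply PDNS-style policy to one query name and return what to do."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Rule 1: the name itself, or any parent domain of it, is blocklisted.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in BLOCKLIST:
            return Verdict("sinkhole", f"blocklisted domain {suffix}")
    # Rule 2: shape typical of data exfiltration over DNS: a very long
    # label or an unusually long overall name. Resolved, but logged.
    if any(len(l) > MAX_LABEL_LEN for l in labels) or len(name) > MAX_QNAME_LEN:
        return Verdict("alert", "query name shaped like DNS tunnelling")
    return Verdict("resolve", "no policy match")


def answer(qname: str, upstream: dict) -> tuple:
    """Return (verdict, ip) that the protective resolver hands to the client."""
    v = evaluate(qname)
    if v.action == "sinkhole":
        return v, SINKHOLE_IP
    # "alert" still resolves normally; the verdict is what the SOC reviews.
    return v, upstream.get(qname.rstrip(".").lower())


def triage(queries, upstream):
    """Run a batch of query names through the policy and report actions."""
    return [(q, answer(q, upstream)[0].action) for q in queries]


if __name__ == "__main__":
    # Constructed upstream answers and queries standing in for real traffic.
    UPSTREAM = {"www.example.com": "203.0.113.10", "beacon.c2.example.net": "203.0.113.7"}
    QUERIES = ["www.example.com", "beacon.c2.example.net", "a" * 50 + ".exfil.example.com"]
    for q, action in triage(QUERIES, UPSTREAM):
        print(f"{action:9s} {q}")
```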

Ransomware Attacks on French Hospitals Accelerate French Government Cybersecurity Responses

Over the past year, hospitals in multiple cities and towns across France have been the target of ransomware attacks by unknown adversaries.  Within the last ten days, two more French hospitals – the Villefranche-sur-Saône hospital complex in the Southwest Landes Département, and the Dax hospital in the eastern Rhone Département – suffered ransomware attacks, and a third hospital in the Dordogne Département preemptively broke connections with an information technology provider.

Neither of the two most recent cyberattacks appeared to have resulted in any harm to patients.  The French Ministry of Health, however, stated that the attack on the Dax hospital had “paralysed . . . almost all information systems” in the hospital, and the Villefranche hospital reported that the attack on it “strongly impact[ed]” three of its locations.

This recent spate of ransomware attacks in the French healthcare sector may constitute a significant change in targeting by ransomware criminal groups.  As recently as December 2020, the German Federal Office of Information Security and the French National Agency for the Security of Information Systems (ANSSI) issued a joint report stating that “the overall threat level for a cyber-attack on the healthcare sector has not risen above levels observed before the COVID-19 pandemic.”

In response to the latest cyberattacks, on February 18 French President Emmanuel Macron publicly stated that the attacks had put the hospitals in a position of “vulnerability.”  He called cybersecurity a “priority,” and promised to accelerate cyberdefense measures that reportedly include “boosting police and judicial cooperation, earmarking around €500 million ($600 million) to help companies and public authorities boost their cyber defences, and funding research and development.”  He also noted that later in 2021 he would open a new cyberdefense center in Paris’s financial district, to be staffed by 1,500 researchers and others working for private firms or for the government.

These latest reports should come as no surprise to information security officers in the healthcare sector.  Last October, the New York Times reported that Russian hackers had been trading a list of more than 400 hospitals that they planned to target.  Even before the latest French hospital attacks, the Wall Street Journal reported this month that hackers “are increasing their attempts to break into health-care companies.”

While COVID-related financial pressures may have made it exceedingly difficult for many hospitals to fund cybersecurity improvements, it is imperative for hospitals to bolster their cyberdefenses, particularly for ransomware attacks, while they can.  Although no hospital patient has yet died as a direct result of ransomware-caused loss of electricity or system functionality, hospitals need to understand that ransomware groups are indifferent to the possibility that their attacks may one day result in such deaths.

Brazilian President Bolsonaro Disbands Operation “Lava Jato” Task Force

Since his electoral campaign in 2018, Brazilian President Jair Bolsonaro has repeatedly and publicly demonstrated his commitment to the issue of corruption.  That commitment, however, has devolved from rooting out corruption to rooting out law enforcement officials and agencies dedicated to combating corruption.

After selecting Judge Sérgio Moro – a national hero for overseeing the multiyear anticorruption investigation known as Operation Lava Jato (Car Wash) – as his Attorney General, Bolsonaro proceeded in 2020 to fire Maurício Valeixo, the chief of the Brazilian national police, as investigators reportedly were investigating a number of Bolsonaro’s supporters, including Bolsonaro’s son, Senator Flavio Bolsonaro.  Valeixo’s firing precipitated the resignation of Judge Moro, as well as charges by Moro that Bolsonaro was seeking improperly to politicize the Ministry of Justice.

Despite the political and popular outcry that followed, Bolsonaro has remained resolute in undermining Brazilian law enforcement’s efforts to uncover corruption.  In October 2020, even while he himself was under investigation by the Brazilian Supreme Court for alleged misconduct, Bolsonaro stated that he had “ended” Lava Jato, declaring, “There isn’t any more corruption in the government.”

Although the Lava Jato team evidently tried to continue its investigative work, on February 3 it “announced its termination after several of its investigators were seconded to another federal anti-organised crime task force.”  Moro’s successor as Attorney General, Augusto Aras – who had once said that Moro’s allegations against Bolsonaro, if true, “would reveal the practice of illegal actions” – dismissed the disbanding of the task force as amounting to no more than a change of name.

Risk and compliance officers at companies doing business in Brazil should not underestimate the significance of Bolsonaro’s latest action.  By snuffing out the Car Wash investigation altogether, he has not only eliminated the most effective anti-corruption force in Brazil, but signaled to his supporters and to other Brazilian politicians that corruption carries no consequences – at least if they continue to support or remain silent about his and his administration’s malversations.  As Bolsonaro has another two years in his current term of office, and is likely to seek reelection in 2022, it is equally likely that Brazil will return to the levels of pervasive corruption in Brazilian government and business that preceded Bolsonaro’s election.

United Kingdom Anti-Slavery Commissioner Calls for “Naming and Shaming” of Firms with Slave Labor in Supply Chains

Since 2015, the United Kingdom Modern Slavery Act 2015 has provided government agencies with a wide array of authority to combat human trafficking, slavery, servitude, and forced or compulsory labor.  That authority includes criminal offenses with substantial terms of imprisonment, confiscation of assets, judicially imposed slavery and trafficking reparation orders, prevention orders, and risk orders, as well as various protections for slavery or trafficking victims.

Recently, Dame Sara Thornton, the United Kingdom Independent Anti-Slavery Commissioner (IASC), reportedly called for the United Kingdom Parliament to enact legislation that would authorize the “naming and shaming” of firms “if slavery or criminal labour exploitation is uncovered at any stage in their supply chain.”  In an interview with The Times, Thornton argued that “[e]vidence from around the world shows that naming and shaming can have a real impact on business practices. The upcoming Employment Bill provides a timely opportunity for parliament to consider how to incentivise business to do the right thing.”

Thornton and Matthew Taylor, the former United Kingdom director of Labour Market Enforcement, made clear that they “want companies named and shamed as a deterrent, even if they were unaware of mistreatment. They said that this would encourage businesses to check what was happening at every stage of their chain.”  Taylor added that

“Everyone would be outed — no one is suggesting that the companies at the top of the supply chain are involved [in illegal practices]. But that it has taken place in their supply chain almost certainly means that they could have done more.

“Maybe they’re two or three steps removed. The point is it is not good enough to look at the next step in the supply chain, they need to be sure of what is happening all the way through.”

The prospects for inclusion of Thornton’s and Taylor’s proposals in the Employment Bill are not clear.  Nonetheless, companies doing business in the United Kingdom should take the opportunity to review their Modern Slavery Act compliance programs, with particular attention to the robustness of their oversight and internal controls relating to supply chain relationships.

It is unfortunate that, as the IASC stated in her most recent report, “prosecutions for offences under the Modern Slavery Act remain low and have been decreasing.”  Nonetheless, no company can afford to risk reputational damage if it becomes publicly associated with supply-chain partners’ forced-labor practices that it could have detected with reasonable diligence.

Head of Germany’s BaFin Financial Regulatory Agency Replaced in Wake of Wirecard Scandal

One of the more baffling performances by a financial regulator in recent years has been the response by the German financial supervisory agency Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) to media reports about financial irregularities associated with the German fintech company Wirecard.  Beginning in early 2019, a series of articles, principally by the Financial Times, identified multiple instances of potential wrongdoing within Wirecard.  Those instances included forging and backdating of contracts to inflate revenues and attributing half of its worldwide revenue to three shell firms with virtually no evidence of genuine business activity that could generate such revenue.

When Wirecard’s share price plunged in response to media reports, BaFin’s response was not to open an inquiry into possible fraud or other violations of law at Wirecard.  Instead, it imposed a temporary ban on short-selling of Wirecard stock, opened a market-manipulation investigation, and filed a complaint with the Munich public prosecutor, who opened a criminal market-manipulation investigation in which the lead Financial Times reporter was named as a suspect.

Not until the spring of 2020 did BaFin show active interest in Wirecard itself, filing a criminal complaint with the Munich prosecutor alleging market manipulation by Wirecard senior leadership.  Shortly before Wirecard’s complete collapse in June 2020, BaFin President Felix Hufeld finally termed the Wirecard scandal “a complete disaster” and “a shame” for Germany, as a market that “should be governed by quality and reliability.”

On January 29, after six months in which the European Securities and Markets Authority, investors, and others took BaFin to task for its failures in supervising Wirecard, German Finance Minister Olaf Scholz announced that Hufeld was being replaced as head of BaFin.  While Scholz reportedly thanked Hufeld for his years of service at BaFin, a Finance Ministry statement pointedly did not identify a successor for Hufeld, but stated that BaFin “needs a reorganization to fulfill its supervisory role more effectively.”

Both the Finance Ministry and the German Parliamentary committee tasked with investigating the Wirecard scandal will undoubtedly have much to say about how that reorganization should proceed.  At a minimum, if it is to regain public confidence as a national financial regulator, BaFin will need to redefine its mission and purpose and persuade the government and the public that it is committed to vigorous regulation rather than corporate protectionism.