H-ISAC Hacking Healthcare 7-7-2020

July 8, 2020

TLP White: This week, Hacking Healthcare begins by providing a brief overview of how a major European law enforcement operation, made possible by cracked encryption, is likely to further fuel the long simmering encryption debate within the United States. We then wrap up by exploring the FCC’s decision to formally name Chinese firms Huawei and ZTE as national security threats and how the trickle-down effects may impact healthcare.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. With Encryption Cracked, Law Enforcement Scoops Up Criminals.

A coalition of European law enforcement authorities claimed a major success last week when they arrested 746 individuals, and seized $67 million in cash, as well as drugs and firearms.[i] They claim that the key to the operation was the successful cracking of encrypted messaging service EncroChat. Such a significant bust is likely to add more fuel to the contentious debate between law enforcement officials and privacy advocates over encryption and the need for purpose-built hardware and software backdoors.

According to the law enforcement authorities involved, the secure mobile phone messaging service EncroChat boasted around 60,000 users worldwide and has been a target for the U.K.’s National Crime Agency since at least 2016.[ii] An apparent breakthrough in April allowed law enforcement authorities to install a surveillance tool to monitor communications on the platform and share them amongst each other.[iii] Dutch authorities claimed that this allowed them to read over 20 million messages and eventually coordinate the mass arrests across several countries.[iv] No agency involved has specified exactly how they managed to crack or circumvent the platform’s encryption.

Action & Analysis

** H-ISAC Membership required**

2. FCC Declares Huawei and ZTE are National Security Threats.

On June 30^th, the Federal Communications Commission (“FCC”) released an announcement that formally declared Chinese technology companies Huawei and ZTE to be national security threats.[v] Ajit Pai, the FCC’s Chairman, stressed that both companies’ close relationship with the Chinese Communist Party and their obligation to laws requiring cooperation with Chinese intelligence authorities were major factors in the decision.

Citing the need “to protect U.S. communications networks from security risks,” the announcement means that both companies and their parents, affiliates, and subsidiaries are now subject to the FCC’s ban on the use of universal service support to purchase equipment or services.[vi] In effect, the announcement means that telecom companies cannot use money provided to them from the FCC’s $8.3B Universal Service Fund on “equipment or services produced or provided by these suppliers.”[vii]

Much of Huawei and ZTE’s appeal thus far has been the relative availability and affordability of their products. Cash strapped communications organizations with limited budgets for IT infrastructure may not have a suitable alternative at the ready. This issue is further compounded by the economic damage being inflicted by the COVID-19 pandemic.

Within the United States, the decision is a significant blow with terrible timing for smaller, often rural, Internet Service Providers (ISPs). The Rural Wireless Association (“RWA”), “a trade association representing rural wireless carriers who each serve fewer than 100,000 subscribers,” quickly released a statement that they were “stunned” by the decision.[viii]^{, [ix]} In their statement, the RWA outlined how their members “will now lack the ability to support their critical networks that are serving hundreds of thousands of rural Americans and those traveling through rural America.”[x] Although waivers for this announcement are possible, there is some resentment at the lack of time given to submit them before the decision went into effect.

Congress has not been blind to the plight of smaller domestic ISPs that could be affected by such a decision. The Secure and Trusted Communications Networks Act of 2019 promised to “make reimbursements to providers of advanced communications service to replace covered communications equipment or services.“[xi] However, FCC Commissioner Geoffrey Starks was keen to point out that as of June 30^th, Congress “still has not appropriated funding for replacements.”[xii]

Action & Analysis

**H-ISAC membership required**

Congress –

Tuesday, July 7th:

– House – Committee on Appropriations – Subcommittee on the Departments of Labor, Health and Human Services, Education, and Related Agencies: Markup of FY 2021 Departments of Labor, Health and Human Services, Education, and Related Agencies Subcommittee Markup

Wednesday, July 8th:

– House – Committee on Financial Services: Task Force on Artificial Intelligence: Exposure Notification and Contact Tracing: How AI Helps Localities Reopen Safely and Researchers Find a Cure

Thursday, July 9th:

– No relevant hearings