Arrested security researcher’s case takes a turn

The security researcher who helped block a recent global ransomware campaign on Monday pleaded not guilty to charges of creating banking malware, and a federal judge allowed him to keep using the internet while he awaited trial. Marcus Hutchins, who is accused of coding and advertising the Kronos banking trojan, will be allowed to live in Los Angeles and continue using a computer and accessing the internet — an unusual arrangement for a defendant in a cybercrime case, according to former federal prosecutors.

“‘Unusual’ is putting it lightly,” said Ed McAndrew, who spent seven years handling cyber cases as an assistant U.S. attorney in Delaware. McAndrew, now a partner at Ballard Spahr, said he suspected that the government believed it couldn’t convince the judge of the need to keep the 23-year-old security researcher offline. “They may have just decided that they’re fighting a losing battle and they’re not going to push too hard,” he told MC.

Hutchins’ work as a security researcher may have contributed to that atypical outcome, said Michael Zweiback, a former assistant U.S. attorney who led the cyber crime team at the U.S. Attorney’s Office for the Central District of California for 18 years. The arrangement is “not that unusual when you’re dealing with someone who may have legitimate purposes for being online,” Zweiback told MC. “He obviously has some very recent conduct with respect to WannaCry, which demonstrates that he is in fact someone who fashions himself to be in the security research community.” Zweiback said he has prosecuted several alleged cyber criminals who claimed that they did legitimate research and needed to stay online during the trial phase. “Judges,” he said, “typically are sympathetic in those circumstances, absent some belief or evidence that there’s an ongoing threat.”

While Hutchins can use the internet (which he did on Monday), the court forbade him from accessing the internet service with which he temporarily plugged up, or “sinkholed,” the WannaCry ransomware campaign that spread around the world in May. McAndrew said the stipulation “made me chuckle,” because “I don’t know how that would actually be enforced.” “I don’t know that they would have any way of knowing whether he’s actually accessed that or not,” he said. “He’s way beyond them, light-years beyond them, in terms of his ability to use computers.”

Critics of the government’s prosecution of Hutchins have suggested that this major concession — and a government lawyer’s admission, at Monday’s hearing, that Hutchins’ crime was “historic” rather than ongoing — point to prosecutors holding weak evidence. Independent journalist Marcy Wheeler, who attended the hearing, noted Hutchins’ lawyer’s promise that he would be vindicated and wrote, “A dramatic change in the tone of the government suggested that might well be the case.” But Zweiback cautioned against reading too much into what has happened so far. “The standards for prosecution in the Department of Justice are that they have a reasonable belief that they will be successful at trial,” he said.

HAPPY TUESDAY and welcome to Morning Cybersecurity! Fear the immortal fruitcake. Send your thoughts, feedback and especially tips to, and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec. Full team info below.

HUD, FDIC FINISH CYBER RISK REPORTS — More federal agencies have confirmed that they submitted cybersecurity reports to the White House as part of President Donald Trump’s cyber executive order. Under the presidential directive, agencies had until last Wednesday to respond to the Office of Management and Budget’s assessments about their cyber risks. And as of late last week, MC reported that 24 agencies and departments had filed their responses. That number had risen to 36 as of Monday evening. Agencies joining the list on Monday included the Department of Housing and Urban Development, the Consumer Product Safety Commission, the CFTC and the FDIC. The Office of Government Ethics and the National Transportation Safety Board also confirmed their submissions late last week. One agency, the Appalachian Regional Commission, said Monday that it was “working with OMB on appropriate compliance.” OMB will use agencies’ submissions to compile a report for Trump on government-wide cyber risks and how to address them.

TAKING AIM AT CHINA — Trump took what he promised was “just the beginning” of steps to crack down on Chinese trade secrets theft when he signed an executive memorandum Monday directing the U.S. trade representative to consider options for confronting Beijing. The executive memo also targets so-called forced technology transfers, where China insists that foreign firms hand over tech (like source code under its new cybersecurity law) as a condition for entering its markets.

Senate Finance Chairman Orrin Hatch, who regularly chastised former President Barack Obama for not doing enough to fight Beijing’s digital theft of American trade secrets, praised the move. “Theft of American intellectual property in China is a persistent and serious problem,” Hatch said. “Indeed, there is no doubt the Chinese government bears responsibility for the forced transfer of technology from American businesses and rampant theft of trade secrets, and our nation must take stronger action.” Some industry groups and officials praised the memo. “We appreciate the president’s focus on this grave issue, and support his escalated stance on dealing with those who would try to perpetuate these crimes,” said Roger Krone, president and CEO of Leidos. “Safeguarding our intellectual property against nation-state sponsored cyber theft is key to protecting our national security, economy, and our ability to innovate through technological breakthroughs.”
