Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.
Welcome! Follow the cyber team, Maggie Miller (@magmill95), and the tech team, Emily Birnbaum (@birnbaum_e) and Chris Mills Rodrigo (@chrisismills).
APPLE, BARR CLASH: Apple is pushing back at Attorney General William Barr’s claim that the company has not given federal investigators “any substantive assistance” in its investigation into a December shooting at a Pensacola, Fla., military base that left three dead.
But the company also reiterated its stance on protecting encrypted devices following Barr’s push for law enforcement to gain access to the gunman’s iPhone communications.
What Barr said: Barr leveled the accusations against the Silicon Valley giant during a press conference Monday in which he detailed the findings of an investigation into the massacre, which was carried out by a member of the Royal Saudi Air Force who had enrolled in the Naval Air Station Pensacola training program.
Lt. Mohammed Saeed Alshamrani killed three U.S. sailors and wounded eight others after entering the naval station grounds on Dec. 6. Barr said that shooting qualified as an “act of terrorism” and that Alshamrani was motivated by a “jihadist ideology.”
He pleaded with Apple to help investigators learn more about the gunman’s communications ahead of the incident.
“It is very important to know with whom and about what the shooter was communicating before he died,” Barr said, noting that the two Apple iPhones Alshamrani carried during the attack were “virtually impossible” to access.
Apple’s response: Challenging Barr’s comments, Apple said in a statement Tuesday that it has offered investigators a variety of information since the attack. The company said it provided iCloud backups, account information and transactional data for multiple accounts in response to six legal requests in December.
An Apple spokesperson added that the company wasn’t notified until Jan. 6 that federal investigators needed assistance with respect to the iPhones. The spokesperson said that Apple would continue to work with the FBI, but stressed the company’s stance on safeguarding encryption.
“We have always maintained there is no such thing as a backdoor just for the good guys,” the spokesperson said. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users’ data.”
THERE’S ANOTHER WAY ON 5G: A group of bipartisan senators on Tuesday introduced legislation to help create alternatives to Chinese firm Huawei in the rollout of 5G wireless technology, amid administration pressure on the telecommunications company.
The Utilizing Strategic Allied (USA) Telecommunications Act, sponsored by lawmakers including Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and ranking member Mark Warner (D-Va.), would promote research into new U.S. 5G alternatives by requiring the Federal Communications Commission (FCC) to set aside $750 million for a research and development fund.
The legislation would also create a $500 million “Multilateral Telecommunications Security Fund” at the Treasury Department, with the funds available for ten years to help encourage the adoption of “trusted and secure equipment” worldwide.
“The widespread adoption of 5G has the potential to transform the way we do business, but also carries significant national security risks,” Burr said in a statement on Tuesday. “Those risks could prove disastrous if Huawei, a company that operates at the behest of the Chinese government, military, and intelligence services, is allowed to take over the 5G market unchecked.”
Warner, who co-founded wireless group Nextel prior to serving in the Senate, said in a separate statement that “every month that the U.S. does nothing, Huawei stands poised to become the cheapest, fastest, most ubiquitous global provider of 5G, while U.S. and Western companies and workers lose out on market share and jobs.”
MORE FROM WARNER: Sen. Mark Warner (D-Va.) on Tuesday strongly urged the State Department to take measures to protect itself and embassies against cyberattacks in light of increasing tensions between the U.S. and Iran.
In a letter to Secretary of State Mike Pompeo, Warner expressed “deep concern” around the State Department’s ability to defend itself against potential Iranian cyberattacks launched in response to the killing of Iranian Gen. Qassem Soleimani. He also requested that Pompeo produce a plan for how his agency will defend against cyberattacks.
Warner, who serves as the top Democrat on the Senate Intelligence Committee, pointed to past breaches of State Department systems — including an attack in 2014 by Russian hackers which involved the National Security Agency “fighting for control” of the agency’s network — as evidence of potential cyber vulnerabilities that Iran could exploit.
The senator also referenced a report compiled by the State Department’s Office of Inspector General in 2019, which found that a hiring freeze on the agency in 2018 was detrimental to the State Department’s overall cybersecurity posture.
A spokesperson for the State Department told The Hill that “the Department routinely responds to requests by Congressional oversight committees and Members of Congress. We always work closely and cooperatively with Member and committee offices and seek to be as timely and responsive as possible to their requests for information. As a general matter, we don’t comment publicly on our congressional engagements.”
JUST FYI: The National Security Agency (NSA) found and notified Microsoft of what it called a serious vulnerability in the company’s Windows 10 operating system that could potentially expose computer users to significant breaches, surveillance or disruption, officials announced Tuesday.
The public disclosure is unlike the NSA’s usual approach of using such flaws to build hacking tools that allow the agency to spy on adversaries’ networks, according to The Washington Post. Rather, officials released a fix.
“This is … a change in approach … by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” Anne Neuberger, director of the NSA’s Cybersecurity Directorate, which was launched in October, told the Post.
The NSA discovered an error in the Microsoft code that verifies digital signatures, which could enable a hacker to forge the signature and breach a computer.
“The patch is the only comprehensive means to mitigate the risk,” the NSA’s statement read. “While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable.”
Microsoft said it addressed the flaw promptly and released a security update Tuesday.
That led to…
A DHS ORDER TO AGENCIES: The Department of Homeland Security’s (DHS) cybersecurity agency ordered all federal agencies to patch critical Microsoft vulnerabilities made public by the National Security Agency (NSA) on Tuesday.
The vulnerabilities, which Microsoft announced it had released a security update for on Tuesday, included those that could expose a system to a significant breach or to surveillance, such as a Microsoft code flaw that could enable a hacker to forge a digital signature and hack a system.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) subsequently released an emergency directive on Tuesday afternoon requiring all agencies to implement Microsoft’s patch by Jan. 29, with CISA “strongly recommending” that all agencies begin patching “immediately.”
CISA noted in the directive that while it is “unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.”
The directive also requires federal agencies to submit an initial status report to CISA by the end of this week on the progress of patching, and a completion report within ten days.
GET OUT OF MY FACE: Digital rights organization Fight for the Future and college group Students for Sensible Drug Policy on Tuesday co-launched a campaign urging higher education institutions to ban the use of facial recognition technology on campuses.
The push comes amid growing use of — and backlash to — facial recognition software, which scans faces for the purposes of identifying individuals.
There are few known cases of the controversial technology being used at colleges and universities, but the two groups are warning that without outright bans it may become more common.
“Facial recognition surveillance spreading to college campuses would put students, faculty, and community members at risk. This type of invasive technology poses a profound threat to our basic liberties, civil rights, and academic freedom,” Evan Greer, deputy director of Fight for the Future, said in a statement.
Some elementary, middle and high schools have entertained using the software to identify flagged individuals, like sex offenders, or weapons entering school grounds.
“Students should not have to trade their right to privacy for an education, and no one should be forced to unwittingly participate in a surveillance program which will likely include problematic elements of law enforcement,” Erica Darragh, board member at Students for Sensible Drug Policy, said in a statement, noting similar studies. “This automation of racial and political profiling threatens everyone, especially students, faculty, and campus guests of color.”
The groups are pressing universities and colleges to clarify what their current policies on facial recognition are, if any, and to take a strong stance on not using facial recognition technology on students going forward.
“This is an issue that I think will really activate a broad range of student groups. It’s clearly not a partisan issue,” Greer told The Hill, pointing to civil rights and racial justice groups as potential allies.
MUELLER AIDE TALKS ELECTION SECURITY: Robert Mueller’s former chief of staff from his time at the FBI says Washington isn’t doing nearly enough to secure U.S. election systems in the wake of the special counsel report on Russian interference in 2016.
John Carlin, who now chairs the law firm Morrison & Foerster’s global risk and crisis management group and co-chairs its national security practice group, told The Hill in a recent interview that foreign threats against elections are “here and present,” adding that he “absolutely” expects Moscow to attempt to interfere in this year’s vote.
“The overall message that the seriousness of what they found in terms of the Russian government interfering in our elections in a sweeping and systematic action, you would hope that this is the type of report that would drive in a bipartisan way all Americans to see what we can do to prevent it from occurring again,” said Carlin. “I wish there would be more of a bipartisan focus on what Russia did and holding them [to] account.”
Carlin noted that while “there have been improvements” from the federal government to address election security concerns — most notably the $425 million Congress designated to states for election security as part of the recent appropriations cycle — the ongoing “plague” of ransomware attacks poses a new threat.
“The two are linked when you see the disruption of services caused in some of the ransomware attacks,” Carlin said of ransomware strikes, which involve an attacker locking a system and demanding money to unencrypt it. “If you had someone who wasn’t doing it for money but was doing it to cause maximum disruption around Election Day, I guess you have the two issues marry up.”
Carlin is calling for all 50 states to move to voting systems with paper ballot backups, which multiple states do not currently use, and also for keeping one eye on the horizon in terms of addressing future threats to elections, such as ongoing disinformation campaigns on social media.
SANDERS GETS SCRAPPY: Sen. Bernie Sanders (I-Vt.) on Tuesday criticized Facebook and Senate Republicans in response to reports of Russia hacking the Ukrainian gas company at the center of the impeachment inquiry into President Trump.
“The 2020 election is likely to be the most consequential election in modern American history, and I am alarmed by new reports that Russia recently hacked into the Ukrainian gas company at the center of the impeachment trial, as well as Russia’s plans to once again meddle in our elections and in our democracy,” the 2020 presidential candidate said in a statement.
Cybersecurity firm Area 1 Security on Monday released a report claiming that hackers affiliated with Russia’s military began a phishing campaign against Burisma Holdings in November.
The efforts to steal email credentials coincided with the House’s investigation into a phone call where Trump pressured Ukrainian President Volodymyr Zelensky to investigate former Vice President Joe Biden and his son Hunter, a former Burisma board member.
The hackers were affiliated with the GRU, the military intelligence unit that used phishing methods to obtain usernames and passwords of Democratic National Committee staff in 2016, according to Area 1.
CFIUS SHAKEUP: The Treasury Department is restricting investments in U.S. companies in an effort meant to protect critical technology, data and infrastructure from foreign sabotage.
A Treasury panel will ban foreign investors and businesses from acquiring stakes in U.S. firms involved in industries deemed essential to national security, the department announced on Monday. The regulations were issued under a 2018 law that drastically expanded the power of a Treasury panel, called the Committee on Foreign Investment in the U.S. (CFIUS).
The committee was created in 1975 to block foreign acquisitions of U.S. companies that put the country at a competitive disadvantage to international rivals or threaten national security. The panel is chaired by the Treasury secretary and has been central to President Trump’s battle against China’s push to dominate global technology.
“These regulations strengthen our national security and modernize the investment review process,” said Treasury Secretary Steven Mnuchin.
“They also maintain our nation’s open investment policy by encouraging investment in American businesses and workers, and by providing clarity and certainty regarding the types of transactions that are covered.”
CFIUS was initially only empowered to block foreign takeovers of U.S. firms. But a bipartisan bill signed by Trump in 2018 expanded the panel’s authority to block deals even if they don’t give foreign investors control of an American company.
Under the new regulations, the committee can block foreign investors from acquiring a stake in certain U.S. companies if the investor would be involved in the firm’s board of directors or have access to nonpublic information.
Companies covered under the new regulations include U.S. computer technology firms; telecommunications, utilities, energy and transportation companies; and firms that use a wide range of personal financial and biographical data.
NO COOKIES FOR YOU: Google on Tuesday announced it would begin phasing third-party cookies out of its Chrome web browser, following in the steps of competitors Safari and Firefox.
However, unlike those two companies that banned cookies outright, Google will phase out its support for cookies “within two years,” Justin Schuh, director of engineering for Chrome, wrote in a blog post.
“Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem,” he continued.
Google cited user concerns about cookies including privacy and data collection, pledging to replace them with new technical solutions.
Cookies allow companies to track patterns of specific users and are often used for targeted advertising.
A LIGHTER CLICK: Important thread
AN OP-ED TO CHEW ON: Make no mistake: Iran remains a powerful threat to the U.S.
NOTABLE LINKS FROM AROUND THE WEB:
Russia, China plan to adjust their tactics to hack, influence 2020 elections (Roll Call / Gopal Ratnam)
Amazon: We want to stop Microsoft working on JEDI contract (ZDNet / Liam Tung)