Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.
Welcome! Follow the cyber team, Olivia Beavers (@olivia_beavers) and Maggie Miller (@magmill95), and the tech team, Harper Neidig (@hneidig) and Emily Birnbaum (@birnbaum_e).
HOUSTON, WE HAVE A PROBLEM: Several federal agencies failed to update system vulnerabilities over the course of the last two administrations and left Americans’ personal information open and vulnerable to theft, a report released Tuesday by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations found.
The report, spearheaded by subcommittee Chairman (R-Ohio) and ranking member (D-Del.) and put together after a 10-month investigation, reviewed data compiled over the last decade by the inspector general on federal information security standards for eight agencies.
These agencies were the departments of State, Homeland Security, Health and Human Services, Transportation, Education, Agriculture, and Housing and Urban Development, as well as the Social Security Administration.
Of these agencies, the report found that seven had failed to provide adequate protection for personal information in their systems and that six of the agencies had not installed system patches in a timely way to protect against cyber vulnerabilities. All eight agencies were found to use “legacy systems,” or those not supported by the original manufacturer anymore, resulting in further cyber vulnerabilities.
Specific agency findings included that Homeland Security, Transportation, Agriculture, and Health and Human Services failed to address some cybersecurity weaknesses identified by the inspector general over a decade ago, while the Social Security Administration was found to have severe cybersecurity vulnerabilities that risked the exposure of the personal information of more than 60 million Americans who receive Social Security benefits.
Another major security flaw found by the investigation was that the Education Department has been consistently unable to prevent unauthorized devices from connecting to its network since 2011. While the agency has limited this access to under 90 seconds, the inspector general reported that this was enough time for a malicious actor to launch an attack.
TALK TO YOU LATER: State and federal officials on Tuesday announced a major crackdown on illegal robocallers across the country, claiming the joint effort has targeted the operations responsible for over 1 billion robocalls.
The Federal Trade Commission (FTC), state attorneys general and local officials have taken 94 enforcement actions against a slew of illegal robocalling operations as part of their ongoing efforts to stave off the scourge of billions of robocalls dialing up U.S. consumers every year, according to the announcement.
The FTC is filing charges against multiple companies and individuals, including an array of defendants who the agency says ran a “maze of interrelated operations that used illegal robocalls to contact financially distressed consumers” — largely senior citizens.
And agencies across 25 states announced they have brought 87 enforcement actions against robocalling companies in states including Colorado, Indiana, Michigan, Ohio and more.
“We’re all fed up with the tens of billions of illegal robocalls we get every year,” Andrew Smith, director of the FTC’s bureau of consumer protection, said in a statement. “Today’s joint effort shows that combating this scourge remains a top priority for law enforcement agencies around the nation.”
POTENTIAL PERSUASION: Lawmakers expressed disbelief on Tuesday when a Google executive told a Senate panel that the company does not use persuasive techniques targeted at its users.
Maggie Stanphill, Google’s director of user experience, during a Senate Commerce technology subcommittee hearing, told the panel, “No, we do not use persuasive technology at Google.”
At issue before the panel was how algorithms used by companies like Google, Facebook and others might influence their users.
But Stanphill’s statement prompted pushback from senators who had been scrutinizing the company over its content decisions on platforms like YouTube.
“You don’t want to clarify that a little further?” Sen. asked. “Either I misunderstand your company or I misunderstand the definition of persuasive technology.”
Stanphill responded by saying “dark patterns and persuasive technology are not core to our design.”
“We build our products with privacy, security and control for the users,” she continued. “And ultimately this builds a lifelong relationship with the user, which is primary. That’s our trust.”
“I don’t understand what any of that meant,” Schatz said.
A skeptical Sen. Richard Blumenthal (D-Conn.) said that Stanphill’s answer was hard to accept given that persuasion appeared to be baked into Google’s business model.
“On the issue of persuasive technology, I find, Ms. Stanphill, your contention that Google does not build systems with the idea of persuasive technology in mind somewhat difficult to believe, because I think Google tries to keep people glued to its screens, at the very least,” Blumenthal said.
Many on the panel took Google and other internet platforms to task for the lack of transparency in their algorithms and how those technologies influence their users’ behavior.
Sen. (R-S.D.), the chairman of the subcommittee, suggested that he was considering a bill that would tackle the issue and called for greater transparency from the industry.
WARREN HAS A PLAN: Sen. (D-Mass.), a presidential candidate, released a plan Tuesday to secure elections against cyber threats and foreign interference, as well as to end voter suppression.
Warren’s plan, which was published in an article on Medium, would have the federal government replace every voting machine in the nation with “state-of-the-art equipment,” specifically machines that will allow for hand-marked, voter-verified paper ballots.
Uniform ballots across all election jurisdictions would also be required in order to prevent “hanging chad” issues — referring to the 2000 presidential election recount in Florida when a confusing ballot became the subject of intense scrutiny.
“Our elections should be as secure as Fort Knox,” Warren wrote. “But instead, they’re less secure than your Amazon account.”
The plan comes just months after special counsel spelled out how Russia interfered in the 2016 election.
Warren’s plan also includes replacing the current Election Assistance Commission with the “Secure Democracy Administration,” an agency that would be tasked with managing election cybersecurity and developing security procedures for election administrators.
The proposals would likely entail a large investment from the federal government in state elections, with Warren writing that “the federal government will pay the entirety of a state’s election administration costs, as long as the state meets federal standards in its state and local elections and works to make voting more convenient.”
Beyond securing the election, Warren’s plan also calls for creating “binding federal standards for federal elections” that would mandate automatic voter registration and same-day registration, along with banning voter roll purges and making Election Day a national holiday.
Further, Warren advocates for an end to gerrymandering, with states required to use “independent redistricting commissions” that would be tasked with drawing congressional districts in a fair way.
“Enough is enough,” Warren wrote. “It is time to make high-quality voting in the greatest democracy in the world easy, convenient, and professional. It’s time to secure our elections from all threats, foreign and domestic. It’s time to address election security, administration problems, and voter suppression.”
DROPPED CALL: Hackers have reportedly accessed the systems of more than 12 global telecommunications firms and taken personal and corporate data.
Researchers from U.S.-Israeli cyber security firm Cybereason reported the hacks of companies in more than 30 countries.
The researchers said the goal of the hackings was to collect information on people working in government, law enforcement and politics.
Cybereason’s chief executive, Lior Div, told Reuters that the hackers used tools that have been connected to other attacks ascribed to China.
“For this level of sophistication it’s not a criminal group. It is a government that has capabilities that can do this kind of attack,” he said.
“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” he told the news service.
Cybereason declined to say which companies specifically were affected, according to Reuters, but people familiar said that China was increasingly going after telecommunications firms in Western Europe.
NOT SO FAST: A group of experts on Tuesday warned a House panel that artificial intelligence is not capable of sweeping up the full breadth of online extremist content — in particular posts from white supremacists.
At a House Homeland Security subcommittee hearing, lawmakers cast doubt on claims from top tech companies that artificial intelligence, or AI, will one day be able to detect and take down terrorist and extremist content without any human moderation.
Rep. (D-N.Y.), the chairman of the counterterrorism subcommittee holding the hearing, said he is fed up with responses from companies like Google, Twitter and Facebook about their failure to take down extremist posts and profiles, calling it “wanton disregard for national security obligations.”
“We are hearing the same thing from social media companies, and that is, ‘AI’s got this, it’s only gonna get better,’ ” Rose said during his opening remarks. “Nonetheless … we have seen egregious problems.”
“We’ve been looking at this problem for months now,” he continued. “We’ve been approached by the social media companies with this libertarian, technocratic elitism that’s highly, highly disturbing and it centers around the claim that AI can accomplish everything.”
The lineup of experts, including Facebook’s former chief security officer and current Stanford academic Alex Stamos, agreed that AI is not ready to take on the complicated issues of terrorist content — and raised questions over whether it ever will be able to.
Stamos said the “world’s best machine learning resembles a crowd of millions of preschoolers.”
“No number of preschoolers could get together to build the Taj Mahal,” he explained.
He also raised concerns about the variety of fringe platforms, such as 8chan and Gab, that seek to host white supremacist groups and ideologies.
“These white supremacist groups have online hosts who are happy to host them,” Stamos said. “That is not true for the Islamic state.”
The House Homeland Security Committee has kicked its investigation of online extremist content into high gear over the past several months, following the livestreamed and viral mass shooting of worshippers in a Christchurch, New Zealand, mosque.
APPLE IN THE TRADE WAR: Apple is finding itself on the front lines of ‘s trade war as the U.S. considers imposing tariffs on virtually all goods from China, including on popular iPhones and Mac computers.
The tech giant — along with a range of other companies that manufacture products for U.S. consumers in China — will be closely watching the Group of 20 summit this week, where Trump and Chinese President Xi Jinping will try to reach an agreement to stave off the U.S. plans to impose tariffs of 25 percent on another $300 billion in Chinese imports.
But if the two leaders can’t come to a deal, Apple is facing a worst-case scenario that would likely force the company to increase prices for customers and even move some of its manufacturing business away from China.
Daniel Ives, an equity analyst with Wedbush Securities, described it as a “white-knuckle period” for Apple and its investors.
“There’s no gray area,” Ives said. “There’s either breakthrough, talks, and the [proposed tariff] doesn’t happen, or it starts to spiral. In that situation, it really becomes a quagmire both for Apple as well as their investors.”
Trump has initiated three other rounds of tariffs on Chinese goods since he came into office, but the latest proposal specifically targets consumer products including cameras, ink and toner cartridges, laptop computers, mobile phones and much more. The other rounds targeted technology parts and components, but this time “directly consumer-facing” items would be affected.
Apple has become a poster child for the tech industry’s battle against the escalating trade war, assuming responsibility as one of the largest and most influential companies that would take a hit if the administration greenlights the tariffs.
Last week, Apple asked the Office of the U.S. Trade Representative to exclude its products from Trump’s tariff hit list, arguing the cost would harm Apple’s ability to compete with Chinese companies such as Huawei and chip away at Apple’s ability to contribute to the U.S. economy.
“We urge you not to proceed with these tariffs,” the company concluded.
And Apple has an important leg up over other companies railing against the proposed tariffs: company CEO Tim Cook’s close ties to Trump.
Just last week, Cook met privately with the president to discuss “trade” and “U.S. investment,” among other topics, a White House spokesperson confirmed to The Hill.
THROW THE BOOK AT ‘EM: YouTube’s critics are pushing the Federal Trade Commission (FTC) to impose strict penalties for the streaming service’s handling of children’s data after it was reported the agency was in the late stages of an investigation.
Sen. (D-Mass.) and a pair of advocacy groups — the Campaign for a Commercial Free Childhood and the Center for Digital Democracy — both sent letters to the FTC on Tuesday calling for severe penalties for what they see as years of children’s privacy law violations.
“Companies of all types have strong business incentives to gather and monetize information about children,” Markey wrote. “Personal information about a child can be leveraged to hook consumers for years to come, so it is incumbent upon the FTC to enforce federal law and act as a check against the ever increasing appetite for children’s data.”
Critics had alleged that YouTube’s handling of child viewers violated the Children’s Online Privacy Protection Act’s (COPPA) restrictions on collecting data of children under 13.
Last week, The Washington Post reported that the FTC had launched an investigation after complaints from consumer groups. The paper reported that the agency was nearing the end of the probe, meaning that the two sides could be nearing a settlement; the exact status of the investigation and its scope are unclear.
A NEW ELECTION SECURITY BILL: Sens. (D-Minn.) and (D-Va.) introduced legislation on Tuesday aimed at preventing foreign nationals from purchasing political advertisements, the latest move by Senate Democrats pushing for election security legislation.
The Preventing Adversaries Internationally from Disbursing Advertising Dollars (PAID AD) Act would amend federal campaign finance laws to ban foreign nationals from purchasing ads that name a political candidate and appear on broadcast, cable, satellite or digital platforms.
The legislation would also make it illegal for a foreign government to purchase “issue advertisements” during an election year.
The senators argued that the Federal Election Campaign Act (FECA), first passed in 1972, should be expanded beyond its current “narrow” definition of what constitutes “electioneering communication.” The law currently prohibits a foreign national from contributing to political campaigns, making independent expenditures or buying electioneering communication, but the senators want it to go further.
DNA TESTING COMPANIES JUMP INTO PRIVACY DEBATE: Genetic testing companies are forming a new coalition on best practices for handling DNA information and to promote the industry in Washington as lawmakers put more scrutiny on their privacy practices.
Three companies — Ancestry, 23andMe and Helix, which provide DNA testing and analysis — formed the Coalition for Genetic Data Protection, first reported by The Hill.
“Given the high focus that data privacy has currently in Congress, it was important for companies who are doing right by their customers on data privacy make their voice heard,” said Steve Haro, a principal at Mehlman Castagnetti Rosen & Thomas, who is serving as executive director of the coalition.
Haro said the coalition would allow the industry to “let Congress know what the best practices are for protecting customers’ data and also to show their customers that they’re deserving of their trust.”
The move comes as genetic data companies are becoming increasingly popular in the U.S., with consumers turning to the tests to learn more about their family history. But the companies are also under the microscope on what they do with the vast amounts of DNA data they collect.
As of January, more than 26 million consumers have added their DNA to the four leading commercial ancestry and health databases, believed to be Ancestry, 23andMe, MyHeritage and Family Tree DNA, according to MIT Technology Review.
AN OP-ED TO CHEW ON: U.S. Postal Service: Delivering the goods
A LIGHTER CLICK: Cool, thanks for clearing that up.
NOTABLE LINKS FROM AROUND THE WEB:
Google warns its employees that Pride protests are against the company’s code of conduct. (The Verge)
Krebs on Security digs into which phone vendor is possibly responsible for supply chain attack on Google. (Krebs on Security)
FedEx sues Commerce Department over mandate to monitor shipments tied to Huawei. (Engadget)
They turn to Facebook and YouTube to find a cure for cancer — and get sucked into a world of bogus medicine. (The Washington Post)