Hillicon Valley — Industry groups want more time to report cybersecurity incidents

by Maggie Miller - 09/01/21 9:21 PM ET

Today is Wednesday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here: digital-staging.thehill.com/newsletter-signup.

Leaders from multiple key industry groups pushed for Congress to consider giving certain critical organizations a longer time period to report cybersecurity breaches as part of proposed mandatory reporting legislation.

Meanwhile, a new report tracks a concerning rise in governments worldwide shutting down the internet in the first half of 2021, while the Federal Trade Commission has banned one company from operating in the surveillance industry after labeling its app “stalkerware.”

Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.

Let’s jump in.

Clock’s ticking

The U.S. Capitol is seen from the East Front Plaza at sunset on June 7

Key industry groups on Wednesday pushed to give organizations at least three days to report cybersecurity incidents to the federal government, effectively opposing Senate legislation that would give them 24 hours to report breaches.

The industry concerns come amid bipartisan efforts in both the House and Senate to put forward legislation attempting to stem the tide of major cybersecurity incidents, such as the SolarWinds hack discovered in December.

Context: The breach of SolarWinds, carried out by Russian government-linked hackers, led to the compromise of nine federal agencies and 100 private sector groups, including cybersecurity group FireEye. The company’s decision to come forward and publicize the incident was not required by law, but cited by many officials as a key reason the larger espionage effort was uncovered.

“Cyberattacks are often complex and require sophisticated analysis to fully understand the full scope of compromise,” Ron Bushar, vice president and Global Government Chief Technology Officer at FireEye Mandiant, testified as part of prepared remarks to the House Homeland Security Committee’s cybersecurity subcommittee Wednesday.

“Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives, and redundant or contradictory information and prevent unnecessary data collection,” Bushar noted.

Competing efforts: The concerns were raised during a hearing on a new draft bill put forward by Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, and Rep. John Katko (R-N.Y.), ranking member of the full committee.

Among many provisions, the draft bill would ban the Cybersecurity and Infrastructure Security Agency (CISA) from requiring critical organizations from reporting cybersecurity breaches until at least 72 hours after the incident occurs.

In contrast, bipartisan legislation introduced in the Senate in July by almost all members of the Senate Intelligence Committee would give certain critical groups 24 hours to report a cybersecurity incident to CISA.

Read more here.

Internet shutdown advisory

State actors across the world are increasingly resorting to shutting down access to the internet, according to a new report out Wednesday.

The groups behind the report — the digital rights nonprofit Access Now and Google’s research unit Jigsaw — hope it will help bring attention to what they call a growing human rights threat.

“We wanted to share this research in part because this has become a worryingly common occurrence across the world,” Dan Keyserling, chief operating officer at Jigsaw, told The Hill.

Some background: Between 2011 — when the Egyptian government famously closed off access to the web for nearly the whole country — and 2019, intentional disruptions grew from a handful to 213 recorded cases, according to Access Now. While cases of internet shutdowns dipped to 155 in 2020, their combined duration rose 49 percent.

Access Now documented 50 internet shutdowns across 21 countries in the first five months of 2021.

Reasoning: Governments choose to disrupt access to apps, individual sites or the whole web for a variety of reasons, including perceived national security risks and stopping the spread of misinformation.

Regardless of the efficacy of shutdowns to address concerns like terrorist attacks, they have serious material effects.

EVERY BREATH YOU TAKE, EVERY MOVE YOU MAKE

The Federal Trade Commission (FTC) on Wednesday barred an app alleged to be used as “stalkerware” and banned the company’s CEO from the surveillance industry following allegations that the company had collected and shared data to enable stalking.

As part of the order from the FTC, approved unanimously by commissioners, SpyFone and its CEO Scott Zuckerman were banned from operating in the surveillance business. The FTC further ordered the company to delete data taken from user devices through the SpyFone app, including location information and information on online activities.

The FTC alleged SpyFone sold access to this information in real time, enabling stalkers, domestic abusers and other malicious individuals to follow the movements of those targeted. The FTC also raised concerns that SpyFone lacked basic cybersecurity measures, further exposing individuals with targeted devices.

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, said in a statement. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”

Read more here.

GOODBYE, WALLET

Apple announced on Wednesday that eight U.S. states have agreed to allow users to add their driver’s licenses to their digital wallets on their Apple devices.

According to the tech company’s announcement, Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma and Utah have all agreed to roll out a feature that will allow Apple users to add their driver’s license or state ID to their device’s Apple Wallet.

Arizona and Georgia will be the first states two roll out this feature.

The Apple Wallet app allows those with iPhones or Apple Watches to keep digital copies of their credit cards, loyalty cards and gift cards that can be used in lieu of the physical cards themselves.

Read more here.

BITS AND PIECES

An op-ed to chew on: Unsecure at any speed?

Lighter click: We feel personally attacked

Notable links from around the web:

Amazon, Google, Microsoft, and other tech companies are in a ‘frenzy’ to help ICE build its own data-mining tool for targeting unauthorized workers (Business Insider / Caroline Haskins)

Anti-Porn Crusaders Are Going After Twitter Next (Motherboard / Samantha Cole)

Andy Jassy overruled AWS recommendation a senior exec be fired for discrimination, sources say (Protocol / Joe Williams)

One last thing: McCarthy’s message to social media companies

House Minority Leader Kevin McCarthy (R-Calif.) says Republicans “will not forget” if telecom companies turn phone and email records over to the House committee investigating the Jan. 6 attack on the Capitol.

The comment follows the panel sending letters to 35 companies Monday asking them to preserve a number of records — something McCarthy argues “would put every American with a phone or computer in the crosshairs of a surveillance state run by Democratic politicians.”

The letters do not reveal whose information is being sought but specifically ask for the records of those involved in rallies to protest the certification of election results — a group that includes lawmakers.

Read more here.

That’s it for today, thanks for reading. Check out The Hill’s technology and cybersecurity pages for the latest news and coverage. We’ll see you Thursday.

Tags John Katko Kevin McCarthy Yvette Clarke