Senate report warns of glaring cybersecurity holes at federal agencies

Several US federal agencies are unprepared to protect the personal information of everyday Americans should they become the target of a cyberattack, according to a new report put together by the Senate Homeland Security Committee. The panel found that out of eight federal bodies, including the departments of State, Transportation and Education, only Homeland Security complied with the Federal Information Security Modernization Act (FISMA), an Obama-era law Congress passed to enable the US government to better respond to online threats.

"All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege and multi-factor authentication," the report said.

As The Record points out, one of the more glaring oversights the panel found was that the State Department left thousands of employee accounts on its classified and unclassified networks active even after those individuals left the agency. In another particularly worrisome example, the Department of Agriculture had vulnerabilities on its websites that it wasn't aware of. What's more, at least seven of the eight agencies the panel audited were using outdated and unsupported IT systems, leaving them vulnerable to attacks. "It is clear that the data entrusted to these eight agencies remains at risk," the report said.

"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming," Senator Rob Portman, the panel's top Republican, said on Twitter. "It is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better."

Among other recommendations, the report highlights the need for a single agency to oversee federal cybersecurity. To that end, the panel suggests Congress update the Federal Information Security Modernization Act to make the law better reflect current cybersecurity practices and establish the Cybersecurity and Infrastructure Security Agency as the federal lead for those types of issues. It also recommends amending FISMA to require agencies to notify both CISA and, in some instances, Congress when they become entangled in a major incident.

Senate bill would create exception to Section 230 to limit health misinformation

A week after Surgeon General Dr. Vivek Murthy declared health misinformation an "urgent threat" to the US public, Senators Amy Klobuchar of Minnesota and Ben Ray Luján of New Mexico have introduced new legislation that would modify Section 230 of the 1996 Communications Decency Act to strip liability protections from technology companies if their platforms help spread misinformation during a health crisis.

If passed, the Health Misinformation Act of 2021 would create an exception to Section 230 that would see social media platforms like Facebook and Twitter "treated as the publisher or speaker of health misinformation" when their platforms algorithmically amplify misleading health content. What falls under the definition of health-related misinformation would be decided by the Secretary of Health and Human Services. The exception would only apply during a public health crisis, which the HHS Secretary would have to declare beforehand.

In establishing a rationale for the change, the bill cites a joint report from the Center for Countering Digital Hate and Anti-Vax Watch that found that as much as 73 percent of vaccine misinformation on Facebook can be linked to a group of 12 individuals known as the "disinformation dozen." White House Press Secretary Jen Psaki recently referenced that same report, saying that many of those individuals are still active on the social network.

"For far too long, online platforms have not done enough to protect the health of Americans. These are some of the biggest, richest companies in the world and they must do more to prevent the spread of deadly vaccine misinformation," Senator Klobuchar said in a statement. "The coronavirus pandemic has shown us how lethal misinformation can be and it is our responsibility to take action."

The bill's introduction also follows a recent statement made by President Joe Biden. He said platforms like Facebook were "killing people" by not doing more to stop vaccine- and health-related misinformation. "We will not be distracted by accusations which aren't supported by facts," a spokesperson for Facebook told Engadget after Biden made his comments. "The facts show that Facebook is helping save lives. Period." The president later walked back his statement, noting the people using the platform to spread their misinformation were the ones doing harm but reiterated his belief that Facebook could do more to combat what was happening.

"We have long supported common industry standards and section 230 reform," Kevin Martin, vice-president of public policy at Facebook said after the news broke. "We believe clarification on the difficult and urgent questions about health-related misinformation would be helpful and look forward to working with Congress and the industry as we consider options for reform."

Update 10:54PM ET: Added comment from Facebook.

FTC votes to fight back against right to repair restrictions

The US Federal Trade Commission has voted unanimously to tackle unlawful repair restrictions. In a policy statement published on Wednesday, the agency said it plans to devote additional resources to enforcing existing laws, such as the Magnuson-Moss Warranty Act, that protect small businesses and consumers from companies that would prevent them from fixing the products they purchased on their own. In doing so, the FTC will take a five-part approach to the problem that will involve it collecting comments and complaints from the public, as well as working more closely with state law enforcement and policymakers to update existing regulations.

"These types of restrictions can significantly raise costs for consumers, stifle innovation, close off business opportunity for independent repair shops, create unnecessary electronic waste, delay timely repairs, and undermine resiliency," recently confirmed FTC Chair Lina Khan said. "The FTC has a range of tools it can use to root out unlawful repair restrictions, and today’s policy statement would commit us to move forward on this issue with new vigor." 

The policy statement follows a July 9th executive order in which President Biden directed the FTC to tackle "unfair anti-competitive restrictions on third-party repair or self-repair of items" imposed by "powerful manufacturers" in the farming and technology industries. With Wednesday's announcement, the FTC didn't name any specific companies it will target as part of any enforcement action. However, a company like Apple is likely to be top of mind for the agency. The tech giant has consistently lobbied against state-level right to repair legislation, claiming those laws would put consumers at risk.

Right to repair advocates were quick to praise the announcement. "The FTC sets the tone for the nation’s commerce. For too long, manufacturers have been bullying consumers and driving local repair shops out of business," iFixit CEO Kyle Wiens said in a blog post the company published following the policy announcement. "This landmark new policy changes that. There’s a new sheriff in town."

White House blames China for Microsoft Exchange cyberattacks

The Biden administration isn't hesitating to blame China for a string of Microsoft Exchange cyberattacks. The White House has declared "with a high degree of confidence" that hackers linked to China's Ministry of State Security (MSS) were responsible for a digital espionage campaign using the Exchange vulnerabilities. Officials have confronted senior Chinese leadership with this and "broader" hostile online activity, the White House said.

The US further accused China of running an intelligence operation that relied on "contract hackers" who frequently launched attacks meant solely for profit, such as ransomware schemes and crypto jacking. The Chinese government's reported unwillingness to tackle these abuses is believed to hurt businesses, governments and infrastructure with "billions of dollars" in damage, the White House said.

Accordingly, the Justice Department has revealed indictments of four MSS-affiliated Chinese men for allegedly conducting an extended hacking campaign meant to steal intellectual property and trade secrets, including health research. The initiative, which ran between 2011 and 2018, reportedly saw Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong compromise computers worldwide to grab information ranging from autonomous vehicle technology and chemical formulas through to research on Ebola, AIDS and other diseases.

Biden's administration has already taken multiple actions in response to attacks, including "proactive network defense actions" like deleting backdoors on compromised Exchange servers. It added private companies to its Unified Coordination Group to bolster its security incident response. CISA, the FBI and the NSA also released an advisory outlining China's strategy for compromising US and ally networks using the Exchange holes and other methods.

This comes on top of stricter security rules for pipeline companies as well as a pilot to tackle vulnerabilities in sectors like electricity and water supply.

China has historically denied involvement in attacks like these, and it's doubtful the country will have a change of heart after this. The White House effort is more of a warning — the US will not only pin attacks on China, but respond to them in kind.

California’s upcoming open fiber network could make fast broadband more accessible

California might soon make it practical for small internet providers to deliver speedy broadband, not just well-heeled incumbents. Ars Technica reports that the state Assembly and Senate have unanimously passed legislation that will create a statewide open fiber network that promises truly fast internet access from smaller ISPs, particularly in rural or otherwise underserved areas.

The strategy will devote $3.25 billion to the construction of a "middle-mile" network that won't directly connect customers, but should make it much easier for ISPs to launch or upgrade their service. Another $2 billion will help those providers establish last-mile connections to users.

Governor Newsom has yet to sign the legislation into law, but that's considered a formality, since he has already reached agreements on the details with legislators.

The network met resistance from larger ISPs that lobbied to block the reach of the open fiber network. It might have a significant impact on internet access in the state, however. While state and federal governments have pushed for improved rural broadband coverage for years, the focus has usually been on merely offering service rather than upgrading quality. This could bring truly competitive speeds to underserved areas and ensure they can access the same services as people subscribed to major broadband companies.

Senate appoints former NSA official as head of US cybersecurity agency

A former NSA and White House official has been appointed to lead the Cybersecurity and Infrastructure Security Agency (CISA) at a time when ransomware and other kinds of cyberattacks are on the rise. The Senate has named Jen Easterly as the second person to head up the DHS agency, according to Politico. CISA provides cybersecurity tools and incident response services to government networks, and it also offers security advice to infrastructure operators and businesses.

Politico previously reported that CISA has been struggling to handle one cybercrisis after another and that the agency is understaffed and overworked. It had to face multiple intrusions in the middle of the pandemic as bad actors attacked the healthcare industry with ransomware, forcing those organizations to pay up to prevent delays that could cost lives. CISA also had to respond to the massive SolarWinds hack that the government is blaming on Russia, as well as the ransomware attacks on Colonial Pipeline, software giant Kaseya and meat supplier JBS.

Easterly doesn't only have to lead response efforts to ongoing cyberattacks; it now also falls upon her shoulders to make sure CISA gains the ability to counter new threats as they come up. Before being named as the new CISA head, Easterly spent years as the number 2 official in the NSA's counterterrorism division and was also the National Security Council's senior director for counterterrorism under former President Barack Obama.

Biden’s wide-ranging executive order covers Big Tech, net neutrality and more

The movement to get the FCC to restore net neutrality just gained some serious traction. The White House just announced that President Joe Biden will be signing a new executive order today that will establish a "whole-of-government effort to promote competition in the American economy." In other words, it's targeting anticompetitive practices across a wide range of industries, including internet services and tech.

The order contains 72 proposals and actions, among which it specifically says "the President encourages the FCC to restore Net Neutrality rules undone by the prior administration." It also asked the agency to consider limiting early termination fees and prevent internet service providers from making deals with landlords that limit tenant choices. In addition, it urged the FCC to revive the Broadband Nutrition Label that was developed under the Obama administration that would offer greater price transparency.

The order also looked at how "dominant tech firms are undermining competition and reducing innovation," and announced an administration policy of greater scrutiny of mergers. It would focus on "dominant internet platforms," especially around "the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by “free” products, and the effect on user privacy."

As part of its crackdown on Big Tech, the order called on the Federal Trade Commission to "establish rules on surveillance and the accumulation of data," along with banning "unfair methods of competition on internet marketplaces" and "anticompetitive restrictions on using independent repair shops or doing DIY repairs of your own devices and equipment."

In other industries, like banking and personal finance, the order similarly asked for more robust scrutiny of mergers. It also urged the Consumer Financial Protection Bureau (CFPB) to "issue rules allowing customers to download their banking data and take it with them."

Similar notions of price transparency, consumer rights, increased scrutiny of mergers and prevention of excessive fees were prevalent across the other industries covered. Under agriculture, for example, the order also highlighted the need to give consumers the right to repair their tractors and equipment.

Proposals for the healthcare sector include allowing for hearing aids to be sold over the counter, supporting price transparency rules, preventing surprise hospital billing and standardizing plan options in the National Health Insurance Marketplace for easier comparison shopping. In the transportation section, airlines were the focus of the suggestions. The order called for rules around greater transparency and disclosure over baggage, change and cancellation fees, as well as better guidelines on when a company must issue refunds over delayed baggage or non-working services (like in-flight WiFi or entertainment).

After the order is signed later today, the administration will have plenty of work to do to get these initiatives moving. It's not a guarantee that all the suggestions announced here will eventually happen, but it's a clear sign that the Biden team is paying attention to the issues of anticompetition, a lack of transparency in multiple industries and other unfair practices.

President Biden will order the FTC to draft ‘right to repair’ rules

After years of advocacy work, the right to repair movement in the US could soon see a significant breakthrough. According to Bloomberg, President Joe Biden will “in the coming days” direct the Federal Trade Commission (FTC) to draft new regulations to empower consumers to repair their devices on their own and at independent shops.

While there aren’t many details on the executive order just yet, it will reportedly mention phone companies as a possible target of regulation. However, farmers are expected to be the primary beneficiary. During Tuesday's White House briefing, Press Secretary Jen Psaki said the order would give them "the right to repair their own equipment how they like.” White House economic adviser Brian Deese said on Friday that the order is broadly designed to drive “greater competition in the economy, in service of lower prices for American families and higher wages for American workers.”

Over the years, states across the US have tried to pass right to repair legislation. However, companies like Caterpillar, John Deere, and Apple have consistently lobbied against those efforts, claiming they would put consumers at risk by compromising the security and safety of their devices. And to date, no state has passed legislation that makes it easier for consumers to repair their products independently. As Motherboard notes, Biden’s order will mark the first time a president has weighed in on the issue.

"Big tech has been taking advantage of consumers for too long, at the expense of local small businesses. We're very encouraged that the Biden administration is planning to use the rulemaking power of the FTC to restore competition," a spokesperson for iFixit told Engadget when we reached out to the company to ask about the order.

The move comes as support for the right to repair movement builds in other parts of the world. In 2020, the European Commission said it would introduce legislation to push manufacturers to create products that are easier to repair and reuse. That same year, the European Parliament voted to direct the Commission to develop and introduce a mandatory labeling system that assigns a reparability score to products.

We’ve reached out to the Consumer Technology Association, which represents electronics manufacturers, for comment.

Update 6:00PM ET: Added comment from iFixit.

Federal judge blocks Florida’s social media ‘deplatforming’ law

Florida's social media 'deplatforming' law that would've taken effect on Thursday has been temporarily blocked by a federal court. US District Judge Robert Hinkle has granted a preliminary injunction to stop "the parts of the legislation that are pre-empted or violate the First Amendment" from being enforced, according to AP and The New York Times. The law would give the state the right to fine social media companies like Facebook up to $250,000 a day if they ban or remove the account of a statewide political candidate. They could also be fined up to $25,000 a day for banning a local office candidate.

Florida Governor Ron DeSantis proposed the law shortly after Facebook, Instagram and Twitter banned former President Donald Trump. Republican politicians have long accused mainstream social media platforms of having an anti-conservative bias. After the bill successfully went through Florida's House and Senate, DeSantis signed it into law back in May. While the law targets the world's biggest social networks, the authors made sure Disney+ won't get caught up in it by making an exemption for theme park owners. As AP notes, the Walt Disney World located outside Orlando is one of the state's biggest employers.

The entities that filed the lawsuit to challenge the legislation were NetChoice and the Computer & Communications Industry Association — lobbying groups that represent Facebook, Google and other tech giants. Judge Hinkle explained that the plaintiffs would likely win the lawsuit on their claim that the new law violates the First Amendment if the case went to trial.

According to Hinkle:

"The legislation compels providers to host speech that violates their standards — speech they otherwise would not host — and forbids providers from speaking as they otherwise would...

The legislation now at issue was an effort to rein in social-media providers deemed too large and too liberal. Balancing the exchange of ideas among private speakers is not a legitimate governmental interest."