Welcome to The Cybersecurity 202! Back in the saddle. Thanks to Ellen and David for keeping the beat going while I was gone.
Was this forwarded to you? Sign up here.
Below: A key cyber nominee remains stalled after military holds lift, and AI-generated Russian propaganda isn’t finding an audience. First:
You can tell from the frenzy of activity this week that we’re nearing the endgame for Congress to act on renewing robust but divisive surveillance powers set to expire at year’s end.
Just look at everything happening this week on the eavesdropping program known as Section 702, which allows bulk warrantless snooping on foreign targets — an authority national security officials say is essential to defending against cyberattacks and more, but that critics worry about how it treats Americans communicating with those foreign targets:
- On Monday, two national security officials wrote a letter to key lawmakers making its case for renewal that includes some changes but not all of those favored by privacy advocates.
- On Tuesday, FBI Director Christopher A. Wray emphasized the usefulness of the program even as some lawmakers challenged him on how best to overhaul it.
- Legislation co-sponsored by the top members of the House Judiciary Committee introduced the latest of several proposals for reauthorization, this one more up the alley of civil liberties groups. Today, the panel will take up that legislation in a markup session.
- The House Intelligence Committee, meanwhile, is slated to consider its leaders’ own version of the renewal legislation.
- All the while, House and Senate leadership are trying to figure out options for a possible short-term extension.
“There is no way to replicate Section 702’s speed, reliability, specificity, and insight, and every day it helps protect Americans from a host of new and emerging threats to include weapons of mass destruction, malicious cyber activity, illicit international fentanyl trafficking, hostile state behavior from China and Russia, and more,” Carlos Felipe Uriart, assistant attorney general, and Matthew Rhoades, assistant director of national intelligence, wrote Monday to a list of lawmakers in both the House and Senate who hold power over the fate of Section 702.
- “Though perhaps less evident, the loss of Section 702 would have an equally devastating impact on the ability of U.S. diplomats to advance and promote American interests and values in the world,” wrote Brett Holmgren, the Assistant Secretary of the State Department’s Bureau of Intelligence and Research, in Semafor.
Like Uriart and Rhoades did in their letter, Wray argued before the Senate Judiciary Committee on Tuesday that the warrant requirement for querying the communications of Americans — a much-desired addition to the program for privacy hawks — would inhibit the program’s effectiveness, including on cybersecurity.
“702 allowed the FBI to alert more than 300 victims in every state and countries around the world” about a cyberattack, he testified as one example. “Many of those crucial victim notifications were made possible by our ability to conduct U.S. person queries of our existing 702 collection.”
The FBI declined to provide further information on that cyberattack.
Wray’s message was not well-received by Sen. Mike Lee (R-Utah), who evoked parallels to other warrant requirements for U.S. communications and took particular umbrage to Wray saying a warrant requirement for U.S. person queries would amount to “unilateral disarmament.”
“You have a lot of gall, sir,” Lee said. “This is disgraceful. The Fourth Amendment requires more than that and you know it.” (On the other side, 702’s boosters say warrants aren’t required for 702, and they point to a federal judge’s opinion from earlier this year on the Fourth Amendment implications.)
Senate Judiciary Chairman Richard J. Durbin (D-Ill.) left things somewhat more ambiguous on where he stood, only saying that he wouldn’t support a reauthorization of Section 702 without undescribed “significant reforms” to protect “innocent Americans from warrantless surveillance.”
The bipartisan leaders of the Senate Intelligence Committee offered legislation last week that stopped short of the warrant requirement for U.S. person queries, leaving national security officials open to the proposal but program skeptics still, well, skeptical.
Now a bill backed by the likewise-bipartisan leaders of the House Judiciary Committee is on the table, too, and that measure notably does include such a warrant requirement. It also includes provisions tied to other Fourth Amendment concerns, such as seeking to prevent feds from being able to purchase Americans’ data from tech companies without a warrant.
- “America’s intelligence community continues to conduct a warrantless, mass surveillance campaign on innocent citizens,” said lead sponsor Rep. Andy Biggs (R-Ariz.), pointing to past abuses under the existing law. “My legislation addresses numerous loopholes in federal law to end this unconstitutional practice and to ensure rogue agents are held accountable.”
Prominent privacy and civil liberties groups praised the legislation, as did Hill sponsors of an earlier, similar measure. Today, the Judiciary panel will consider what to do with the bill.
Following quickly on the House Judiciary panel’s heels, the House Intelligence Committee is slated to take up another version of the bill on Thursday. The legislation is expected to be closer to the Senate Intelligence Committee’s bill, including on how it handles warrants.
Last but not least, a short-term extension of Section 702 might be on deck while everyone undertakes the likely-messy work of trying to reconcile all these different ideas. For weeks, how such legislation might become law — Attached to a bill to prevent a federal government shutdown? Hitching a ride on the annual defense policy bill? — has been the subject of speculation and rumors (and maybe “trial balloons” to see what would be workable). The latest: A potential showdown on the House floor, Politico reports.
Foreign governments have been demanding information on users’ smartphone push notifications, Sen. Ron Wyden (D-Ore.) said in a letter to the Justice Department, as reported by Reuters’s Raphael Satter.
Most push notifications travel on Apple and Google servers. The companies are “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said. He asked the Justice Department to “repeal or modify any policies” that restricted such surveillance from being discussed publicly.
- “Wyden’s letter cited a ‘tip’ as the source of the information about the surveillance,” Satter writes. “His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.”
- Wyden’s source didn’t identify the governments that made the requests, but “described them as democracies allied to the United States,” Satter writes. “The source said they did not know how long such information had been gathered in that way.”
- In a statement to Reuters, Apple said that “In this case, the federal government prohibited us from sharing any information,” and added that “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”
- The Justice Department didn’t respond to Reuters’ requests for comment on the surveillance or whether it restricted Apple or Google from discussing it. Google didn’t respond to Reuters’ requests for comment.
Sen. Tommy Tuberville’s (R-Ala.) lift on blanket military holds announced yesterday is giving a temporary sigh of relief for key Pentagon nominations, though at least one key cyber post still faces hurdles.
The 10-month holds imposed by Tuberville in protest of the Defense Department’s abortion care policies threw a wrench on hundreds of military nominations, with a handful of them falling on cybersecurity positions.
- Reactions poured in from various lawmakers, as well as President Biden, who called the decision “long overdue” and said the delay was “pointless.”
But the lifts do not cover all nominees. Tuberville said around 10 promotions at the four-star rank would still remain held. That means Lt. Gen. Timothy Haugh, who was tapped to lead the NSA and Cybercom, appears to remain in limbo. Gen. Paul Nakasone, the incumbent, is due to leave as the longest-serving leader of Cyber Command and said he would depart as soon as Haugh gets confirmed.
- But even if rankings did not factor in, Haugh still would have faced an ongoing hold recently imposed by Sen. Ron Wyden (D-Ore.) over whether the Pentagon publicly acknowledges whether the NSA buys Americans’ location data from data brokers.
The blocks have created a pileup of lower-ranking cybersecurity nominees in both Cybercom and the NSA, as the Record’s Martin Matishak reported.
An AI-generated Kremlin propaganda campaign aimed at swaying online discourse on Russia’s war in Ukraine and other geopolitics is failing to substantially reach an audience, CyberScoop’s Elias Groll reports, citing research from Recorded Future.
As Groll writes, the Russian propaganda group dubbed “Doppelganger” appears to have “stood up a fake news outlet and used generative AI to write articles with a generally anti-Western, pro-Russian slant.”
- CyberScoop adds: “Dubbed Election Watch, the website poses as an English-language news outlet and summarizes negative news articles featuring President Joe Biden, such as his struggles to convince Congress to provide additional funding for Ukraine and his dropping levels of support among Arab Americans amid his staunch support of Israel’s military campaign against Hamas.”
Measuring the exact reach of the site is hard to do, but Recorded Future Insikt Group analyst Brian Liston said the reach of that content is “negligible.”
- Social media accounts shared and posted content from the site, but “at most we were only seeing a handful or so of views per post … and even fewer engagements,” Liston said.
Groll later adds: “While nation states are indeed embracing AI-generated content, getting that content to break through to mainstream audiences is another challenge all together. Doing so probably requires gaining traction on platforms with large audiences. But those platforms, such as Facebook, have grown more sophisticated at monitoring state-backed propaganda campaigns.”
- Meta recently said it removed thousands of Facebook accounts in what it deemed to be a Chinese foreign influence campaign that was impersonating Americans on headline-making election issues like health care and abortion.
- But as our colleagues recently reported, the company and other social platforms have stopped receiving warnings from the U.S. government on foreign influence matters as the Supreme Court is expected to decide whether the Biden administration ran afoul of the First Amendment by communicating with social media about removing posts online.
- The Intelligence and National Security Alliance convenes a discussion on AI use cases in the intelligence community at 8 a.m.
- The House Judiciary Committee considers a bill to amend warrant requirements in Section 702 of FISA at 10 a.m.
- The Atlantic Council holds a discussion on global election misinformation risks in 2024 at 3 p.m.
- The Institute of World Politics holds a seminar on cyber critical infrastructure at 6 p.m.
Thanks for reading. See you tomorrow.