Ongoing Vulnerability from Foreign Technology

By CHHS Extern Kimberly Gainey

State bans on TikTok are all the rage, with Kentucky poised to join North Carolina, Wisconsin and at least 25 other states prohibiting use on state devices. The federal government recently expanded its ban, making it illegal to have TikTok on federal government devices, and nearly the entire US military has prohibited use on government-issued devices since 2020. Even if people comply with these bans (and compliance may be lacking among Department of Defense personnel, according to a recent Inspector General report), the bans may be drawing attention away from more serious, systemic vulnerabilities from foreign technology.

A recent op-ed by the CEO of CyberSheath, Eric Noonan, highlights a “pervasive and omnipresent” threat posed by China, discussing TikTok and Huawei. While not household names like TikTok, Huawei and ZTE, another Chinese telecommunications provider, should concern Americans. Huawei provides “information and communications technology (ICT) infrastructure and smart devices.” ZTE offers “wireless, wireline, services, devices and professional telecommunications services.” CNN reporting revealed that in 2012 Congress released a report advising people to view Huawei and ZTE “with suspicion,” and in 2013 Congress passed legislation preventing NASA and the departments of Justice and Commerce from purchasing information technology systems without approval from federal law enforcement. Further, in 2018 top officials from the CIA, NSA, FBI, and the Defense Intelligence Agency testified before the Senate Intelligence Committee about global terror threats including Huawei and ZTE. The 2019 National Defense Authorization Act prohibited executive agencies from using or procuring telecommunications equipment or services from Huawei or ZTE, which Huawei unsuccessfully fought in court. Huawei and ZTE attracted the attention of the Federal Communications Commission (FCC), which designated them as national security threats in 2020. That was a particularly bad year for Huawei, which was indicted for conspiring to violate the Racketeer Influenced and Corrupt Organizations Act (RICO) and conspiring to steal trade secrets from its “alleged long-running practice of using fraud and deception to misappropriate sophisticated technology from U.S. counterparts.” The following year, Huawei’s Chief Financial Officer entered into a deferred prosecution agreement (DPA) to resolve bank and wire fraud charges.

Despite these actions, Huawei represents a potential threat to sensitive military sites; CNN reported various potential threats in 2019, including: carrying out intelligence, surveillance and reconnaissance; shutting down service; sending out malign text messages; or launching a denial of service attack. Huawei’s cell phone tower technology “is widely deployed by a number of small, federally-subsidized wireless carriers . . . [and] [i]n some cases those cellular networks provide exclusive coverage to rural areas close to US military bases.” These concerns persist, and such equipment could disrupt nuclear arsenal communications. According to CNN sources, “there’s no question the Huawei equipment has the ability to intercept not only commercial cell traffic but also the highly restricted airwaves used by the military and disrupt critical US Strategic Command communications, giving the Chinese government a potential window into America’s nuclear arsenal.”

The United States’ response to this threat is the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to establish “a reimbursement program for the replacement of communications equipment or services posing [national security] risks.” The FCC received a $1.895 billion appropriation for this reimbursement program, under which small providers may apply for reimbursement for replacing covered equipment. Last July, the FCC reported a $3.08 billion funding shortfall and a plan to prorate reimbursement funding to eligible applicants in the first prioritization group, those with 2 million or fewer customers, resulting in a “pro-rata factor . . . [of] approximately 39.5% of demand.” Congress responded to the funding shortfall via the Spectrum Innovation Act of 2022 (H.R.7624), increasing funding for the Secure and Trusted Communications Networks Act from $1.9 billion to $4.98 million. The Spectrum Innovation Act passed in the House in July 2022, but stalled in the Senate Committee on Commerce, Science, and Transportation.

A few days after reporting the shortfall, the FCC announced the approved applications for the reimbursement program, citing the 2021 Supply Chain Order clarifying that the program covers communications equipment or services produced or provided by Huawei or ZTE. The FCC has drawn criticism from the Rural Wireless Association, a trade group representing many “rip and replace” program participants, for “slow progress” allocating funds. The FCC reports that, as of January 2023, just under $41 million have been approved in reimbursement claims, with participants “experiencing four main challenges in their efforts to permanently remove, replace, and dispose of covered communications equipment and services in their networks: (1) lack of funding; (2) supply chain delays; (3) labor shortages; and (4) weather-related challenges.” Perhaps if some of the political capital from the TikTok bans were applied toward Huawei and ZTE we would be able to resolve the first challenge: lack of funding.

The Thwarted Baltimore Grid Attack is a Wake-Up Call on U.S. Grid Cybersecurity

By CHHS Extern Peter Scheffel

On Monday, February 6, 2023, two individuals were arrested by the FBI on criminal complaints of conspiracy to destroy an energy facility in connection with a plot to attack multiple substations in the Baltimore area. While this physical attack (the individuals intended to shoot the targeted substations) was thwarted, it highlights a growing trend of planned and carried-out attacks on the U.S. electrical grid. One such attack occurred in December of 2022 in Washington state, where two individuals who were later arrested shot at four electrical substations in Pierce County. This event left more than 15,000 people without power. Likewise, North Carolina experienced a targeted physical attack on its energy infrastructure in December 2022 (also by way of gunfire), as individuals damaged two substations in Moore County. The North Carolina attack arguably led to the most dramatic response: because of the high number of people affected (100,000 residents in Moore County, tens of thousands of whom were left without power), schools were closed and a curfew was imposed.

Both the carried-out attacks in Washington State and North Carolina and the attempted attack in Baltimore indicate an increasing awareness by malicious actors of the U.S. power grid’s importance and its vulnerability to both physical and cyber-based attack. Thus, these attacks should serve as a harsh reminder not only of the need to increase preventative measures against physical attacks on the U.S. grid, but also of the fact that the grid remains vulnerable to cyber-attacks. In the often-hasty rush to secure the physical aspects of the grid after a physical attack, there is a danger of overlooking the cyber-related vulnerabilities, which need equal attention. As the grid continues to be modernized, and as we continue to electrify cars, replace furnaces with electric heat pumps, and connect substations to the internet, a more comprehensive preventative strategy is needed.

One of the main areas of risk is grid distribution systems, which often take the form of a pole near homes and businesses and serve as the final stage of the electrical grid, distributing electricity to homes, industry, and other end users from transmission systems (the large structures often seen beside interstates and other roads, which carry high-voltage electricity to the distribution systems). Grid distribution systems have become more vulnerable to cyberattack chiefly because they increasingly allow remote access and connections to the internet. This leaves open the potential for malicious actors to enter the system and create problems. According to the Director of National Intelligence’s 2022 Annual Threat Assessment, nation-states and criminals are the greatest cyber threats to U.S. critical infrastructure, including the electrical grid, and their capacity to attack successfully continues to increase. The U.S. Government Accountability Office (GAO) in 2021 even found that the federal government lacked sufficient awareness and understanding of the severity and scale of potential attacks on distribution systems, which are not subject to the Federal Energy Regulatory Commission (FERC). The absence of FERC regulatory authority over distribution systems results in a less cohesive strategy, which fosters an environment susceptible to exploitation at a crucial stage of energy reliance: distribution to end users. An earlier GAO report, in 2019, also highlighted the need for changes to increase cybersecurity measures within the grid. These recommendations are not yet fully implemented, leading to continued vulnerability in the grid. While it is important for FERC to prioritize the two aspects of the grid over which it has authority, generation and transmission, working with state partners is equally important to better protect distribution systems.

One stark example of the risks of an unprotected grid is the Russian-linked attacks just before Russia’s invasion of Ukraine last year. Hackers connected to Russia got incredibly close to taking out a large piece of the U.S. power grid through cyberattacks using malware during the first few weeks of Russia’s invasion of Ukraine. The attack included the use of malware called PIPEDREAM to take down up to twelve U.S. electric and liquefied natural gas sites. Had it succeeded, the result could have been devastating, including possible loss of life. In addition, such a large and successful attack on U.S. critical infrastructure could have been seen as the “9/11” of the cyber sphere, leading to sweeping changes to U.S. law and policy in response. Thankfully, these attacks were not successful (though the coalition of U.S. government and cyber industry groups which prevented the attack did not disclose how it was prevented). According to experts, this was the closest the U.S. has ever been to having its infrastructure go offline from a cyberattack.

Encouragingly, when combined with the spate of recent physical attacks, this now-disclosed attempted cyberattack on the U.S. power grid may have spurred action that could and should continue in order to prevent such attacks. As of January 2023, FERC is working towards developing new cybersecurity rules. These include the U.S. Department of Energy funding next-generation cybersecurity research and development projects, a software bill of materials (an itemized inventory, or list of ingredients, of the components that make up a piece of software) required for certain energy vendors or other grid-related services, and required disclosure of what components go into grid software. While a good start, distribution systems remain vulnerable because they are not subject to FERC authority. In order to better protect distribution systems, state legislative policy is needed. States must understand their role in protecting distribution systems and should prioritize increased grid cybersecurity within their borders. A great example of such measures comes from the state of New York, which recently adopted legislation that will require utilities to prepare for cyberattacks in their annual emergency response plans. To implement this legislation, the New York Public Service Commission was given enhanced auditing powers so that critical infrastructure and customer data would be secured. The commission is also directed under the law to provide the necessary rules and regulations, and operates under a mandate to report to elected officials, reviewing compliance and providing recommendations to the legislature on whether additional measures are needed.

Grid cybersecurity is often seen as an afterthought and becomes a response to an attack instead of a tool of prevention. As the grid continues to modernize and gain connectivity to the internet, cybersecurity must be prioritized as much as better physical fencing and concrete barriers. Should an attack such as the one Russia-affiliated hackers attempted succeed, waiting to respond will prove costly beyond monetary value alone. In order to remain resilient despite ever-growing reliance on it, the U.S. power grid must prospectively implement sound policy and continue to pursue actionable measures at both the state and federal level.

Spring 2023 CHHS Newsletter Now Available!

CHHS is proud to present the Spring 2023 edition of our newsletter.

This edition includes:

  • Director’s Message from CHHS Founder and Director Michael Greenberger
  • An overview of our recent work on cybersecurity
  • Information on CHHS externs and research assistants
  • A description of our facilitation of a variety of trainings and exercises
  • And much more!


What the FAA Ground Stoppage Reveals about Cybersecurity

By CHHS Extern Kimberly Gainey

The Federal Aviation Administration (FAA) garnered significant negative attention last month after an overnight outage of its Notice to Air Missions (NOTAM) system grounded early morning domestic flight departures for approximately 90 minutes on Wednesday, January 11, 2023. This nearly unprecedented nationwide stop in air traffic, the first in over 20 years, led to thousands of flight delays and cancellations. The FAA attributes the outage to a database file “damaged by personnel who failed to follow procedures.” Despite the FAA’s not-so-veiled attempt to place the blame on human error, public attention remains focused on outdated technology. A government source indicated that the applicable software is approximately 30 years old, with updates not planned for another six years.

Recent scrutiny echoes sentiments expressed by airlines about FAA funding constraints, staffing limits, and outdated technology. United Airlines CEO Scott Kirby indicated that the FAA needs both “more funding” and “more investment for technology.” The CEO of the US Travel Association, Geoff Freeman, described the “catastrophic system failure [a]s a clear sign that America’s transportation network desperately needs significant upgrades.”

In spite of FAA assurances that there was no evidence of a cyber attack, people were quick to question the agency’s cybersecurity. Congressman Ritchie Torres (D-NY) expressed concern regarding the “cyber vulnerabilities of the antiquated systems that undergird modern air travel” and requested a joint review by the Cybersecurity and Infrastructure Security Agency and the Department of Transportation. Transportation Secretary Pete Buttigieg welcomed attention from Congress given the upcoming FAA reauthorization bill, which will provide the agency with funding and direction for the next five years. The FAA’s budget estimate for 2023 includes the need to “eliminate the failing vintage hardware that currently supports . . . the national airspace system.” Senator Ted Cruz (R-Texas) called for Congress to “enact reforms” in the impending legislation, describing the “FAA’s inability to keep an important safety system up and running [a]s completely unacceptable and just the latest example of dysfunction within the Department of Transportation.” The House of Representatives responded, passing the NOTAM Improvement Act of 2023 “to strengthen the reliability and effectiveness of the FAA’s NOTAM system.”

This myopic focus on the NOTAM system is a missed opportunity to discuss the multifaceted nature of cybersecurity, which attempts to manage and mitigate dynamic threats across an expansive threat landscape. The FAA extols its efforts “to be increasing proactive and vigilant when it comes to cyber threats,” highlighting “a cybersecurity workforce that protects our aerospace assets” composed of “unsung heroes, because this cyber battle is being fought behind the scenes, 24/7/365.” These efforts implement a 2021 Executive Order on Improving the Nation’s Cybersecurity, requiring “agencies to enhance cybersecurity and software supply chain integrity.” However, whether the FAA’s cybersecurity actions are laudable or deficient is an open question that no one seems to be asking. The continued reactive focus on the NOTAM system involved in the ground stoppage misses a larger problem. Our leaders need to adjust their perspective and pivot to a proactive assessment of risk from older systems, which may merit updating. It is not enough to figure out what went wrong last month; we need to look for other vulnerabilities and remediate them.

Inspector General Report Highlights Department of Defense’s Questionable Cybersecurity Practices

by CHHS Extern Cat Sarudy

The Inspector General recently released a report that audited the Department of Defense’s (DoD) cybersecurity policies as they relate to the control of government-issued phones. The two biggest issues in the report were, first, that the audit revealed “that DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies,” and second, that personnel were downloading applications that “could pose operational and cybersecurity risks to DoD information and information systems.”

Part of the report focused on an investigation into the DoD’s own app store, the “Personal Use Mobile Application,” from which personnel can download apps. The finding was that employees are able to download any apps available to them from a normal app store, like Apple’s App Store, and thereby bypass any restrictions the Personal Use Mobile Application may have. While these applications are against DoD guidelines, employees were still able to download the unmanaged apps. “Managed” applications are apps that are “approved by DoD Components for official DoD business.” The next level of apps is those that are “authorized unmanaged,” which are apps that the DoD Components have authorized “for personal use on DoD devices.” Lastly, there are “unauthorized unmanaged” apps, which are “downloaded from public application stores and cannot be used to conduct official DoD business or for personal use on DoD mobile devices.”

The Inspector General report detailed a number of unauthorized apps that were downloaded onto work devices, such as dating or cryptocurrency apps. The report points out the potential danger of these apps, especially since many of them required access to a user’s location data, contacts, and photos. While the names of the apps and the number of apps found were redacted from the report, it did not shy away from hinting at the applications it found, such as “applications for the creation of short-form videos.” While the report does not name the application that creates “short form videos,” one cannot help but assume this is a reference to TikTok, an app whose most prominent feature is the ability to create and view short videos by other users. TikTok has been under fire in the US since 2020, when former President Donald Trump threatened to ban the app from US platforms. The Federal Communications Commission, the Federal Bureau of Investigation and the National Security Agency (to name a few) have all highlighted the cybersecurity risk that TikTok presents given the data it collects and China’s ability to request that data from the app’s owner, ByteDance Ltd. Further, President Joe Biden banned the use of TikTok on federal government-issued devices this past December.

Further, the Inspector General noted there were communications apps that were used by violent extremist groups and apps used to live stream crimes. The Inspector General noted that apps that are not managed by the DoD specifically “pose operational and cybersecurity risks and could result in users inadvertently revealing sensitive DoD information or introducing malware to DoD information systems.” Even where the cybersecurity implications were not blatant, the report said that the lack of a policy dealing strictly with unmanaged applications poses a risk of cyber espionage, given that applications could contain malicious code and the DoD Chief Information Officer does not require regular cybersecurity assessments of unmanaged applications.

Further, the report showed that there were personnel who had been using unmanaged and unsecured messaging applications to conduct official DoD business, which is against DoD policy. The current DoD policy is that “government-owned communication systems and equipment (including mobile devices) should be for official use and authorized purposes only.” This is problematic because when personnel use unauthorized applications, like messaging apps, the DoD loses its ability to track and retain that information. The Inspector General noted that the unmanaged apps “create(s) the opportunity for DoD personnel to conceal communications and circumvent the creation of official DoD records, sheltering them from scrutiny or oversight.” The lack of control over retaining messaging records does not come as a surprise after the still-missing text messages relating to the January 6th insurrection. The report addressed the missing messages and further reported that after the text messages could not be found, the Deputy Secretary of Defense issued a memo directing that “DoD information service providers are to capture and save the data resident on DoD-provisioned mobile devices when they are returned by their users.” However, this only protects records from managed messaging applications, meaning that any messages sent over unmanaged messaging applications cannot be retained, directly against DoD policy and federal retention laws. This is even scarier given that the Inspector General found unmanaged, unauthorized messaging applications which had “end-to-end encryption and automatic message deletion capabilities.”

While the DoD does supply training on the proper use of apps on government devices, the report found glaring holes in this training, such as the fact that the trainings do not teach users “the difference between managed, authorized unmanaged, and unauthorized unmanaged applications” or “how to identify applications approved for official DoD business.” Further, the trainings did not teach the cybersecurity risks associated with authorized unmanaged and unauthorized unmanaged applications and did not provide training on how to protect “sensitive DoD information on mobile devices.” This is perhaps one of the most shocking parts of the report, given that the most basic advice for employers is to provide cybersecurity training. While the report made specific recommendations to the DoD based on the audit, one can only hope that all other government agencies take a hard look at their internal cybersecurity practices and make the necessary changes.

Sign-Up Opens Soon: Long-Term Care Facility Tabletop Exercise!

UPDATE: Registration for this event will begin Sept. 1st, 2022. If you have any questions, please contact Trudy Henson at thenson@law.umaryland.edu. 

On Wednesday, September 21st, 2022, CHHS will host a free tabletop exercise at the University System of Maryland, Hagerstown, for long-term care facilities (LTCFs) in the Hagerstown/Washington County area. The half-day tabletop, from 8:30 a.m. to noon, will bring together LTCFs from across the community to discuss facility response measures, including topics such as evacuation, infection control, and communication. The tabletop is designed by CHHS’ HSEEP-certified COOP Program Director Eric Oddo and Public Health Program Director Trudy Henson and will be free.

Registration is free and facilities are encouraged to bring up to three staff to participate; registration is required, and space is limited. Anyone interested should contact thenson@law.umaryland.edu.

Concerns over Digital Surveillance Surge in the Wake of Overturning Roe v. Wade

By CHHS Extern Quinn Conlan 

Photo Credit: Getty Images 

Since the landmark decision Dobbs v. Jackson Women’s Health Organization was released on June 24, 2022, everyone, from Congress to the FTC to the White House, is talking about data privacy and digital surveillance. Reproductive health and wellness apps track a person’s menstruation cycle and ovulation windows as well as predict upcoming cycles. With no constitutional right to an abortion, can the data in these apps be used to prosecute a person for seeking an abortion?

Certain sensitive information is protected by law, such as private health information, which is protected by HIPAA. HIPAA, however, only protects health information that is held by a party subject to the law, including healthcare providers, insurance companies, and research labs. In the broader marketplace, health information is only protected to the extent agreed between the user and the data-gathering entity. For example, the only protection available to an app user is the app developer’s privacy policy and nothing more. (And as we’ve seen before, privacy policies can be abused by corporations, including reproductive health apps, or compromised by a cyberattack.)

With no legal protection for information given to a non-health-care-provider app (such as a period tracking app), the data collected by the app can be sold, transferred, or subpoenaed, per the privacy policy of that app’s developer or parent company. This collected data can range from what you enter voluntarily (such as the date of your last period) to information you did not willingly supply (such as your location). Legal redress for an app developer surrendering your wellness data to law enforcement is minimal or very unlikely because your health data in the app is not protected by HIPAA, and sometimes even protected health information can be subpoenaed under the right conditions.

The current landscape of protections for health data ultimately leads to the conclusion that the best way to protect your reproductive health data is to not digitize it. Free-to-use apps make their profit off of user data; consequently, that data is their most valuable asset. Beyond digital-free tracking with pen and paper, each user must assess the risk of using a period tracking app for themselves.

Some companies have introduced an “Anonymous Mode” in which the person who input the data cannot be identified by the company. Therefore, if the company is subpoenaed, it is unable to truthfully tie the data to any individual. (Though anonymized data is not as anonymous as you think.)

Other companies are relying on their jurisdiction to protect their users’ data. EU-based companies are subject to EU privacy laws, even for their US users, but this does not mean that a US subpoena would be unable to reach that app’s collected data. EU companies are subject to treaty agreements and may have to comply with US criminal investigations. Further, if the EU company uses a US-based processor, then that processor will have to comply with a criminal investigation. (See Section 6.1 of this privacy policy, for example, which states this to be the case for an EU-based company.)

Beyond the data stored within the apps themselves, there are many other ways your privacy is at risk digitally. One example is “geofencing,” where police can identify all cellphones in a given area at a given time. This poses a serious threat to people seeking an abortion because they can be geographically tracked to a clinic, health care provider, or other pro-abortion site even when they are not physically seen entering or leaving the facility. Other data, such as search engine history or unencrypted text messages (like your phone’s SMS messages), could also put a person at risk of prosecution for seeking an abortion, or even, in some States, for helping someone find safe medical resources for an abortion.

One immediate legislative solution to protect users’ data would be for Congress to pass a law that protects app users’ health and wellness data from investigation. In June, the My Body, My Data Act was introduced in Congress by Rep. Sara Jacobs of California. The bill tasks the FTC with enforcing privacy protections for reproductive and sexual health apps. Another bill introduced in June by Sen. Elizabeth Warren of Massachusetts, the Health and Location Data Protection Act, would ban the sale or transfer of health data with some limited exceptions. Until these introduced bills become law, however, health and wellness data in apps continues to be at risk of sale, transfer, or subpoena.

Surveillance concerns in the US have only intensified since Edward Snowden’s infamous leak of NSA activity in 2013, and the overturning of Roe v. Wade by the Supreme Court will be seen as yet another evolution in Americans’ fight for privacy. Privacy has continued to erode as more and more of Americans’ data is collected digitally, sometimes for no planned purpose. While this decision raises health and wellness data privacy concerns specifically, it should also act as a warning to Americans that data privacy and protection in general are paramount to upholding liberty.

The Data Privacy Implications of FTC’s Penalty Against Twitter

By CHHS Extern Quinn Conlan 

On May 25, 2022, the Federal Trade Commission (FTC) released a statement announcing a $150 million penalty against Twitter for deceptively collecting user data to sell to advertisers. This is not the first time Twitter has been in the FTC hot seat for inadequate data security. Back in March 2011, the FTC alleged that Twitter had failed to use reasonable and appropriate security measures, and failed to honor consumers’ privacy choices, in violation of FTC Act §5.

As a result, the FTC issued the “2011 Order”, an injunction prohibiting Twitter from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers” for 20 years. In other words, Twitter was not allowed to misrepresent their security systems and privacy policies. The 2011 Order also required the company to establish and maintain a comprehensive information security program, which would be assessed by an independent auditor.

The 2011 Order is legally significant. While it is a settlement, and therefore not an admission of guilt, it carries the force of law for Twitter’s future actions since the company agreed to change its practices for the next 20 years. Which brings us to the FTC settlement against Twitter today, in 2022. The FTC alleges that Twitter collected personal information from its users, including email addresses and phone numbers, claiming it was for security purposes but then discreetly sold that data to advertisers. This misrepresentation is a violation of the 2011 Order.

As a result, Twitter is settling with the FTC for $150 million in civil penalties and an extension of the injunctions first levied against it in 2011. Twitter is now required to “create and implement a privacy and security program that includes privacy risk assessments, detailed privacy reviews for new or modified products, documentation, data access controls, technical measures to monitor unauthorized access, training, and certifications.” This new program would be periodically reviewed by an independent auditor. The 2022 Settlement also requires stricter security measures to protect user data and includes a prohibition from collecting data under the guise of security but really using it for targeted advertising.

While this is certainly more accountability than has previously been exercised by the FTC, is it enough? Many criticize the FTC for punishing big corporations too rarely. Among the general criticisms, these settlements do not hold the executives responsible, the monetary penalty is merely the “cost of doing business” and the settlements do not do enough to deter future bad behavior. Additionally, no total restrictions or bars are placed on how companies can manipulate user data.

The FTC acknowledged these criticisms in its statement and argued that the $150 million civil penalty and the directive to create a privacy program will have lasting effects on how large corporations treat user data. In other words, it sets an example. It further emphasized that FTC orders are valuable because they demonstrate the government’s expectations for companies’ adherence to federal regulations. The FTC closed its statement by reiterating its commitment to improving policy over time and adapting to privacy concerns as the digital landscape continues to evolve.

While the FTC holding Twitter accountable for its abuse of users’ data for profit is a step in the right direction, there is still much to be concerned about when it comes to consumer data. FTC orders are purely reactive: while the long-term goal is a change in corporate culture, an order does not prevent data misuse before it happens. Additionally, the fact that Twitter is a repeat offender demonstrates that these FTC orders are worth breaching if Twitter can make a large enough profit margin off of the advertising sales. Due to frustration with the federal government’s inability or unwillingness to fight these large companies directly, data privacy law has moved down to the state level, with multiple bills being introduced to protect users’ privacy. Only time will tell whether agency regulations, state legislation, or federal legislation will become the foundational legal protection for user data.


Why Critical Infrastructure Sectors Should Provide Data to the Government during the CIRCIA Rulemaking Process

By CHHS Extern Jacquelyn Creitz

More than one year ago, Colonial Pipeline, America’s largest fuel pipeline, which carries 100 million gallons of fuel a day, paid a ransom of nearly $5 million in cryptocurrency. The May 2021 cyberattack that led to the ransom caused Colonial Pipeline to stop operations for 5 days, creating mass fuel shortages along the East Coast. The ransomware attack encrypted Colonial Pipeline’s data, disabling its computer network. Ultimately, Colonial Pipeline paid the ransom to the DarkSide ransomware actors in exchange for a decryption tool that should have allowed the company to regain access to its data and restart operations. However, the decryption tool was not fast enough, so Colonial Pipeline restored its networks from its own data backups, which caused the shutdown to last longer than anticipated. Due to the multi-day shutdown, Washington D.C. and 17 states issued emergency declarations, and the federal government, along with state governments and the public, acknowledged the immediate need for law to address how critical infrastructure sectors should handle cyberattacks, specifically ransomware.

Ransomware is a type of malware that encrypts the files on a victim’s devices and demands a ransom in exchange for the means to decrypt that data. According to Homeland Security and Government Affairs Committee Chairman Gary Peters (D-MI), “ransomware attacks have caused significant disruptions to daily life and impose serious economic costs.” According to the FBI’s Internet Crime Report, in 2020 there were 2,474 ransomware complaints from the American public resulting in over $29.1 million in losses. In response to the increase in ransomware attacks, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was drafted and signed by President Biden in March 2022.

Originally authored in October 2021 by Senator Peters and Senator Rob Portman (R-OH), CIRCIA is a direct response to the uptick in ransomware attacks, including the 2021 Colonial Pipeline attack. CIRCIA requires covered entities to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity “reasonably believes the incident occurred” and to report ransom payments within 24 hours after the entity makes the payment. CIRCIA also directs CISA to define “covered entities” such that the definition includes the 16 critical infrastructure sectors listed in Presidential Policy Directive/PPD-21. Since CIRCIA rulemaking by CISA is ongoing, it is likely that CIRCIA will not take effect for at least a year. In the meantime, entities should provide information as requested by the government to ensure that CISA appropriately defines covered entities and writes rules that help prevent ransomware attacks and lessen the threats they pose.

To highlight CISA’s need for entities to provide it with information, and to fully comprehend the threat of ransomware attacks, Chairman Peters held a committee hearing on June 7, 2022. The hearing’s purpose was to discuss the need for better data from industry and stakeholders, and to obtain valuable information from industry experts to assist in the quick and efficient execution of CIRCIA.

Expert witnesses at the hearing included Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology; Bill Siegel, Chief Executive Officer of Coveware; and Jacqueline Burns Koven, Head of Cyber Threat Intelligence for Chainalysis. All three witnesses applauded the new CIRCIA reporting requirements while also emphasizing the need for consistent data collection from reported ransomware attacks. They also acknowledged the unique nature of ransomware attacks: they are usually financially motivated, but they may also stem from geopolitical objectives and can pose national security risks. To combat the risks of ransomware attacks, as Ms. Stifel states, the “scope and quality of information about ransomware incidents must improve” because this “will better equip governments and stakeholders in developing [an] international strategy to reduce ransomware on a global scale.” Specifically, information obtained from entities reporting ransomware attacks is essential while CIRCIA is undergoing the rulemaking process. CISA will use this information to help create the rules and definitions for the implementation of CIRCIA.