Warner Raises Questions about Cybersecurity Practices Amid Breaches Involving Sensitive Biometric Data
Sep 16 2019
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and former tech entrepreneur, wrote to U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate but alarming incidents that impacted both entities and exposed Americans’ personal, permanently identifiable data. In a letter to CBP, Sen. Warner inquired about the information security practices of CBP contractors, in light of a June cyberattack that resulted in the theft of tens of thousands of facial images belonging to U.S. travelers. In a separate letter, Sen. Warner requested more information from Suprema HQ, the company that owns the web-based biometric lock system Biostar 2, which experienced a cyber incident in August, resulting in the exposure of permanently identifiable biometric data belonging to at least one million people worldwide.
“While all of the stolen information was sensitive and required protection, facial image data is especially sensitive, since such permanent personal information cannot be replaced like a password or a license plate number,” wrote Sen. Warner to Acting CBP Commissioner Mark Morgan. “It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data. Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.”
In June, CBP announced the theft of at least 100,000 traveler ID photos from a CBP subcontractor that had improperly transferred copies of these photos from CBP servers to its own company database. In addition to facial images, the cyberattack resulted in the theft of several gigabytes of data, including license plate photos, confidential agreements, hardware blueprints for security systems, and budget spreadsheets.
In the letter to CBP, Sen. Warner expressed alarm regarding the failure of federal agencies to ensure that Americans’ sensitive information is safe in the hands of contractors. He also asked CBP to provide timely answers to a series of questions regarding the information security practices of CBP contractors and subcontractors. Among these questions, Sen. Warner requested details on CBP’s third-party contractual requirements concerning database encryption, biometric data management, vulnerability management, logging data retention, and identity and access management, among other security measures.
Similarly, in his letter to Suprema HQ, Sen. Warner raised concerns about the Biostar 2 incident, which exposed permanently identifiable biometric data, including user photos.
“Unlike passwords, email addresses and phone numbers, biometric information in voices, fingerprints, and eyes are unique data that are impossible to reset. Biometric data can be used effectively for unauthorized surveillance and access to secure facilities, to steal identities, and is even valuable in developing deepfake technologies,” wrote Sen. Warner to Suprema HQ CEO James Lee. “It is my understanding that your customers use your biometric security system to provide access to secure facilities, and that the product has also been integrated into Nedap’s AEOS access control systems, which are used by at least 5,700 organizations in 83 countries, including banks and foreign law enforcement entities. Given the sensitivity of this information, it is absolutely critical that companies like yours exercise exceptional due care when collecting and securing biometric information, and when contracting with customers that collect permanent personal information.”
The Biostar 2 breach resulted in the online exposure of more than one million fingerprint records, in addition to user images, personal details, usernames and passwords, and employee security clearances. The breach also revealed that large portions of the Biostar 2 database were unprotected and unencrypted. In the letter, Sen. Warner asked Suprema HQ to list which U.S. businesses are served by the company. He also requested more information on the company’s practices regarding server security, biometric data storage security, and database encryption.
Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In May, Sen. Warner introduced bold legislation to hold credit reporting agencies accountable for data breaches. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.
Washington, D.C. – Citing the vital need for a secure U.S. industrial base, U.S. Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) have introduced bipartisan legislation to guard against attempts by the People’s Republic of China and others to undermine U.S. national security by exploiting and penetrating U.S. supply chains. The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act (S. 2316) would develop a national strategy to assess and prevent risks to critical U.S. technologies.
“Actions by the People’s Republic of China have contributed to an unfair and unsafe advantage in its technological race against the United States,” said Senator Crapo. “Through government investments and subsidies, as well as intellectual property theft of companies like Idaho’s Micron, China aims to dominate a $1.5 trillion electronics industry, which creates serious, far-reaching threats to the supply chains that support the U.S. government and military. The MICROCHIPS Act would create a coordinated whole-of-government approach to identify and prevent these efforts and others aimed at undermining or interrupting the timely and secure provision of dual-use technologies vital to our national security.”
“While there is a broad recognition of the threats to our supply chain posed by China, we still lack a coordinated, whole-of-government strategy to defend ourselves,” said Senator Warner. “As a result, U.S. companies lose billions of dollars to intellectual property theft every year, and counterfeit and compromised electronics in U.S. military, government and critical civilian platforms give China potential backdoors to compromise these systems. We need a national strategy to unify efforts across the government to protect our supply chain and our national security.”
Chinese companies export telecommunication technology equipment into software, hardware, and services used in the United States, and hope to export fifth generation technology (5G) to the U.S. that could potentially harm and expose both consumer and U.S. military information. Malicious chips or counterfeit parts could create backdoors enabling the monitoring or stealing of consumer data or cause broader system malfunctions. Even with high investments in cybersecurity, the United States remains vulnerable to advanced cyber attackers like Russia and China. A 2018 Government Accountability Office report stated that, despite multiple warnings since the early 1990s, cybersecurity has not been a focus of weapon systems acquisitions within the military community. The Department of Defense’s (DOD) continuous acquisition of weapons systems without making security a key priority could potentially lead to loss of U.S. intellectual property and technological advantage of the U.S. Armed Forces, contribute to unnecessary risks to human life and interfere with the ability of the Armed Forces to execute their missions.
The MICROCHIPS Act would address China’s practice of four major non-kinetic areas of warfare, including supply chain exploitation through supplying faulty software, hardware and components; cyber-physical attacks on U.S. systems with real-time operating deadlines, such as missiles, aircraft and electrical grids; cyber-attacks on computer systems; and bad actors gaining sensitive information. S. 2316 contains four sections with the following main components:
- Summarizes key findings of Congress regarding supply chain security;
- Directs the Director of National Intelligence, DOD and other relevant agencies to develop a plan to increase supply chain intelligence within 180 days;
- Establishes a National Supply Chain Security Center within the Office of the Director of National Intelligence to collect supply chain threat information and disseminate it to agencies with the authority to intervene; and
- Makes funds available under the Defense Production Act for federal supply chain security enhancements.
Section two of the bill was included in the House-passed version of the Intelligence Authorization Act, and the Senate adopted section four of the bill through its version of the National Defense Authorization Act.
Jul 22 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee, issued the following statement after regulators and the credit bureau Equifax reached a $700 million settlement over a 2017 data breach that compromised the personal information of more than 145 million Americans:
“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Sen. Warner is the leading sponsor along with Sen. Elizabeth Warren (D-MA) of legislation that would hold Equifax and other credit reporting agencies (CRAs) accountable for data breaches. The Data Breach Prevention and Compensation Act would provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs. Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information.
Companion legislation is sponsored in the House of Representatives by Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL).
WASHINGTON – Today the Senate Homeland Security and Governmental Affairs Committee advanced bipartisan legislation written by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-founders of the Senate Cybersecurity Caucus, to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. The bill now awaits consideration in the full Senate.
“While I’m excited about their life-changing potential, many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “Today the Committee took an important step forward to proactively address the risks posed by improperly secured IoT devices, by using the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
“I was pleased to see further action in the Senate on this important bill and I look forward to it being swiftly signed into law. The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts.”
Last week, the House of Representatives Committee on Oversight and Reform advanced companion legislation sponsored by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).
“This is an essential and bipartisan step toward improving our cybersecurity. We simply cannot allow IoT devices to become a backdoor for hackers and cybercriminals,” said Rep. Kelly. “With the House and Senate taking action, Congress is signaling that it’s past time to address the issue of unsecure devices on federal networks.”
“Every single minute of every single day, hackers are trying to steal Americans’ information. From credit card numbers, to social security numbers, our personal information is targeted by bad actors around the globe. Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought,” said Rep. Hurd. “I applaud Sens. Warner and Gardner for their hard work on moving this important, bipartisan cybersecurity bill forward in the Senate, and I’ll continue to work with Rep. Kelly and my colleagues in the House to bring this bill to the House floor.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 as passed out of Committee today would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.
Warner Introduces Amendments to Improve Military Housing & Combat Tech Threats in Annual Defense Bill
Jun 18 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) has introduced several amendments to the annual defense authorization bill, including one that would build on his legislation, Ensuring Safe Housing for Our Military Act, most of which was included in the base text, by adding additional measures to improve privatized military housing.
Following reports of health hazards in privatized military housing in bases across the Commonwealth and the country, Sen. Warner has advocated on behalf of servicemembers and their families, and recently introduced an amendment to establish an advisory group to help the Department of Defense strengthen accountability and oversight in military housing. The amendment was offered in the FY20 National Defense Authorization Act (NDAA), the legislative vehicle that provides support for our servicemembers and sets the national security priorities for the United States.
“Servicemembers and their families sacrifice so much for this country. That’s why we’ve got to make things right for military families who, too often, have been subjected to subpar and sometimes dangerous living conditions. This includes making sure that the health and well-being of our nation’s servicemembers and their families are part of our national security priorities,” said Sen. Warner.
The amendment would also require the Secretaries of the Navy, Air Force, and Army to issue standard mold assessments, remediations and procedures in their agreements with privatized housing companies. Sens. Tim Kaine (D-VA) and Dianne Feinstein (D-CA) joined Sen. Warner in introducing the amendment, which comes on the heels of Sen. Warner’s letter to Acting Secretary of Defense Patrick Shanahan, urging the Department of Defense (DoD) to establish an advisory group to address the prevalent health and environmental hazards in privatized military housing.
To protect U.S. innovation and combat technology threats, Sen. Warner filed a bipartisan amendment with Sen. Marco Rubio (R-FL) to establish an Office of Critical Technologies within the Executive Office of the President. The office would be responsible for coordinating a whole-of-government approach to protect the U.S. from state-sponsored technology theft and risks to critical supply chains. The amendment is based on the bipartisan legislation introduced by Sens. Warner and Rubio that would combat technology threats from China. Sen. Warner also introduced a bipartisan amendment with Sen. Crapo to strengthen the intelligence support to protect our supply chain from growing adversary threats.
“In the 20th century, the U.S. pioneered many groundbreaking technological advancements, and today, countries like China are using every tool in their arsenal to try to diminish U.S. leadership, set the standards for technologies like 5G, and dominate key technologies. In order to confront this challenge, the United States must push forward a coherent strategy to protect our technological edge and preserve American leadership,” continued Sen. Warner.
In a move to further defend national security and respond to emerging cyber-threats, Sen. Warner also introduced a series of amendments that would revamp the security clearance process, assess cyber threat detection and encourage the DoD to work with the Federal Communications Commission (FCC) to identify new spectrum for reallocation for 5G services.
“To ensure the U.S. can hire trusted professionals to tackle the emerging threats in cyber and technology, we must modernize our outdated security clearance system. While we’ve already seen an encouraging drop in individuals waiting on a background check, there is still more work to be done,” concluded Sen. Warner.
The security clearance reform language is based on legislation introduced by Vice Chair Warner, and unanimously approved in the Intelligence Authorization Act (IAA) for Fiscal Years 2018-2020.
Sen. Warner also introduced amendments to improve the quality of information submitted in background investigation requests, ensure DoD has the funding flexibility to perform the personnel vetting mission, and ensure the new Defense Counterintelligence and Security Agency adequately protects the millions of pieces of personally identifiable information it will hold as the government’s primary investigative service provider.
Jun 13 2019
WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), member of the Senate Select Committee on Intelligence, expressed deep concern that the Trump Administration may concede on important national security matters related to the development of fifth-generation wireless telecommunications technology (5G) in order to achieve a favorable outcome on trade negotiations. In a letter to the U.S. Department of State and the Office of the U.S. Trade Representative, the Senators underscored the threats posed by Chinese telecommunications equipment to network security, data privacy, and economic security across the globe, and emphasized the need to keep trade negotiations separate from any changes in policy concerning national security threats posed by Huawei.
“Allowing the use of Huawei equipment in U.S. telecommunications infrastructure is harmful to our national security,” the Senators wrote. “In no way should Huawei be used as a bargaining chip in trade negotiations. Instead, the U.S. should redouble our efforts to present our allies with compelling data on why the long-term network security and maintenance costs on Chinese telecommunications equipment offset any short-term cost savings.”
Sens. Warner and Rubio reiterated their support for existing U.S. efforts to convey the long-term security risks posed by Chinese telecommunications firms to allies and partners abroad. However, the Senators expressed concern that this message is being undermined by President Trump, whose Administration reversed a seven-year ban on ZTE last year in defiance of a Commerce Department recommendation, and who in late May indicated that Huawei could be included in a future trade deal. In the letter, the Senators also emphasized that any modifications of Huawei’s Temporary General License must be pursued in a risk-based way, separate from trade negotiations, and without undermining national security.
As a former telecommunications executive who introduced bipartisan legislation on 5G, Sen. Warner continues to be a leading voice on the national security risks posed by Chinese-controlled telecom companies. In December, Sens. Warner and Rubio urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in Canada’s fifth-generation network. In January, Sens. Warner and Rubio teamed up to introduce legislation to combat tech-specific, national security threats posed by foreign actors like China, and establish a whole-of-government strategy to protect the U.S. from technology theft. Additionally, Sen. Warner led legislation with Sen. Wicker to provide $700 million for rural telecommunications providers in order to offset the costs of removing equipment from vendors that pose a security threat, such as Huawei.
The full text of the letter appears below.
Dear Secretary Pompeo and Trade Representative Robert Lighthizer:
We are writing to express our deep concern that the Administration may concede on important national security matters related to Huawei Technologies, Inc. and the adoption of fifth-generation wireless telecommunications technology (5G) in order to achieve a favorable outcome in the Administration’s trade negotiations.
As Members of the Senate Select Committee on Intelligence (SSCI), we have strongly supported efforts by our diplomats, military, and intelligence personnel to persuade allies and partners around the world that Huawei and other Chinese telecommunications firms present a long-term legitimate security threat to their network security, data privacy, and economic security. As you know, Chinese telecommunications equipment poses a threat that intelligence and military officials assess will only become more acute as energy infrastructure, transportation networks and other critical functions move to 5G networks and as millions more Internet of things (IoT) devices are connected.
Despite the best efforts of our government to convince other countries to keep Huawei components out of their 5G infrastructure, our message is being undermined by concerns that we are not sincere. For example, Europeans have publicly expressed fears that the Administration will soften its position on Huawei in the United States to gain leverage in trade talks, as the Administration did in June 2018 when the seven-year ban on ZTE was reversed and a new settlement agreement reached at the urging of President Xi over the recommendation of Commerce Department leadership. The President himself reinforced these fears in late May, stating:
“Huawei is something that’s very dangerous. You look at what they’ve done from a security standpoint, from a military standpoint. It’s very dangerous. So it’s possible that Huawei even would be included in some kind of a trade deal. If we made a deal, I could imagine Huawei being possibly included in some form of or some part of a trade deal.”
Allowing the use of Huawei equipment in U.S. telecommunications infrastructure is harmful to our national security. In no way should Huawei be used as a bargaining chip in trade negotiations. Instead, the U.S. should redouble our efforts to present our allies with compelling data on why the long-term network security and maintenance costs on Chinese telecommunications equipment offset any short-term cost savings. Any modifications to Huawei’s Temporary General License must be pursued in a risk-based way, separate from any trade negotiations, and consistent with national security considerations. Successfully identifying and mitigating these security risks requires sustained coordination and alignment with our international partners, particularly the Europeans who represent key parts of the 5G supply chain, and India, which is poised to be the single-largest telecommunications market. Conflating national security concerns with levers in trade negotiations undermines this effort, and endangers American security.
We appreciate your attention to this important matter of national security and request that you keep us apprised of your efforts.
Senate Republicans Block Warner Attempt to Immediately Pass Legislation Requiring Reporting of Foreign Elections Interference
Jun 13 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, took to the Senate floor today to request immediate passage of a modified version of his Foreign Influence Reporting in Elections (FIRE) Act that would require campaigns to report to the appropriate federal authorities any contacts from foreign nationals seeking to interfere in a presidential election. Immediately after Sen. Warner requested unanimous consent, Sen. Marsha Blackburn (R-TN) objected and thereby blocked the immediate passage of this essential legislation.
Sen. Warner’s request comes on the heels of alarming comments by President Trump, who said on Wednesday that he would not alert the FBI if a foreign government tried to offer damaging information on his 2020 election opponents.
“President Trump's own FBI director and his Director of National Intelligence have said that Russia, or others, will likely be back in 2020 because their tactics in 2016 were both cheap and effective. We're now 17 months before the 2020 elections and personally, we are not prepared,” Sen. Warner said on the floor. “One of my colleagues on the other side said they don't want to re-litigate 2016. There will be other times and places to further litigate whatever happened in 2016. In terms of today, I don't want to either. I just want to make sure that we are safe from foreign intervention in 2020.”
He continued, “The mantra at our airports that the TSA and Homeland Security always try to promote is, ‘if you see something, say something.’ This is not an undue burden on our traveling public, and because of that involvement, I think airports are safer. Shouldn't we have the same de minimis standard to protect the integrity of our election system? If you see something, say something. All my legislation is requiring is if there is indications that agents of foreign governments are trying to intervene in our elections, tell law enforcement, tell the FBI.”
Sen. Warner also stressed that his legislation would not interfere with any official government activities, and urged his colleagues to work together to pass bipartisan election security legislation and to put guardrails on social media platforms like Facebook, Twitter and Google to prevent them from being used by bad actors for the widespread dissemination of misinformation.
Below are Sen. Warner’s floor remarks as originally prepared for delivery:
Mr. President, in a moment I will ask unanimous consent for the Senate to take up and pass my bill, the FIRE Act, S.1562, as amended. But before I do that, I want to address the President’s recent comments regarding foreign election interference.
We all take an oath when we get sworn into these jobs to defend the Constitution against all enemies foreign or domestic. Our own political ambitions, our partisan affiliations — that all should take a back seat to defending our democracy.
Unfortunately, this President doesn’t see it that way. His recent comments that he would once again welcome dirt on an opponent from a foreign government fly in the face of that oath.
Let me be clear. If a foreign adversary attempts to offer assistance to your campaign, you have a moral obligation to call the FBI.
And if the President, or his son-in-law, or other members of his campaign can't be trusted to do the right thing and report their foreign contacts, then we need to make it a legal requirement. That’s what this amendment is all about.
Mr. President, I am not here to re-litigate the 2016 election or second-guess the Special Counsel’s findings. This is a question of how we defend our democracy on a going-forward basis.
But I do want to recall the facts of what we learned through the Mueller investigation, as well as the Senate Intelligence Committee’s bipartisan investigation.
After two years of investigating, we now know that the Trump Campaign had a series of inappropriate and unreported contacts with the Russian government and its proxies, who were part of the Kremlin’s election interference efforts.
This should have come to light far sooner, but the Trump Campaign intentionally hid these contacts from the American people and law enforcement.
Another thing we learned through the investigation is that when then-candidate Trump made his infamous “Russia, if you’re listening” plea — on that very same day, Russian operatives began sending illegal phishing emails to members of his opponent’s campaign.
Mr. Trump’s comments this week are not trivial. These are the words of the President of the United States, spoken in the Oval Office. That still means something to the world.
And frankly, what it means here is that this President is once again giving Russia and other bad actors the greenlight to interfere in the 2020 elections.
This sends a message to the American people and foreign governments that this conduct is acceptable. Not only is this morally wrong, it also undermines the crucial counterintelligence work of our federal law enforcement agencies.
Recently, FBI Director Chris Wray testified that such attempts to offer assistance or “dirt” would be “something that the FBI would want to know about.”
He’s right. Because, the truth is, when a foreign adversary like Russia is peddling dirt on an American candidate, they are not doing it out of the goodness of their hearts. They’re trying to undermine our democracy, and the FBI is our first line of defense against that threat.
Mr. President, that is what this amendment is about — safeguarding our democracy from those who wish us harm. I ask my colleagues to take a step back, take off our Republican and Democratic hats for a minute, and support this amendment.
My bill, the FIRE Act, creates a first-of-its-kind requirement to make sure that foreign contacts during a presidential election are promptly reported to the FBI and FEC.
It would serve a vital intelligence need and make sure that all individuals involved in a presidential campaign understand both the existing law on foreign contributions and their affirmative obligation to report suspicious foreign contacts.
The FIRE Act is not about prohibiting innocent contacts or the exercise of First Amendment rights. It is about restoring Americans’ trust in the democratic process.
If a candidate is receiving or welcoming help from the Kremlin, I think the American people should have a right to know that before they head to the polls.
And in a world where campaigns are a target for foreign espionage, I think our law enforcement and counter-intelligence professionals should have the tools they need to protect the integrity of our presidential elections.
The Senate must take a stand against foreign attacks on the democratic process. This is not a Republican or Democratic issue; it is an issue of America’s national security.
And I hope the Senate can come together at this moment to send a clear message that we will defend our Democracy, even if this President won’t.
Washington, D.C. – As Congressional Republicans and Democrats continue to call on Leader McConnell to bring election security legislation up for a vote on the Senate floor, Senator Mark Warner (D-VA), the Vice Chairman of the Senate Select Committee on Intelligence, delivers this week’s Weekly Democratic Address. In the address, Warner highlights the importance of securing our elections and explains why it is critical that the Senate vote on bipartisan election security legislation. In closing, he emphasizes that the Senate must act on this issue in order to secure the 2020 elections, and cannot allow critical, bipartisan bills to protect our democracy to die in Leader McConnell’s legislative graveyard.
Senator Warner’s remarks as delivered follow:
“Hi, I’m Senator Mark Warner. I’m proud to represent Virginia in the United States Senate. I also serve as Vice Chairman of the Senate Intelligence Committee, which is conducting the only bipartisan investigation into Russia’s interference in our 2016 presidential election.
“Our intelligence community, the bipartisan Senate Intelligence Committee, and Special Counsel Robert Mueller have all concluded that Russia mounted an unprecedented attack on our democratic process. Russian intelligence conducted hacking operations against Democratic targets and then released the stolen documents to influence the election. Using an army of Internet trolls, Russia flooded social media with fake news and propaganda designed to sow discord and divide Americans through our news feeds.
“We also know that, as part of its interference campaign, the Kremlin also targeted election infrastructure in all 50 states. The Intelligence Community’s Assessment in January 2017 concluded that Russia secured and maintained access to multiple elements of U.S. state and local electoral boards. For example, in Illinois, Russian hackers were able to penetrate a voter registration database and access 90,000 voter registration records. Using spearphishing emails, Russia was able to access the network of at least one county in Florida. Now, there is no evidence that Russians were successful in changing vote totals in 2016 or in 2018 – but we can certainly expect them to try again in 2020.
“While the Department of Homeland Security has improved information-sharing with states and Congress has allocated some additional funding for election security, there is still more work to do to secure local election equipment ahead of the presidential election.
“In 2016, Russia exploited platforms like Facebook, Instagram, Twitter and YouTube to manipulate and divide Americans, to smear Hillary Clinton, and to aid Donald Trump. As we enter another presidential election cycle susceptible to foreign interference, Congress needs to put in place some commonsense guardrails on social media. We should start with the bipartisan Honest Ads Act, which I introduced, which would prevent foreign actors from purchasing online political ads, and bring much-needed transparency to the online ad ecosystem.
“There is already a bill to protect our elections systems that has strong bipartisan support. The Secure Elections Act from the last session of Congress would establish some common-sense measures to ensure the sanctity of the ballot-box.
“It would provide states with money to replace old, insecure voting machines that don’t leave a paper trail, and make sure that elections can be audited, so that Americans can have confidence in the results. It would also take several steps to improve sharing about threat information between the Department of Homeland Security, and states that administer the vote. And it would require election agencies to promptly report suspected cybersecurity incidents to proper state and federal authorities.
“The truth is, if the Secure Elections Act that was introduced last session were brought to the floor today for a vote, it would pass overwhelmingly. But the White House and Senate Republican leaders have been blocking a vote.
“Unfortunately, that’s just part of a pattern with a White House and a President that has shown no interest in tackling this problem. According to reports, the former Secretary of Homeland Security was instructed not to even raise the issue of election security with the President, and when she tried to convene a Cabinet-level meeting ahead of the 2018 midterms, the White House chief of staff nixed the idea.
“What happened in 2016 will happen again in 2020 if we are not prepared. In the face of White House inaction to secure the vote, Congress must work together to protect our democracy and reassure Americans that their votes will be counted in 2020. We cannot let election security become another tombstone in the Republican Senate’s legislative graveyard.”
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that approximately 11.9 million Quest patients may have been compromised as a result of a breach to a system used by one of Quest’s contractors.
“While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach,” Sen. Warner wrote in his letter to Stephen Rusckowski, Chairman, President and CEO of Quest Diagnostics.
Earlier this year, Sen. Warner sent letters to multiple health care associations and government agencies including the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology, seeking more information about steps being taken to reduce cyber vulnerabilities in the health care industry, which has become a growing target for cyberattackers. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside stakeholders to develop strategies that strengthen information security.
In today’s letter to Quest, Sen. Warner asked the company to provide additional information regarding the breach and the company’s processes for selecting and monitoring sub-contractors and vendors.
The full text of the letter appears below. A copy of the letter is available here.
Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
500 Plaza Drive
Secaucus, NJ 0709
Dear Mr. Rusckowski,
On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (AMCA). According to your SEC filing, between August 1st 2018 and March 30th 2019, an unauthorized user had access to American Medical Collection Agency’s systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers. A statement by AMCA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by AMCA, which took down the web payments page, and notified law enforcement.
While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach. One set of major vendor breaches in the last year was caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.
In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.
Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.
To gain a better understanding of this situation, I would appreciate answers to the following questions:
1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like AMCA are not similarly vulnerable to point of sale malware or other information security vulnerabilities?
Thank you for your attention to this important issue. I look forward to your response in the next two weeks.
Mark R. Warner
United States Senator
Va. & Md. Senators Introduce New Legislation Reforming WMATA Safety & Renewing Federal Funding Commitment to Metro
May 23 2019
WASHINGTON – Today, U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) and U.S. Sens. Ben Cardin and Chris Van Hollen (both D-MD) introduced new legislation to renew the federal funding commitment to Metro, provide critical safety reforms, and strengthen oversight of the Washington Metropolitan Area Transit Authority (WMATA).
Recognizing that the Metro system is integral to the functioning of the federal government, for the last decade Congress has allocated $150 million annually to Metro for capital expenses, with Virginia, Maryland and the District of Columbia each providing $50 million in matching funds. However, the funding – a critical part of Metro’s budget – will expire this year unless Congress acts to renew it. The Metro Safety, Accountability and Investment Act of 2019 will provide additional federal funding for Metro while also enacting key reforms to ensure that the safety and reliability of the Metro system continues to improve.
“The federal government runs on Metro. Thousands of federal workers, contractors, and military service members take Metro every day. This is an investment in the long-term safety and reliability of the Metro system,” said Sen. Warner, a member of the Committee on Banking, Housing and Urban Affairs, which has oversight over our nation’s urban transit systems. “But recent safety problems have illustrated that Metro still has work to do, which is why this money comes with some strings attached to ensure robust oversight, accountability, and meaningful safety reforms at WMATA.”
“Maintaining a safe and reliable public transit system for the seat of the federal government is a clear national priority. We recognized 10 years ago - as we do now - that providing dedicated funding for WMATA will help keep Metro on track,” said Sen. Cardin, ranking member of the Senate Environment and Public Works Transportation and Infrastructure Subcommittee. “Maryland and Virginia's Senate delegations wholeheartedly agree on the need for critical safety reforms and strengthened oversight to ensure that WMATA becomes as safe and efficient as possible.”
“This bill provides critical funding to reduce WMATA’s backlog of work, along with strict measures to ensure riders are safe on Metro. Following the death of a Virginian on Metrorail in 2015, we made it clear that major changes were needed. Since then, we passed a tough new federal safety oversight body through Congress, encouraged business and labor to work toward mutual goals, and worked with experts to provide WMATA with a roadmap for reform. But this work will only succeed if WMATA has the resources to do the turnaround job right. With this bill, we ensure that the federal government contributes its share, while also making clear that with new money comes new requirements for safety and accountability. Metro’s challenges won’t be solved overnight, but this bill will go a long way toward unlocking progress to rebuild trust with riders,” said Sen. Kaine.
“Maryland commuters and our federal workforce rely on the Metro day in and day out. This legislation reauthorizes the Federal investment in WMATA and provides much-needed funds to modernize our system. In addition to increased funding, this bill includes crucial safety improvements and oversight reforms,” said Sen. Van Hollen, a member of the Committee on Banking, Housing and Urban Affairs. “I’m proud to join my colleagues in introducing this measure as we work to ensure safe and dependable transportation throughout the region.”
The Metro Safety, Accountability and Investment Act of 2019 will renew the federal funding commitment for WMATA capital investments by reauthorizing the funding levels from the Passenger Rail Investment and Improvement Act of 2008 for an additional ten years, at an annual level of $150 million, matched by funding from Virginia, Maryland and the District of Columbia.
In addition, in exchange for key safety, oversight, and governance reforms at WMATA, the new legislation will include an additional $50 million per year in federal funding that is not subject to local match, bringing the annual federal commitment to Metro to $200 million. In order to access the additional $50 million, WMATA will be required to: grant additional powers to Metro’s Inspector General; establish task forces on track safety and bus safety; implement policy and procedures for a new capital planning process; improve the transit asset management planning process; reinforce restrictions on the activities of alternate WMATA Board members to provide more effective Board management and oversight; and prioritize the implementation of new cyber security protections and the integration of wireless services and emergency communications networks.
The bill also prohibits WMATA from using federal funds on a contract for rolling stock from any country that meets certain criteria related to illegal subsidies for state-owned enterprises. Sens. Warner, Kaine, Cardin and Van Hollen raised concerns earlier this year regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.
“The Federal City Council applauds Sens. Warner, Cardin, Kaine, and Van Hollen for their continued commitment to WMATA and to ensuring that critically needed federal funding for the system is reauthorized this year. This funding, along with the new dedicated funding that was committed by the District of Columbia, Maryland, and Virginia in 2018 is critically needed to ensure a safe, reliable, and sustainable future for Metro,” said Tony Williams, former Mayor of the District of Columbia, current CEO and Executive Director of the Federal City Council and founding member of the MetroNow Coalition. “However, it has been the longstanding position of the Federal City Council and the MetroNow coalition that in addition to funding, Metro is also in need of a better framework to guide decision-making and increase accountability at WMATA—a critical part of the solution that has been missing, until now. With comprehensive enhancements to WMATA’s Office of the Inspector General and capital planning requirements, this legislation will help to safeguard the investment being made in this vital piece of our region’s transportation infrastructure and will inspire confidence in Metro going forward.”
“Metro is critical to those who live and work here and, equally important, it benefits those who travel here to do business, interact with the federal government, and enjoy all our region has to offer,” said Jack McDougle, President & CEO of the Greater Washington Board of Trade and founding member of the MetroNow Coalition. “Every day, we welcome visitors from around the country and the world, requiring us to maintain the safest, most reliable and world-class transit system possible. That’s why we and our partners in the MetroNow coalition urge Congress to pass this legislation.”
“The Amalgamated Transit Union (ATU) fully supports the Metro Safety, Accountability and Investment Act of 2019, renewing the federal commitment for WMATA capital investments. This is long overdue and critical, as the agency’s infrastructure, which dates back to the 1970s, has been crumbling. Riders have paid the price, as service sputtered and fares skyrocketed. Workers have been unfairly blamed for service issues when the real issue has been the generations of state and local lawmakers that until recently have financially starved the system of a critical dedicated revenue source,” said ATU International President John A. Costa. “Tragically, there have been several deadly accidents that have taken the lives of passengers as well as workers. There is no safety culture at WMATA. We thank Senators Warner, Cardin, Kaine and Van Hollen for including in the bill the ATU’s proposed labor-management safety task forces – bus and rail – to develop best principles and practices through collaboration so that we can prevent future tragedies. We are also grateful that these task forces have appropriately been named after ATU members who were killed on the job – Jeanice McMillan, the operator who was killed along with 8 passengers in the 2009 Red Line train crash at Fort Totten and was called a hero by WMATA for saving countless lives, and Keith Dodson, who was struck and killed by a tractor trailer when he exited the bus he was driving after it became disabled along southbound I-395 in Arlington County in 2007.”
May 23 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and a former telecommunications executive and entrepreneur, along with Sens. Roger Wicker (R-MS), Tom Cotton (R-AR), Ed Markey (D-MA), and Dan Sullivan (R-AK), introduced legislation to establish U.S. policy for the commercial deployment and security of Fifth Generation (5G) networks. The United States 5G Leadership Act of 2019 will prioritize national security in the development of 5G by ensuring that American networks do not include equipment or services provided by Huawei, ZTE, or their affiliates. This legislation will also create a Supply Chain Security Trust Fund grant program to help rural and regional U.S. communications providers remove from their networks Chinese equipment determined to threaten national security.
“For a number of years, the federal government failed to effectively communicate the economic and national security risks of Huawei and ZTE communications equipment – and even adopted broadband grant policies that incentivized rural carriers to use this equipment because it was the cheapest around. While we’ve made enormous progress in educating the private sector of the dangers these vendors pose, we haven’t put in place policies to help resource-strapped rural carriers address and eliminate those risks. This bill ensures that on a going-forward basis we don’t make the same mistakes in allowing companies subject to extra-judicial directions of a foreign adversary to infiltrate our nation’s communications networks. And it provides significant resources to ensure that rural and regional providers can prioritize investments that eliminate this equipment from their existing networks where it poses a security threat,” said Sen. Warner. “Lastly, it builds on efforts my colleagues and I have already undertaken to engage with and educate the private sector about security risks and vulnerabilities posed to communications networks from certain foreign suppliers. We also believe this type of effort will be an important signal to international partners that we are putting resources behind this issue, and encouraging them to do the same.”
“5G networks need to be robust and secure, and not rely on equipment or services that pose a national security risk,” said Sen. Wicker. “This legislation would ensure continued American leadership in advanced wireless technology deployment. It offers relief to those providers that need to replace foreign equipment within their networks while augmenting the availability of secure 5G networks for all Americans.”
“Future U.S. security and economic prosperity will depend on 5G technology. With so much at stake, our communications infrastructure must be protected from threats posed by foreign governments and companies like Huawei,” said Sen. Cotton. “Our bill will support 5G’s deployment in the United States while defending that technology from exploitation.”
“5G wireless will revolutionize global telecommunications and connect people, information, and technology like never before. While 5G could yield enormous benefits, it also could pose significant risks if not implemented properly,” said Sen. Markey. “We have a responsibility to ensure that this next generation of telecommunications infrastructure will safely and securely connect Americans to each other and to the rest of the world.”
“We urgently need a comprehensive strategy when it comes to the very real threat that foreign actors, particularly China, pose to our communications networks,” said Sen. Sullivan. “It is clear that this problem is only going to grow with the development of next generation communications technologies without aggressive intervention. I’m pleased to partner with Chairman Wicker on this critical issue at the intersection of national security and commerce.”
Among other measures, the United States 5G Leadership Act would:
- Establish U.S. policy to promote the deployment of secure commercial 5G networks and the development of the Information and Communications Technology (ICT) sector in the U.S.
- Establish U.S. policy to identify additional spectrum for 5G, with an emphasis on promoting harmonization with global allocations.
- Establish U.S. policy that American 5G networks should not include equipment or services provided by Huawei, ZTE, or their affiliates.
- Require the Federal Communications Commission (FCC) to finalize rulemaking that would prohibit the use of Universal Service Fund subsidies to buy equipment or services from providers who pose a national security risk.
- Establish the Supply Chain Security Trust Fund grant program to help smaller U.S. communications providers remove Huawei equipment from their networks, and make available up to $700 million from future spectrum auctions for this purpose.
- Require a report on current Federal government measures to ensure the secure deployment and availability of 5G networks.
- Establish an interagency program – led by the Department of Homeland Security – to share information regarding security, risks, and vulnerabilities with U.S. communications providers and trusted suppliers.
- Prioritize funding to enhance U.S. representation at international 5G standards-setting bodies, such as the International Telecommunications Union.
“I thank Senators Wicker, Cotton, Warner, Sullivan, and Markey for introducing the United States 5G Leadership Act of 2019. This bipartisan bill will help ensure that all carriers have the information and resources necessary to address security risks while advancing US leadership in 5G. I appreciate the Senators’ leadership on this important issue and look forward to continued work with Congress to ensure access to secure wireless networks, particularly in rural America,” said Steven K. Berry, President & CEO, Competitive Carriers Association.
Sen. Warner has been a leading voice in the Senate about the national security risks posed by Chinese-controlled telecom companies. Last week, Sen. Warner spoke out in favor of the executive order banning U.S. telecommunications firms from installing foreign-made equipment that could threaten national security. He is also the lead sponsor of the Secure 5G and Beyond Act – a bill to safeguard next-gen mobile telecommunications systems and infrastructure. Additionally, earlier this year, Sen. Warner introduced bipartisan legislation to help combat tech-specific, national security threats posed by foreign actors like China. As Vice Chairman of the Senate Intelligence Committee, Sen. Warner has been leading a bipartisan effort to educate the private sector on the economic and security risks posed by Chinese companies like Huawei.
Statement of Senate Intel Vice Chair Mark R. Warner on WH Executive Order to Ban Chinese Telecom Gear
May 15 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, released the following statement after President Trump signed an executive order to ban American telecommunications firms from installing foreign-made equipment that could pose a threat to national security:
“This is a needed step, and reflects the reality that Huawei and ZTE represent a threat to the security of U.S. and allied communications networks. Under current Chinese security laws, these and other companies based in China are required to provide assistance to the Chinese state. This executive order places a great deal of authority in the Department of Commerce, which must ensure that it is implemented in a fair and responsible fashion as to not harm or stifle legitimate business activities. It should also be noted that we have yet to see a compelling strategy from this Administration on 5G, including how the Administration intends to work cooperatively with our allies and like-minded nations to ensure that international standards set for 5G reflect Western values and standards for security and privacy. Nor do we have a stated plan for replacing this equipment from existing commercial networks – a potentially multi-billion dollar effort that, if done ineptly, could have a major impact on broadband access in rural areas. A coherent, coordinated and global approach is critically needed as nations and telecom providers move to implement 5G.”
As a former telecommunications executive and entrepreneur, Sen. Warner has been a leading voice in the Senate regarding the national security risks posed by Chinese-controlled telecom companies. He is the lead sponsor of the Secure 5G and Beyond Act – legislation to require the President to ensure the security of next-gen mobile telecommunications systems and infrastructure in the United States. He also introduced a bipartisan bill in January to help combat tech-specific threats to national security posed by foreign actors like China. Additionally, Sen. Warner called on the Trump Administration last week to promote U.S. leadership and strengthen diplomatic efforts around the development of a secure 5G architecture that challenges Huawei’s monopoly over the next generation of telecoms networks.
Warner, Klobuchar, Graham Reintroduce Bipartisan, Bicameral Senate Legislation to Protect Integrity of U.S. Elections, Improve National Security
May 08 2019
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Select Committee on Intelligence and former telecommunications executive, along with Sens. Amy Klobuchar (D-MN) and Lindsey Graham (R-SC), reintroduced bicameral legislation to help prevent foreign interference in future elections and improve the transparency of online political advertisements. The Honest Ads Act will safeguard the integrity of our democracy by requiring large online platforms to maintain public records of advertisers who purchase political ads. Companion legislation is being introduced in the House of Representatives by U.S. Reps. Derek Kilmer (D-WA), Elise Stefanik (R-NY), and 24 other bipartisan cosponsors.
“In 2016, Russia waged widespread disinformation campaigns that exploited social media in an effort to attack our democracy and divide the American public. As we continue to grow increasingly dependent on a handful of very large platforms, there is no doubt in my mind that foreign adversaries will continue to follow in Russia’s footsteps, exploiting the scale, amplification, and lack of transparency of these platforms in order to undermine the strength of the United States and advance their own anti-American agendas,” Sen. Warner said. “Right now, our country needs strong defenses that help ward off shady online attacks by demanding increased transparency, which is why I’m proud to introduce the Honest Ads Act. By requiring large digital platforms to meet the same disclosure standards as broadcast, cable, and satellite ads, this legislation can help prevent foreign actors from manipulating the American public and interfering in our free and fair elections through the use of inauthentic and divisive paid ads.”
“Foreign adversaries interfered in the 2016 election and are continuing to use information warfare to try to influence our government and divide Americans. We must act now to protect our democracy and prevent this kind of interference from ever happening again,” Sen. Klobuchar said. “The goal of the Honest Ads Act is simple: to ensure that voters know who is paying to influence our political system. The bill would put in place the same rules of the road for social media platforms that currently apply to political ads sold on TV, radio, and in print regarding disclaimers and disclosures so that Americans know who is behind the ads they see online. I also want to commend Senator Graham for taking up the mantle of bipartisanship from our late friend, Senator John McCain. Protecting our elections isn’t about politics—it’s about national security and the future of our democracy. I look forward to working with him and Senator Warner to get the Honest Ads Act passed.”
“Hardening our electoral infrastructure will require a comprehensive approach and it can’t be done with a single piece of legislation,” Sen. Graham said. “I am cosponsoring this legislation because it’s clear we have to start somewhere. I am pleased to work with Senators Klobuchar and Warner to address the gaps that currently exist, particularly with regards to social media. Online platforms have made some progress but there is more to be done. Foreign interference in U.S. elections – whether Russia in the 2016 presidential election or another rogue actor in the future – poses a direct threat to our democracy. I intend to work with my colleagues on both sides of the aisle to bolster our defenses and defend the integrity of our electoral system.”
Prior to the 2016 presidential election, Russia attempted to influence the American electorate by using fake accounts to buy and place political ads on platforms such as Facebook, Twitter, and Google. Without greater transparency and disclosure requirements, foreign adversaries and bad actors copying their playbook can continue exploiting the opacity of large social media platforms.
The Honest Ads Act would improve disclosure requirements for online political advertisements by:
- Amending the definition of ‘electioneering communication’ in the Bipartisan Campaign Reform Act of 2002, to include paid internet and digital advertisements.
- Requiring digital platforms with at least 50,000,000 monthly visitors to maintain a public file of all electioneering communications purchased by a person or group who spends more than $500.00 total on ads published on their platform. This file would contain a digital copy of the advertisement, a description of the audience the advertisement targets, the number of views generated, the dates and times of publication, the rates charged, and the contact information of the purchaser.
- Requiring online platforms to make all reasonable efforts to ensure that foreign individuals and entities are not purchasing political advertisements in order to influence the American electorate.
The Honest Ads Act has the support of the Campaign Legal Center, the Alliance for Securing Democracy, the Brennan Center for Justice, Issue One, the Sunlight Foundation, the Center for American Progress, and the German Marshall Fund's Digital Innovation Democracy Initiative, as well as Facebook and Twitter.
The full text of the Honest Ads Act is available here.
Warner, Warren Reintroduce Legislation to Hold Equifax, Other Credit Reporting Agencies Accountable for Data Breaches
May 07 2019
WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA), along with Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL), reintroduced legislation today to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving sensitive consumer data. The Data Breach Prevention and Compensation Act will provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs.
“It’s been nearly two years since hackers accessed the personal information of more than 143 million Americans, yet thousands of individuals continue to grapple with the effects of this massive breach,” said Sen. Warner. “As personal data becomes more and more valuable in today’s information economy, and the scale and impact to consumers of mega-breaches increase, there needs to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information.”
“It's been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country, and this new report shows that Equifax still has a long way to fix the problem it created,” said Sen. Warren. “Our bill, which would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.”
In September 2017, Equifax announced that hackers had accessed and stolen sensitive personal information, including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers, belonging to more than 143 million Americans – a number later revised up to 145.5 million people. The breach highlighted that CRAs like Equifax retain vast amounts of data on millions of Americans but often lack adequate safeguards against hackers. Since 2013, Equifax has reported at least four separate hacks in which sensitive personal information was compromised.
The Data Breach Prevention and Compensation Act would:
- Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
- Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this bill, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans' personal information.
- Ensure a robust recovery for affected consumers by requiring the FTC to use 50% of its penalty to compensate consumers.
- Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.
- Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act.
Additionally, Sens. Warren and Warner, and Rep. Krishnamoorthi, in a new analysis of Consumer Financial Protection Bureau (CFPB) consumer complaints, revealed that consumers filed more than 52,000 complaints related to Equifax in the 18 months following the announcement of the Equifax breach – nearly double the number from the same period before the breach was announced. The report shows how Equifax continues to fail affected consumers by neglecting to provide adequate responses to consumer complaints, including by refusing to remove incorrect information from credit reports. The lawmakers also sent the report to the FTC and CFPB, requesting that the agencies take action.
The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:
"This bill requires the FTC to provide much-needed oversight of the credit bureaus for data security. It also imposes real and meaningful penalties when the credit bureaus, who hold our most sensitive financial information, fail to adequately protect that information. I commend Senator Warren, Senator Warner, and Congressmen Cummings and Krishnamoorthi for their continuing efforts to prevent another massive security failure like the Equifax data breach," said National Consumer Law Center Staff Attorney, Chi Chi Wu.
"A concrete response to a serious problem facing American consumers. The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge. We hope the Senate will move forward this important and timely effort to safeguard American consumers and Internet users," said Electronic Privacy Information Center President and Executive Director, Marc Rotenberg.
“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans. That’s why U.S. PIRG commends Senator Warner, Senator Warren, and Congressmen Cummings and Krishnamoorthi for reintroducing the Data Breach Prevention and Compensation Act. The bill provides strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data,” said U.S. PIRG Consumer Campaign Director, Mike Litt.
"Making the companies that collect and sell consumers’ personal information liable when they fail to secure it is a necessary step in ensuring our privacy rights," said Former Chief Technologist at the FTC, Ashkan Soltani.
More statements of support are available here. More information about this bill can be found here. For text of the bill, click here.
Apr 11 2019
WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the following statement regarding the arrest of Julian Assange, the founder of WikiLeaks, today in the United Kingdom:
“Julian Assange has long professed high ideals and moral superiority. Unfortunately, whatever his intentions when he started WikiLeaks, what he’s really become is a direct participant in Russian efforts to undermine the West and a dedicated accomplice in efforts to undermine American security. It is my hope that the British courts will quickly transfer him to U.S. custody so he can finally get the justice he deserves.
“I would like to thank President Moreno and the Ecuadoran government for taking the long-overdue step of withdrawing sanctuary for Mr. Assange so that he can finally face justice for his actions.”
WASHINGTON – A day ahead of the one-year anniversary of Facebook CEO Mark Zuckerberg’s congressional testimony, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) have introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns” to trick consumers into handing over their personal data.
The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.
“For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’ – deceptive interfaces and default settings, drawing on tricks of behavioral psychology, designed to undermine user autonomy and push consumers into doing things they wouldn’t otherwise do, like hand over all of their personal data to be exploited for commercial purposes,” said Sen. Warner, a former technology executive who is Vice Chairman of the Senate Select Committee on Intelligence. “Our goal is simple: to instill a little transparency in what remains a very opaque market and ensure that consumers are able to make more informed choices about how and when to share their personal information.”
Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of such actions include: a sudden interruption during the middle of a task repeating until the user agrees to consent; a deliberate obscuring of alternative choices or settings through design or other means; or the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.
The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company.
“The tech industry has gone unchecked for far too long. Bold action is needed on a wide scale to change the incentives in Silicon Valley with our well-being in mind, especially when it comes to kids,” said Jim Steyer, CEO of Common Sense. “This bill gets to the root of the issue – the use of manipulative and deceptive design features that trick kids and other users into giving up valuable and private information, and hook them into spending more time than is healthy online. Common Sense strongly supports Senators Warner and Fischer on this bipartisan effort to hold tech companies accountable for these practices that only harm consumers.”
“Dark patterns are among the least humane design techniques used by technology companies in their scramble for growth at all costs. They use these measures to offer false choices that confuse or trap users into over-sharing personal information or driving compulsive use – especially from the most vulnerable users, including kids,” said Tristan Harris, Co-Founder of the Center for Humane Technology. “A system-wide rethinking of technology policy and design is in order, so CHT fully supports Senators Warner and Fischer in this bipartisan effort to place significant constraints around the ability to deceive users online. The creation of a special standards body is especially crucial to the protection of consumers, as they keep lawmakers more up-to-date and able to iterate laws at pace with the rapid change of technology.”
“We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online,” said Fred Humphries, Corporate Vice President of U.S. Government Affairs at Microsoft. “Their legislation helps to achieve that goal and we look forward to working with them.”
“People are ensnared by ‘dark patterns’ of manipulation on the Internet every day, and ending these practices is a key part of protecting people online. We need to better understand the systems that manipulate people online, and empower users to fight back. We applaud Senator Warner and Senator Fischer for introducing this legislation to curtail these troubling practices,” said Alan Davidson, Vice President of Global Policy, Trust and Security at Mozilla.
“EPIC appreciates Senator Warner and Senator Fischer’s important work to safeguard consumer privacy,” said Caitriona Fitzgerald, Electronic Privacy Information Center (EPIC) Policy Director.
The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:
- Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
- Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
- Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
- Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.
The full bill text is available here.
Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds.
Sen. Warner is recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. In addition to the DETOUR Act, in the coming weeks and months, Sen. Warner will introduce further legislation designed to improve transparency, privacy, and accountability on social media.
Apr 08 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) was joined today by Sen. Cory Gardner (R-CO) in reintroducing bipartisan, bicameral legislation to encourage state, local, and tribal governments to strengthen their defenses against cybersecurity threats and vulnerabilities. The State Cyber Resiliency Act, which was also introduced in the House by Reps. Derek Kilmer (D-WA) and Michael McCaul (R-TX), would create and authorize the Department of Homeland Security (DHS) to run a grant program for states seeking to develop, revise or implement cyber resiliency measures—including efforts to identify, detect, protect, respond, and recover from cyber threats.
“As cyberattacks increase in frequency and gravity, we must ensure that our nation—from our local governments on up—is adequately prepared to protect public safety and combat cyber threats,” said Sen. Warner. “Nearly 70 percent of states have reported that they lack adequate funding to develop sufficient cybersecurity. This bill will aim to mitigate that need by providing grants to state and local jurisdictions so that they are better prepared to take on these emerging challenges.”
“It’s critical that our state and local governments invest in cyber preparedness and training, and I’m proud to work with Senator Warner and Representatives Kilmer and McCaul to create a grant program to help our communities with this effort,” said Sen. Gardner. “Colorado is at the forefront of our nation’s cybersecurity efforts and home to the National Cybersecurity Center in Colorado Springs. As the threat of cyber warfare intensifies, it’s important that local governments are properly prepared to deter and protect themselves from cyber-attacks.”
“America should dedicate far more attention and resources to combating cyber threats,” said Rep. Kilmer. “Cyber-attacks could threaten our election systems, municipally-owned water treatment facilities, local emergency responder networks, or other vital systems that impact our communities. With that in mind, building our cyber resiliency matters to employers, workers, local governments, consumers – and even to our national security. That’s why I’m proud to join my colleagues in introducing a bipartisan plan to give state, local, and tribal governments more tools to counter these cyber threats.”
“As our nation continues to face cyber threats, we must ensure all levels of government are prepared to combat the emerging attacks to our cyber networks and other critical infrastructure. The enactment of CISA last year was a positive step forward to recalibrate our federal posture on cybersecurity, however, more needs to be done on a state and local level. Despite playing a vital role in protecting our nation against cyber-attacks, state governments often do not have the vital resources they need to strengthen their cybersecurity capabilities or retain or recruit seasoned cybersecurity professionals,” said Rep. McCaul. “As a co-chair of the House Congressional Cybersecurity Caucus, I will continue to think holistically about protecting our networks on a federal, state, and local level. I am proud to join Senators Warner and Gardner, along with Congressman Kilmer, in introducing the State Cyber Resiliency Act to aid state and local governments with a new grant program to enhance their cyber defenses.”
A 2018 survey by Deloitte-National Association recently found that most state cyber budgets are inadequate, with most states allocating between zero and three percent of their overall IT budget for cybersecurity purposes. Additionally, the survey found that budget and staffing remain top barriers to an effective cyber strategy, with nearly half of all states lacking a cybersecurity budget line item, and 28 percent pointing to an inadequate availability of cybersecurity professionals as a “top barrier.” In the past year, hackers have attacked a number of local governments in states such as Colorado, Georgia, Maryland and Pennsylvania. These serious cyberattacks have cost taxpayers millions of dollars and have wreaked havoc on essential local government processes.
The State Cyber Resiliency Act also addresses the nation’s cybersecurity workforce talent gap by ensuring that participating states enhance recruitment and retention efforts. Currently, there are more than 313,000 cybersecurity job openings nationwide, including 33,500 in Virginia, 24,800 in Texas, 10,200 in Colorado, and 6,300 in Washington.
Sen. Warner, along with Sen. Gardner, is the co-founder of the bipartisan Senate Cybersecurity Caucus, and recently introduced legislation to better protect customers, increase transparency for investors, and ensure public companies prioritize cybersecurity and data privacy. He also urged the Trump Administration in February to ensure the protection of critical electricity infrastructure and consider a federal government ban on the use of Huawei inverters in the United States.
The full text of the bill is available here.
After Arrest Of Chinese National With Malware In Hand At Mar-A-Lago, Senators Warner, Schumer, and Feinstein Urge FBI To Immediately Assess National Security Risks At Trump Properties
Apr 03 2019
Washington, D.C.— Following reports of the arrest of Chinese national Yujin Zhang, who was apprehended by Secret Service after making false statements to enter Mar-a-Lago while carrying a thumb drive containing malware, Senate Democratic Leader Chuck Schumer (D-NY), Senate Committee on the Judiciary Ranking Member Dianne Feinstein (D-CA), and Senate Select Committee on Intelligence Vice Chairman Mark Warner (D-VA) today urged FBI Director Christopher Wray to assess the risks at Mar-a-Lago in light of the security vulnerabilities exposed by this latest incident. The senators asked the FBI to determine the steps needed to detect and deter adversary governments or their agents from attempting to gain access to or conduct electronic surveillance or acquire material at Mar-a-Lago or President Trump’s other properties.
According to reports, Ms. Zhang stated that she was invited to attend a non-existent event by an associate of Li “Cindy” Yang, who senior members of the congressional intelligence and judiciary committees recently asked the FBI to criminally investigate, given the credible allegations of potential human trafficking, unlawful foreign lobbying and other activities by Ms. Yang, and to assess the risks or related concerns associated with any interactions between her and the president. So far, the FBI has failed to respond. Today’s letter requests answers to the intelligence and judiciary committees’ previous letter and an assessment of the security vulnerabilities exposed by this latest incident involving Yujin Zhang.
The Senators’ letter can be found here and below:
April 3, 2019
The Honorable Christopher Wray
Federal Bureau of Investigation
935 Pennsylvania Avenue, NW
Washington, DC 20535
Dear Director Wray:
We write regarding the arrest of Yujin Zhang, a Chinese national who was apprehended by Secret Service after she allegedly made false statements to bypass security at Mar-a-Lago while carrying multiple electronic devices and a thumb drive containing malicious malware.
According to the information provided in the criminal complaint filed in the U.S. District Court for the Southern District of Florida, Ms. Zhang was allowed access to the property after security staff employed at Mar-a-Lago believed her to be a relative of a member of the club. After she passed into a restricted area and was eventually questioned by a receptionist, Ms. Zhang stated that she had been invited to Mar-a-Lago to attend a non-existent United Nations Chinese American Association event by an apparent associate of Li “Cindy” Yang, who had reportedly promoted events at the club on Chinese-language social media.
On March 15th, senior members of the congressional intelligence and judiciary committees asked the Federal Bureau of Investigation to conduct criminal and counterintelligence investigations into credible allegations of potential human trafficking, unlawful foreign lobbying and other activities by Ms. Yang as well as an assessment of the risks or related concerns associated with any interactions between her and the President. While this request came after Ms. Yang was photographed with the President and reports that she created a business that attempted to sell access to the President and his family to clients in China, Congress has not yet received a response.
This latest incident raises very serious questions regarding security vulnerabilities at Mar-a-Lago, which foreign intelligence services have reportedly targeted. The apparent ease with which Ms. Zhang gained access to the facility during the President’s weekend visit raises concerns about the system for screening visitors, including the reliance on determinations made by Mar-a-Lago employees. As the White House Communications Agency and Secret Service coordinate to establish several secure areas at Mar-a-Lago for handling classified information when the President travels there, these potential vulnerabilities have serious national security implications.
Accordingly, we ask that the FBI, in consultation with the Director of National Intelligence, assess the risks at Mar-a-Lago posed by establishment of areas for classified information at a facility accessible to the public and foreign nationals. We also ask that you determine, in consultation with the Secret Service, the steps needed to detect and deter adversary governments or their agents from attempting to gain access to or conduct electronic surveillance or acquire material at Mar-a-Lago or President Trump’s other properties.
Thank you for your attention to this important matter. We ask that you provide Congress with a written response to this letter as well as the questions related to Ms. Yang that were enumerated in the March 15th letter without delay.
Senate Democratic Leader Chuck Schumer (D-NY)
Senate Committee on the Judiciary Ranking Member Dianne Feinstein (D-CA)
Senate Select Committee on Intelligence Vice Chairman Mark Warner (D-VA)
cc: The Honorable Dan Coats
Director of National Intelligence
The Honorable Randolph D. Alles
Director, U.S. Secret Service
Ranking Members Warner, Klobuchar, Reed, and Peters Press Election Equipment Manufacturers on Security
Mar 27 2019
WASHINGTON – U.S. Senator Mark R. Warner, Vice Chairman of the Senate Intelligence Committee and a member of the Senate Rules Committee with oversight jurisdiction over federal elections, joined his colleagues in sending a letter to the country’s three largest election system vendors with questions to help inform the best way to move forward to strengthen the security of our voting machines. In the U.S., the three largest election equipment vendors—Election Systems & Software, LLC; Dominion Voting Systems, Inc.; and Hart InterCivic, Inc.—provide the voting machines and software used by ninety-two percent of the eligible voting population. However, voting and cybersecurity experts have begun to call attention to the lack of competition in the election vendor marketplace and the need for scrutiny by regulators as these vendors continue to produce poor technology, like machines that lack paper ballots or auditability.
The letter was signed by Senator Mark Warner (D-VA), Vice Chairman of the Senate Intelligence Committee, Senator Amy Klobuchar (D-MN), Ranking Member of the Rules Committee, Senator Jack Reed (D-RI), Ranking Member of the Senate Armed Services Committee, and Senator Gary Peters (D-MI), Ranking Member of the Senate Homeland Security Committee.
“The integrity of our elections remains under serious threat. Our nation’s intelligence agencies continue to raise the alarm that foreign adversaries are actively trying to undermine our system of democracy, and will target the 2020 elections as they did the 2016 and 2018 elections,” the senators wrote. “The integrity of our elections is directly tied to the machines we vote on – the products that you make. Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.”
The full text of the letter is below:
March 26, 2019
Mr. Phillip Braithwaite
President and Chief Executive Officer
Hart InterCivic, Inc.
Mr. Tom Burt
President and Chief Executive Officer
Election Systems & Software, LLC
Mr. John Poulos
President and Chief Executive Officer
Dominion Voting Systems
Dear Mr. Braithwaite, Mr. Burt, and Mr. Poulos:
We write to request information about the security of the voting systems your companies manufacture and service.
The integrity of our elections remains under serious threat. Our nation’s intelligence agencies continue to raise the alarm that foreign adversaries are actively trying to undermine our system of democracy, and will target the 2020 elections as they did the 2016 and 2018 elections. Following the attack on our election systems in 2016, the Department of Homeland Security (DHS) designated election infrastructure as critical infrastructure in order to protect our democracy from future attacks and we have taken important steps to prioritize election security. We appreciate the work that your companies have done in helping to set up the Sector Coordinating Council (SCC) for the Election Infrastructure Subsector.
Despite the progress that has been made, election security experts and federal and state government officials continue to warn that more must be done to fortify our election systems. Of particular concern is the fact that many of the machines that Americans use to vote have not been meaningfully updated in nearly two decades. Although each of your companies has a combination of older legacy machines and newer systems, vulnerabilities in each present a problem for the security of our democracy and they must be addressed.
On February 15, the Election Assistance Commission’s (EAC) Commissioners unanimously voted to publish the proposed Voluntary Voting System Guidelines 2.0 (VVSG) Principles and Guidelines in the Federal Register for a 90 day public comment period. As you know, this begins the long-awaited process of updating the Principles and Guidelines that inform testing and certification associated with functionality, accessibility, accuracy, auditability, and security. The VVSG have not been comprehensively updated since 2005 – before the iPhone was invented – and unfortunately, experts predict that updated guidelines will not be completed in time to have an impact on the 2020 elections. While the timeline for completing VVSG 2.0 is frustrating, these guidelines are voluntary and they establish a baseline – not a ceiling – for voting equipment. Furthermore, VVSG 1.1 has been available for testing since 2015.
In other words, the fact that VVSG 2.0 remains a work in progress is not an excuse for the fact that our voting equipment has not kept pace both with technological innovation and mounting cyber threats. There is a consensus among cybersecurity experts regarding the fact that voter-verifiable paper ballots and the ability to conduct a reliable audit are basic necessities for a reliable voting system. Despite this, each of your companies continues to produce some machines without paper ballots. The fact that you continue to manufacture and sell outdated products is a sign that the marketplace for election equipment is broken. These issues combined with the technical vulnerabilities facing our election machines explain why the Department of Defense’s Defense Advanced Research Projects Agency (DARPA) is reportedly working to develop an open source voting machine that would be secure and allow people to ensure their votes were tallied correctly.
As the three largest election equipment vendors, your companies provide voting machines and software used by 92 percent of the eligible voting population in the U.S. This market concentration is one factor among many that could be contributing to the lack of innovation in election equipment. The integrity of our elections is directly tied to the machines we vote on – the products that you make. Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.
In order to help improve our understanding of your businesses and the integrity of our election systems, we respectfully request answers to the following questions by April 9, 2019:
- What specific steps are you taking to strengthen election security ahead of 2020? How can Congress and the federal government support these actions?
- What additional information is necessary regarding VVSG 2.0 in order for your companies to begin developing systems that comply with the new guidelines?
- Do you anticipate producing systems that will be tested for compliance with VVSG 1.1? Why or why not?
- What steps, if any, are you taking to enhance the security of your oldest legacy systems in the field, many of which have not been meaningfully updated (if at all) in over a decade?
- How do EAC certification requirements and the certification process affect your ability to create new election systems and to regularly update your election systems?
- Do you support federal efforts to require the use of hand-marked paper ballots for most voters in federal elections? Why or why not?
- How are you working to ensure that your voting systems are compatible with the EAC’s ballot design guidelines (i.e. “Effective Designs for the Administration of Federal Elections”)?
- Experts have raised significant concerns about the risks of ballot marking machines that store voter choice information in non-transparent forms that cannot be reviewed by voters (i.e. such as barcodes or QR codes), noting that errors in the printed vote record could potentially evade detection by voters. Do you currently sell any machines whose paper records do not permit voters to review the same information that the voting system uses for tabulation? If so, do you believe this practice is secure enough to be used in the 2020 election cycle?
- Do you make voting systems with Cast Vote Records (CVRs) that can be reliably connected to specific unique ballots, while also maintaining voter privacy? If not, why not? Does your company make voting systems that allow for a machine-readable data export of these CVRs in a format that is presentation-agnostic (such as JSON) and can be reliably parsed without substantial technical effort? If not, why not?
- Would you support federal legislation requiring expanded use of routine post-election audits, such as risk-limiting audits, in federal elections? Why or why not?
- What portion of your revenue is invested into research and development to produce better and more cost effective voting equipment?
- Congress is currently working on legislation to establish information sharing procedures for vendors regarding security threats. How does your company currently define a reportable cyber-incident and what protocols are in place to report incidents to government officials?
- What steps are you taking to improve supply chain security? To the extent your machines operate using custom, non-commodity hardware, what measures are you taking to ensure that the supply chains for your custom hardware components are monitored and secure?
- Do you employ a full-time cybersecurity expert whose role is fully dedicated to improving the security of your systems? If so, how long have they been on staff, and what title and authority do they have within your company? Do you conduct background checks on potential employees who would be involved in building and servicing election systems?
- Does your company operate, or plan to operate, a vulnerability disclosure program that authorizes good-faith security research and testing of your systems, and provides a clear reporting mechanism when vulnerabilities are discovered? If not, what makes it difficult for your company to do so, and how can Congress and the federal government help make it less difficult?
- How will DARPA’s work impact how your company develops and manufactures voting machines?
We look forward to your answers to these questions, and thank you for your efforts to work with us and with state election officials around the country to improve the security of our nation’s elections.
WASHINGTON – U.S. Senator John Cornyn (R-TX), along with Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Mark Warner (D-VA), introduced the Secure 5G and Beyond Act. This legislation would require the President to develop a strategy to ensure the security of next-gen mobile telecommunications systems and infrastructure in the United States, as well as to assist allies in maximizing the security of their systems, infrastructure, and software. Senators Susan Collins (R-ME), Tom Cotton (R-AR), Marco Rubio (R-FL), and Michael Bennet (D-CO) are original cosponsors.
“Our telecom systems continue to advance at a rapid rate, and it’s critical that we develop a strategy to protect potential vulnerabilities from being exploited by our adversaries,” said Sen. Cornyn. “I’m proud to partner with my colleagues on this legislation to ensure we can defend our national security interests as we develop future technologies.”
“It’s imperative we not only understand the revolutionary value of next-gen communications, but also the security measures required to ensure the deployment of safe and secure 5G networks,” said Sen. Burr. “I’m proud to work with my colleagues on this important legislation, which will bring together a variety of industry experts, further protect Americans’ privacy rights, and better equip our nation with a comprehensive strategy as we continue to be a global leader in technology.”
“5G promises to usher in a new wave of innovations, products, and services. At the same time, the greater complexity, density, and speed of 5G networks relative to traditional communications networks will make securing these networks exponentially harder and more complex,” Sen. Warner said. “It’s imperative that we have a coherent strategy, led by the President, to harness the advantages of 5G in a way that understands – and addresses – the risks.”
Background on the Secure 5G and Beyond Act:
- Requires the President to create an inter-agency strategy to secure 5th generation and future generation technology and infrastructure in the United States and with our strategic allies.
- Designates NTIA as the Executive Agent to coordinate implementation of the strategy in coordination with: the Chairman of the FCC, the Secretary of Homeland Security, the Director of National Intelligence, the Attorney General, and the Secretary of Defense.
- Ensures that the strategy does not include a recommendation to nationalize 5th generation deployment or future generations of mobile telecommunications infrastructure in the United States.
Bipartisan Legislation to Improve Cybersecurity of Internet-of-Things Devices Introduced in Senate & House
Mar 11 2019
WASHINGTON – Bipartisan legislation to improve the cybersecurity of Internet-connected devices will be introduced today in the Senate and the House of Representatives. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements.
The legislation is being introduced in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT), while Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) are introducing companion legislation in the House of Representatives.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation’s cybersecurity defenses.”
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” said Rep. Kelly. “It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives. This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought,” said Rep. Hurd, former computer science major, cybersecurity entrepreneur and Chair of the House Subcommittee on Information Technology. “This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”
“With everything from LED lights to thermostats connected to the internet, we need to act swiftly to step up security for ‘internet of things’ devices to prevent hackers from disrupting our economy and threatening public safety,” Sen. Hassan said. “By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of Granite Staters and Americans.”
“As the Internet of Things landscape grows – we must ensure that Montanan’s information is safe and the security of our critical infrastructure is protected,” said Sen. Daines. “This bill helps establish proper safeguards that balance the need to protect Montanan’s privacy and our national security with the growing tech economy and high-paying jobs it provides.”
The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers.
At a hearing of the Senate Armed Services Committee last year, the Director of the Defense Intelligence Agency, Lt. General Robert Ashley, described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security.” Last May, the Departments of Commerce and Homeland Security published a report highlighting the IoT market forces that reward low-price and convenience at the expense of security. The signature recommendation of the May 2018 report was that the Federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT. The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
“BSA applauds Senators Warner and Gardner for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation,” said Tommy Ross, Senior Policy Director, BSA | The Software Alliance. “As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.”
“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, and spill over to people who aren't the purchasers. This bill leverages the government procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ basic security measures in their products,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society.
“Insecure and unsecured IoT devices are a risk we must address, and it will only happen if the government and the private sector both step up. I'm glad that Senators Warner and Gardner and Representatives Kelly and Hurd are continuing to push this issue,” said Jeff Greene, Vice President of Global Government Affairs & Policy at Symantec.
“Weak IoT security with little oversight puts the American public at risk, particularly as these devices become more and more common in our offices and in our homes. We need a coordinated approach. Empowering NIST to set standards for the development and management of these devices, as the IoT Cybersecurity Improvement Act of 2019 proposes, will help secure the sensitive data held by the government and the private information shared within our homes,” said Alan Davidson, Vice President of Global Policy, Trust, and Security at Mozilla.
“The proliferation of insecure Internet-connected devices presents an enormous security challenge. The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government.
“Cloudflare applauds Senators Warner and Gardner, Representatives Kelly and Hurd, and their cosponsors for their continued efforts to address the risks posed by improperly secured IoT devices with the introduction of this latest bill. Using the government procurement process to encourage security research and innovation will make the U.S. Government a leader in this area, and should open up a robust discussion of these issues. Cloudflare looks forward to continuing to work with them as this bill moves forward,” said Doug Kramer, General Counsel, Cloudflare Inc.
“IoT device insecurity is a serious problem that needs to be addressed. Although much must be done to address this problem, the longest journey begins with a single step—and this bill is just such a step in moving the ball forward on IoT security for government procurements,” said Dr. Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University.
"Billions of devices connect our world and in the coming years we will see billions more. Each device adds to an expanding and elastic attack surface that creates a massive gap in the ability to truly understand cyber risk at any given time. The Internet of Things (IoT) Cybersecurity Improvement Act, introduced by Representatives Robyn Kelly (D-IL) and Will Hurd (R-TX), tasks NIST with developing security guidelines to address critical vulnerabilities in the development of IoT devices that the federal government purchases. This legislation will help the government better manage its cyber risks, and provide a strong example for other organizations. We also strongly support the call for NIST to develop a report that addresses Cyber Exposure considerations related to the increasing convergence of IT, IoT, and OT devices, networks and systems, as the modern enterprise must manage risk across all these environments," said James Hayes, Vice President of Global Government Affairs at Tenable.
“We applaud Senators Warner and Gardner and Representatives Kelly and Hurd for introducing the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The wireless industry is committed to ensuring the security of IoT devices and we look forward to working with the sponsors of the legislation on policies that will help protect consumers,” said Kelly Cole, Senior Vice President for Government Affairs at CTIA.
Similar legislation was previously introduced in the 115th Congress.
Sen. Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of October’s devastating DDoS attack on the nation’s internet infrastructure by the Mirai botnet, Sen. Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices. Sen. Warner also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.
Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet of Things (IoT).
Bill text is available here.
Warner, Rubio Ask Intelligence Community for Public Report Detailing Chinese Participation in 5G Standard-Setting
Mar 01 2019
Washington – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), a member of the Senate Select Committee on Intelligence, urged Director of National Intelligence Dan Coats to issue a comprehensive and unclassified report on China’s participation in the international standard-setting bodies (ISSBs) for fifth-generation wireless telecommunications technologies (5G). This report would allow companies in the U.S. to fully assess any existing threats to fair competition and push back against them.
“In 2012, the House Permanent Select Committee on Intelligence’s study on Huawei and ZTE drew attention globally to the security concerns associated with certain Chinese telecommunication and information technology companies,” wrote the Senators. “Similarly, we believe Chinese influence in our ISSBs is not fully appreciated, and the IC can play an essential role in filling the publicly available information gap—a necessary first step to countering this trend.”
American companies do not currently have access to crucial information regarding China’s alleged use of political influence in ISSBs or other anti-competitive practices, such as the state-directed coordination of large Chinese telecommunications firms. These practices can undermine fair competition, hinder the ability of U.S. companies to sell and scale their technologies, and raise serious economic and security concerns for U.S. networks and future generations of wireless technologies.
Prompted by a series of anecdotal concerns raised to the Senate Select Committee on Intelligence (SSCI) regarding China’s attempt to politically influence the ISSBs, the Senators urged Director Coats to issue a report detailing:
1. Overall trends in the ISSBs over the past decade and the implications of politicization of ISSBs;
2. Specific examples of attempts by China and other foreign adversaries to exert pressure or political influence within the ISSBs or at major telecommunication conferences to secure standards that are favorable to Chinese companies and patent holders, or that might introduce deficiencies into 5G networks; and,
3. How Chinese-led standards for 5G technologies will affect U.S. economic and security interests, including efforts by U.S. companies to sell and scale its technologies, the ability of the U.S. to position itself for future generations of wireless technology, and to protect against cyber intrusions and security vulnerabilities.
They concluded, “We hope that this report will be part of an ongoing effort to share more timely and relevant information with U.S. companies and our allies. The U.S. cannot tackle this issue alone and must work closely with our international partners—including the European Union, Great Britain, Korea, Japan, Australia, New Zealand, and Canada—on how we may collectively strengthen security standards, supply chain management, and market share of critical technologies. To the greatest extent possible, we urge the IC to declassify relevant information.”
Sens. Warner and Rubio are the lead sponsors of bipartisan legislation to help combat tech-specific threats to national security posed by foreign actors like China. Sen. Warner, a former telecommunications executive and entrepreneur, has long expressed concerns about the risks to our national security posed by Chinese-controlled telecom companies. On October 12, 2018, Sen. Warner and Sen. Rubio sent a letter to Canadian Prime Minister Justin Trudeau urging his country to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. Warner has also urged the Administration to work with our allies to combat these technology threats. Sens. Warner and Rubio are also the authors of bipartisan legislation to enforce full compliance by ZTE with all probationary conditions of a U.S. Commerce Department deal struck with the company last year that ended U.S.-imposed sanctions.
Full text of the letter is below and a copy can be found here.
Director Dan Coats
Director of National Intelligence
1500 Tysons McLean Drive
McLean, VA 22102
Dear Director Coats:
We are writing to request an unclassified report on the participation of China and other adversarial nations in the international standard-setting bodies (“ISSBs”) for fifth-generation wireless telecommunications technologies (“5G”). Over the past year, the Senate Select Committee on Intelligence (“SSCI”) has heard anecdotal concerns that China is attempting to exert pressure or political influence in the ISSBs, which have historically functioned as technological meritocracies. Not only does political influence undermine fair competition, it also raises serious economic and security concerns for 5G and future generations of wireless technologies.
Currently, U.S. companies do not have access to critical information about the nature of this threat, and the degree of state-directed coordination amongst large Chinese telecommunication firms seeking to gain a critical edge in wireless technologies. Without adequate information, U.S. companies cannot effectively push back against this behavior, nor can the United States coordinate with our allies to deter anticompetitive practices in the ISSBs.
Specifically, we request a detailed and unclassified report, to the extent possible, from the Intelligence Community (“IC”) on the following items:
1. Overall trends in the ISSBs over the past decade and the implications of politicization of ISSBs, if there is evidence of such trends;
2. Specific examples and case studies of attempts by China and other foreign adversaries to exert pressure or political influence within the ISSBs or at major telecommunication conferences to secure standards that are favorable to Chinese companies and patent holders, or that might introduce deficiencies into 5G networks; and,
3. Implications of Chinese-led standards for 5G technologies and how that will affect U.S. economic and security interests, including efforts by U.S. companies to sell and scale its technologies, the ability of the U.S. to position itself for future generations of wireless technology, and to protect against cyber intrusions and security vulnerabilities.
In 2012, the House Permanent Select Committee on Intelligence’s study on Huawei and ZTE drew attention globally to the security concerns associated with certain Chinese telecommunication and information technology companies. Similarly, we believe Chinese influence in our ISSBs is not fully appreciated, and the IC can play an essential role in filling the publicly available information gap—a necessary first step to countering this trend.
We hope that this report will be part of an ongoing effort to share more timely and relevant information with U.S. companies and our allies. The U.S. cannot tackle this issue alone and must work closely with our international partners—including the European Union, Great Britain, Korea, Japan, Australia, New Zealand, and Canada—on how we may collectively strengthen security standards, supply chain management, and market share of critical technologies. To the greatest extent possible, we urge the IC to declassify relevant information.
We appreciate your attention to this important matter.
WASHINGTON, DC – In an effort to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy, U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL) are introducing S. 592, the Cybersecurity Disclosure Act of 2019. Congressman Jim Himes (D-CT), who serves on the House Financial Services Committee and the House Permanent Select Committee on Intelligence, will be introducing the companion legislation in the House of Representatives.
The Reed-Collins-Warner-Kennedy-Jones legislation would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company. The legislation does not require companies to take any actions other than to provide this disclosure.
Cyberattacks on companies and businesses continue to increase in their sophistication, exposing customers and data to risk. Indeed, according to the Identity Theft Resource Center, the number of records, containing personally identifiable information, exposed by data breaches in the business industry grew from 181,630,520 in 2017 to 415,233,143 in 2018, and in the medical and health care industry from 5,302,846 in 2017 to 9,927,798 last year. Across all industries, the number of records containing personally identifiable information exposed by data breaches rose 126%, from 197,612,748 in 2017 to 446,515,334 in 2018.
Deloitte’s 11th Global risk management survey of financial institutions found that “sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely or very effective in managing this risk.” And according to the 2018-2019 National Association of Corporate Directors Public Company Governance Survey, only 52 percent of directors “are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight,” and 58 percent “believe their boards collectively know enough about cyber risk to provide effective oversight.”
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process. With growing cyber threats, we must be proactive in bolstering our nation’s cybersecurity. This legislation advances that goal by encouraging publicly traded companies to be more transparent about whether and how their Boards of Directors and senior management are prioritizing cybersecurity,” said Senator Reed, the Ranking Member of the Senate Armed Services Committee and a senior member of the Senate Banking Committee. “As our economy becomes ever more dependent on technology and the Internet, our economic security is indeed a matter of national security. Through the simple disclosure called for by this bipartisan legislation, we can strengthen cybersecurity oversight.”
“As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins, a member of the Senate Intelligence Committee. “This bipartisan bill strengthens our nation’s cybersecurity by requiring companies to disclose to the public the basic steps they are taking to prevent cyberattacks.”
“Every day, determined cyberattackers target publicly traded companies in attempts to steal data. When successful, these attacks can be extremely damaging, which is why consumers and shareholders deserve to know whether companies’ boards have cyber expertise,” said Senator Warner, Vice Chairman of the Senate Select Committee on Intelligence and Ranking Member of the Senate Banking Subcommittee on National Security and International Trade and Finance. “This legislation will help inform consumers and shareholders by increasing transparency, and will serve as a tool to urge more reliable strategies to counter cyberattacks.”
“As our society increasingly relies on technology, businesses across all sectors of the economy must prioritize cybersecurity. A single cyberattack can cripple even the most sophisticated firms, and the public has a right to know whether companies are focused on preventing cybersecurity threats. This bipartisan legislation will greatly increase transparency and accountability, and will ultimately help cybersecurity resilience across our economy,” said Senator Jones.
The bipartisan Cybersecurity Disclosure Act of 2019 is supported by consumer advocates, investors, and securities law experts, including the North American Securities Administrators Association; the Council of Institutional Investors; the National Association of State Treasurers; the California Public Employees’ Retirement System; the Bipartisan Policy Center; Massachusetts Institute of Technology Professor Simon Johnson; Harvard Law Professor John Coates; Columbia Law Professor Jack Coffee; K&L Gates LLP; and the Consumer Federation of America.
WASHINGTON—U.S. Senator John Cornyn (R-TX), along with Senators Richard Burr (R-NC), Mark Warner (D-VA), Jim Risch (R-ID), Dianne Feinstein (D-CA), Marco Rubio (R-FL), Tom Cotton (R-AR), Angus King (I-ME), Susan Collins (R-ME), Ben Sasse (R-NE), and Mitt Romney (R-UT), today sent a letter to the Secretary of Energy, Rick Perry, and the Secretary of Homeland Security, Kirstjen Nielsen, urging them to protect our electrical systems and critical infrastructure from potential cyberattacks by banning the use of inverters made by the Chinese-owned company, Huawei Technologies Co., Ltd.
“Huawei has recently become the world’s largest maker of inverters - the sophisticated control systems that have allowed the rapid expansion of residential and utility scale energy production. Both large-scale photovoltaic systems and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks. Our federal government should consider a ban on the use of Huawei inverters in the United States and work with state and local regulators to raise awareness and mitigate potential threats,” the Senators wrote.
“We urge you to work with all federal, state and local regulators, as well as the hundreds of independent power producers and electricity distributors nation-wide to ensure our systems are protected. We stand ready and willing to provide any assistance you need to secure our critical electricity infrastructure.”
The signed letter is here, and full text is below.
February 25, 2019
The Honorable Rick Perry
U.S. Department of Energy
1000 Independence Avenue SW
Washington, DC 20585
The Honorable Kirstjen Nielsen
U.S. Department of Homeland Security
800 K Street NW
Washington, DC 20528
Dear Secretaries Perry and Nielsen:
We write to express our concern over the national security threat products manufactured by Huawei Technologies Co., Ltd. (Huawei) pose to our nation’s critical energy infrastructure. We understand that Huawei, the world’s largest manufacturer of solar inverters, is attempting to access our domestic residential and commercial markets. Congress recently acted to block Huawei from our telecommunications equipment market due to concerns with the company’s links to China’s intelligence services. We urge similar action to protect critical U.S. electrical systems and infrastructure.
Huawei has recently become the world’s largest maker of inverters - the sophisticated control systems that have allowed the rapid expansion of residential and utility scale energy production. Both large-scale photovoltaic systems and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks. Our federal government should consider a ban on the use of Huawei inverters in the United States and work with state and local regulators to raise awareness and mitigate potential threats.
We urge you to work with all federal, state and local regulators, as well as the hundreds of independent power producers and electricity distributors nation-wide to ensure our systems are protected. We stand ready and willing to provide any assistance you need to secure our critical electricity infrastructure.
Thank you for your attention to this important matter of national security.
Warner Asks Agencies for Recommendations on Reducing Cybersecurity Vulnerabilities in Health Care Industry
Feb 25 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the leaders of four federal agencies and departments, seeking details on any measures being taken by the federal government to reduce vulnerabilities in the health care sector. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care industry, asked for strategic recommendations, and conveyed his desire to work alongside federal agencies and health care entities to develop strategies that strengthen information security. Sen. Warner also sent letters last week to major health care entities, including the American Hospital Association, American Medical Association, Virginia Hospital and Healthcare Association, and others.
“The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack,” said Sen. Warner. “As we welcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities.”
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyberattacks would cost our health care system $305 million over a five-year period. Furthermore, a 2017 report by Trend Micro found that over 100,000 healthcare devices and systems were exposed directly to the public internet, including electronic health record systems, medical devices, and network equipment.
Sen. Warner concluded the letters by noting that he would like to work with the agencies “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector… It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health care industry.”
The sensitive nature of medical information makes the health care industry a lucrative target for criminals seeking to profit from personally identifiable information. Medical records often contain private information, including a patient’s social security number, address, and health history. When stolen, this information can be used to conduct identity theft. The importance of continued availability of health data also makes health care organizations lucrative targets for ransomware attacks.
In order to gauge existing risks and gather facts to develop a long- and short-term security strategy, Sen. Warner asked the following questions of each agency and department:
- To date, what proactive steps has your Department/Agency taken to identify and reduce cyber security vulnerabilities in the health care sector?
- How has your Department/Agency worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector?
- Has your Department/Agency engaged private sector health care stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If so, what has been the result of these efforts?
- Has your Department/Agency worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the health care sector? If so, who has led these efforts and what has been the result?
- Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve your efforts to combat cyberattacks on health care entities?
- Are there additional recommendations you would make in establishing a national strategy to improve cybersecurity in the health care sector?