Va. & Md. Senators Introduce New Legislation Reforming WMATA Safety & Renewing Federal Funding Commitment to Metro
May 23 2019
WASHINGTON – Today, U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) and U.S. Sens. Ben Cardin and Chris Van Hollen (both D-MD) introduced new legislation to renew the federal funding commitment to Metro, provide critical safety reforms, and strengthen oversight of the Washington Metropolitan Area Transit Authority (WMATA).
Recognizing that the Metro system is integral to the functioning of the federal government, for the last decade Congress has allocated $150 million annually to Metro for capital expenses, with Virginia, Maryland and the District of Columbia each providing $50 million in matching funds. However, the funding – a critical part of Metro’s budget – will expire this year unless Congress acts to renew it. The Metro Safety, Accountability and Investment Act of 2019 will provide additional federal funding for Metro while also enacting key reforms to ensure that the safety and reliability of the Metro system continues to improve.
“The federal government runs on Metro. Thousands of federal workers, contractors, and military service members take Metro every day. This is an investment in the long-term safety and reliability of the Metro system,” said Sen. Warner, a member of the Committee on Banking, Housing and Urban Affairs, which has oversight over our nation’s urban transit systems. “But recent safety problems have illustrated that Metro still has work to do, which is why this money comes with some strings attached to ensure robust oversight, accountability, and meaningful safety reforms at WMATA.”
“Maintaining a safe and reliable public transit system for the seat of the federal government is a clear national priority. We recognized 10 years ago - as we do now - that providing dedicated funding for WMATA will help keep Metro on track,” said Sen. Cardin, ranking member of the Senate Environment and Public Works Transportation and Infrastructure Subcommittee. “Maryland and Virginia's Senate delegations wholeheartedly agree on the need for critical safety reforms and strengthened oversight to ensure that WMATA becomes as safe and efficient as possible.”
“This bill provides critical funding to reduce WMATA’s backlog of work, along with strict measures to ensure riders are safe on Metro. Following the death of a Virginian on Metrorail in 2015, we made it clear that major changes were needed. Since then, we passed a tough new federal safety oversight body through Congress, encouraged business and labor to work toward mutual goals, and worked with experts to provide WMATA with a roadmap for reform. But this work will only succeed if WMATA has the resources to do the turnaround job right. With this bill, we ensure that the federal government contributes its share, while also making clear that with new money comes new requirements for safety and accountability. Metro’s challenges won’t be solved overnight, but this bill will go a long way toward unlocking progress to rebuild trust with riders,” said Sen. Kaine.
“Maryland commuters and our federal workforce rely on the Metro day in and day out. This legislation reauthorizes the Federal investment in WMATA and provides much-needed funds to modernize our system. In addition to increased funding, this bill includes crucial safety improvements and oversight reforms,” said Sen. Van Hollen, a member of the Committee on Banking, Housing and Urban Affairs. “I’m proud to join my colleagues in introducing this measure as we work to ensure safe and dependable transportation throughout the region.”
The Metro Safety, Accountability and Investment Act of 2019 will renew the federal funding commitment for WMATA capital investments by reauthorizing the funding levels from the Passenger Rail Investment and Improvement Act of 2008 for an additional ten years, at an annual level of $150 million, matched by funding from Virginia, Maryland and the District of Columbia.
In addition, in exchange for key safety, oversight, and governance reforms at WMATA, the new legislation will include an additional $50 million per year in federal funding that is not subject to local match, bringing the annual federal commitment to Metro to $200 million. In order to access the additional $50 million, WMATA will be required to: grant additional powers to Metro’s Inspector General; establish task forces on track safety and bus safety; implement policy and procedures for a new capital planning process; improve the transit asset management planning process; reinforce restrictions on the activities of alternate WMATA Board members to provide more effective Board management and oversight; and prioritize the implementation of new cyber security protections and the integration of wireless services and emergency communications networks.
The bill also prohibits WMATA from using federal funds on a contract for rolling stock from any country that meets certain criteria related to illegal subsidies for state-owned enterprises. Sens. Warner, Kaine, Cardin and Van Hollen raised concerns earlier this year regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.
“The Federal City Council applauds Sens. Warner, Cardin, Kaine, and Van Hollen for their continued commitment to WMATA and to ensuring that critically needed federal funding for the system is reauthorized this year. This funding, along with the new dedicated funding that was committed by the District of Columbia, Maryland, and Virginia in 2018 is critically needed to ensure a safe, reliable, and sustainable future for Metro,” said Tony Williams, former Mayor of the District of Columbia, current CEO and Executive Director of the Federal City Council and founding member of the MetroNow Coalition. “However, it has been the longstanding position of the Federal City Council and the MetroNow coalition that in addition to funding, Metro is also in need of a better framework to guide decision-making and increase accountability at WMATA—a critical part of the solution that has been missing, until now. With comprehensive enhancements to WMATA’s Office of the Inspector General and capital planning requirements, this legislation will help to safeguard the investment being made in this vital piece of our region’s transportation infrastructure and will inspire confidence in Metro going forward.”
“Metro is critical to those who live and work here and, equally important, it benefits those who travel here to do business, interact with the federal government, and enjoy all our region has to offer,” said Jack McDougle, President & CEO of the Greater Washington Board of Trade and founding member of the MetroNow Coalition. “Every day, we welcome visitors from around the country and the world, requiring us to maintain the safest, most reliable and world-class transit system possible. That’s why we and our partners in the MetroNow coalition urge Congress to pass this legislation.”
“The Amalgamated Transit Union (ATU) fully supports the Metro Safety, Accountability and Investment Act of 2019, renewing the federal commitment for WMATA capital investments. This is long overdue and critical, as the agency’s infrastructure, which dates back to the 1970s, has been crumbling. Riders have paid the price, as service sputtered and fares skyrocketed. Workers have been unfairly blamed for service issues when the real issue has been the generations of state and local lawmakers that until recently have financially starved the system of a critical dedicated revenue source,” said ATU International President John A. Costa. “Tragically, there have been several deadly accidents that have taken the lives of passengers as well as workers. There is no safety culture at WMATA. We thank Senators Warner, Cardin, Kaine and Van Hollen for including in the bill the ATU’s proposed labor-management safety task forces – bus and rail – to develop best principles and practices through collaboration so that we can prevent future tragedies. We are also grateful that these task forces have appropriately been named after ATU members who were killed on the job – Jeanice McMillan, the operator who was killed along with 8 passengers in the 2009 Red Line train crash at Fort Totten and was called a hero by WMATA for saving countless lives, and Keith Dodson, who was struck and killed by a tractor trailer when he exited the bus he was driving after it became disabled along southbound I-395 in Arlington County in 2007.”
Statement of Senate Intel Vice Chair Mark R. Warner on WH Executive Order to Ban Chinese Telecom Gear
May 15 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, released the following statement after President Trump signed an executive order to ban American telecommunications firms from installing foreign-made equipment that could pose a threat to national security:
“This is a needed step, and reflects the reality that Huawei and ZTE represent a threat to the security of U.S. and allied communications networks. Under current Chinese security laws, these and other companies based in China are required to provide assistance to the Chinese state. This executive order places a great deal of authority in the Department of Commerce, which must ensure that it is implemented in a fair and responsible fashion as to not harm or stifle legitimate business activities. It should also be noted that we have yet to see a compelling strategy from this Administration on 5G, including how the Administration intends to work cooperatively with our allies and like-minded nations to ensure that international standards set for 5G reflect Western values and standards for security and privacy. Nor do we have a stated plan for replacing this equipment from existing commercial networks – a potentially multi-billion dollar effort that, if done ineptly, could have a major impact on broadband access in rural areas. A coherent, coordinated and global approach is critically needed as nations and telecom providers move to implement 5G.”
As a former telecommunications executive and entrepreneur, Sen. Warner has been a leading voice in the Senate regarding the national security risks posed by Chinese-controlled telecom companies. He is the lead sponsor of the Secure 5G and Beyond Act – legislation to require the President to ensure the security of next-gen mobile telecommunications systems and infrastructure in the United States. He also introduced a bipartisan bill in January to help combat tech-specific threats to national security posed by foreign actors like China. Additionally, Sen. Warner called on the Trump Administration last week to promote U.S. leadership and strengthen diplomatic efforts around the development of a secure 5G architecture that challenges Huawei’s monopoly over the next generation of telecoms networks.
Warner, Klobuchar, Graham Reintroduce Bipartisan, Bicameral Senate Legislation to Protect Integrity of U.S. Elections, Improve National Security
May 08 2019
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Select Committee on Intelligence and former telecommunications executive, along with Sens. Amy Klobuchar (D-MN) and Lindsey Graham (R-SC), reintroduced bicameral legislation to help prevent foreign interference in future elections and improve the transparency of online political advertisements. The Honest Ads Act will safeguard the integrity of our democracy by requiring large online platforms to maintain public records of advertisers who purchase political ads. Companion legislation is being introduced in the House of Representatives by U.S. Reps. Derek Kilmer (D-WA), Elise Stefanik (R-NY), and 24 other bipartisan cosponsors.
“In 2016, Russia waged widespread disinformation campaigns that exploited social media in an effort to attack our democracy and divide the American public. As we continue to grow increasingly dependent on a handful of very large platforms, there is no doubt in my mind that foreign adversaries will continue to follow in Russia’s footsteps, exploiting the scale, amplification, and lack of transparency of these platforms in order to undermine the strength of the United States and advance their own anti-American agendas,” Sen. Warner said. “Right now, our country needs strong defenses that help ward off shady online attacks by demanding increased transparency, which is why I’m proud to introduce the Honest Ads Act. By requiring large digital platforms to meet the same disclosure standards as broadcast, cable, and satellite ads, this legislation can help prevent foreign actors from manipulating the American public and interfering in our free and fair elections through the use of inauthentic and divisive paid ads.”
“Foreign adversaries interfered in the 2016 election and are continuing to use information warfare to try to influence our government and divide Americans. We must act now to protect our democracy and prevent this kind of interference from ever happening again,” Sen. Klobuchar said. “The goal of the Honest Ads Act is simple: to ensure that voters know who is paying to influence our political system. The bill would put in place the same rules of the road for social media platforms that currently apply to political ads sold on TV, radio, and in print regarding disclaimers and disclosures so that Americans know who is behind the ads they see online. I also want to commend Senator Graham for taking up the mantle of bipartisanship from our late friend, Senator John McCain. Protecting our elections isn’t about politics—it’s about national security and the future of our democracy. I look forward to working with him and Senator Warner to get the Honest Ads Act passed.”
“Hardening our electoral infrastructure will require a comprehensive approach and it can’t be done with a single piece of legislation,” Sen. Graham said. “I am cosponsoring this legislation because it’s clear we have to start somewhere. I am pleased to work with Senators Klobuchar and Warner to address the gaps that currently exist, particularly with regards to social media. Online platforms have made some progress but there is more to be done. Foreign interference in U.S. elections – whether Russia in the 2016 presidential election or another rogue actor in the future – poses a direct threat to our democracy. I intend to work with my colleagues on both sides of the aisle to bolster our defenses and defend the integrity of our electoral system.”
Prior to the 2016 presidential election, Russia attempted to influence the American electorate by using fake accounts to buy and place political ads on platforms such as Facebook, Twitter, and Google. Without greater transparency and disclosure requirements, foreign adversaries and bad actors copying their playbook can continue exploiting the opacity of large social media platforms.
The Honest Ads Act would improve disclosure requirements for online political advertisements by:
- Amending the definition of ‘electioneering communication’ in the Bipartisan Campaign Reform Act of 2002, to include paid internet and digital advertisements.
- Requiring digital platforms with at least 50,000,000 monthly visitors to maintain a public file of all electioneering communications purchased by a person or group who spends more than $500.00 total on ads published on their platform. This file would contain a digital copy of the advertisement, a description of the audience the advertisement targets, the number of views generated, the dates and times of publication, the rates charged, and the contact information of the purchaser.
- Requiring online platforms to make all reasonable efforts to ensure that foreign individuals and entities are not purchasing political advertisements in order to influence the American electorate.
The Honest Ads Act has the support of the Campaign Legal Center, the Alliance for Securing Democracy, the Brennan Center for Justice, Issue One, the Sunlight Foundation, the Center for American Progress, and the German Marshall Fund's Digital Innovation Democracy Initiative, as well as Facebook and Twitter.
The full text of the Honest Ads Act is available here.
Warner, Warren Reintroduce Legislation to Hold Equifax, Other Credit Reporting Agencies Accountable for Data Breaches
May 07 2019
WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA), along with Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL), reintroduced legislation today to hold large credit reporting agencies (CRAs) – including Equifax – accountable for data breaches involving sensitive consumer data. The Data Breach Prevention and Compensation Act will provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs.
“It’s been nearly two years since hackers accessed the personal information of more than 143 million Americans, yet thousands of individuals continue to grapple with the effects of this massive breach,” said Sen. Warner. “As personal data becomes more and more valuable in today’s information economy, and the scale and impact to consumers of mega-breaches increase, there needs to be increased consequences for companies like Equifax that mishandle or neglect to properly safeguard consumer data. By imposing strict penalties for data breaches and facilitating compensations for affected Americans, this legislation will increase accountability and help ensure that credit reporting agencies actively prioritize the security of sensitive consumer information.”
“It's been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country, and this new report shows that Equifax still has a long way to fix the problem it created,” said Sen. Warren. “Our bill, which would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.”
In September 2017, Equifax announced that hackers had accessed and stolen sensitive personal information, including Social Security Numbers, birth dates, credit card numbers, driver's license numbers, and passport numbers, belonging to more than 143 million Americans – a number later revised up to 145.5 million people. The breach highlighted that CRAs like Equifax retain vast amounts of data on millions of Americans but often lack adequate safeguards against hackers. Since 2013, Equifax has reported at least four separate hacks in which sensitive personal information was compromised.
The Data Breach Prevention and Compensation Act would:
- Establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs.
- Impose mandatory, strict liability penalties for breaches involving consumer data, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. Under this bill, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans' personal information.
- Ensure a robust recovery for affected consumers by requiring the FTC to use 50% of its penalty to compensate consumers.
- Increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.
- Enhance FTC enforcement by giving the FTC civil penalty authority under the Gramm-Leach-Bliley Act.
Additionally, Sens. Warren and Warner, and Rep. Krishnamoorthi, in a new analysis of Consumer Financial Protection Bureau (CFPB) consumer complaints, revealed that consumers filed more than 52,000 complaints related to Equifax in the 18 months following the announcement of the Equifax breach – nearly double the number from the same period before the breach was announced. The report shows how Equifax continues to fail affected consumers by neglecting to provide adequate responses to consumer complaints, including by refusing to remove incorrect information from credit reports. The lawmakers also sent the report to the FTC and CFPB, requesting that the agencies take action.
The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:
“This bill requires the FTC to provide much-needed oversight of the credit bureaus for data security. It also imposes real and meaningful penalties when the credit bureaus, who hold our most sensitive financial information, fail to adequately protect that information. I commend Senator Warren, Senator Warner, and Congressmen Cummings and Krishnamoorthi for their continuing efforts to prevent another massive security failure like the Equifax data breach,” said National Consumer Law Center Staff Attorney, Chi Chi Wu.
“A concrete response to a serious problem facing American consumers. The ongoing risk of data breach and identity theft have reached epidemic proportions. We clearly need more expertise in the federal government to address this challenge. We hope the Senate will move forward this important and timely effort to safeguard American consumers and Internet users,” said Electronic Privacy Information Center President and Executive Director, Marc Rotenberg.
“Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans. That’s why U.S. PIRG commends Senator Warner, Senator Warren, and Congressmen Cummings and Krishnamoorthi for reintroducing the Data Breach Prevention and Compensation Act. The bill provides strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data,” said U.S. PIRG Consumer Campaign Director, Mike Litt.
“Making the companies that collect and sell consumers’ personal information liable when they fail to secure it is a necessary step in ensuring our privacy rights,” said Former Chief Technologist at the FTC, Ashkan Soltani.
More statements of support are available here. More information about this bill can be found here. For text of the bill, click here.
Apr 11 2019
WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the following statement regarding the arrest of Julian Assange, the founder of WikiLeaks, today in the United Kingdom:
“Julian Assange has long professed high ideals and moral superiority. Unfortunately, whatever his intentions when he started WikiLeaks, what he’s really become is a direct participant in Russian efforts to undermine the West and a dedicated accomplice in efforts to undermine American security. It is my hope that the British courts will quickly transfer him to U.S. custody so he can finally get the justice he deserves.
“I would like to thank President Moreno and the Ecuadoran government for taking the long-overdue step of withdrawing sanctuary for Mr. Assange so that he can finally face justice for his actions.”
WASHINGTON – A day ahead of the one-year anniversary of Facebook CEO Mark Zuckerberg’s congressional testimony, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) have introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.
The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.
“For years, social media platforms have been relying on all sorts of tricks and tools to convince users to hand over their personal data without really understanding what they are consenting to. Some of the most nefarious strategies rely on ‘dark patterns’ – deceptive interfaces and default settings, drawing on tricks of behavioral psychology, designed to undermine user autonomy and push consumers into doing things they wouldn’t otherwise do, like hand over all of their personal data to be exploited for commercial purposes,” said Sen. Warner, a former technology executive who is Vice Chairman of the Senate Select Committee on Intelligence. “Our goal is simple: to instill a little transparency in what remains a very opaque market and ensure that consumers are able to make more informed choices about how and when to share their personal information.”
Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of such actions include: a sudden interruption during the middle of a task repeating until the user agrees to consent; a deliberate obscuring of alternative choices or settings through design or other means; or the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.
The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company.
“The tech industry has gone unchecked for far too long. Bold action is needed on a wide scale to change the incentives in Silicon Valley with our well-being in mind, especially when it comes to kids,” said Jim Steyer, CEO of Common Sense. “This bill gets to the root of the issue – the use of manipulative and deceptive design features that trick kids and other users into giving up valuable and private information, and hook them into spending more time than is healthy online. Common Sense strongly supports Senators Warner and Fischer on this bipartisan effort to hold tech companies accountable for these practices that only harm consumers.”
“Dark patterns are among the least humane design techniques used by technology companies in their scramble for growth at all costs. They use these measures to offer false choices that confuse or trap users into over-sharing personal information or driving compulsive use – especially from the most vulnerable users, including kids,” said Tristan Harris, Co-Founder of the Center for Humane Technology. “A system-wide rethinking of technology policy and design is in order, so CHT fully supports Senators Warner and Fischer in this bipartisan effort to place significant constraints around the ability to deceive users online. The creation of a special standards body is especially crucial to the protection of consumers, as they keep lawmakers more up-to-date and able to iterate laws at pace with the rapid change of technology.”
“We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online,” said Fred Humphries, Corporate Vice President of U.S. Government Affairs at Microsoft. “Their legislation helps to achieve that goal and we look forward to working with them.”
“People are ensnared by ‘dark patterns’ of manipulation on the Internet every day, and ending these practices is a key part of protecting people online. We need to better understand the systems that manipulate people online, and empower users to fight back. We applaud Senator Warner and Senator Fischer for introducing this legislation to curtail these troubling practices,” said Alan Davidson, Vice President of Global Policy, Trust and Security at Mozilla.
“EPIC appreciates Senator Warner and Senator Fischer’s important work to safeguard consumer privacy,” said Caitriona Fitzgerald, Electronic Privacy and Information Center (EPIC) Policy Director.
The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:
- Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
- Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
- Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
- Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.
The full bill text is available here.
Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds.
Sen. Warner is recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. Last year, Sen. Warner called on the social media companies to work with Congress and provide feedback on ideas he put forward in a white paper discussing potential policy solutions to challenges surrounding social media, privacy, and data security. In addition to the DETOUR Act, in the coming weeks and months, Sen. Warner will introduce further legislation designed to improve transparency, privacy, and accountability on social media.
Apr 08 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) was joined today by Sen. Cory Gardner (R-CO) in reintroducing bipartisan, bicameral legislation to encourage state, local, and tribal governments to strengthen their defenses against cybersecurity threats and vulnerabilities. The State Cyber Resiliency Act, which was also introduced in the House by Reps. Derek Kilmer (D-WA) and Michael McCaul (R-TX), would create and authorize the Department of Homeland Security (DHS) to run a grant program for states seeking to develop, revise or implement cyber resiliency measures—including efforts to identify, detect, protect, respond, and recover from cyber threats.
“As cyberattacks increase in frequency and gravity, we must ensure that our nation—from our local governments on up—is adequately prepared to protect public safety and combat cyber threats,” said Sen. Warner. “Nearly 70 percent of states have reported that they lack adequate funding to develop sufficient cybersecurity. This bill will aim to mitigate that need by providing grants to state and local jurisdictions so that they are better prepared to take on these emerging challenges.”
“It’s critical that our state and local governments invest in cyber preparedness and training, and I’m proud to work with Senator Warner and Representatives Kilmer and McCaul to create a grant program to help our communities with this effort,” said Sen. Gardner. “Colorado is at the forefront of our nation’s cybersecurity efforts and home to the National Cybersecurity Center in Colorado Springs. As the threat of cyber warfare intensifies, it’s important that local governments are properly prepared to deter and protect themselves from cyber-attacks.”
“America should dedicate far more attention and resources to combating cyber threats,” said Rep. Kilmer. “Cyber-attacks could threaten our election systems, municipally-owned water treatment facilities, local emergency responder networks, or other vital systems that impact our communities. With that in mind, building our cyber resiliency matters to employers, workers, local governments, consumers – and even to our national security. That’s why I’m proud to join my colleagues in introducing a bipartisan plan to give state, local, and tribal governments more tools to counter these cyber threats.”
“As our nation continues to face cyber threats, we must ensure all levels of government are prepared to combat the emerging attacks to our cyber networks and other critical infrastructure. The enactment of CISA last year was a positive step forward to recalibrate our federal posture on cybersecurity, however, more needs to be done on a state and local level. Despite playing a vital role in protecting our nation against cyber-attacks, state governments often do not have the vital resources they need to strengthen their cybersecurity capabilities or retain or recruit seasoned cybersecurity professionals,” said Rep. McCaul. “As a co-chair of the House Congressional Cybersecurity Caucus, I will continue to think holistically about protecting our networks on a federal, state, and local level. I am proud to join Senators Warner and Gardner, along with Congressman Kilmer, in introducing the State Cyber Resiliency Act to aid state and local governments with a new grant program to enhance their cyber defenses.”
A 2018 survey by Deloitte-National Association recently found that most state cyber budgets are inadequate, with most states allocating between zero and three percent of their overall IT budget for cybersecurity purposes. Additionally, the survey found that budget and staffing remain top barriers to an effective cyber strategy, with nearly half of all states lacking a cybersecurity budget line item, and 28 percent pointing to an inadequate availability of cybersecurity professionals as a “top barrier.” In the past year, hackers have attacked a number of local governments in states such as Colorado, Georgia, Maryland and Pennsylvania. These serious cyberattacks have cost taxpayers millions of dollars and have wreaked havoc on essential local government processes.
The State Cyber Resiliency Act also addresses the nation’s cybersecurity workforce talent gap by ensuring that participating states enhance recruitment and retention efforts. Currently, there are more than 313,000 cybersecurity job openings nationwide, including 33,500 in Virginia, 24,800 in Texas, 10,200 in Colorado, and 6,300 in Washington.
Sen. Warner, along with Sen. Gardner, is the co-founder of the bipartisan Senate Cybersecurity Caucus, and recently introduced legislation to better protect customers, increase transparency for investors, and ensure public companies prioritize cybersecurity and data privacy. He also urged the Trump Administration in February to ensure the protection of critical electricity infrastructure and consider a federal government ban on the use of Huawei inverters in the United States.
The full text of the bill is available here.
After Arrest Of Chinese National With Malware In Hand At Mar-A-Lago, Senators Warner, Schumer, and Feinstein Urge FBI To Immediately Assess National Security Risks At Trump Properties
Apr 03 2019
Washington, D.C.— Following reports of the arrest of Chinese national Yujin Zhang, who was apprehended by Secret Service after making false statements to enter Mar-a-Lago while carrying a thumb drive containing malware, Senate Democratic Leader Chuck Schumer (D-NY), Senate Committee on the Judiciary Ranking Member Dianne Feinstein (D-CA), and Senate Select Committee on Intelligence Vice Chairman Mark Warner (D-VA) today urged FBI Director Christopher Wray to assess the risks at Mar-a-Lago in light of the security vulnerabilities exposed by this latest incident. The senators asked the FBI to determine the steps needed to detect and deter adversary governments or their agents from attempting to gain access to or conduct electronic surveillance or acquire material at Mar-a-Lago or President Trump’s other properties.
According to reports, Ms. Zhang stated that she was invited to attend a non-existent event by an associate of Li “Cindy” Yang, who senior members of the congressional intelligence and judiciary committees recently asked the FBI to criminally investigate, given the credible allegations of potential human trafficking, unlawful foreign lobbying and other activities by Ms. Yang, and to assess the risks or related concerns associated with any interactions between her and the president. So far, the FBI has failed to respond. Today’s letter requests answers to the intelligence and judiciary committees’ previous letter and an assessment of the security vulnerabilities exposed by this latest incident involving Yujin Zhang.
The Senators’ letter can be found here and below:
April 3, 2019
The Honorable Christopher Wray
Federal Bureau of Investigation
935 Pennsylvania Avenue, NW
Washington, DC 20535
Dear Director Wray:
We write regarding the arrest of Yujin Zhang, a Chinese national who was apprehended by Secret Service after she allegedly made false statements to bypass security at Mar-a-Lago while carrying multiple electronic devices and a thumb drive containing malicious malware.
According to the information provided in the criminal complaint filed in the U.S. District Court for the Southern District of Florida, Ms. Zhang was allowed access to the property after security staff employed at Mar-a-Lago believed her to be a relative of a member of the club. After she passed into a restricted area and was eventually questioned by a receptionist, Ms. Zhang stated that she had been invited to Mar-a-Lago to attend a non-existent United Nations Chinese American Association event by an apparent associate of Li “Cindy” Yang, who had reportedly promoted events at the club on Chinese-language social media.
On March 15th, senior members of the congressional intelligence and judiciary committees asked the Federal Bureau of Investigation to conduct criminal and counterintelligence investigations into credible allegations of potential human trafficking, unlawful foreign lobbying and other activities by Ms. Yang as well as an assessment of the risks or related concerns associated with any interactions between her and the President. While this request came after Ms. Yang was photographed with the President and reports that she created a business that attempted to sell access to the President and his family to clients in China, Congress has not yet received a response.
This latest incident raises very serious questions regarding security vulnerabilities at Mar-a-Lago, which foreign intelligence services have reportedly targeted. The apparent ease with which Ms. Zhang gained access to the facility during the President’s weekend visit raises concerns about the system for screening visitors, including the reliance on determinations made by Mar-a-Lago employees. As the White House Communications Agency and Secret Service coordinate to establish several secure areas at Mar-a-Lago for handling classified information when the President travels there, these potential vulnerabilities have serious national security implications.
Accordingly, we ask that the FBI, in consultation with the Director of National Intelligence, assess the risks at Mar-a-Lago posed by establishment of areas for classified information at a facility accessible to the public and foreign nationals. We also ask that you determine, in consultation with the Secret Service, the steps needed to detect and deter adversary governments or their agents from attempting to gain access to or conduct electronic surveillance or acquire material at Mar-a-Lago or President Trump’s other properties.
Thank you for your attention to this important matter. We ask that you provide Congress with a written response to this letter as well as the questions related to Ms. Yang that were enumerated in the March 15th letter without delay.
Senate Democratic Leader Chuck Schumer (D-NY)
Senate Committee on the Judiciary Ranking Member Dianne Feinstein (D-CA)
Senate Select Committee on Intelligence Vice Chairman Mark Warner (D-VA)
cc: The Honorable Dan Coats
Director of National Intelligence
The Honorable Randolph D. Alles
Director, U.S. Secret Service
Ranking Members Warner, Klobuchar, Reed, and Peters Press Election Equipment Manufacturers on Security
Mar 27 2019
WASHINGTON – U.S. Senator Mark R. Warner, Vice Chairman of the Senate Intelligence Committee and a member of the Senate Rules Committee with oversight jurisdiction over federal elections, joined his colleagues in sending a letter to the country’s three largest election system vendors with questions to help inform the best way to move forward to strengthen the security of our voting machines. In the U.S., the three largest election equipment vendors—Election Systems & Software, LLC; Dominion Voting Systems, Inc.; and Hart InterCivic, Inc.—provide the voting machines and software used by ninety-two percent of the eligible voting population. However, voting and cybersecurity experts have begun to call attention to the lack of competition in the election vendor marketplace and the need for scrutiny by regulators as these vendors continue to produce poor technology, like machines that lack paper ballots or auditability.
The letter was signed by Senator Mark Warner (D-VA), Vice Chairman of the Senate Intelligence Committee, Senator Amy Klobuchar (D-MN), Ranking Member of the Rules Committee, Senator Jack Reed (D-RI), Ranking Member of the Senate Armed Services Committee, and Senator Gary Peters (D-MI), Ranking Member of the Senate Homeland Security Committee.
“The integrity of our elections remains under serious threat. Our nation’s intelligence agencies continue to raise the alarm that foreign adversaries are actively trying to undermine our system of democracy, and will target the 2020 elections as they did the 2016 and 2018 elections,” the senators wrote. “The integrity of our elections is directly tied to the machines we vote on – the products that you make. Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.”
The full text of the letter is below:
March 26, 2019
Mr. Phillip Braithwaite
President and Chief Executive Officer
Hart InterCivic, Inc.
Mr. Tom Burt
President and Chief Executive Officer
Election Systems & Software, LLC
Mr. John Poulos
President and Chief Executive Officer
Dominion Voting Systems
Dear Mr. Braithwaite, Mr. Burt, and Mr. Poulos:
We write to request information about the security of the voting systems your companies manufacture and service.
The integrity of our elections remains under serious threat. Our nation’s intelligence agencies continue to raise the alarm that foreign adversaries are actively trying to undermine our system of democracy, and will target the 2020 elections as they did the 2016 and 2018 elections. Following the attack on our election systems in 2016, the Department of Homeland Security (DHS) designated election infrastructure as critical infrastructure in order to protect our democracy from future attacks and we have taken important steps to prioritize election security. We appreciate the work that your companies have done in helping to set up the Sector Coordinating Council (SCC) for the Election Infrastructure Subsector.
Despite the progress that has been made, election security experts and federal and state government officials continue to warn that more must be done to fortify our election systems. Of particular concern is the fact that many of the machines that Americans use to vote have not been meaningfully updated in nearly two decades. Although each of your companies has a combination of older legacy machines and newer systems, vulnerabilities in each present a problem for the security of our democracy and they must be addressed.
On February 15, the Election Assistance Commission’s (EAC) Commissioners unanimously voted to publish the proposed Voluntary Voting System Guidelines 2.0 (VVSG) Principles and Guidelines in the Federal Register for a 90 day public comment period. As you know, this begins the long-awaited process of updating the Principles and Guidelines that inform testing and certification associated with functionality, accessibility, accuracy, auditability, and security. The VVSG have not been comprehensively updated since 2005 – before the iPhone was invented – and unfortunately, experts predict that updated guidelines will not be completed in time to have an impact on the 2020 elections. While the timeline for completing VVSG 2.0 is frustrating, these guidelines are voluntary and they establish a baseline – not a ceiling – for voting equipment. Furthermore, VVSG 1.1 has been available for testing since 2015.
In other words, the fact that VVSG 2.0 remains a work in progress is not an excuse for the fact that our voting equipment has not kept pace both with technological innovation and mounting cyber threats. There is a consensus among cybersecurity experts regarding the fact that voter-verifiable paper ballots and the ability to conduct a reliable audit are basic necessities for a reliable voting system. Despite this, each of your companies continues to produce some machines without paper ballots. The fact that you continue to manufacture and sell outdated products is a sign that the marketplace for election equipment is broken. These issues combined with the technical vulnerabilities facing our election machines explain why the Department of Defense’s Defense Advanced Research Projects Agency (DARPA) is reportedly working to develop an open source voting machine that would be secure and allow people to ensure their votes were tallied correctly.
As the three largest election equipment vendors, your companies provide voting machines and software used by 92 percent of the eligible voting population in the U.S. This market concentration is one factor among many that could be contributing to the lack of innovation in election equipment. The integrity of our elections is directly tied to the machines we vote on – the products that you make. Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.
In order to help improve our understanding of your businesses and the integrity of our election systems, we respectfully request answers to the following questions by April 9, 2019:
- What specific steps are you taking to strengthen election security ahead of 2020? How can Congress and the federal government support these actions?
- What additional information is necessary regarding VVSG 2.0 in order for your companies to begin developing systems that comply with the new guidelines?
- Do you anticipate producing systems that will be tested for compliance with VVSG 1.1? Why or why not?
- What steps, if any, are you taking to enhance the security of your oldest legacy systems in the field, many of which have not been meaningfully updated (if at all) in over a decade?
- How do EAC certification requirements and the certification process affect your ability to create new election systems and to regularly update your election systems?
- Do you support federal efforts to require the use of hand-marked paper ballots for most voters in federal elections? Why or why not?
- How are you working to ensure that your voting systems are compatible with the EAC’s ballot design guidelines (i.e. “Effective Designs for the Administration of Federal Elections”)?
- Experts have raised significant concerns about the risks of ballot marking machines that store voter choice information in non-transparent forms that cannot be reviewed by voters (i.e. such as barcodes or QR codes), noting that errors in the printed vote record could potentially evade detection by voters. Do you currently sell any machines whose paper records do not permit voters to review the same information that the voting system uses for tabulation? If so, do you believe this practice is secure enough to be used in the 2020 election cycle?
- Do you make voting systems with Cast Vote Records (CVRs) that can be reliably connected to specific unique ballots, while also maintaining voter privacy? If not, why not? Does your company make voting systems that allow for a machine-readable data export of these CVRs in a format that is presentation-agnostic (such as JSON) and can be reliably parsed without substantial technical effort? If not, why not?
- Would you support federal legislation requiring expanded use of routine post-election audits, such as risk-limiting audits, in federal elections? Why or why not?
- What portion of your revenue is invested into research and development to produce better and more cost effective voting equipment?
- Congress is currently working on legislation to establish information sharing procedures for vendors regarding security threats. How does your company currently define a reportable cyber-incident and what protocols are in place to report incidents to government officials?
- What steps are you taking to improve supply chain security? To the extent your machines operate using custom, non-commodity hardware, what measures are you taking to ensure that the supply chains for your custom hardware components are monitored and secure?
- Do you employ a full-time cybersecurity expert whose role is fully dedicated to improving the security of your systems? If so, how long have they been on staff, and what title and authority do they have within your company? Do you conduct background checks on potential employees who would be involved in building and servicing election systems?
- Does your company operate, or plan to operate, a vulnerability disclosure program that authorizes good-faith security research and testing of your systems, and provides a clear reporting mechanism when vulnerabilities are discovered? If not, what makes it difficult for your company to do so, and how can Congress and the federal government help make it less difficult?
- How will DARPA’s work impact how your company develops and manufactures voting machines?
We look forward to your answers to these questions, and thank you for your efforts to work with us and with state election officials around the country to improve the security of our nation’s elections.
WASHINGTON – U.S. Senator John Cornyn (R-TX), along with Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Mark Warner (D-VA), introduced the Secure 5G and Beyond Act. This legislation would require the President to develop a strategy to ensure the security of next-gen mobile telecommunications systems and infrastructure in the United States, as well as to assist allies in maximizing the security of their systems, infrastructure, and software. Senators Susan Collins (R-ME), Tom Cotton (R-AR), Marco Rubio (R-FL), and Michael Bennet (D-CO) are original cosponsors.
“Our telecom systems continue to advance at a rapid rate, and it’s critical that we develop a strategy to protect potential vulnerabilities from being exploited by our adversaries,” said Sen. Cornyn. “I’m proud to partner with my colleagues on this legislation to ensure we can defend our national security interests as we develop future technologies.”
“It’s imperative we not only understand the revolutionary value of next-gen communications, but also the security measures required to ensure the deployment of safe and secure 5G networks,” said Sen. Burr. “I’m proud to work with my colleagues on this important legislation, which will bring together a variety of industry experts, further protect Americans’ privacy rights, and better equip our nation with a comprehensive strategy as we continue to be a global leader in technology.”
“5G promises to usher in a new wave of innovations, products, and services. At the same time, the greater complexity, density, and speed of 5G networks relative to traditional communications networks will make securing these networks exponentially harder and more complex,” Sen. Warner said. “It’s imperative that we have a coherent strategy, led by the President, to harness the advantages of 5G in a way that understands – and addresses – the risks.”
Background on the Secure 5G and Beyond Act:
- Requires the President to create an inter-agency strategy to secure 5th generation and future generation technology and infrastructure in the United States and with our strategic allies.
- Designates NTIA as the Executive Agent to coordinate implementation of the strategy in coordination with: the Chairman of the FCC, the Secretary of Homeland Security, the Director of National Intelligence, the Attorney General, and the Secretary of Defense.
- Ensures that the strategy does not include a recommendation to nationalize 5th generation deployment or future generations of mobile telecommunications infrastructure in the United States.
Bipartisan Legislation to Improve Cybersecurity of Internet-of-Things Devices Introduced in Senate & House
Mar 11 2019
WASHINGTON – Bipartisan legislation to improve the cybersecurity of Internet-connected devices will be introduced today in the Senate and the House of Representatives. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements.
The legislation is being introduced in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT), while Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) are introducing companion legislation in the House of Representatives.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation’s cybersecurity defenses.”
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” said Rep. Kelly. “It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives. This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought,” said Rep. Hurd, former computer science major, cybersecurity entrepreneur and Chair of the House Subcommittee on Information Technology. “This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”
“With everything from LED lights to thermostats connected to the internet, we need to act swiftly to step up security for ‘internet of things’ devices to prevent hackers from disrupting our economy and threatening public safety,” Sen. Hassan said. “By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of Granite Staters and Americans.”
“As the Internet of Things landscape grows – we must ensure that Montanans’ information is safe and the security of our critical infrastructure is protected,” said Sen. Daines. “This bill helps establish proper safeguards that balance the need to protect Montanans’ privacy and our national security with the growing tech economy and high-paying jobs it provides.”
The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers.
At a hearing of the Senate Armed Services Committee last year, the Director of the Defense Intelligence Agency, Lt. General Robert Ashley, described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security.” Last May, the Departments of Commerce and Homeland Security published a report highlighting the IoT market forces that reward low-price and convenience at the expense of security. The signature recommendation of the May 2018 report was that the Federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT. The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
“BSA applauds Senators Warner and Gardner for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation,” said Tommy Ross, Senior Policy Director, BSA | The Software Alliance. “As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.”
“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, and spill over to people who aren't the purchasers. This bill leverages the government procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ basic security measures in their products,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society.
“Insecure and unsecured IoT devices are a risk we must address, and it will only happen if the government and the private sector both step up. I'm glad that Senators Warner and Gardner and Representatives Kelly and Hurd are continuing to push this issue,” said Jeff Greene, Vice President of Global Government Affairs & Policy at Symantec.
“Weak IoT security with little oversight puts the American public at risk, particularly as these devices become more and more common in our offices and in our homes. We need a coordinated approach. Empowering NIST to set standards for the development and management of these devices, as the IoT Cybersecurity Improvement Act of 2019 proposes, will help secure the sensitive data held by the government and the private information shared within our homes,” said Alan Davidson, Vice President of Global Policy, Trust, and Security at Mozilla.
“The proliferation of insecure Internet-connected devices presents an enormous security challenge. The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government.
“Cloudflare applauds Senators Warner and Gardner, Representatives Kelly and Hurd, and their cosponsors for their continued efforts to address the risks posed by improperly secured IoT devices with the introduction of this latest bill. Using the government procurement process to encourage security research and innovation will make the U.S. Government a leader in this area, and should open up a robust discussion of these issues. Cloudflare looks forward to continuing to work with them as this bill moves forward,” said Doug Kramer, General Counsel, Cloudflare Inc.
“IoT device insecurity is a serious problem that needs to be addressed. Although much must be done to address this problem, the longest journey begins with a single step—and this bill is just such a step in moving the ball forward on IoT security for government procurements,” said Dr. Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University.
"Billions of devices connect our world and in the coming years we will see billions more. Each device adds to an expanding and elastic attack surface that creates a massive gap in the ability to truly understand cyber risk at any given time. The Internet of Things (IoT) Cybersecurity Improvement Act, introduced by Representatives Robin Kelly (D-IL) and Will Hurd (R-TX), tasks NIST with developing security guidelines to address critical vulnerabilities in the development of IoT devices that the federal government purchases. This legislation will help the government better manage its cyber risks, and provide a strong example for other organizations. We also strongly support the call for NIST to develop a report that addresses Cyber Exposure considerations related to the increasing convergence of IT, IoT, and OT devices, networks and systems, as the modern enterprise must manage risk across all these environments," said James Hayes, Vice President of Global Government Affairs at Tenable.
“We applaud Senators Warner and Gardner and Representatives Kelly and Hurd for introducing the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The wireless industry is committed to ensuring the security of IoT devices and we look forward to working with the sponsors of the legislation on policies that will help protect consumers,” said Kelly Cole, Senior Vice President for Government Affairs at CTIA.
Similar legislation was previously introduced in the 115th Congress.
Sen. Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of October’s devastating DDoS attack on the nation’s internet infrastructure by the Mirai botnet, Sen. Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices. Sen. Warner also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.
Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet of Things (IoT).
Bill text is available here.
Warner, Rubio Ask Intelligence Community for Public Report Detailing Chinese Participation in 5G Standard-Setting
Mar 01 2019
Washington – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), a member of the Senate Select Committee on Intelligence, urged Director of National Intelligence Dan Coats to issue a comprehensive and unclassified report on China’s participation in the international standard-setting bodies (ISSBs) for fifth-generation wireless telecommunications technologies (5G). This report would allow companies in the U.S. to fully assess any existing threats to fair competition and push back against them.
“In 2012, the House Permanent Select Committee on Intelligence’s study on Huawei and ZTE drew attention globally to the security concerns associated with certain Chinese telecommunication and information technology companies,” wrote the Senators. “Similarly, we believe Chinese influence in our ISSBs is not fully appreciated, and the IC can play an essential role in filling the publicly available information gap—a necessary first step to countering this trend.”
American companies do not currently have access to crucial information regarding China’s alleged use of political influence in ISSBs or other anti-competitive practices, such as the state-directed coordination of large Chinese telecommunications firms. These practices can undermine fair competition, hinder the ability of U.S. companies to sell and scale their technologies, and raise serious economic and security concerns for U.S. networks and future generations of wireless technologies.
Prompted by a series of anecdotal concerns raised to the Senate Select Committee on Intelligence (SSCI) regarding China’s attempt to politically influence the ISSBs, the Senators urged Director Coats to issue a report detailing:
1. Overall trends in the ISSBs over the past decade and the implications of politicization of ISSBs;
2. Specific examples of attempts by China and other foreign adversaries to exert pressure or political influence within the ISSBs or at major telecommunication conferences to secure standards that are favorable to Chinese companies and patent holders, or that might introduce deficiencies into 5G networks; and,
3. How Chinese-led standards for 5G technologies will affect U.S. economic and security interests, including efforts by U.S. companies to sell and scale their technologies, the ability of the U.S. to position itself for future generations of wireless technology, and to protect against cyber intrusions and security vulnerabilities.
They concluded, “We hope that this report will be part of an ongoing effort to share more timely and relevant information with U.S. companies and our allies. The U.S. cannot tackle this issue alone and must work closely with our international partners—including the European Union, Great Britain, Korea, Japan, Australia, New Zealand, and Canada—on how we may collectively strengthen security standards, supply chain management, and market share of critical technologies. To the greatest extent possible, we urge the IC to declassify relevant information.”
Sens. Warner and Rubio are the lead sponsors of bipartisan legislation to help combat tech-specific threats to national security posed by foreign actors like China. Sen. Warner, a former telecommunications executive and entrepreneur, has long expressed concerns about the risks to our national security posed by Chinese-controlled telecom companies. On October 12, 2018, Sen. Warner and Sen. Rubio sent a letter to Canadian Prime Minister Justin Trudeau urging his country to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. Warner has also urged the Administration to work with our allies to combat these technology threats. Sens. Warner and Rubio are also the authors of bipartisan legislation to enforce full compliance by ZTE with all probationary conditions of a U.S. Commerce Department deal struck with the company last year that ended U.S.-imposed sanctions.
Full text of the letter is below and a copy can be found here.
Director Dan Coats
Director of National Intelligence
1500 Tysons McLean Drive
McLean, VA 22102
Dear Director Coats:
We are writing to request an unclassified report on the participation of China and other adversarial nations in the international standard-setting bodies (“ISSBs”) for fifth-generation wireless telecommunications technologies (“5G”). Over the past year, the Senate Select Committee on Intelligence (“SSCI”) has heard anecdotal concerns that China is attempting to exert pressure or political influence in the ISSBs, which have historically functioned as technological meritocracies. Not only does political influence undermine fair competition, it also raises serious economic and security concerns for 5G and future generations of wireless technologies.
Currently, U.S. companies do not have access to critical information about the nature of this threat, and the degree of state-directed coordination amongst large Chinese telecommunication firms seeking to gain a critical edge in wireless technologies. Without adequate information, U.S. companies cannot effectively push back against this behavior, nor can the United States coordinate with our allies to deter anticompetitive practices in the ISSBs.
Specifically, we request a detailed and unclassified report, to the extent possible, from the Intelligence Community (“IC”) on the following items:
1. Overall trends in the ISSBs over the past decade and the implications of politicization of ISSBs, if there is evidence of such trends;
2. Specific examples and case studies of attempts by China and other foreign adversaries to exert pressure or political influence within the ISSBs or at major telecommunication conferences to secure standards that are favorable to Chinese companies and patent holders, or that might introduce deficiencies into 5G networks; and,
3. Implications of Chinese-led standards for 5G technologies and how that will affect U.S. economic and security interests, including efforts by U.S. companies to sell and scale its technologies, the ability of the U.S. to position itself for future generations of wireless technology, and to protect against cyber intrusions and security vulnerabilities.
In 2012, the House Permanent Select Committee on Intelligence’s study on Huawei and ZTE drew attention globally to the security concerns associated with certain Chinese telecommunication and information technology companies. Similarly, we believe Chinese influence in our ISSBs is not fully appreciated, and the IC can play an essential role in filling the publicly available information gap—a necessary first step to countering this trend.
We hope that this report will be part of an ongoing effort to share more timely and relevant information with U.S. companies and our allies. The U.S. cannot tackle this issue alone and must work closely with our international partners—including the European Union, Great Britain, Korea, Japan, Australia, New Zealand, and Canada—on how we may collectively strengthen security standards, supply chain management, and market share of critical technologies. To the greatest extent possible, we urge the IC to declassify relevant information.
We appreciate your attention to this important matter.
WASHINGTON, DC – In an effort to better protect customers, increase transparency for investors, and ensure public companies are prioritizing cybersecurity and data privacy, U.S. Senators Jack Reed (D-RI), Susan Collins (R-ME), Mark Warner (D-VA), John Kennedy (R-LA), and Doug Jones (D-AL) are introducing S. 592, the Cybersecurity Disclosure Act of 2019. Congressman Jim Himes (D-CT), who serves on the House Financial Services Committee and the House Permanent Select Committee on Intelligence, will be introducing the companion legislation in the House of Representatives.
The Reed-Collins-Warner-Kennedy-Jones legislation would require publicly traded companies to include in their Securities and Exchange Commission (SEC) disclosures to investors information on whether any member of the company’s Board of Directors is a cybersecurity expert, and if not, why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the company. The legislation does not require companies to take any actions other than to provide this disclosure.
Cyberattacks on companies and businesses continue to increase in their sophistication, exposing customers and data to risk. Indeed, according to the Identity Theft Resource Center, the number of records containing personally identifiable information exposed by data breaches in the business industry grew from 181,630,520 in 2017 to 415,233,143 in 2018, and in the medical and health care industry from 5,302,846 in 2017 to 9,927,798 last year. Across all industries, the number of records containing personally identifiable information exposed by data breaches rose 126%, from 197,612,748 in 2017 to 446,515,334 in 2018.
Deloitte’s 11th Global risk management survey of financial institutions found that “sixty-seven percent of respondents named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than for any other risk. Yet, only about one-half of the respondents felt their institutions were extremely or very effective in managing this risk.” And according to the 2018-2019 National Association of Corporate Directors Public Company Governance Survey, only 52 percent of directors “are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight,” and 58 percent “believe their boards collectively know enough about cyber risk to provide effective oversight.”
“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process. With growing cyber threats, we must be proactive in bolstering our nation’s cybersecurity. This legislation advances that goal by encouraging publicly traded companies to be more transparent about whether and how their Boards of Directors and senior management are prioritizing cybersecurity,” said Senator Reed, the Ranking Member of the Senate Armed Services Committee and a senior member of the Senate Banking Committee. “As our economy becomes ever more dependent on technology and the Internet, our economic security is indeed a matter of national security. Through the simple disclosure called for by this bipartisan legislation, we can strengthen cybersecurity oversight.”
“As cyberattacks become increasingly common, Congress must take action to better protect Americans from hackers attempting to steal sensitive data and personal information,” said Senator Collins, a member of the Senate Intelligence Committee. “This bipartisan bill strengthens our nation’s cybersecurity by requiring companies to disclose to the public the basic steps they are taking to prevent cyberattacks.”
“Every day, determined cyberattackers target publicly traded companies in attempts to steal data. When successful, these attacks can be extremely damaging, which is why consumers and shareholders deserve to know whether companies’ boards have cyber expertise,” said Senator Warner, Vice Chairman of the Senate Select Committee on Intelligence and Ranking Member of the Senate Banking Subcommittee on National Security and International Trade and Finance. “This legislation will help inform consumers and shareholders by increasing transparency, and will serve as a tool to urge more reliable strategies to counter cyberattacks.”
“As our society increasingly relies on technology, businesses across all sectors of the economy must prioritize cybersecurity. A single cyberattack can cripple even the most sophisticated firms, and the public has a right to know whether companies are focused on preventing cybersecurity threats. This bipartisan legislation will greatly increase transparency and accountability, and will ultimately help cybersecurity resilience across our economy,” said Senator Jones.
The bipartisan Cybersecurity Disclosure Act of 2019 is supported by consumer advocates, investors, and securities law experts, including the North American Securities Administrators Association; the Council of Institutional Investors; the National Association of State Treasurers; the California Public Employees’ Retirement System; the Bipartisan Policy Center; Massachusetts Institute of Technology Professor Simon Johnson; Harvard Law Professor John Coates; Columbia Law Professor Jack Coffee; K&L Gates LLP; and the Consumer Federation of America.
WASHINGTON—U.S. Senator John Cornyn (R-TX), along with Senators Richard Burr (R-NC), Mark Warner (D-VA), Jim Risch (R-ID), Dianne Feinstein (D-CA), Marco Rubio (R-FL), Tom Cotton (R-AR), Angus King (I-ME), Susan Collins (R-ME), Ben Sasse (R-NE), and Mitt Romney (R-UT), today sent a letter to the Secretary of Energy, Rick Perry, and the Secretary of Homeland Security, Kirstjen Nielsen, urging them to protect our electrical systems and critical infrastructure from potential cyberattacks by banning the use of inverters made by the Chinese-owned company, Huawei Technologies Co., Ltd.
“Huawei has recently become the world’s largest maker of inverters - the sophisticated control systems that have allowed the rapid expansion of residential and utility scale energy production. Both large-scale photovoltaic systems and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks. Our federal government should consider a ban on the use of Huawei inverters in the United States and work with state and local regulators to raise awareness and mitigate potential threats,” the Senators wrote.
“We urge you to work with all federal, state and local regulators, as well as the hundreds of independent power producers and electricity distributors nation-wide to ensure our systems are protected. We stand ready and willing to provide any assistance you need to secure our critical electricity infrastructure.”
The signed letter is here, and full text is below.
February 25, 2019
The Honorable Rick Perry
U.S. Department of Energy
1000 Independence Avenue SW
Washington, DC 20585
The Honorable Kirstjen Nielsen
U.S. Department of Homeland Security
800 K Street NW
Washington, DC 20528
Dear Secretaries Perry and Nielsen:
We write to express our concern over the national security threat products manufactured by Huawei Technologies Co., Ltd. (Huawei) pose to our nation’s critical energy infrastructure. We understand that Huawei, the world’s largest manufacturer of solar inverters, is attempting to access our domestic residential and commercial markets. Congress recently acted to block Huawei from our telecommunications equipment market due to concerns with the company’s links to China’s intelligence services. We urge similar action to protect critical U.S. electrical systems and infrastructure.
Huawei has recently become the world’s largest maker of inverters - the sophisticated control systems that have allowed the rapid expansion of residential and utility scale energy production. Both large-scale photovoltaic systems and those used by homeowners, school districts, and businesses are equally vulnerable to cyberattacks. Our federal government should consider a ban on the use of Huawei inverters in the United States and work with state and local regulators to raise awareness and mitigate potential threats.
We urge you to work with all federal, state and local regulators, as well as the hundreds of independent power producers and electricity distributors nation-wide to ensure our systems are protected. We stand ready and willing to provide any assistance you need to secure our critical electricity infrastructure.
Thank you for your attention to this important matter of national security.
Warner Asks Agencies for Recommendations on Reducing Cybersecurity Vulnerabilities in Health Care Industry
Feb 25 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the leaders of four federal agencies and departments, seeking details on any measures being taken by the federal government to reduce vulnerabilities in the health care sector. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care industry, asked for strategic recommendations, and conveyed his desire to work alongside federal agencies and health care entities to develop strategies that strengthen information security. Sen. Warner also sent letters last week to major health care entities, including the American Hospital Association, American Medical Association, Virginia Hospital and Healthcare Association, and others.
“The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack,” said Sen. Warner. “As we welcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities.”
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyberattacks would cost our health care system $305 million over a five-year period. Furthermore, a 2017 report by Trend Micro found that over 100,000 healthcare devices and systems were exposed directly to the public internet, including electronic health record systems, medical devices, and network equipment.
Sen. Warner concluded the letters by noting that he would like to work with the agencies “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector…It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health care industry.”
The sensitive nature of medical information makes the health care industry a lucrative target for criminals seeking to profit from personally identifiable information. Medical records often contain private information, including a patient’s social security number, address, and health history. When stolen, this information can be used to conduct identity theft. The importance of continued availability of health data also makes health care organizations lucrative targets for ransomware attacks.
In order to gauge existing risks and gather facts to develop a long- and short-term security strategy, Sen. Warner asked the following questions of each agency and department:
- To date, what proactive steps has your Department/Agency taken to identify and reduce cyber security vulnerabilities in the health care sector?
- How has your Department/Agency worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector?
- Has your Department/Agency engaged private sector health care stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If so, what has been the result of these efforts?
- Has your Department/Agency worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the health care sector? If so, who has led these efforts and what has been the result?
- Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve your efforts to combat cyberattacks on health care entities?
- Are there additional recommendations you would make in establishing a national strategy to improve cybersecurity in the health care sector?
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the following statement on President Trump’s Executive Order on artificial intelligence (AI):
“AI holds enormous promise, with diverse applications across almost every imaginable sector and an array of implications in the national security context, as well. Our strategic competitors fully understand the stakes and have devoted enormous resources to outpacing the U.S. in this area. At the same time, if we’ve learned anything from the last two years, it’s that U.S. policy should be much more thoughtful in the consideration of emerging technologies – particularly in modeling their misuse. I applaud a number of aspects of the Executive Order, such as the proposal – mirroring the white paper I released last summer – to open federal data-sets to non-federal entities.
“Overall, however, the tone of this Executive Order reflects a laissez-faire approach to AI development that I worry will have the U.S. repeating the mistakes it has made in treating digital technologies as inherently positive forces, with insufficient consideration paid to their misapplication. As I raised in my white paper, there are early indications that AI may contribute towards ‘winner-take-all markets’ – making it all the more important that our AI policies catalyze and sustain long-term competition and innovation. Similarly, the Administration’s Executive Order treats the impact of AI on the American workforce almost as an after-thought – relegating consideration of upskilling and retraining to existing federal programs.
“Lastly, while the Executive Order explicitly references the activities of strategic competitors and adversarial nations, it offers little concrete guidance on how the U.S. should respond to adversarial and malicious uses of AI technologies by state and non-state actors alike, nor does it address instances where American technology companies are working in and with adversary nations in ways that undermine civil liberties, privacy, and American leadership.”
Warner, Rubio, Van Hollen, Colleagues Re-Introduce Bill to Enforce Commerce Deal with Chinese Telecom Firm ZTE
Feb 05 2019
Washington, D.C. – U.S. Senators Marco Rubio (R-FL), Chris Van Hollen (D-MD), Susan Collins (R-ME), Mark Warner (D-VA), Jerry Moran (R-KS), Elizabeth Warren (D-MA), and Doug Jones (D-AL) today re-introduced the ZTE Enforcement Review and Oversight (ZERO) Act, a bipartisan bill to enforce full compliance by ZTE, a Chinese state-directed telecommunications firm that repeatedly violated U.S. laws, with all probationary conditions in the Commerce Department’s July 2018 deal to lift the denial order’s seven-year ban against the export of U.S. parts and components to ZTE. If the Commerce Secretary cannot regularly certify ZTE’s full compliance with the deal and with relevant U.S. export controls and sanctions laws, the denial order’s crippling punishments will be reinstated against ZTE.
“When it comes to violating U.S. sanctions and deceiving our government, ZTE is a repeat offender. Companies like ZTE threaten our security and compromise American interests but this administration has failed to hold them accountable. This much-needed legislation will force the telecom firm to play by the rules by imposing punitive measures if ZTE once again violates trade restrictions or its agreement with the U.S.,” said Senator Warner, Vice Chairman of the Senate Select Committee on Intelligence.
“I am proud to reintroduce this bipartisan bill to hold the Chinese state-directed telecoms company, ZTE, accountable for repeated violations of U.S. exports controls and sanctions laws,” Senator Rubio said. “China’s communist government continues to threaten our national security interests through state-directed actors and, while it was a mistake to strike a ‘deal’ with ZTE in the first place, this bill would ensure ZTE is held accountable if and when it cheats again.”
“ZTE’s actions represent a threat to our national security. While we work on a broader strategy to combat China’s theft of advanced U.S. technology and brazen violation of U.S. law, we must act to ensure ZTE is not able to violate the current agreement with the Department of Commerce or break our laws. This bipartisan legislation will help hold their feet to the fire and should be considered without delay,” Senator Van Hollen said.
“Having continuously violated American sanctions on Iran and North Korea, ZTE’s disregard for U.S. laws undermines our national security interests and cannot be tolerated,” Senator Collins said. “Our bipartisan bill would require the Department of Commerce to monitor ZTE and effectively put ZTE out of business if they are found to be noncompliant, ensuring the safety of our economy and national security.”
“ZTE – with the support of the Chinese government – has repeatedly violated U.S. sanctions, and they must be held accountable for their actions,” Senator Moran said. “The bipartisan ZERO Act would authorize the Commerce Department to monitor ZTE and make certain they are not violating the current trade agreement. I urge my colleagues to support this legislation to protect our national security interests from bad actors and ensure ZTE faces severe penalties if they break the law again.”
“ZTE must be held accountable for violating our sanctions laws and threatening U.S. national security interests, not given a slap on the wrist and allowed to do business in the United States,” Senator Warren said. “I’m glad to work with Senators in both parties on a bill to ensure that this company faces severe penalties if it breaks the law again or violates its settlement agreement.”
Jan 29 2019
WASHINGTON— Today, the Vice Chairman of the Senate Select Committee on Intelligence Sen. Mark R. Warner (D-VA) and Committee member Sen. Marco Rubio (R-FL) announced that their bipartisan legislation to help combat tech-specific threats to national security posed by foreign actors like China has picked up four new bipartisan Senate co-sponsors. Sens. Michael Bennet (D-CO), Roy Blunt (R-MO), Chris Coons (D-DE) and Susan Collins (R-ME) have co-sponsored Warner and Rubio’s legislation to create an Office of Critical Technologies & Security at the White House responsible for coordinating across agencies and developing a long-term, whole-of-government strategy to protect against state-sponsored technology theft and risks to critical supply chains.
Companion legislation was also introduced in the House of Representatives on January 16 by Congressmen C.A. Dutch Ruppersberger (D-MD), Mike Conaway (R-TX), Jim Himes (D-CT), and Will Hurd (R-TX).
China and other nations are currently attempting to achieve technological and economic superiority over the United States through the aggressive use of state-directed or -supported technology transfers. At the same time, the U.S. is also facing major challenges to the integrity of key supply chains as a result of reliance on foreign products that have been identified as national security risks. A national response to combat these threats and ensure our national security has, to date, been hampered by insufficient coordination at the federal level.
The Warner-Rubio bill would guarantee that there is a federal entity responsible for proactively coordinating interagency efforts and developing a national strategy to deal with these challenges to our national security and long-term technological competitiveness. Under the bill, the Office of Critical Technologies & Security would be directed to coordinate and consult with federal and state tech and telecom regulators, the private sector, nongovernmental experts and academic stakeholders, and key international partners and U.S. allies to ensure that every available tool is being utilized to safeguard the supply chain and protect emerging, foundational and dual-use technologies. The Office would also be responsible for raising awareness of these threats and improving the overall education of the American public and business leaders in key sectors about the threats to U.S. national security posed by the improper acquisition and transfer of critical technologies by foreign countries and reliance on foreign products – such as those manufactured by Chinese telecom companies ZTE and Huawei – that jeopardize the overall security of private sector supply chains.
“Our message is clear: We need a whole-of-government technology strategy to protect U.S. competitiveness in emerging and dual-use technologies and address the Chinese threat,” said Sen. Warner, a former technology and telecommunications executive. “I thank Senator Bennet, Senator Blunt, Senator Coons and Senator Collins for their support of this measure, and I look forward to working with them and the Executive Branch to improve coordination and respond to this threat.”
“I thank my Senate colleagues for recognizing the importance of this legislation and the continued threat posed by the Chinese government’s assault on U.S. intellectual property, U.S. businesses, and our government networks and information with the full backing of the Chinese Communist Party,” Sen. Rubio said. “The United States needs a more coordinated approach to directly counter this critical threat and ensure we better protect U.S. technology, and this important, bipartisan legislation will streamline efforts across the government. I look forward to working with my colleagues and the Administration to enact this legislation and guard against these national security threats.”
“The United States must sharpen efforts to address technology threats from China and other nations that undermine our economic and national security, erode democratic norms, and leave vulnerable our supply chains. Successfully combatting these threats requires a long-term strategy for maintaining U.S. competitiveness in technologies of the future. We must work across public and private sectors to galvanize efforts that ensure our technological competitiveness,” said Sen. Bennet.
“It’s more important than ever for the federal government to have a comprehensive strategy to combat the increase in tech-related security threats from China and other nations,” said Sen. Blunt. “This bill is an important step to better protect our critical supply chains and push back against state-sponsored technology theft.”
“The United States needs a strategy to protect our critical infrastructure and safeguard technologies in industries of the future like 5G, quantum computing, artificial intelligence, and biotech,” said Sen. Coons, a member of the Senate Foreign Relations Committee. “I am proud to support a bill that can improve our government’s capacity to secure our supply chains and prevent forced technology transfer. I look forward to working with my colleagues to pass this bill and other similar efforts into law.”
“China’s theft of critical U.S. technologies and increased efforts to expand into our telecommunications market pose serious threats to our national security and to consumers,” said Sen. Collins. “This bipartisan bill would ensure greater coordination and cooperation between government at the federal and state levels, as well as with nongovernmental experts and the private sector, to develop a long-term strategy on combatting foreign attempts to acquire U.S. technologies.”
Sen. Warner, a former telecommunications executive and entrepreneur, has long expressed concerns about the risks to our national security posed by Chinese-controlled telecom companies. On October 12, 2018, Sen. Warner and Sen. Rubio sent a letter to Canadian Prime Minister Justin Trudeau urging his country to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. Warner has also urged the Administration to work with our allies to combat these technology threats. Sens. Warner and Rubio are also the authors of bipartisan legislation to enforce full compliance by ZTE with all probationary conditions of a U.S. Commerce Department deal struck with the company last year that ended U.S.-imposed sanctions.
For a copy of the bill text, click here.
Jan 28 2019
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the below statement after the Department of Justice charged Huawei with the theft of trade secrets, sanctions violations and obstruction of justice:
“There is ample evidence to suggest that no major Chinese company is independent of the Chinese government and Communist Party – and Huawei, which China’s government and military tout as a ‘national champion,’ is no exception. It has been clear for some time that Huawei poses a threat to our national security, and I applaud the Trump Administration for taking steps to finally hold the company accountable.
“This is also a reminder that we need to take seriously the risks of doing business with companies like Huawei and allowing them access to our markets, and I will continue to strongly urge our ally Canada to reconsider Huawei’s inclusion in any aspect of its 5G infrastructure.
“This action further underscores the need for a coordinated, whole-of-government and whole-of-society approach to dealing with the threat posed by an increasingly forceful China. I will continue to urge the Trump Administration to make China’s rampant IP theft a top priority in ongoing trade negotiations, and will continue pressing for a more coherent, cohesive national strategy to protect U.S. technology and ensure U.S. technological competitiveness.”
Sen. Warner, a former telecommunications executive and entrepreneur, has long expressed concerns about the risks to our national security posed by Chinese-controlled telecom companies.
Earlier this month, Sen. Warner and Sen. Marco Rubio (R-FL) introduced bipartisan legislation to create an Office of Critical Technologies & Security at the White House responsible for coordinating across agencies and developing a long-term, whole-of-government strategy to protect against state-sponsored technology theft and risks to critical supply chains.
On October 12, 2018, Sen. Warner and Sen. Rubio sent a letter to Canadian Prime Minister Justin Trudeau urging his country to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance.
In September, Sen. Warner joined several colleagues to introduce the ZTE Enforcement Review and Oversight (ZERO) Act. The bipartisan bill would enforce full compliance by ZTE – a Chinese state-directed telecommunications firm that repeatedly violated U.S. laws – with all probationary conditions outlined in a Commerce Department deal with the company that lifted a denial order banning the export of U.S. parts and components.
WASHINGTON – Sen. Mark R. Warner (D-VA), along with Sens. Tim Kaine (D-VA), Ben Cardin (D-MD) and Chris Van Hollen (D-MD), wrote to Washington Metropolitan Area Transit Authority (WMATA) General Manager and CEO Paul J. Wiedefeld to express safety and security concerns regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.
The Senators wrote, “In the transportation sector, there has been increased interest from particular foreign governments to participate in state and local procurements, including those to manufacture and assemble rail cars for transit agencies around the country. While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation’s capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security. As Metro continues its procurement process for the 8000-series rail car, we strongly urge you to take the necessary steps to mitigate growing cyber risks to these cars.”
The Washington Post recently reported that “the state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency's newest series of rail cars.”
In their letter, the Senators noted that Metro’s 8000-series rail car is expected to incorporate safety and communications technology such as automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and data interface with WMATA, among other potentially vulnerable mechanisms that could allow a foreign spy, terrorist, or other rogue actor to break in and take control of Metro’s systems to conduct foreign espionage or impact operations.
“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers. In a Q&A document posted as part of the RFP, WMATA noted that there are ‘no Buy America or DBE requirements for this contract,’ raising further questions about what protections will be in place to ensure the integrity of these components,” the Senators told Wiedefeld.
The Senators then posed a series of questions regarding Metro’s plans for the rail car procurement process, including:
- While we are aware that nearly all passenger railcar manufacturers in the United States are foreign-owned, what steps is WMATA taking to ascertain and mitigate against the involvement of foreign governments in this procurement?
- Has Metro received briefings from the Department of Homeland Security or related agencies on the attempts of foreign adversaries to infiltrate our critical infrastructure and the significant cyber vulnerabilities that can stem from them doing so?
- Will Metro take a company’s ties to foreign governments with a record of industrial and cyber espionage into account when evaluating bids, particularly if such company is a state-owned enterprise?
- If so, will Metro allow sensitive component parts of these railcars to be sourced from such countries?
- Will Metro consult with the Department of Defense prior to awarding a contract to confirm whether the Department would permit railcars built by certain foreign governments to operate through the Pentagon?
- We understand that Metro has announced that the RFP will be amended to include baseline cybersecurity protocols. Please provide information about these protocols and how they are being developed. How will Metro evaluate bidder responses to this forthcoming cybersecurity addendum? Will Metro review these responses with the Department of Transportation (USDOT) and the Department of Homeland Security, and seek the concurrence of USDOT and DHS in its cybersecurity evaluations before making any final contract award in this procurement? What specific requirements will the addendum include to ensure that any communications technology included in the rail car procurement is protected from being exploited for surveillance purposes?
The Senators concluded, “U.S. national security should be of the utmost importance as WMATA considers bids for its procurement of 8000-series rail cars, and we therefore request that you consider submitting an addendum to the earlier RFP [Request for Proposals] to ensure that the necessary steps are taken to protect against the aforementioned concerns.”
The full text of the letter is available here.
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the below statement after the Department of Justice announced charges against two hackers associated with the Chinese government:
“The Department of Justice, and in particular Deputy Attorney General Rod Rosenstein, should be congratulated for their work on this announcement. DOJ’s recent moves to hold China accountable are important in exposing some of the threats posed by China as it attempts to pursue economic and technological dominance over the United States.
“While legal action is important, a truly effective response will require a coordinated approach with our allies and a comprehensive strategy to protect our national security and enhance U.S. competitiveness and resiliency. We have to punch back against China’s malign activities – but we also have to do more than play defense if we’re going to truly check China’s bad behavior.”
Dec 06 2018
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the below statement following the Canadian government’s arrest of Meng Wanzhou, the chief financial officer of Huawei:
“There is ample evidence to suggest that no major Chinese company is independent of the Chinese government and Communist Party – and Huawei, which China’s government and military tout as a ‘national champion,’ is no exception. It has been clear for some time that Huawei, like ZTE, poses a threat to our national security. Now we know that Huawei, like ZTE, has violated U.S. sanctions law. It's my hope that the Trump Administration will hold Huawei fully accountable for breaking sanctions law, as it failed to do in the case of ZTE.
“This is a reminder that we need to take seriously the risks of doing business with companies like Huawei and allowing them access to our markets. I continue to strongly urge our close ally Canada to reconsider Huawei’s inclusion in any aspect of its 5G infrastructure.”
Sen. Warner, a former telecommunications executive and entrepreneur, has long expressed concerns about the risks to our national security posed by Chinese-controlled telecom companies.
On October 12, 2018, Sen. Warner and Sen. Marco Rubio (R-FL) sent a letter to Canadian Prime Minister Justin Trudeau urging his country to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance.
In September, Sen. Warner joined several colleagues to introduce the ZTE Enforcement Review and Oversight (ZERO) Act. The bipartisan bill would enforce full compliance by ZTE – a Chinese state-directed telecommunications firm that repeatedly violated U.S. laws – with all probationary conditions outlined in a Commerce Department deal with the company that lifted a denial order banning the export of U.S. parts and components.
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) sent another letter to Federal Trade Commission (FTC) Chairman Joseph J. Simons pressing the leader of the agency to use the authorities granted to it by Congress to protect American businesses and shoppers from digital advertising fraud, which reached $7.4 billion in 2016 – costs that are later passed on to consumers in the form of higher prices. Today’s letter follows an earlier Oct. 25 letter urging the FTC to do more to respond to the prevalence of digital ad fraud, in light of inaction by major industry players like Google to voluntarily curb the problem.
Sen. Warner noted that in large part because of enforcement decisions made by the FTC, Google has come to dominate the digital ad market, but has done little to crack down on fraud. Google was the only major social media company absent for a September hearing in the Senate Intelligence Committee, on which Sen. Warner serves as Vice Chairman.
Sen. Warner today criticized the FTC’s failure to take action, writing, “As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal. It was thus enormously discouraging to read your own response to my [Oct. 25] letter, which did nothing to address the inaction of major industry stakeholders in curbing these abuses. Instead, your letter appeared to suggest that your authority to address deceptive and unfair practices does not apply to this conduct; rather, your letter portrays the FTC as successfully addressing online fraud through workshops and education campaigns. Neither suggestion inspires confidence in the FTC’s efforts as digital ad fraud has continued to proliferate.”
“In recent congressional testimony, you have urged Congress to provide the FTC with additional authority related to promoting competition and consumer protection in the digital age. Increasingly, I am not convinced the Commission is adequately utilizing the authority it already has to crack down on fraud and other misbehavior,” Sen. Warner added. “The FTC is the agency explicitly empowered to address fraud and deceptive practices, and Section 5 of the Federal Trade Commission Act was written in broad terms precisely for this purpose. Since 1938, Congress has given your agency broad enforcement authority to protect consumers and expects you to use it. I would like to sit down with you in the next month to discuss how the FTC can ensure it does the job Congress intended it to do.”
The full text of today’s letter is available here, and also appears below.
In October, Sen. Warner wrote a letter to Federal Trade Commission (FTC) Chairman Joseph Simons expressing concern following a report published by Buzzfeed detailing the continued prevalence of digital advertising fraud and inaction by Google to curb these efforts. According to Buzzfeed, this scheme has generated hundreds of millions of dollars in fraudulent advertising revenues, with operations spanning more than 125 Android apps and websites. The FTC’s November response can be found here.
In July 2016, Sen. Warner and Sen. Chuck Schumer (D-NY) wrote to then-FTC Chairwoman Ramirez calling on the agency to protect consumers from the growing digital ad fraud phenomenon. Since then, reports have estimated that digital ad fraud has only grown to $7.4 billion in 2017 – and is projected to rise to $10.9 billion by 2021.
The full text of today’s letter follows:
December 6, 2018
The Honorable Joseph J. Simons
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20530
Dear Chairman Simons,
On October 25th, I wrote to you to express grave concerns with the growing phenomenon of digital ad fraud, and in particular my frustration with the ways that large intermediaries have turned a blind eye to, and in certain cases helped enable, this fraud. This letter followed concerns Senator Schumer and I raised in a 2016 letter to your predecessor about the negative economic impact of ad fraud on end users, advertisers, and publishers. I was deeply disappointed by your November 19th response, which failed to substantively address any of the concerns that I have been raising for two years now regarding the Federal Trade Commission’s failures to crack down on digital advertising fraud.
The digital advertising market has come to be largely dominated by one company, in part because of enforcement decisions by the FTC. The FTC’s failure to act has had the effect of allowing Google to structure its own market; through a series of transactions, the company has accomplished a level of vertical integration that allows it in effect to act as the equivalent of market-maker, commodities broker, and commodities exchange for digital advertising – in the process creating a range of conflicts of interest. While the company controls each link in the supply chain and therefore maintains the power to monitor activity in the digital advertising market from start to finish, it has continued to be caught flat-footed in identifying and addressing digital ad fraud. As we’ve seen in other contexts – such as the rampant proliferation of online disinformation – major platforms including Google have often proved unwilling to address misuse of their platforms until brought to the wider public’s attention by Congress or media outlets. As long as Google stands to profit from the sale of additional advertisements, the financial incentive for it to voluntarily root out and address fraud remains minimal.
It was thus enormously discouraging to read your own response to my letter, which did nothing to address the inaction of major industry stakeholders in curbing these abuses. Instead, your letter appeared to suggest that your authority to address deceptive and unfair practices does not apply to this conduct; rather, your letter portrays the FTC as successfully addressing online fraud through workshops and education campaigns. Neither suggestion inspires confidence in the FTC’s efforts as digital ad fraud has continued to proliferate.
In recent congressional testimony, you urged Congress to provide the FTC with additional authority related to promoting competition and consumer protection in the digital age. Increasingly, I am not convinced the Commission is adequately utilizing the authority it already has to crack down on fraud and other misbehavior. The FTC is the agency explicitly empowered to address fraud and deceptive practices, and Section 5 of the Federal Trade Commission Act was written in broad terms precisely for this purpose.
Since 1938, Congress has given your agency broad enforcement authority to protect consumers and expects you to use it. I would like to sit down with you in the next month to discuss how the FTC can ensure it does the job Congress intended it to do.
Mark R. Warner
United States Senator
Nov 30 2018
WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, released the following statement on Marriott’s disclosure of a data breach affecting up to 500 million guests:
“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and U.S. Sen. Marco Rubio (R-FL), a member of the Committee, urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. A letter from the two Senators to the Prime Minister follows comments made by Head-Designee of the Canadian Center for Cyber Security Scott Jones regarding Huawei.
The entry of Chinese state-directed telecommunications companies like Huawei into the Canadian market could seriously jeopardize the relationship between U.S. and Canadian carriers, depriving North American operators of the scale needed to rapidly build out 5G networks.
The full text of the letter is below. A copy of the signed letter is available here.
Dear Prime Minister Trudeau:
We write with grave concerns about the possibility that Canada might include Huawei Technologies or any other Chinese state-directed telecommunications company in its fifth-generation (5G) telecommunications network infrastructure. As you are aware, Huawei is not a normal private-sector company. There is ample evidence to suggest that no major Chinese company is independent of the Chinese government and Communist Party—and Huawei, which China’s government and military tout as a “national champion,” is no exception.
Based on what we know about Chinese state-directed telecommunications companies, it was troubling to learn that on September 20, 2018, the new Head-Designee of the Canadian Center for Cyber Security Scott Jones told the House of Commons Standing Committee on Public Safety and National Security that banning Huawei is not needed, in response to a question about why Canada has not come out against Huawei as other Five Eyes allies have. Specifically, he claimed that Canada has “a very advanced relationship with our telecommunications providers, something that is different from most other countries,” adding, “We have a program that is very deep in terms of working on increasing that broader resilience piece especially as we are looking at the next-generation telecommunications networks.”
In contrast to Mr. Scott’s comments, however, three former senior Canadian national security officials warned earlier this year against the inclusion of Huawei in Canada’s 5G network. One of them—Mr. Ward Elcock, former Deputy Minister of National Defence—told the Globe and Mail on March 18, 2018, “I have a pretty good idea of how signal-intelligence agencies work and the rules under which they work and their various operations,” concluding that, “I would not want to see Huawei equipment being incorporated into a 5G network in Canada.”
While Canada has strong telecommunications security safeguards in place, we have serious concerns that such safeguards are inadequate given what the United States and other allies know about Huawei. Indeed, we are concerned about the impact that any decision to include Huawei in Canada’s 5G networks will have on both Canadian national security and “Five Eyes” joint intelligence cooperation among the United States, United Kingdom, Australia, New Zealand, and Canada. As you know, Australia effectively banned Huawei, ZTE, and other Chinese state-directed companies from its nation’s 5G networks by excluding firms that “are likely to be subject to extrajudicial directions from a foreign government” and therefore pose unacceptable risks to national security. Moreover, the United Kingdom’s Huawei Cyber Security Evaluation Centre Oversight Board’s 2018 annual report to Britain’s national security adviser found that “identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunications networks and long-term challenges to mitigation and management.”
Further, the strong alignment between the United States and Canada in spectrum management has meant that American and Canadian carriers in many cases share complementary spectrum holdings, jointly benefiting from economies of scale for equipment designed for regionally harmonized frequencies. The entry of suppliers such as Huawei into the Canadian market could seriously jeopardize this dynamic, depriving both Canadian and American operators of the scale needed to rapidly build out 5G networks.
Given the strong statements by former Canadian national security officials as well as similar concerns out of the U.S., Australia, and the United Kingdom, we hope that you will reconsider Huawei’s inclusion in any aspect of Canada’s 5G development, introduction, and maintenance. Should you have any questions about the threat that Chinese state-directed telecommunications firms pose to your networks, we urge your government to seek additional information from the U.S. Intelligence Community.
Thank you for your attention to this matter.