Press Releases

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) urged the Federal Trade Commission (FTC) to formally investigate TikTok and its parent company, ByteDance. The call comes in response to recent reports that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China (PRC) to repeatedly access private data of US users despite repeated claims to lawmakers and users that this data was protected. This includes instances where staff based in the United States had to consult with their China-based colleagues for information about U.S. user data as they did not have access to the data on their own. These revelations undermine longstanding claims by TikTok’s management that the company’s operations were firewalled from demands of the Chinese Communist Party.

“We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021,” the senators wrote in a letter to FTC Chair Lina Khan. “In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.”

The report also highlights TikTok’s misrepresentation of the company’s relationship to ByteDance and its subsidiaries, including Beijing-based ByteDance Technology, which is partially owned by the Chinese Communist Party (CCP). 

The senators continued, “TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.”

As Chairman and Vice Chair of the Senate Select Committee on Intelligence, Sens. Warner and Rubio have been vocal about the cyber and national security threats posed by the CCP. In 2019, the senators introduced legislation to combat tech-specific threats to national security posed by foreign actors like China.

A copy of the letter is available here and below. 

Dear Chairwoman Khan:

We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021. In an interview with the online publication Cyberscoop, the Global Chief Security Officer for TikTok’s parent company, ByteDance, made a number of public representations on the data security practices of TikTok, including unequivocal claims that the data of American users is not accessible to the Chinese Communist Party (CCP) and the government of the PRC. As you know, TikTok’s privacy practices are already subject to a consent decree with the Federal Trade Commission, based on its improper collection and processing of personal information from children. In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.

Additionally, these recent reports suggest that TikTok has also misrepresented its corporate governance practices, including to Congressional committees such as ours. In October 2021, TikTok’s head of public policy, Michael Beckerman, testified that TikTok has “no affiliation” with another ByteDance subsidiary, Beijing-based ByteDance Technology, of which the CCP owns a partial stake. Meanwhile, as recently as March of this year, TikTok officials reiterated to our Committee representations they have previously made that all corporate governance decisions are wholly firewalled from their PRC-based parent, ByteDance. Yet according to a recent report from Buzzfeed News, TikTok’s engineering teams ultimately report to ByteDance leadership in the PRC. 

According to this same report, TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.

A series of national security laws imposed by the CCP, including the 2017 National Intelligence Law and the 2014 Counter-Espionage Law, provide extensive and extra-judicial access opportunities for CCP-controlled security services. Under these authorities, the CCP may compel access, regardless of where data is ultimately stored. While TikTok has suggested that migrating to U.S.-based storage from a U.S. cloud service provider alleviates any risk of unauthorized access, these latest revelations raise concerns about the reliability of TikTok representations: since TikTok will ultimately control all access to the cloud-hosted systems, the risk of access to that data by PRC-based engineers (or CCP security services) remains significant in light of the corporate governance irregularities revealed by BuzzFeed News. Moreover, as the recent report makes clear, the majority of TikTok data – including content posted by users as well as their unique IDs – will remain freely accessible to PRC-based ByteDance employees.

In light of repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices, we urge you to act promptly on this matter.

Sincerely, 

### 

WASHINGTON – With the privacy debate receiving renewed attention in Congress, U.S. Sens. Mark R. Warner (D-VA), Deb Fischer (R-NE), Amy Klobuchar (D-MN), and John Thune (R-SD) and Reps. Lisa Blunt Rochester (D-DE-AL) and Anthony Gonzalez (R-OH-16) today announced that their bipartisan, bicameral DETOUR Act – legislation that would prevent large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data – has picked up several new endorsements.

“We are pleased to see growing momentum behind our bipartisan effort to ban these manipulative practices,” said the members of Congress today. “There’s an increasing consensus in Congress that Americans should be able to make informed choices about handing over their data to large platform companies.”

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.

The DETOUR Act would also prohibit large platforms from deploying features that encourage compulsive usage by children and from conducting behavioral experiments without a consumer’s consent.

"The American Psychological Association supports the efforts of Senators Mark Warner, Deb Fischer, Amy Klobuchar and John Thune to reduce harmful practices and deceptive tactics by social media companies. These practices can be especially harmful to children, but adults are also susceptible,” said Mitch Prinstein, PhD, Chief Science Officer at the American Psychological Association. “Through my research and that of my colleagues in psychological science, we increasingly understand how these companies can mislead individuals. This is why we support the DETOUR Act and its aim to protect social media users.”

“Social media companies often trick users into giving up their personal data – everything from their thoughts and fears to their likes and dislikes – which they then sell to advertisers. These practices are designed to exploit people; not to serve them better. Senator Warner and Senator Fischer’s DETOUR Act would put a stop to the destructive and deceptive use of dark patterns,” said Imran Ahmed, CEO of the Center for Countering Digital Hate.

“The DETOUR Act is an important step towards curbing Big Tech's unfair design choices that manipulate users into acting against their own interests. We are particularly excited by the provision that prohibits designs that cultivate compulsive use in children,” said Josh Golin, Executive Director of Fairplay. “Over the past year, we've heard a lot of talk from members of Congress about the need to protect children and teens from social media harms. It's time to put those words into action - pass the DETOUR Act!”

“The DETOUR Act proposed by Sen. Warner and co-sponsors represents a positive and important step to protect American consumers. DETOUR provides a mechanism for independent oversight over large technology companies and curtailing the ability of these companies to use deceptive and manipulative design practices, such as ‘dark patterns,’ which have been shown to produce substantial harms to users,” said Colin M. Gray, PhD, Associate Professor at Purdue University. “This legislation provides a foothold for regulators to better guard against deceptive and exploitative practices that have become rampant in many large technology companies, and which have had outsized impacts on children and underserved communities.”

“The proposed legislation represents an important step towards reducing big tech companies’ use of dark patterns that prioritize user engagement over well-being,” said Katie Davis, EdD, Associate Professor at the University of Washington. “As a developmental scientist, I’m hopeful the DETOUR Act will encourage companies to adopt a child-centered approach to design that places children’s well-being front and center, reducing the burden on parents to look out for and avoid dark patterns in their children’s technology experiences.”

The legislation was also previously supported by Mozilla, Common Sense, and the Center for Digital Democracy. Full text of the DETOUR Act is available here.

###

 

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, was joined by U.S. Sens. Steve Daines (R-MT) and Thom Tillis (R-NC) in urging Senate Committee on Appropriations leadership to include significant funding to modernize federal information technology (IT) systems for Fiscal Year (FY) 2023. This request includes at least $300 million in funding for the Technology Modernization Fund (TMF), created through a Warner-led bill in 2017.

“It is widely acknowledged that our federal government needs to make significant and urgent investments in replacing outdated and insecure legacy IT systems,” the senators wrote. “Each year, the federal government spends roughly $90 billion on IT systems. Significant portions of this funding go toward the maintenance of older, legacy systems, which over time grow increasingly costly, and often present concerning cybersecurity vulnerabilities.”

“In addition to the urgent security concerns, ignoring these needed modernization efforts hinders the public’s ability to interact with the government in an efficient and responsive way. We saw this issue magnified during the course of the pandemic, as added demands at times overwhelmed our government’s ability to continue providing effective customer service and critical benefits to Americans. We have heard repeatedly from constituents how these strains have slowed the processing of benefits and claims, in many cases hindering their ability to access critical resources and needed assistance that Congress has put in place,” they continued.

Sen. Warner has long pushed for the federal government to improve IT infrastructure. Last year, Sen. Warner applauded the Biden Administration for taking steps to more quickly and effectively help agencies address technology-related issues, after having previously called for them to do so. In 2020, Sen. Warner joined colleagues in calling on the Appropriations Committee to include funding for IT modernization in future COVID-19 relief packages.

A copy of this year’s bipartisan letter is available here and below.

Chairman Leahy, Vice Chairman Shelby, Chairman Van Hollen, and Ranking Member Hyde-Smith:

As your committee begins consideration of appropriations for Fiscal Year (FY) 2023, we write to urge you to include significant and critically needed funding to modernize federal information technology (IT) systems. In particular, we request that you provide funding of at least $300 million for the Technology Modernization Fund (TMF).

Congress created the TMF as part of the Modernizing Government Technology (MGT) Act, in response to pressing needs for federal agencies to modernize outdated IT systems and address critical vulnerabilities. The TMF – a revolving fund governed by a board of experts with backgrounds in IT, cybersecurity, financial management, and federal acquisition – is unique in its ability to rapidly evaluate agencies’ technology modernization proposals, assign funding in an agile manner that prioritizes high-need and cost-saving projects, and do all of this in a transparent and accountable manner.

In the roughly four years since it was established, the TMF has delivered approximately $400 million in funding to 20 modernization projects across the government, funding projects that the TMF Board identified as having significant impact on agencies’ security, program operability, and ability to efficiently and effectively deliver results for taxpayers. As the TMF is a revolving fund, agencies that receive funding are given repayment terms that vary based on the project, which allows the TMF to recover a portion of the funds – often through direct cost savings.

It is widely acknowledged that our federal government needs to make significant and urgent investments in replacing outdated and insecure legacy IT systems. Each year, the federal government spends roughly $90 billion on IT systems. Significant portions of this funding go toward the maintenance of older, legacy systems, which over time grow increasingly costly, and often present concerning cybersecurity vulnerabilities.

In addition to the urgent security concerns, ignoring these needed modernization efforts hinders the public’s ability to interact with the government in an efficient and responsive way. We saw this issue magnified during the course of the pandemic, as added demands at times overwhelmed our government’s ability to continue providing effective customer service and critical benefits to Americans. We have heard repeatedly from constituents how these strains have slowed the processing of benefits and claims, in many cases hindering their ability to access critical resources and needed assistance that Congress has put in place.

In 2021 Congress appropriated $1 billion to the TMF to address government IT challenges. While this served as a sizable investment towards these efforts, the demand for these funds was more than double their availability, and the Administration confirms that the TMF will allocate the majority of these funds by the end of this current fiscal year.

By necessity, efforts to modernize and improve the security of IT systems require ongoing and sustained effort by agencies. Congress has a similar responsibility to continue to fund modernization efforts, so that legacy systems aren’t left to grow increasingly costly and insecure over time. The TMF presents agencies with a funding vehicle that is agile and allows them to amortize modernization costs, and that makes technical experts available to agencies throughout the proposal and implementation phases. It also provides Congress a tool with additional accountability and oversight, in the form of board-review of proposals, incremental funding based on outcome-based milestones, and regular follow-up with funding recipients during funding implementation.

We appreciate your consideration of our request for at least $300 million for the Technology Modernization Fund – the level requested by the Administration – and we look forward to continuing to work with you, and with our other colleagues here in the Senate, to ensure that we are providing necessary investment in our federal government’s IT systems.

Sincerely,

###

WASHINGTON - As the U.S. Securities and Exchange Commission (SEC) works to finalize policy changes to modernize and enhance the agency’s rules relating to cybersecurity, a bipartisan group of leading U.S. Senators is urging the SEC to increase transparency for investors in an age of persistent cybersecurity threats with rising economic costs. 

In March, the SEC published proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rules seek to enhance and standardize disclosures regarding public companies’ cybersecurity risk governance, including disclosure of whether any directors on a company’s board have cybersecurity expertise. The proposed rules would affect public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

This week, U.S. Sens. Mark Warner (D-VA), Jack Reed (D-RI), Catherine Cortez Masto (D-NV), Kevin Cramer (R-ND), Angus King (I-ME), Ron Wyden (D-OR), and Susan Collins (R-ME) sent a comment letter to the SEC urging the agency to finalize rules regarding disclosures of the board’s oversight of cybersecurity risks. 

The seven Senators, all cosponsors of the Cybersecurity Disclosure Act (S. 808), have urged the SEC to issue the exact rules that the agency proposed in March to require publicly traded companies to disclose whether they have cybersecurity expertise on their boards of directors.

The Senators wrote: “The Proposal would implement bipartisan legislation that we have introduced called the Cybersecurity Disclosure Act.  That legislation directs the SEC to issue rules requiring each public company to disclose, in its annual report or annual proxy statement, whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience.  And if no member has such expertise or experience, a company would be required to describe what other aspects of the company’s cybersecurity were considered by any person, such as an official serving on a nominating committee, who is responsible for identifying and evaluating nominees for membership to the governing body.

“The Proposal follows the intent of our bill by encouraging directors to play a more effective role in cybersecurity risk oversight at public companies, and we commend the SEC for issuing a Proposal that would achieve this important goal.” 

Full text of the letter follows:

May 9, 2022

Re: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (SEC File No. S7-09-22).

Dear Ms. Countryman:

We write to respectfully request that the Securities and Exchange Commission (SEC) finalize, as proposed, rules requiring periodic disclosures by public companies regarding cybersecurity expertise on their boards of directors and management’s role in implementing cybersecurity policies and procedures (the Proposal).

The Proposal would implement bipartisan legislation that we have introduced called the Cybersecurity Disclosure Act.  That legislation directs the SEC to issue rules requiring each public company to disclose, in its annual report or annual proxy statement, whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience.  And if no member has such expertise or experience, a company would be required to describe what other aspects of the company’s cybersecurity were considered by any person, such as an official serving on a nominating committee, who is responsible for identifying and evaluating nominees for membership to the governing body.

The Proposal follows the intent of our bill by encouraging directors to play a more effective role in cybersecurity risk oversight at public companies, and we commend the SEC for issuing a Proposal that would achieve this important goal. 

We respectfully request that the SEC finalize Items 106(c) and 407(j) of Regulation S-K as proposed.  Item 106(c) would require disclosure about public companies’ cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant experience of management, and its role in implementing cybersecurity policies, procedures, and strategies. Item 407(j) would require disclosure about the cybersecurity expertise of members of the board of directors, if any, including the name of any director, and details to describe the nature of the expertise.

I. Cybersecurity is an important component of long term shareholder value.

Cybersecurity incidents have never been more frequent, complex, and costly.  Last year, the overall number of data breaches reached an all-time high of 1,862, up 23% year-over-year. Almost all of these data breaches were caused by cyberattacks.  The average cost of a data breach has also reached an all-time high last year of $4.24 million, up 10% year-over-year. To take one concrete example at the high end of this scale, the Equifax breach in 2017 ultimately cost the company over $1.7 billion. Companies of all sizes and in many industries have experienced serious cybersecurity incidents with significant impacts on customers, counterparties, and investors. 

Investors often bear the costs associated with these incidents.  The Proposal details a number of specific costs to companies and shareholders, including payments to meet ransom, liability for stolen information, increased insurance premiums, lost revenues due to theft of intellectual property, reputational damage, and litigation costs. These costs culminate in damage not only to a company’s profitability, but also to its stock price.  According to a report by leading economic consulting firms, a severe cybersecurity breach causes an average permanent decline in a company’s valuation of 1.8%.[5]  The Proposal would provide investors with the disclosure they deserve regarding how public companies plan to guard against these risks before they materialize.

II. The Proposal provides powerful incentives for public companies to bolster cybersecurity, preserving long-term shareholder value.

Prudent management of cybersecurity risk is important to maintaining long-term shareholder value.  Directors therefore have a responsibility to manage this risk and contribute to a company’s cybersecurity.  But corporate boards are struggling to meet this important obligation.  Only 40% of boards have a director with cybersecurity experience.  And a recent survey by consulting firm EY confirmed a “deficiency of cybersecurity expertise at the C-suite level.” Indeed, according to a recent survey, 60% of directors “don’t believe that cybersecurity should get in the way of business operations.” The Proposal appropriately recognizes that boards must be more vigilant because cybersecurity is among the most significant challenges companies face. 

The Proposal would create powerful incentives for public companies to pay greater attention to cybersecurity risks.  According to a report by the prior Administration’s Council of Economic Advisors, “mandatory disclosure requirements were previously shown to incentivize firms to adopt better cybersecurity measures.” The Proposal’s board level expertise disclosure requirement is a prime example of such an incentive.  The North American Securities Administrators Association agrees that “[i]ncentivizing publicly traded companies to consider whether or not they have appropriate cybersecurity expertise on their governing body is a common-sense way to promote greater attention to cybersecurity risk by public corporations. Investors and customers are well-served by policies that encourage companies to consider such risks proactively, as opposed to after a data breach has already occurred, when such investors and customers have already been harmed.” Proposed Item 106(c) of Regulation S-K would direct public companies to provide these exact disclosures. 

The disclosures in the Proposal will also enable investors to hold public companies accountable.  In a letter of support for the Cybersecurity Disclosure Act, the Council of Institutional Investors stated its belief that “cybersecurity is an integral component of a board’s role in risk oversight.” In another letter of support, the California Public Employees’ Retirement System said that this approach will “ensure that investors have access to decision useful information to better assess the ability of corporate management to adequately address cybersecurity risks.” And according to consulting firm EY, “remaining cyber-resilient and building stakeholder trust in the company’s data security and privacy practices is a strategic imperative. Public disclosures can help build trust by providing transparency and assurance around how boards are fulfilling their cybersecurity risk oversight responsibilities.” If public companies provide the market with more insights into their governance of cybersecurity risks, then investors will be better equipped to decide whether to invest in a public company and how to vote in elections for directors.

III. Cybersecurity poses unique risks to public companies, which justify the disclosures required by the Proposal.

The unique harms caused by cybersecurity breaches justify the Proposal.  According to testimony by Professor John Coates of Harvard Law School before the Senate Banking Committee:

[T]here is maybe going to be some suggestion that there is a slippery slope and there is all kinds of risks and that cyber is one of them and so on. I really do want to emphasize that cyber is unique. Other than financial risk, where we already have an obligation for boards to say do they have financial expertise on the board or not, other than financial risk, cyber risk is, I believe, the one type of risk that is almost universal among public companies. It is very hard to think of a public company in this network age that is not at least somewhat exposed to cyber risk.

This is precisely why cybersecurity risk warrants special attention from the SEC.  The Proposal is narrowly tailored to require disclosure of board-level expertise that is important to mitigating this singular risk to public companies’ profitability and valuation. 

Moreover, the Proposal accomplishes this goal while providing appropriate discretion to public companies to define what constitutes “cybersecurity expertise” and to address cybersecurity risks through any means they see fit.  The Proposal, like our legislation, does not mandate that any company’s board actually have a person with expertise in cybersecurity or require companies to take any actions other than to provide this disclosure.  We respectfully request that the SEC adopt this flexible disclosure approach over mandating any set of best practices, in order to encourage boards to develop approaches that are tailored to mitigate risks to the specific set of shareholders to which they are accountable.

###

WASHINGTON – Today it was announced that U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, will serve on the conference committee of Senators and House members working to reconcile differences between the House and Senate version of the jobs and competitiveness bill, which has been known variously as the Bipartisan Innovation Act, America COMPETES Act, the United States Innovation and Competition Act, or the Endless Frontier Act, in order to send a final bill to President Biden’s desk for signature.

“For too long, the United States has allowed our global competitors to out-invest and out-hustle us in regard to our innovation economy. This competitiveness bill will make major investments in domestic semiconductor manufacturing, create good-paying jobs, and provide the tools our country needs to continue competing in the global economy while addressing some of the major causes of economic inflation,” said Sen. Warner. “I am honored to be a member of the conference committee that will work to get a strong bill to the president’s desk ASAP.”

“The Senate is moving an important step closer to delivering a robust jobs and competitiveness bill that will help fix our supply chains and boost American innovation and technological dominance for generations. Our Democratic conferees will ensure that the Senate-passed bill stays on track to create more good-paying jobs, boost domestic manufacturing, and spark American ingenuity that will be the engine that drives our economy forward for years to come,” said Senate Majority Leader Chuck Schumer (D-NY).

In June, the Senate voted 68-28 to pass the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to foster U.S. innovation in the race for 5G and shore up American leadership in the semiconductors industry. In February, the House finally acted to pass its own version of the bill, the America COMPETES Act. Now, a small group of House members and Senators will form a conference committee to negotiate differences between the two bills and assemble a final product to send to President Biden.

Earlier today, Sen. Warner joined Rep. Abigail Spanberger (D-VA) in leading the Virginia congressional delegation in calling on the U.S. Department of Commerce to consider Virginia for future locations of major semiconductor production and research facilities.

###

WASHINGTON - Today, Senate Intelligence Committee Chairman Mark Warner (D-VA), Sen. Elizabeth Warren (D-MA), Senate Armed Services Committee Chairman Jack Reed (D-RI), and Senate Defense Appropriations Subcommittee Chair Jon Tester (D-MT) introduced the Digital Asset Sanctions Compliance Enhancement Act to ensure that Vladimir Putin and Russian elites don't use digital assets to undermine the international community’s economic sanctions against Russia following its invasion of Ukraine. The senators’ bill comes amid bipartisan concerns and warnings by federal agencies that Russian actors may try to evade economic sanctions by using digital currencies. Countries hit hard by sanctions, including North Korea and Iran, have been previously found to use cryptocurrency to curb the effects of economic sanctions. This legislation is cosponsored by Sens. Tammy Duckworth (D-IL), Debbie Stabenow (D-MI), Raphael Warnock (D-GA), Chris Van Hollen (D-MD), Tina Smith (D-MN), Catherine Cortez Masto (D-NV), and Bob Menendez (D-NJ).

“In order for the sanctions levied by the United States and our allies to have the maximum impact on Vladimir Putin and his oligarch friends, we must close off avenues they might use to evade those sanctions. This legislation will crack down on foreign actors who help sanctioned Russians use digital assets like cryptocurrencies to circumvent the crippling measures we’ve put in place to punish Russia for its barbaric invasion of Ukraine,” said Sen. Warner.

“Putin and his cronies can move, store, and hide their wealth using cryptocurrencies, potentially allowing them to evade the historic economic sanctions the U.S. and its partners across the world have levied in response to Russia’s war against Ukraine. I'm glad to introduce the Digital Asset Sanctions Compliance Enhancement Act with my colleagues to strengthen our sanctions program and close off any avenues for Russian evasion,” said Sen. Warren. 

“The U.S. and its allies have imposed some of the strongest sanctions in history to try to stop Putin and his cronies from waging war on Ukraine.  A sanctions system without strong authorities to limit evasion using digital assets is like having a security system but leaving the front door open.  This bill would clarify Treasury’s authorities and strengthen our sanctions on Putin and his enablers,” said Sen. Reed.

 “Vladimir Putin’s unprovoked war in Ukraine is a threat to democracies everywhere, and if we are going to hold him and his cronies accountable, we have to be sure they aren’t using digital tools to evade sanctions,” said Sen. Tester. “I’m proud to introduce this legislation that will make sure we isolate Putin and sends a message to America’s adversaries that folks who threaten freedom and democracy around the world cannot hide from the consequences of their actions.”

“We’ve imposed devastating sanctions on Russia, and we must ensure that there aren’t any loopholes that would allow Putin and his oligarchs to evade them,” said Sen. Cortez Masto. “This legislation gives the U.S. the tools it needs to crack down on any entity using cryptocurrency to trade with sanctioned banks or individuals. We must do all we can to completely isolate Putin, and that includes strengthening the enforcement mechanisms in all of our economic measures.” 

“Digital currencies can offer the Russian government and wealthy oligarchs an opportunity to evade the sanctions that President Biden has enacted on Russia as Putin continues to wage his unprovoked and inexcusable war of choice against Ukraine,” said Sen. Duckworth. “The United States can do more to ensure Putin and his cronies feel the full weight of the free world’s sanctions, which is one reason I’m proud to help introduce this legislation with Senator Warren to crack down on cryptocurrency exchanges that engage with Russian entities.”

“Russia must be held accountable for its cold-blooded, unprovoked attack on Ukraine. We’ve seen how economic sanctions can deliver a major blow to the Russian economy, but we must do everything in our power to prevent Putin and his corrupt cronies from circumventing these sanctions using cryptocurrencies. This legislation provides the necessary tools to monitor and shut down any such loopholes,” said Sen. Van Hollen.

The Digital Asset Sanctions Compliance Enhancement Act would combat the risk of Russian actors using digital assets to evade international sanctions by discouraging foreign crypto firms from doing business with sanctioned Russian elites, providing the Administration with authority to suspend transactions with Russia-linked crypto addresses, and increasing transparency around crypto holdings.

Specifically, the Digital Asset Sanctions Compliance Enhancement Act would close potential avenues for evasion of sanctions against Russia by:

  • Requiring the President to identify foreign digital asset actors that are facilitating evasion of sanctions against Russia, and authorizing the President to sanction such actors, prohibiting their transactions with U.S. persons and blocking their assets. 
  • Providing the Treasury Secretary clear authority to prohibit digital asset trading platforms and transaction facilitators under U.S. jurisdiction from transacting with cryptocurrency addresses that are known to be, or could reasonably be known to be, in Russia.
  • Directing FinCEN to require U.S. taxpayers engaged in a transaction with a value greater than $10K of cryptocurrency offshore to file FinCEN Form 114 (FBAR).
  • Requiring the Treasury Department to report on its progress in implementing these provisions, including any resources needed by the Department to improve implementation and progress in coordinating with foreign partners.
  • Requiring the Treasury Department to issue a public report identifying foreign digital asset trading platforms that are determined to be high risk for sanctions evasion, money laundering, or other illicit activities.

Earlier this month, Sens. Warren, Senate Intelligence Committee Chairman Mark Warner, Senate Banking, Housing, and Urban Affairs Chairman Sherrod Brown, and Senate Armed Services Committee Chairman Jack Reed led a letter to Treasury Secretary Janet Yellen raising concerns regarding the potential use of cryptocurrency to evade sanctions, which have become even more urgent amid the sanctions imposed on Russia after their invasion of Ukraine. 

 

###

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, released the following statement regarding President Biden’s executive order on ensuring responsible innovation in digital assets:

“Today’s executive order does a commendable job of balancing the potential opportunities and benefits of digital assets in financial innovation, economic inclusion, and global payments modernization against the risks and challenges they present to core U.S. interests. I applaud the executive order’s recognition that maintaining the centrality of the United States in the global financial system – and, in particular, the role of American governance standards and the primacy of the U.S. dollar – is absolutely fundamental to our efforts with regard to digital assets. The EO’s urgency with respect to a strategy for a U.S. Central Bank Digital Currency (CBDC) is especially welcome, and I look forward to working with the administration on further steps to engage on international norms and standards related to CBDCs.

“Today, we face a highly motivated adversary that is actively searching for opportunities to evade the substantial sanctions imposed by the Biden administration and our allies around the globe. We must ensure that all participants in the digital assets marketplace are actively complying with sanctions, and we need to develop clearer guardrails and improved enforcement to address fraud, illicit finance, and insecurity in the wider digital assets industry.”

Last week, Sen. Warner sent a letter to Treasury Secretary Janet Yellen raising concerns regarding the potential use of cryptocurrency to evade sanctions imposed on Russia after their invasion of Ukraine.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement after the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022, which would require companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government:

“At a time when we are facing significant threats of Russian cyberattacks against our institutions and our allies, it’s more important than ever that the government have an idea of what those threats are. I am glad the Senate has passed our bipartisan cyber incident reporting bill, and I look forward to working with my colleagues in the House to get a final version of this legislation to the president’s desk as soon as possible.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, today sent letters to Alphabet, Meta, Reddit, Telegram, TikTok, and Twitter urging the companies to prevent misuse of their platforms by Russia and Russia-linked entities.

“In addition to Russia’s established use of influence operations as a tool of strategic influence, information warfare constitutes an integral part of Russian military doctrine. As this conflict continues, we can expect to see an escalation in Russia’s use of both overt and covert means to sow confusion about the conflict and promote disinformation narratives that weaken the global response to these illegal acts. While social media can provide valuable information to civilians in conflict zones, and educate audiences far removed from those conflict zones, as well as a platform for some relatively independent media outlets – including in Russia – it can also serve as a vector for harmful misinformation and disinformation campaigns, and a wide range of scams and frauds that opportunistically exploit confusion, desperation, and grief,” the senator wrote.

Copies of the letter sent to Meta, Reddit, Telegram, TikTok, and Twitter are available for download.

In his letter to YouTube parent company Alphabet, Sen. Warner noted that just yesterday his staff observed YouTube ads monetizing content regarding the conflict in Ukraine from RT, Sputnik and TASS, malign actors affiliated with the Russian government.

“Unfortunately, your platforms continue to be key vectors for malign actors – including, notably, those affiliated with the Russian government – to not only spread disinformation, but to profit from it. YouTube, for instance, continues to monetize the content of prominent influence actors that have been publicly connected to Russian influence campaigns,” the senator wrote.

Sen. Warner urged the companies to – at a minimum – take the following steps:

  • Establish mechanisms by which Ukrainian public safety entities can disseminate emergency communications to your users in Ukraine;
  • Furnish additional account monitoring and security resources to Ukrainian government, humanitarian, and public safety institutions to prevent account takeovers;
  • Surge integrity teams, including those with language expertise in Ukrainian, Russian, Polish, Romanian, and German, to monitor your platform for malign influence activity related to the conflict;
  • Devote additional resources towards the identification of inauthentic accounts, and the removal or labeling of inauthentic content, associated with Russian influence operations; and
  • Establish dedicated reporting channels for qualified academic, public interest, and open source intelligence researchers to share credible information about inauthentic activity, disinformation, and other malign efforts utilizing your platforms.

Sen. Warner has released multiple statements harshly condemning Russia’s attack on Ukraine, which can be found here and here.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement today:

“It’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security. I was glad to see this NTSB-like function included in the President’s May 2020 executive order on cybersecurity, and this is a good first step to establishing such a capability.  I look forward to monitoring how this board develops over the coming months.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement today:

“Earlier today, the U.S. Commerce Department reported that manufacturers that rely on semiconductor chips have less than five days’ supply on hand, leaving vital supply chains extremely vulnerable to delays that are increasing prices for consumers on everything from automobiles to home appliances. Months ago, the Senate passed the U.S. Innovation and Competition Act, which would invest $52 billion in domestic semiconductor production, by an overwhelming bipartisan vote. The Senate bill also invests in R&D for 5G technologies and takes other critical steps to secure our supply chains, improve innovation, and ensure that the U.S. can compete with China and the rest of the world. Today’s introduction in the House of Representatives of the America COMPETES Act is an important step in setting up a conference with the Senate so that we can finally get a bill to President Biden’s desk to sign.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement today after President Biden signed a National Security Memorandum (NSM) to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, as required in Executive Order (E.O) 14028, Improving the Nation’s Cybersecurity:

“I applaud President Biden for signing this order to improve our nation’s cybersecurity. Among other priorities, this National Security Memorandum (NSM) requires federal agencies to report efforts to breach their systems by cyber criminals and state-sponsored hackers. Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours.”

In July 2021, following the SolarWinds and Colonial Pipeline hacks, Chairman Warner was joined by Senate Intelligence Committee Vice Chairman Marco Rubio (R-FL), senior Committee member Susan Collins (R-ME), and a number of colleagues in introducing legislation to require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. In November 2021, Warner announced that a bipartisan agreement had been reached with the leaders of the Senate Homeland Security Committee on compromise legislation requiring critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack.

###

WASHINGTON – Ahead of Wednesday’s Senate hearing with the head of Instagram, U.S. Sens. Mark R. Warner (D-VA), Deb Fischer (R-NE), Amy Klobuchar (D-MN), and John Thune (R-SD) along with Reps. Lisa Blunt Rochester (D-DE-AL) and Anthony Gonzalez (R-OH-16) have re-introduced the Deceptive Experiences to Online Users Reduction (DETOUR) Act to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The DETOUR Act would also prohibit these platforms from using features that result in compulsive usage by children.

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company. 

“For years dark patterns have allowed social media companies to use deceptive tactics to convince users to hand over personal data without understanding what they are consenting to. The DETOUR Act will end this practice while working to instill some level of transparency and oversight that the tech world currently lacks,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence and former technology executive. “Consumers should be able to make their own informed choices on when to share personal information without having to navigate intentionally misleading interfaces and design features deployed by social media companies.” 

“Manipulative user interfaces that confuse people and trick consumers into sharing access to their personal information have become all too common online. Our bipartisan legislation would rein in the use of these dishonest interfaces and boost consumer trust. It’s time we put an end to ‘dark patterns’ and other manipulative practices to protect children online and ensure the American people can better protect their personal data,” said Sen. Fischer, a member of the Senate Commerce Committee.

“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms. This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent,” said Sen. Klobuchar, a member of the Senate Commerce and Judiciary Committees.

“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data,” said Sen. Thune, ranking member of the Senate Commerce Committee’s Subcommittee on Communications, Media, and Broadband. “This bipartisan legislation would create a path forward to strengthen consumer transparency by holding large online operators accountable when they subject their users to behavioral or psychological research for the purpose of promoting engagement on their platforms.”

“My colleagues and I are introducing the DETOUR Act because Congress and the American public are tired of tech companies evading scrutiny and avoiding accountability for their actions. Despite congressional hearings and public outcries, many of these tech companies continue to trick and manipulate people into making choices against their own self-interest,” said Rep. Lisa Blunt Rochester. “Our bill would address some common tactics these companies use, like intentionally deceptive user interfaces that trick people into handing over their personal information. Our children, seniors, veterans, people of color, even our very way of life is at stake. We must act. And today, we are.”

“Social media has connected our communities, but also had detrimental effects on our society. Big tech companies that control these platforms currently have unregulated access to a wealth of information about their users and have used nontransparent methods, such as dark patterns, to gather additional information and manipulate users,” said Rep. Anthony Gonzalez. “The DETOUR Act would make these platforms more transparent through prohibiting the use of dark patterns. We live in a transformative period of technology, and it is important that the tech which permeates our day to day lives is transparent.”

Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of these actions include: a deliberate obscuring of alternative choices or settings through design or other means; the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.

The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company.

“Tech companies have clearly demonstrated that they cannot be trusted to self-regulate.  So many companies choose to utilize manipulative design features that trick kids into giving up more personal information and compulsive usage of their platforms for the sake of increasing their profits and engagement without regard for the harm it inflicts on kids,” said Jim Steyer, CEO of Common Sense. “Common Sense supports Senators Warner and Fischer and Representatives Blunt Rochester and Gonzalez on this bill, which would rightfully hold companies accountable for these practices so kids can have a healthier and safer online experience.”

“'Dark patterns' and manipulative design techniques on the internet deceive consumers. We need solutions that protect people online and empower consumers to shape their own experience. We appreciate Senator Warner and Senator Fischer's work to address these misleading practices,” said Jenn Taylor Hodges, Head of U.S. Public Policy at Mozilla.

“Manipulative design, efforts to undermine users’ independent decision making, and secret psychological experiments conducted by corporations are everywhere online. The exploitative commercial surveillance model thrives on taking advantage of unsuspecting users. The DETOUR Act would put a stop to this: prohibiting online companies from designing their services to impair autonomy and to cultivate compulsive usage by children under 13. It would also prohibit companies from conducting online user experiments without consent. If enacted, the DETOUR Act will make an important contribution to living in a fairer and more civilized digital world,” said Katharina Kopp, Director of Policy at Center for Digital Democracy.

The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:

  • Prohibits large online operators from designing, modifying, or manipulating user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data
  • Prohibits subdividing or segmenting consumers for the purposes of behavioral experiments without a consumer’s informed consent, which cannot be buried in a general contract or service agreement. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
  • Prohibits user design intended to create compulsive usage among children under the age of 13 years old (as currently defined by the Children’s Online Privacy Protection Act).
  • Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

Sen. Warner first introduced the DETOUR Act in 2019 and has been raising concerns about the implications of social media companies’ reliance on dark patterns for years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds.

Sen. Warner is one of Congress’ leading voices in demanding accountability and user protections from social media companies. In addition to the DETOUR Act, Sen. Warner has introduced and written numerous bills designed to improve transparency, privacy, and accountability on social media. These include the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act, legislation that would allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination across platforms; the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, bipartisan legislation that would require data harvesting companies to tell consumers and financial regulators exactly what data they are collecting from consumers and how it is being leveraged by the platform for profit; and the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, legislation that would encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

Full text of the bill is available here

###

 

WASHINGTON – U.S. Sens. Mark Warner (D-VA), Gary Peters (D-MI), Rob Portman (R-OH), and Susan Collins (R-ME) introduced a bipartisan amendment to the annual defense authorization bill to require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment. The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 authored by Peters and Portman, and advanced by the Homeland Security and Governmental Affairs Committee, where they serve as Chairman and Ranking Member, respectively.

“Cyber-attacks and ransomware attacks are a serious national security threat that have affected everything from our energy sector to the federal government and Americans’ own sensitive personal information,” said Senator Peters, Chairman of the Homeland Security and Governmental Affairs Committee. “I’m grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes.”

“As cyber and ransomware attacks continue to increase, the federal government must be able to quickly coordinate a response and hold bad actors accountable,” said Senator Portman, Ranking Member of the Homeland Security and Governmental Affairs Committee. “That’s why I’m proud to introduce this bipartisan amendment to the FY 2022 NDAA to update the Federal Information Security Modernization Act (FISMA) and give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”

“It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents,” said Senator Warner, Chairman of the Senate Select Committee on Intelligence. “We can’t rely on voluntary reporting to protect our critical infrastructure – we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact. I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents.”   

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Senator Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass our amendment, which is common sense and long overdue.”

The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. Many other organizations, including businesses, nonprofits, and state and local governments, would also be required to report to the federal government within 24 hours if they make a ransom payment following an attack. Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, as well as require all civilian agencies to report all cyber-attacks to CISA, and major cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.

###

 

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) issued the following statement in response to reports that General Motors plans to halt production temporarily at nearly all North American plants due to the shortage of semiconductor chips:

“The continuing impact of the chip shortage – epitomized most recently in the news that GM will be forced to idle plants across North America – speaks to the urgency of passing bipartisan legislation to fund new semiconductor production in the United States. While the impact of this funding will not solve the global semiconductor shortage overnight, the longer we wait, the worse this supply chain crunch will become. I would urge my House colleagues to pass the legislation funding my bill as soon as possible.” 

Sen. Warner, co-chair of the Senate Cybersecurity Caucus and former technology entrepreneur, has long sounded the alarm about the importance of investing in domestic semiconductor manufacturing. In June, he applauded the Senate passage of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to shore up American leadership in the microelectronics industry.  

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil.

 

WASHINGTON – U.S. Sens. Mark Warner (D-VA) and Marco Rubio (R-FL), Chairman and Vice Chair of the Senate Select Committee on Intelligence, and Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help safeguard our nation’s critical infrastructure networks against cybersecurity threats. The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) to ensure they can better identify and mitigate threats to Industrial Control Systems – the operational technology involved in operating the function of critical infrastructure networks like pipelines, and water and electric utilities. The bill is the Senate companion to legislation introduced by U.S. Representative John Katko, Ranking Member of the House Homeland Security Committee, that has already passed the House unanimously.

“The trend over the last decade to interconnect, automate, and in some cases bring online industrial controls has introduced significant cyber vulnerabilities, attack vectors and even potential systemic risk,” said Senator Warner. “The federal government needs to understand these risks and help our critical infrastructure sectors prepare for and defend against these threats, and this bill takes a good step forward in doing that.”

“As made clear by the recent attacks on Colonial Pipeline and SolarWinds, we need to do more to protect American critical infrastructure and industries from cyber-attacks,” said Senator Rubio. “Bad actors, often based in China or Russia, will stop at nothing to take advantage of any vulnerability in U.S. infrastructure. We need to strengthen our cyber defenses to more quickly detect and prevent these targeted attacks on our most critical industries.”

“As foreign adversaries and the criminal organizations they harbor continue to target our critical infrastructure systems, it is essential we work to protect these networks from attacks that can lead to significant harm to the American people,” said Senator Peters. “This bipartisan, commonsense bill will help shore up the defenses of critical infrastructure networks and address vulnerabilities in products and technologies that help operate them.” 

“Attacks like the one against Colonial Pipeline show the real-world implications that cyberattacks against critical infrastructure can have,” said Senator Portman. “CISA’s role to play in supporting critical infrastructure owners and operators is crucial. I am pleased to join my bipartisan colleagues in introducing this bill to ensure CISA can better defend against threats and increase the cybersecurity of critical infrastructure.”

Critical infrastructure companies in the United States have seen a stark rise in cyber-attacks. Earlier this year, hackers breached the network of a major oil pipeline, forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Prior to that, malicious cyber actors took control of a Florida wastewater treatment plant's computer system, which allowed hackers to temporarily tamper with Americans’ water supply. These attacks, and others, highlighted the urgent need to secure critical infrastructure systems from foreign adversaries and criminal organizations who are relentless in their pursuit to exploit vulnerabilities and infiltrate networks.

The DHS Industrial Control Systems Capabilities Enhancement Act directs CISA to lead federal efforts to better identify and respond to threats against Industrial Control Systems and the critical infrastructure networks they help operate. The legislation also requires CISA to provide technical assistance to public and private sector entities on how they can work to identify and mitigate vulnerabilities in their operational technology systems. The bill would also ensure CISA shares information on cyber threats with users of Industrial Control Systems and provides a briefing to Congress on its ability to protect these critical systems. Finally, the legislation would require the Government Accountability Office to produce a report on its implementation and CISA’s capabilities to fulfill this mandate. 

###

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, U.S. Sen. Marco Rubio (R-FL), Vice Chairman of the Committee, and U.S. Sen. Susan Collins (R-ME), a senior member of the Committee, today led several colleagues in introducing bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery. The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.

Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” said Sen. Warner. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.” 

“Cyberattacks against American businesses, infrastructure, and government institutions are out of control. The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible,” Sen. Rubio said. 

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Sen. Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector.  Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.  I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.” 

In addition to Sens. Warner, Rubio and Collins, the legislation is co-sponsored by Senate Intelligence Committee members Sens. Dianne Feinstein (D-CA), Richard Burr (R-NC), Martin Heinrich (D-NM), James Risch (R-ID), Angus King (I-ME), Roy Blunt (R-MO), Michael Bennet (D-CO), Bob Casey (D-PA), Ben Sasse (R-NE), and Kirsten Gillibrand (D-NY), along with Sen. Joe Manchin (D-WV), Chairman of the Senate Armed Services Subcommittee on Cybersecurity, and Sen. Jon Tester (D-MT), Chairman of the Senate Appropriations Subcommittee on Defense.

“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action -- the introduction of the bipartisan Cyber Incident Notification Act of 2021. We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel. 

“It's encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.

“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.

A copy of the legislation is available here.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, and Sen. Susan Collins (R-ME), a member of the Senate Intelligence Committee and the Senate Committee on Health, Education, Labor and Pensions, urged the Biden administration to ensure that school systems across the country are equipped to fend off the growing number of cyberattacks targeting K-12 schools.

In a letter to the Department of Education Secretary Miguel Cardona, the senators requested that the department issue guidance affirming that school districts across the country have the authority to use federal dollars from two COVID-19 relief funds on cybersecurity resources. The two funds – Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) – were authorized by the CARES Act supported by both senators. 

“Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks,” the Senators wrote. “School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.”

In the letter, the Senators highlighted last year’s cybersecurity breach at Fairfax County Public Schools, the 11th largest school district in the nation, which had private information stolen and published online. The senators also cited a report from the Government Accountability Office (GAO), which found that since 2016, more than 17,000 public school districts and approximately 98,000 public schools have experienced breaches that resulted in the disclosure of personal information.

Noting that they have heard from school district leaders who are unsure as to whether they can use relief funds to adopt better cybersecurity measures, the senators specifically requested that the Department of Education publish and publicize guidance clearly stating that these funds may be used to improve cybersecurity. The senators also urged the department to provide recommended cybersecurity benchmarks as well as guidance on suggested spending priorities to best address the disproportionate number of cyber-threats facing school systems.

A PDF of the letter is available here. Text is available below.

 

Dear Secretary Cardona: 

We write today regarding the continued need to prioritize cybersecurity efforts in the context of our nation’s school systems. You know better than anyone the dramatic ways the COVID-19 public health crisis has affected how students learn. Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks.  School districts have a unique opportunity to use COVID-19 relief funds to revamp their cybersecurity systems. Therefore, we strongly urge the Biden Administration to publicize guidance stating allowable Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) monies can be spent on cybersecurity resources and engage with school districts to increase awareness of the critical need for prioritizing stronger cybersecurity measures. 

The pandemic has changed daily life for almost everyone in many ways; perhaps, there is no clearer example than the sudden shift to remote learning for students of all ages across the country. Census data shows that nearly 93% of people in households with school-age children reported their children were engaged in some form of “distance learning” over the past year.  While the distribution of COVID-19 vaccines has significantly slowed the spread of the virus, some remote learning is likely to continue, with hundreds of the nation’s 13,000 school districts having already created virtual schools intended to operate well into the pandemic’s aftermath.  Even as our nation’s schools fully return to in-person learning, cybersecurity risks will still be plentiful in the technology-dependent modern learning environment. 

With the shift to online instruction, school districts are now incredibly vulnerable to cybersecurity threats. Last fall, Virginia’s Fairfax County Public Schools, the 11th largest school district in the nation, was the target of a cybersecurity breach and ransomware incident that included theft of protected information.  This incident is far from an outlier. A report from the United States Government Accountability Office (GAO) released in September 2020 stated more than 17,000 public school districts and approximately 98,000 public schools throughout the U.S. had experienced breaches that resulted in the disclosure of personal information since 2016.  

School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.  

The COVID-19 relief bills Congress passed over the past year allocated millions to ESSER and GEER funds, which can be used for this purpose. In total, these bills included almost $200 billion for ESSER and over $7 billion for GEER. These available funds provide schools with a unique opportunity to invest in cybersecurity resources. While we understand schools must divide these funds across various crucial concerns, the pandemic has catapulted our school systems to an inflection point where investment in cybersecurity is now more critical than ever.

We have heard from school districts unsure whether they can use relief funds for this purpose. We greatly appreciate the Department of Education recently issuing a “Frequently Asked Questions” document, which confirms they can be used to improve cybersecurity “to better meet educational and other needs of students related to preventing, preparing for, or responding to COVID-19.”  We respectfully ask that the Administration take steps to publicize this information and help school districts understand the importance of using funding for cybersecurity efforts, including by promulgating lists of recommended cybersecurity benchmarks that additional resources could help school districts attain. Specifically, we urge the Education Department to issue public guidance clearly stating that states and local education authorities (LEAs) can use ESSER or GEER funds to improve cybersecurity, with guidance on suggested spending priorities to address the endemic threat of ransomware disproportionately impacting school systems. We also ask that the Department develop a plan to make sure school districts are aware of this allowable use and engage with LEAs to ensure they understand the importance of these resources.

We implore the Administration to recognize the urgent national need to prioritize cybersecurity in our nation’s education systems. Because of the relief funding Congress has provided over the past year, we have a real opportunity to address accumulating cybersecurity risks in schools. We encourage the Administration to ensure school systems are aware of this use for these funds and engage with LEAs, so they are equipped to take on this challenge. 

Again, thank you for your attention to this matter. We greatly appreciate your efforts on behalf of our nation’s students, and we look forward to continuing work together as our systems grapple with the aftermath of the pandemic. 

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement on President Biden’s executive order on protecting sensitive data from foreign adversaries:

“This executive order by the Biden administration adopts a risk-based, transparent, and comprehensive approach to evaluating the security and privacy risks of foreign technology products, a clear contrast to the previous administration’s uncoordinated approach on this issue. I look forward to working with the administration and my colleagues on ways in which we can codify these approaches to better ensure long-term consistency and predictability in our national policies in this area.”

###

WASHINGTON — U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, issued a statement on the Senate’s passage today of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to foster U.S. innovation in the race for 5G and shore up American leadership in the microelectronics industry: 

“America’s innovation in semiconductors undergirds our entire innovation economy. A wide array of products – from planes and automobiles to household appliances and small ‘smart’ devices – rely on these chips, and demand is only growing. But for too long, the U.S. has allowed competitors like China to out-invest us. No more. This bill makes a major, $52 billion investment in domestic semiconductor manufacturing, which will create good-paying jobs in America while maintaining our global innovation edge,” said Sen. Warner. “I am encouraged that this bill passed the Senate today on a broadly bipartisan basis, and strongly encourage our colleagues in the House to take it up and send it to the President’s desk without delay.” 

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil. Semiconductors power modern technology, including cars, computers, smartphones and an increasing number of internet-connected ‘smart’ devices as varied as laundry machines to toothbrushes. A current production shortage of chips has backed up manufacturing supply lines in the United States, with major automobile manufacturers projecting $110 billion in lost sales this year due to factories sitting idle while waiting for components, and increased costs for goods such as televisions and home appliances dependent on imported semiconductors being passed on to U.S. consumers. Demand for semiconductors is expected to continue to grow, as internet connectivity and software processing is added to an ever-wider array of consumer, enterprise, and industrial products, services, and systems.  

The United States Innovation and Competition Act also includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, legislation Sen. Warner introduced to support U.S. innovation in 5G and provide alternatives to Chinese equipment providers like Huawei and ZTE, which are heavily subsidized by the Communist Party of China and present serious risks to national security and the integrity of information networks globally.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, took to the Senate floor today in support of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to foster U.S. innovation in the race for 5G and shore up American leadership in the microelectronics industry. This speech comes one day after the Senate reached a bipartisan deal with a procedural vote to move forward with the legislation.

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil. Semiconductors power modern technology, including cars, computers, smartphones and an increasing number of internet-connected ‘smart’ devices as varied as laundry machines to toothbrushes. A current production shortage of chips has backed up manufacturing supply lines in the United States, with major automobile manufacturers projecting $110 billion in lost sales this year due to factories sitting idle while waiting for components, and increased costs for goods such as televisions and home appliances dependent on imported semiconductors being passed on to U.S. consumers. Demand for semiconductors is expected to continue to grow, as internet connectivity and software processing is added to an ever-wider array of consumer, enterprise, and industrial products, services, and systems.

“The semiconductor industry, while we’ve seen some sliding, still represents one of the shining lights of our country’s innovation economy. And as a wider array of products and services depend on internet connectivity and software processing, the demand for semiconductors has only grown. Unfortunately, that leadership position we’ve had for so long is at stake,” said Sen. Warner on the floor of the U.S. Senate. “So the CHIPS Act, which was baked into the Endless Frontiers Act, directs agencies like the Department of Commerce, in consultation with others like our Intelligence Community, to make investments in microelectronics R&D a priority.”

He continued, “It emphasizes the need for multilateral effort with our allies and close trading partners to bring greater transparency and accountability to subsidies. It aligns policies towards non-transparent, non-market competitors like the Chinese, and it makes sure that we have concerted and coordinated action both domestically and again, with our allies, on supply chain security and integrity. It invests billions in basic research related to advanced semiconductors, via DoD and a newly created National Semiconductor Technology Center – helping us maintain our lead in the design, prototyping, lithography and packaging of advanced microelectronics. And it makes an unprecedented investment in trying to build new foundries, fabs, and basic manufacturing facilities here in the United States so that we have that secure supply chain for the future.”

This crucial provision comes as the U.S. faces a decline in R&D and advanced manufacturing, including in advanced chip manufacturing. As Sen. Warner noted on the Senate floor, U.S. production of semiconductors and microelectronics has gone down from 37 percent in 1990 to just 12 percent today. By contrast, China has committed to invest $150 billion and produce at least 70 percent of semiconductors it consumes by 2030.

The United States Innovation and Competition Act also includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, legislation Sen. Warner introduced to provide Western-based alternatives to Chinese equipment providers like Huawei and ZTE, which are heavily subsidized by the Communist Party of China and present serious risks to national security and the integrity of information networks globally. 

“I was proud to work with two of my colleagues, Senator Burr and Senator Rubio. We put up a Public Wireless Supply Chain Innovation Fund to spur movement towards open-architecture and ‘leap-ahead’ technologies in our domestic mobile broadband market,” said Sen. Warner. “I believe that so-called ‘Open RAN’ represents the single best approach to tackling the 5G challenge – opening the radio access network to competition from a wider array of players, including startups, non-traditional players like software companies, and enterprise networking companies. That approach plays to U.S. strengths like software and network virtualization. And it means we have a wider set of firms – including American firms with healthier balance sheets – competing against Huawei. Because one thing that’s been clear over the past two Administrations: Our anti-Huawei message won’t work unless the U.S. proposes lower-cost Western alternatives.”

With the U.S. funding less than 28 percent of global R&D – down from 69 percent after World War II – the Warner-led provision would put forth $1.5 billion to invest in Western-based alternatives to Chinese equipment providers and $500 million to work with close allies and trading partners on the development and adoption of secure and trusted wireless infrastructure globally.

Sen. Warner’s remarks as prepared for delivery are available below:

I rise today in support of the Endless Frontier Act – a long-overdue bipartisan effort to invest in our country’s innovation and competitiveness. 

I am pleased to see Congress finally taking action to shore up U.S. investment in the research, development, and manufacturing of critical technologies. 

Without intervention, China will continue to outpace and outperform us in the global technology race – impacting our country’s economic well-being, our global influence, and our national security.

In recent years, China has rapidly ramped up investment in its domestic industries – and particularly in areas that confer long-term strategic influence.    

For instance, China consistently increases its investment in the semiconductor industry, with a commitment to invest $150 billion and a goal to produce at least 70 percent of semiconductors it consumes by 2030.

And this is a global competition: South Korea, for instance, has pledged to invest over $130 billion over the next 9 years, while training 36,000 new microelectronics engineers and technicians.  And Germany and 18 other EU members announced investments of up to $60 billion in key hardware like semiconductors over the next few years.

By contrast, over the past 10 years only 17 major semiconductor fabs have been built in the U.S. – while we’ve seen over 122 built elsewhere. In absolute terms, we’ve actually seen the number of facilities in the U.S. decline – going from 81 production facilities a decade ago to 76 today.  And as a country we’ve gone from a 37% share of semiconductors and microelectronics production in 1990 to just 12% today.

In part, this is because the cost of new fabs is 25-50% higher in the U.S. – a delta, in major part, attributable to the significantly lower financial incentives government provides in the U.S. for new construction compared to in competing locales. 

And for its part, China doesn’t plan on taking its foot off the pedal any time soon. Last year, President Xi Jinping announced a $1.4 trillion commitment through 2025 to develop advanced technologies like next-generation wireless networks and artificial intelligence.  Technologies that will undergird entire ecosystems of innovation, commerce, and communications.

US semiconductor firms – and firms in the adjacent areas of lithography, packaging, and metrology – still lead the world. However, many of the key ingredients to our success… including federal support for R&D, investment in basic research, and support for advanced manufacturing… have declined over the last 20 years.

Simply put, we are just not keeping up.

Between 1995 and 2018, Chinese R&D investment increased by over 15 percent per year on average, compared to the United States, which averaged just over 3 percent growth per year over the same period.  

Despite once championing investment in R&D and technological advancements, we are losing ground.

After World War II, the United States funded 69 percent of annual global R&D. Today, we fund less than 28 percent, with only 7 percent going to non-defense technologies like wireless communications.

To get back to where we once were and reassert US technology leadership, we need to re-prioritize foundational technologies to maintain not just our country’s economic leadership, but to ensure that countries with inconsistent values and objectives aren’t able to leverage control over these foundational technologies in worrisome ways.

As Chairman of the Senate Select Committee on Intelligence, I have long been banging the drum about the ways that the PRC has taken advantage of what makes our country and our economic system so great – our openness, our transparency, our technology, and our free markets. 

The Chinese government, unfortunately, plays by a different set of rules.

The Chinese government is using all aspects of its society to increase China’s dominance – using all means at its disposal to establish its position as the world’s technology leader – often with opaque subsidies and financing that dramatically tilt the playing field towards Chinese vendors.

And unfortunately, for too many of these trading partners, the deal is simply too good to turn down… in part, because we haven’t worked, either on our own or better yet with our close allies, to offer a secure, competitively-priced alternative. 

That’s why this bill is so important. It includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, which fosters U.S. innovation in the race for 5G by providing $1.5 billion to invest in Western-based alternatives to Chinese equipment providers like Huawei and ZTE, and $500 million to work with close allies and trading partners on development and adoption of secure and trusted wireless infrastructure globally.

This is a bill I was proud to work on with my colleagues, Senator Burr and Senator Rubio.

And it would stand up a new Public Wireless Supply Chain Innovation Fund – to spur movement towards open-architecture, software-based wireless technologies, funding innovative, “leap-ahead” technologies in the domestic mobile broadband market.

I believe that so-called “Open RAN” represents the single best approach to tackling the 5G challenge – opening the radio access network to competition from a wider array of players, including startups, non-traditional players like software companies, and enterprise networking companies.

That approach plays to U.S. strengths like software and network virtualization. And it means we have a wider set of firms – including American firms with healthier balance sheets – competing against Huawei.

Because one thing that’s been clear over the past two Administrations: Our anti-Huawei message won’t work unless the U.S. proposes lower-cost Western alternatives. 

Crucially, this bill also invests in domestic semiconductor manufacturing, packaging and advanced R&D, with a $52 billion investment in the CHIPS for America law we enacted last year as part of a bipartisan effort by Senator Cornyn, Senator Schumer, Senator Cotton and me.

The semiconductor industry represents one of the shining lights of our country’s innovation economy. And as a wider array of products and services depend on internet connectivity and software processing, the demand for semiconductors has only grown. Unfortunately, experts note that the U.S. lead over China is shrinking each year.

The Endless Frontier Act would serve as a major step in shoring up American leadership in the microelectronics industry. 

It directs – and empowers – key agencies like the Department of Commerce to make investments in microelectronics R&D a priority. 

It emphasizes the need for multilateral effort with our allies and close trading partners – bringing greater transparency and accountability to subsidies… aligning policies towards non-transparent, non-market competitors… and underlining the need for concerted action on supply chain security and integrity.

It invests billions in basic research related to advanced semiconductors, via DoD and a newly created National Semiconductor Technology Center – helping us maintain our lead in the design, prototyping, lithography and packaging of advanced microelectronics.

And it makes an unprecedented investment in advanced manufacturing, with a focus on building new, advanced fabs in the United States to ensure a resilient and secure supply chain for the future. The $39 billion we provide in the form of investment incentives will mean that 7 to 10 new fabs are built here in the U.S. – something that will help ensure we never face the devastating supply chain constraints across a wide array of industries … from automotive to aerospace, biomedical, and other important sectors … that we have seen in the last year, stemming from a shortfall in semiconductor production. 

The Endless Frontier Act serves as a once-in-a-generation opportunity to solidify U.S. leadership in science and tech innovation, strengthen our national security, and reinvigorate American ingenuity.

I urge my colleagues on both sides of the aisle to join me in meeting this challenge and investing in America’s competitiveness.  

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) released the following statement after the Biden administration increased flexibility of the Technology Modernization Fund (TMF), a move Sen. Warner and his colleagues pushed for in a letter to the Biden administration encouraging it to be flexible in its administration of the $1 billion in IT modernization funding provided by the American Rescue Plan.

“Our Federal IT systems are long overdue for significant upgrades – we’ve known that to be true for years, but this reality has been further underlined by the COVID-19 pandemic. Through various pandemic relief packages, we’ve seen too many examples of individuals not being able to access timely or accurate benefits for which they’re eligible, and outdated IT systems have played a role in that.

“I’m glad to see that the administration is addressing feedback related to this TMF funding, and is committed to taking steps to ensure it can quickly and effectively help agencies address issues with security and the delivery of services to the American people. I encourage the administration to be as forward-leaning as possible in working with agencies to identify and address their needs, and am looking forward to working with them as they continue these efforts.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement after the Biden administration announced several steps to respond to Russian aggression, including interference in the 2020 election, the hack impacting thousands of SolarWinds customers, bounties on American soldiers in Afghanistan, and the illegal annexation of Crimea:

“I am glad to see the Biden administration formally attributing the SolarWinds hack to Russian intelligence services and taking steps to sanction some of the individuals and entities involved. The scale and scope of this hack are beyond any that we’ve seen before, and should make clear that we will hold Russia and other adversaries accountable for committing this kind of malicious cyber activity against American targets. Across both the public and private sector, we have a lot of work to do to deter our adversaries from conducting these types of damaging intrusions, and to guard against future interference in our elections. But this is a good first step in making clear that these sorts of actions are unacceptable and will be met with consequences.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) and Sen. Thom Tillis (R-NC) will co-chair the bipartisan Senate Cybersecurity Caucus in the 117th Congress. First launched in 2016 by Sen. Warner and then-Sen. Cory Gardner (R-CO), the Senate Cybersecurity Caucus provides a platform for Senators and their staffs to stay informed on major policy issues and developments in cybersecurity. 

“Recent hacks involving SolarWinds and Microsoft only serve to underscore that cybersecurity is one of the biggest economic and national security challenges we face as a nation,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence. “The Senate Cybersecurity Caucus is a platform for Senators and their staffs to keep up to date on cyber policy and engage in discussions about cybersecurity that cross Committee jurisdictions. I’m pleased to welcome Sen. Tillis as a co-chair of this effort, and look forward to working with him to bring bipartisan attention to these critical issues.”

“The threat of cyberattacks by foreign adversaries such as China and Russia targeting American businesses, research institutions, hospitals, and federal agencies is one of the most pressing issues for Congress to address,” said Sen. Tillis. “These cyberattacks are a threat to national security and our innovation economy. Over the last year, we have seen numerous cyberattacks targeting American infrastructure and intellectual property—primarily related to testing and vaccines for COVID-19. Senator Warner is a thought leader on cybersecurity issues and has a proven track record of bipartisan policymaking. I am proud to join the Cybersecurity Caucus as co-chair, and I look forward to working with Senator Warner to provide productive information on cybersecurity issues for Senators and their staff.”

An early investor in the cellular telephone business, Sen. Warner spent 20 years in the technology industry before entering public office. In the Senate, Warner has been a longtime leader on issues relating to technology and cybersecurity. As Chairman of the Senate Intelligence Committee, Warner recently convened the first public hearing into the SolarWinds supply chain attack that enabled hackers to penetrate multiple federal agencies and corporations.   

###

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, today requested information from the Federal Bureau of Investigation (FBI) and the Environmental Protection Agency (EPA) following a cyber incident in which hackers remotely breached a Florida water treatment plant and sought to dramatically alter water chemical levels in a move that could have poisoned thousands of residents.  

“The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in ‘illnesses or casualties and/or a denial of service that would also impact public health and economic vitality,’” wrote Sen. Warner in a letter to the Assistant Director of the FBI and the Acting Assistant Administrator at the EPA. “This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.”

He continued, “The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans. Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.” 

On February 5, a water treatment facility in Oldsmar, Florida was accessed remotely by hackers, who increased sodium hydroxide levels from 100 parts per million to 11,100 parts per million, a dangerous amount that could have sickened town residents, had the attack gone unnoticed by a plant employee.

In his letter, Sen. Warner requested a progress update on the FBI’s investigation into this incident. He also asked for an EPA review into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan needs to be updated to confront similar risks. Additionally, Sen. Warner inquired about any plans to share timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers.

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures commensurate with Americans’ increased reliance on remote work. Among other measures, Sen. Warner has advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. 

A copy of the letter can be found here and below.

 

Dear Mr. Gorham and Ms. Fox,

I am writing to request information about reports of a serious security compromise of a water treatment plant in Oldsmar, Florida on February 5, 2021.  The security and integrity of our critical infrastructure is of utmost importance.  The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in “illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”[i]  Additionally, other critical infrastructure sectors such as healthcare, emergency services, energy, food and agriculture, and transportation systems depend on the cyber resilience of water facilities.[ii]

According to information released by the Pinellas County Sheriff’s Office, the Oldsmar water treatment facility was accessed remotely by an unauthorized entity, who increased the amount of sodium hydroxide in the potable water supply to a dangerous level.[iii]  Given the consequences of a successful compromise of this kind, and the broader security weaknesses this unsuccessful attempt may illustrate within critical infrastructure sectors reliant on similar industrial control systems, I would request first, to be informed of the progress of the FBI’s investigation of the incident; second, a review by the Environmental Protection Agency into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan, most recently updated in 2015, needs to be updated to confront similar risks; and third, to confirm the Federal Government is sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States.

This incident has implications beyond the 15,000-person town of Oldsmar.  While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.  The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans.  Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.  

Please coordinate with my office to provide updates on the investigation of the incident, as well as efforts underway to avoid future compromises on water facilities in the United States.

###