Press Releases

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) issued the following statement in response to reports that General Motors plans to halt production temporarily at nearly all North American plants due to the shortage of semiconductor chips:

“The continuing impact of the chip shortage – epitomized most recently in the news that GM will be forced to idle plants across North America – speaks to the urgency of passing bipartisan legislation to fund new semiconductor production in the United States. While the impact of this funding will not solve the global semiconductor shortage overnight, the longer we wait, the worse this supply chain crunch will become. I would urge my House colleagues to pass the legislation funding my bill as soon as possible.” 

Sen. Warner, co-chair of the Senate Cybersecurity Caucus and former technology entrepreneur, has long sounded the alarm about the importance of investing in domestic semiconductor manufacturing. In June, he applauded the Senate passage of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to shore up American leadership in the microelectronics industry.  

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil.

 

WASHINGTON – U.S. Sens. Mark Warner (D-VA) and Marco Rubio (R-FL), Chairman and Vice Chair of the Senate Select Committee on Intelligence, and Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help safeguard our nation’s critical infrastructure networks against cybersecurity threats. The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) to ensure it can better identify and mitigate threats to Industrial Control Systems – the operational technology involved in operating critical infrastructure networks like pipelines, and water and electric utilities. The bill is the Senate companion to legislation introduced by U.S. Representative John Katko, Ranking Member of the House Homeland Security Committee, that has already passed the House unanimously.

“The trend over the last decade to interconnect, automate, and in some cases bring online industrial controls has introduced significant cyber vulnerabilities, attack vectors and even potential systemic risk,” said Senator Warner. “The federal government needs to understand these risks and help our critical infrastructure sectors prepare for and defend against these threats, and this bill takes a good step forward in doing that.”

“As made clear by the recent attacks on Colonial Pipeline and SolarWinds, we need to do more to protect American critical infrastructure and industries from cyber-attacks,” said Senator Rubio. “Bad actors, often based in China or Russia, will stop at nothing to take advantage of any vulnerability in U.S. infrastructure. We need to strengthen our cyber defenses to more quickly detect and prevent these targeted attacks on our most critical industries.”

“As foreign adversaries and the criminal organizations they harbor continue to target our critical infrastructure systems, it is essential we work to protect these networks from attacks that can lead to significant harm to the American people,” said Senator Peters. “This bipartisan, commonsense bill will help shore up the defenses of critical infrastructure networks and address vulnerabilities in products and technologies that help operate them.” 

“Attacks like the one against Colonial Pipeline show the real-world implications that cyberattacks against critical infrastructure can have,” said Senator Portman. “CISA’s role to play in supporting critical infrastructure owners and operators is crucial. I am pleased to join my bipartisan colleagues in introducing this bill to ensure CISA can better defend against threats and increase the cybersecurity of critical infrastructure.”

Critical infrastructure companies in the United States have seen a stark rise in cyber-attacks. Earlier this year, hackers breached the network of a major oil pipeline, forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Prior to that, malicious cyber actors took control of a Florida wastewater treatment plant's computer system, which allowed them to temporarily tamper with Americans’ water supply. These attacks, and others, highlighted the urgent need to secure critical infrastructure systems from foreign adversaries and criminal organizations who are relentless in their pursuit to exploit vulnerabilities and infiltrate networks.

The DHS Industrial Control Systems Capabilities Enhancement Act directs CISA to lead federal efforts to better identify and respond to threats against Industrial Control Systems and the critical infrastructure networks they help operate. The legislation also requires CISA to provide technical assistance to public and private sector entities on how they can work to identify and mitigate vulnerabilities in their operational technology systems. The bill would also ensure CISA shares information on cyber threats with users of Industrial Control Systems and provides a briefing to Congress on its ability to protect these critical systems. Finally, the legislation would require the Government Accountability Office to produce a report on its implementation and CISA’s capabilities to fulfill this mandate. 

###

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, U.S. Sen. Marco Rubio (R-FL), Vice Chairman of the Committee, and U.S. Sen. Susan Collins (R-ME), a senior member of the Committee, today led several colleagues in introducing bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery. The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.

Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” said Sen. Warner. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.” 

“Cyberattacks against American businesses, infrastructure, and government institutions are out of control. The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible,” Sen. Rubio said. 

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Sen. Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector.  Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.  I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.” 

In addition to Sens. Warner, Rubio and Collins, the legislation is co-sponsored by Senate Intelligence Committee members Sens. Dianne Feinstein (D-CA), Richard Burr (R-NC), Martin Heinrich (D-NM), James Risch (R-ID), Angus King (I-ME), Roy Blunt (R-MO), Michael Bennet (D-CO), Bob Casey (D-PA), Ben Sasse (R-NE), and Kirsten Gillibrand (D-NY), along with Sen. Joe Manchin (D-WV), Chairman of the Senate Armed Services Subcommittee on Cybersecurity, and Sen. Jon Tester (D-MT), Chairman of the Senate Appropriations Subcommittee on Defense.

“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action -- the introduction of the bipartisan Cyber Incident Notification Act of 2021. We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel. 

“It's encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.

“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.

A copy of the legislation is available here.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, and Sen. Susan Collins (R-ME), a member of the Senate Intelligence Committee and the Senate Committee on Health, Education, Labor and Pensions, urged the Biden administration to ensure that school systems across the country are equipped to fend off the growing number of cyberattacks targeting K-12 schools.

In a letter to the Department of Education Secretary Miguel Cardona, the senators requested that the department issue guidance affirming that school districts across the country have the authority to use federal dollars from two COVID-19 relief funds on cybersecurity resources. The two funds – Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) – were authorized by the CARES Act supported by both senators. 

“Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks,” the Senators wrote. “School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.”

In the letter, the Senators highlighted last year’s cybersecurity breach at Fairfax County Public Schools, the 11th largest school district in the nation, which had private information stolen and published online. The senators also cited a report from the Government Accountability Office (GAO), which found that since 2016, more than 17,000 public school districts and approximately 98,000 public schools have experienced breaches that resulted in the disclosure of personal information.

Noting that they have heard from school district leaders who are unsure as to whether they can use relief funds to adopt better cybersecurity measures, the senators specifically requested that the Department of Education publish and publicize guidance clearly stating that these funds may be used to improve cybersecurity. The senators also urged the department to provide recommended cybersecurity benchmarks as well as guidance on suggested spending priorities to best address the disproportionate number of cyber-threats facing school systems.

A PDF of the letter is available here. Text is available below.

 

Dear Secretary Cardona: 

We write today regarding the continued need to prioritize cybersecurity efforts in the context of our nation’s school systems. You know better than anyone the dramatic ways the COVID-19 public health crisis has affected how students learn. Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks.  School districts have a unique opportunity to use COVID-19 relief funds to revamp their cybersecurity systems. Therefore, we strongly urge the Biden Administration to publicize guidance stating allowable Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) monies can be spent on cybersecurity resources and engage with school districts to increase awareness of the critical need for prioritizing stronger cybersecurity measures. 

The pandemic has changed daily life for almost everyone in many ways; perhaps, there is no clearer example than the sudden shift to remote learning for students of all ages across the country. Census data shows that nearly 93% of people in households with school-age children reported their children were engaged in some form of “distance learning” over the past year.  While the distribution of COVID-19 vaccines has significantly slowed the spread of the virus, some remote learning is likely to continue, with hundreds of the nation’s 13,000 school districts having already created virtual schools intended to operate well into the pandemic’s aftermath.  Even as our nation’s schools fully return to in-person learning, cybersecurity risks will still be plentiful in the technology-dependent modern learning environment. 

With the shift to online instruction, school districts are now incredibly vulnerable to cybersecurity threats. Last fall, Virginia’s Fairfax County Public Schools, the 11th largest school district in the nation, was the target of a cybersecurity breach and ransomware incident that included theft of protected information.  This incident is far from an outlier. A report from the United States Government Accountability Office (GAO) released in September 2020 stated more than 17,000 public school districts and approximately 98,000 public schools throughout the U.S. had experienced breaches that resulted in the disclosure of personal information since 2016.  

School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.  

The COVID-19 relief bills Congress passed over the past year allocated millions to ESSER and GEER funds, which can be used for this purpose. In total, these bills included almost $200 billion for ESSER and over $7 billion for GEER. These available funds provide schools with a unique opportunity to invest in cybersecurity resources. While we understand schools must divide these funds across various crucial concerns, the pandemic has catapulted our school systems to an inflection point where investment in cybersecurity is now more critical than ever.

We have heard from school districts unsure whether they can use relief funds for this purpose. We greatly appreciate the Department of Education recently issuing a “Frequently Asked Questions” document, which confirms they can be used to improve cybersecurity “to better meet educational and other needs of students related to preventing, preparing for, or responding to COVID-19.”  We respectfully ask that the Administration take steps to publicize this information and help school districts understand the importance of using funding for cybersecurity efforts, including by promulgating lists of recommended cybersecurity benchmarks that additional resources could help school districts attain. Specifically, we urge the Education Department to issue public guidance clearly stating that states and local education authorities (LEAs) can use ESSER or GEER funds to improve cybersecurity, with guidance on suggested spending priorities to address the endemic threat of ransomware disproportionately impacting school systems. We also ask that the Department develop a plan to make sure school districts are aware of this allowable use and engage with LEAs to ensure they understand the importance of these resources.

We implore the Administration to recognize the urgent national need to prioritize cybersecurity in our nation’s education systems. Because of the relief funding Congress has provided over the past year, we have a real opportunity to address accumulating cybersecurity risks in schools. We encourage the Administration to ensure school systems are aware of this use for these funds and engage with LEAs, so they are equipped to take on this challenge. 

Again, thank you for your attention to this matter. We greatly appreciate your efforts on behalf of our nation’s students, and we look forward to continuing work together as our systems grapple with the aftermath of the pandemic. 

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement on President Biden’s executive order on protecting sensitive data from foreign adversaries:

“This executive order by the Biden administration adopts a risk-based, transparent, and comprehensive approach to evaluating the security and privacy risks of foreign technology products, a clear contrast to the previous administration’s uncoordinated approach on this issue. I look forward to working with the administration and my colleagues on ways in which we can codify these approaches to better ensure long-term consistency and predictability in our national policies in this area.”

###

WASHINGTON — U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, issued a statement on the Senate’s passage today of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to foster U.S. innovation in the race for 5G and shore up American leadership in the microelectronics industry: 

“America’s innovation in semiconductors undergirds our entire innovation economy. A wide array of products – from planes and automobiles to household appliances and small ‘smart’ devices – rely on these chips, and demand is only growing. But for too long, the U.S. has allowed competitors like China to out-invest us. No more. This bill makes a major, $52 billion investment in domestic semiconductor manufacturing, which will create good-paying jobs in America while maintaining our global innovation edge,” said Sen. Warner. “I am encouraged that this bill passed the Senate today on a broadly bipartisan basis, and strongly encourage our colleagues in the House to take it up and send it to the President’s desk without delay.” 

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil. Semiconductors power modern technology, including cars, computers, smartphones and an increasing number of internet-connected ‘smart’ devices as varied as laundry machines and toothbrushes. A current production shortage of chips has backed up manufacturing supply lines in the United States, with major automobile manufacturers projecting $110 billion in lost sales this year due to factories sitting idle while waiting for components, and increased costs for goods such as televisions and home appliances dependent on imported semiconductors being passed on to U.S. consumers. Demand for semiconductors is expected to continue to grow, as internet connectivity and software processing are added to an ever-wider array of consumer, enterprise, and industrial products, services, and systems.

The United States Innovation and Competition Act also includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, legislation Sen. Warner introduced to support U.S. innovation in 5G and provide alternatives to Chinese equipment providers like Huawei and ZTE, which are heavily subsidized by the Communist Party of China and present serious risks to national security and the integrity of information networks globally.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, took to the Senate floor today in support of the United States Innovation and Competition Act, bipartisan legislation that includes Warner-led provisions to foster U.S. innovation in the race for 5G and shore up American leadership in the microelectronics industry. This speech comes one day after the Senate reached a bipartisan deal with a procedural vote to move forward with the legislation.

The United States Innovation and Competition Act – also known by an earlier name, the Endless Frontier Act – would help invest in domestic semiconductor manufacturing, packaging and advanced research and development by investing $52 billion to implement the CHIPS for America Act, a bipartisan law championed by Sen. Warner to help restore semiconductor manufacturing back to American soil. Semiconductors power modern technology, including cars, computers, smartphones and an increasing number of internet-connected ‘smart’ devices as varied as laundry machines and toothbrushes. A current production shortage of chips has backed up manufacturing supply lines in the United States, with major automobile manufacturers projecting $110 billion in lost sales this year due to factories sitting idle while waiting for components, and increased costs for goods such as televisions and home appliances dependent on imported semiconductors being passed on to U.S. consumers. Demand for semiconductors is expected to continue to grow, as internet connectivity and software processing are added to an ever-wider array of consumer, enterprise, and industrial products, services, and systems.

“The semiconductor industry, while we’ve seen some sliding, still represents one of the shining lights of our country’s innovation economy. And as a wider array of products and services depend on internet connectivity and software processing, the demand for semiconductors has only grown. Unfortunately, that leadership position we’ve had for so long is at stake,” said Sen. Warner on the floor of the U.S. Senate. “So the CHIPS Act, which was baked into the Endless Frontiers Act, directs agencies like the Department of Commerce, in consultation with others like our Intelligence Community, to make investments in microelectronics R&D a priority.”

He continued, “It emphasizes the need for multilateral effort with our allies and close trading partners to bring greater transparency and accountability to subsidies. It aligns policies towards non-transparent, non-market competitors like the Chinese, and it makes sure that we have concerted and coordinated action both domestically and again, with our allies, on supply chain security and integrity. It invests billions in basic research related to advanced semiconductors, via DoD and a newly created National Semiconductor Technology Center – helping us maintain our lead in the design, prototyping, lithography and packaging of advanced microelectronics. And it makes an unprecedented investment in trying to build new foundries, fabs, and basic manufacturing facilities here in the United States so that we have that secure supply chain for the future.”

This crucial provision comes as the U.S. faces a decline in R&D and advanced manufacturing, including in advanced chip manufacturing. As Sen. Warner noted on the Senate floor, U.S. production of semiconductors and microelectronics has gone down from 37 percent in 1990 to just 12 percent today. By contrast, China has committed to invest $150 billion and produce at least 70 percent of semiconductors it consumes by 2030.

The United States Innovation and Competition Act also includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, legislation Sen. Warner introduced to provide Western-based alternatives to Chinese equipment providers like Huawei and ZTE, which are heavily subsidized by the Communist Party of China and present serious risks to national security and the integrity of information networks globally. 

“I was proud to work with two of my colleagues, Senator Burr and Senator Rubio. We put up a Public Wireless Supply Chain Innovation Fund to spur movement towards open-architecture and ‘leap-ahead’ technologies in our domestic mobile broadband market,” said Sen. Warner. “I believe that so-called ‘Open RAN’ represents the single best approach to tackling the 5G challenge – opening the radio access network to competition from a wider array of players, including startups, non-traditional players like software companies, and enterprise networking companies. That approach plays to U.S. strengths like software and network virtualization. And it means we have a wider set of firms – including American firms with healthier balance sheets – competing against Huawei. Because one thing that’s been clear over the past two Administrations: Our anti-Huawei message won’t work unless the U.S. proposes lower-cost Western alternatives.”

With the U.S. funding less than 28 percent of global R&D – down from 69 percent after World War II – the Warner-led provision would put forth $1.5 billion to invest in Western-based alternatives to Chinese equipment providers and $500 million to work with close allies and trading partners on the development and adoption of secure and trusted wireless infrastructure globally.

Sen. Warner’s remarks as prepared for delivery are available below:

I rise today in support of the Endless Frontier Act – a long-overdue bipartisan effort to invest in our country’s innovation and competitiveness. 

I am pleased to see Congress finally taking action to shore up U.S. investment in the research, development, and manufacturing of critical technologies. 

Without intervention, China will continue to outpace and outperform us in the global technology race – impacting our country’s economic well-being, our global influence, and our national security.

In recent years, China has rapidly ramped up investment in its domestic industries – and particularly in areas that confer long-term strategic influence.    

For instance, China consistently increases its investment in the semiconductor industry, with a commitment to invest $150 billion and a goal to produce at least 70 percent of semiconductors it consumes by 2030.

And this is a global competition: South Korea, for instance, has pledged to invest over $130 billion over the next 9 years, while training 36,000 new microelectronics engineers and technicians.  And Germany and 18 other EU members announced investments of up to $60 billion in key hardware like semiconductors over the next few years.

By contrast, over the past 10 years only 17 major semiconductor fabs have been built in the U.S. – while we’ve seen over 122 built elsewhere. In absolute terms, we’ve actually seen the number of facilities in the U.S. decline – going from 81 production facilities a decade ago to 76 today.  And as a country we’ve gone from a 37% share of semiconductors and microelectronics production in 1990 to just 12% today.

In part, this is because the cost of new fabs is 25-50% higher in the U.S. – a delta, in major part, attributable to the significantly lower financial incentives government provides in the U.S. for new construction compared to in competing locales. 

And for its part, China doesn’t plan on taking its foot off the pedal any time soon. Last year, President Xi Jinping announced a $1.4 trillion commitment through 2025 to develop advanced technologies like next-generation wireless networks and artificial intelligence.  Technologies that will undergird entire ecosystems of innovation, commerce, and communications.

US semiconductor firms – and firms in the adjacent areas of lithography, packaging, and metrology – still lead the world. However, many of the key ingredients to our success… including federal support for R&D, investment in basic research, and support for advanced manufacturing… have declined over the last 20 years.

Simply put, we are just not keeping up.

Between 1995 and 2018, Chinese R&D investment increased by over 15 percent per year on average, compared to the United States, which averaged just over 3 percent growth per year over the same period.  

Despite once championing investment in R&D and technological advancements, we are losing ground.

After World War II, the United States funded 69 percent of annual global R&D. Today, we fund less than 28 percent, with only 7 percent going to non-defense technologies like wireless communications.

To get back to where we once were and reassert US technology leadership, we need to re-prioritize foundational technologies to maintain not just our country’s economic leadership, but to ensure that countries with inconsistent values and objectives aren’t able to leverage control over these foundational technologies in worrisome ways.

As Chairman of the Senate Select Committee on Intelligence, I have long been banging the drum about the ways that the PRC has taken advantage of what makes our country and our economic system so great – our openness, our transparency, our technology, and our free markets. 

The Chinese government, unfortunately, plays by a different set of rules.

The Chinese government is using all aspects of its society to increase China’s dominance – using all means at its disposal to establish its position as the world’s technology leader – often with opaque subsidies and financing that dramatically tilt the playing field towards Chinese vendors.

And unfortunately, for too many of these trading partners, the deal is simply too good to turn down… in part, because we haven’t worked, either on our own or better yet with our close allies, to offer a secure, competitively-priced alternative. 

That’s why this bill is so important. It includes funding for the bipartisan Utilizing Strategic Allied (USA) Telecommunications Act, which fosters U.S. innovation in the race for 5G by providing $1.5 billion to invest in Western-based alternatives to Chinese equipment providers like Huawei and ZTE, and $500 million to work with close allies and trading partners on development and adoption of secure and trusted wireless infrastructure globally.

This is a bill I was proud to work on with my colleagues, Senator Burr and Senator Rubio.

And it would stand up a new Public Wireless Supply Chain Innovation Fund – to spur movement towards open-architecture, software-based wireless technologies, funding innovative, “leap-ahead” technologies in the domestic mobile broadband market.

I believe that so-called “Open RAN” represents the single best approach to tackling the 5G challenge – opening the radio access network to competition from a wider array of players, including startups, non-traditional players like software companies, and enterprise networking companies.

That approach plays to U.S. strengths like software and network virtualization. And it means we have a wider set of firms – including American firms with healthier balance sheets – competing against Huawei.

Because one thing that’s been clear over the past two Administrations: Our anti-Huawei message won’t work unless the U.S. proposes lower-cost Western alternatives. 

Crucially, this bill also invests in domestic semiconductor manufacturing, packaging and advanced R&D, with a $52 billion investment in the CHIPS for America law we enacted last year as part of a bipartisan effort by Senator Cornyn, Senator Schumer, Senator Cotton and me.

The semiconductor industry represents one of the shining lights of our country’s innovation economy. And as a wider array of products and services depend on internet connectivity and software processing, the demand for semiconductors has only grown. Unfortunately, experts note that the U.S. lead over China is shrinking each year.

The Endless Frontier Act would serve as a major step in shoring up American leadership in the microelectronics industry. 

It directs – and empowers – key agencies like the Department of Commerce to make investments in microelectronics R&D a priority. 

It emphasizes the need for multilateral effort with our allies and close trading partners – bringing greater transparency and accountability to subsidies… aligning policies towards non-transparent, non-market competitors… and underlining the need for concerted action on supply chain security and integrity.

It invests billions in basic research related to advanced semiconductors, via DoD and a newly created National Semiconductor Technology Center – helping us maintain our lead in the design, prototyping, lithography and packaging of advanced microelectronics.

And it makes an unprecedented investment in advanced manufacturing, with a focus on building new, advanced fabs in the United States to ensure a resilient and secure supply chain for the future. The $39 billion we provide in the form of investment incentives will mean that 7 to 10 new fabs are built here in the U.S. – something that will help ensure we never face the devastating supply chain constraints across a wide array of industries … from automotive to aerospace, biomedical, and other important sectors … that we have seen in the last year, stemming from a shortfall in semiconductor production. 

The Endless Frontier Act serves as a once-in-a-generation opportunity to solidify U.S. leadership in science and tech innovation, strengthen our national security, and reinvigorate American ingenuity.

I urge my colleagues on both sides of the aisle to join me in meeting this challenge and investing in America’s competitiveness.  

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) released the following statement after the Biden administration increased the flexibility of the Technology Modernization Fund (TMF), a move Sen. Warner and his colleagues pushed for in a letter to the Biden administration encouraging it to be flexible in its administration of the $1 billion in IT modernization funding provided by the American Rescue Plan.

“Our Federal IT systems are long overdue for significant upgrades – we’ve known that to be true for years, but this reality has been further underlined by the COVID-19 pandemic. Through various pandemic relief packages, we’ve seen too many examples of individuals not being able to access timely or accurate benefits for which they’re eligible, and outdated IT systems have played a role in that.

“I’m glad to see that the administration is addressing feedback related to this TMF funding, and is committed to taking steps to ensure it can quickly and effectively help agencies address issues with security and the delivery of services to the American people. I encourage the administration to be as forward-leaning as possible in working with agencies to identify and address their needs, and am looking forward to working with them as they continue these efforts.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement after the Biden administration announced several steps to respond to Russian aggression, including interference in the 2020 election, the hack impacting thousands of SolarWinds customers, bounties on American soldiers in Afghanistan, and the illegal annexation of Crimea:

“I am glad to see the Biden administration formally attributing the SolarWinds hack to Russian intelligence services and taking steps to sanction some of the individuals and entities involved. The scale and scope of this hack are beyond any that we’ve seen before, and should make clear that we will hold Russia and other adversaries accountable for committing this kind of malicious cyber activity against American targets. Across both the public and private sector, we have a lot of work to do to deter our adversaries from conducting these types of damaging intrusions, and to guard against future interference in our elections. But this is a good first step in making clear that these sorts of actions are unacceptable and will be met with consequences.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) and Sen. Thom Tillis (R-NC) will co-chair the bipartisan Senate Cybersecurity Caucus in the 117th Congress. First launched in 2016 by Sen. Warner and then-Sen. Cory Gardner (R-CO), the Senate Cybersecurity Caucus provides a platform for Senators and their staffs to stay informed on major policy issues and developments in cybersecurity. 

“Recent hacks involving SolarWinds and Microsoft only serve to underscore that cybersecurity is one of the biggest economic and national security challenges we face as a nation,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence. “The Senate Cybersecurity Caucus is a platform for Senators and their staffs to keep up to date on cyber policy and engage in discussions about cybersecurity that cross Committee jurisdictions. I’m pleased to welcome Sen. Tillis as a co-chair of this effort, and look forward to working with him to bring bipartisan attention to these critical issues.”

“The threat of cyberattacks by foreign adversaries such as China and Russia targeting American businesses, research institutions, hospitals, and federal agencies is one of the most pressing issues for Congress to address,” said Sen. Tillis. “These cyberattacks are a threat to national security and our innovation economy. Over the last year, we have seen numerous cyberattacks targeting American infrastructure and intellectual property—primarily related to testing and vaccines for COVID-19. Senator Warner is a thought leader on cybersecurity issues and has a proven track record of bipartisan policymaking. I am proud to join the Cybersecurity Caucus as co-chair, and I look forward to working with Senator Warner to provide productive information on cybersecurity issues for Senators and their staff.”

An early investor in the cellular telephone business, Sen. Warner spent 20 years in the technology industry before entering public office. In the Senate, Warner has been a longtime leader on issues relating to technology and cybersecurity. As Chairman of the Senate Intelligence Committee, Warner recently convened the first public hearing into the SolarWinds supply chain attack that enabled hackers to penetrate multiple federal agencies and corporations.   

###

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, today requested information from the Federal Bureau of Investigation (FBI) and the Environmental Protection Agency (EPA) following a cyber incident in which hackers remotely breached a Florida water treatment plant and sought to dramatically alter water chemical levels in a move that could have poisoned thousands of residents.  

“The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in ‘illnesses or casualties and/or a denial of service that would also impact public health and economic vitality,’” wrote Sen. Warner in a letter to the Assistant Director of the FBI and the Acting Assistant Administrator at the EPA. “This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.”

He continued, “The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans. Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.” 

On February 5, a water treatment facility in Oldsmar, Florida was accessed remotely by hackers, who increased sodium hydroxide levels from 100 parts per million to 11,100 parts per million, a dangerous amount that could have sickened town residents, had the attack gone unnoticed by a plant employee.

In his letter, Sen. Warner requested a progress update on the FBI’s investigation into this incident. He also asked for an EPA review into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan needs to be updated to confront similar risks. Additionally, Sen. Warner inquired about any plans to share timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers.

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures commensurate with Americans’ increased reliance on remote work. Among other measures, Sen. Warner has advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. 

A copy of the letter can be found here and below.

 

Dear Mr. Gorham and Ms. Fox,

I am writing to request information about reports of a serious security compromise of a water treatment plant in Oldsmar, Florida on February 5, 2021.  The security and integrity of our critical infrastructure is of utmost importance.  The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in “illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”[i]  Additionally, other critical infrastructure sectors such as healthcare, emergency services, energy, food and agriculture, and transportation systems depend on the cyber resilience of water facilities.[ii]

According to information released by the Pinellas County Sheriff’s Office, the Oldsmar water treatment facility was accessed remotely by an unauthorized entity, who increased the amount of sodium hydroxide in the potable water supply to a dangerous level.[iii]  Given the consequences of a successful compromise of this kind, and the broader security weaknesses this unsuccessful attempt may illustrate within critical infrastructure sectors reliant on similar industrial control systems, I would request first, to be informed of the progress of the FBI’s investigation of the incident; second, a review by the Environmental Protection Agency into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan, most recently updated in 2015, needs to be updated to confront similar risks; and third, to confirm the Federal Government is sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States.

This incident has implications beyond the 15,000-person town of Oldsmar.  While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.  The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans.  Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.  

Please coordinate with my office to provide updates on the investigation of the incident, as well as efforts underway to avoid future compromises on water facilities in the United States.

###

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) released a joint statement after the Biden administration confirmed Anne Neuberger, the National Security Agency's cybersecurity director, will lead the administration’s response to the SolarWinds breach. Yesterday, Chairman Warner and Vice Chairman Rubio sent a letter to the Intelligence Community urging the Unified Coordination Group to name a leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies and thousands of private sector entities.

“The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response. The Committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible.”

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence and U.S. Sen. Marco Rubio (R-FL), Vice Chairman of the Senate Select Committee on Intelligence, sent a letter to the Director of National Intelligence (ODNI) Avril Haines, National Security Agency (NSA) Director General Paul Nakasone, Federal Bureau of Investigation (FBI) Director Christopher Wray, and Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales, urging the Unified Coordination Group to name a leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies and thousands of other private sector entities.

In the letter to the intelligence community, the Senators wrote, “The briefings we have received convey a disjointed and disorganized response to confronting the breach. Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks.  The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed.”

The text of the full letter is here and can be found below.

Dear Director Haines, General Nakasone, Director Wray, and Acting Director Wales:

We are writing to urge you to name and empower a clear leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies, and thousands of other private sector entities.  The federal government’s response so far has lacked the leadership and coordination warranted by a significant cyber event, and we have little confidence that we are on the shortest path to recovery.

The briefings we have received convey a disjointed and disorganized response to confronting the breach. Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks.  The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed. 

The handling of this incident is too critical for us to continue operating the way we have been.  Presidential Policy Directive-41 was not meant to impede a joint response to significant cyber incidents and clearly gives the Unified Coordination Group the authority, with mutual agreement and consistent with applicable legal authorities, to realign operational control of respective agency assets to respond to such incidents.  We urge you to reach such an agreement and assign a clear leader to ensure we confront and mitigate this incident fully, and as quickly as possible.

 

Sincerely,

 

###

WASHINGTON – As tech companies and public health agencies deploy new tools to fight the spread of COVID-19 – including contact tracing apps, digital monitoring, home tests, and vaccine appointment booking – U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT) and U.S. Representatives Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19. 

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Our health privacy laws have not kept pace with what Americans have come to expect for their sensitive health data,” Warner said. “Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services. Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.” 

“I’m exceedingly proud of the American innovators, many of whom are in my congressional district, who have built technologies to combat the coronavirus. As these technologies are used, they must be coupled with policies to protect the civil liberties that define who we are as a nation,” said Eshoo. “The Public Health Emergency Privacy Act is a critical bill that will prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures. The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to re-introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo and Congresswoman DelBene, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that the Trump Administration missed an opportunity when it failed to advocate for swift passage of this legislation. Based on how poorly the Trump Administration’s contact tracing scheme went, we all know this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to the Biden Administration’s plan for widespread testing and manual contact tracing.”

“Technology has become one of our greatest tools in responding to the COVID-19 pandemic but we need to build trust with the broader public if we are going to reach its full potential. Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust,” said DelBene. “Data privacy should not end with the pandemic. We need comprehensive privacy reform to protect Americans at all times, including state preemption to create a strong, uniform national standard. I hope that this crisis has shed light on the lack of adequate digital privacy policies in our country and look forward to working with these lawmakers and others to create the necessary standards moving forward.”

The bill is co-sponsored in the Senate by U.S. Senators Michael Bennet (D-CO), Amy Klobuchar (D-MN), Edward J. Markey (D-MA), Tammy Baldwin (D-WI), Mazie K. Hirono (D-HI), Cory Booker (D-NJ), Robert Menendez (D-NJ), Angus King (I-ME), Elizabeth Warren (D-MA) and Dick Durbin (D-IL).

The bill is co-sponsored in the House of Representatives by Don Beyer (D-VA), Jerry McNerney (D-CA), Nanette Diaz Barragán (D-CA), Mark Pocan (D-WI), Bobby Rush (D-IL), Peter Welch (D-VT), Mary Gay Scanlon (D-PA), Doris Matsui (D-CA), Ted Lieu (D-CA), Mark DeSaulnier (D-CA), Jahana Hayes (D-CT), Ro Khanna (D-CA), Jesús “Chuy” García (D-IL), Stephen Lynch (D-MA), Raúl Grijalva (D-AZ), Barbara Lee (D-CA), Debbie Dingell (D-MI), and Peter DeFazio (D-OR).

The Public Health Emergency Privacy Act would:

· Ensure that data collected for public health is strictly limited for use in public health;

· Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;

· Prevent the potential misuse of health data by government agencies with no role in public health;

· Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;

· Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;

· Require regular reports on the impact of digital collection tools on civil rights;

· Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and

· Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Access Now, Electronic Privacy and Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute, and Public Knowledge.

“A public health crisis is not the time to give up on our privacy rights, and this bill would go a long way toward protecting those rights. COVID-19 response apps are already out there, and this bill will help ensure that the apps are distributed and used in a responsible manner that will limit the new and expansive surveillance systems companies are building. Allowing these apps to proceed unchecked would create serious privacy violations that will never be undone,” said Eric Null, U.S. Policy Manager at Access Now.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).

“Public health measures to contain the deadly spread of COVID-19 must be effective and protect those most at risk. Where data are collected or used, they should not be misused to undermine privacy, fairness and equity, or place our civil rights in peril. The Public Health Emergency Privacy Act ensures that efforts to limit the spread of the virus truly protect all our interests,” said Katharina Kopp, Director of Policy for the Center for Digital Democracy.

“Color Of Change strongly supports the Public Health Emergency Privacy Act, as it would prevent corporate profiteering and government misuse of health data to help ensure Black people — who are disproportionately exposed to the dangers of surveillance — can operate online without fear. Profit-incentivized corporations should not be allowed to exploit loopholes to gather and sell sensitive health and location data without any regard to the safety of our communities. As the COVID-19 pandemic rages on, we need stringent and enforceable safeguards in place to protect private health information of Black people and other marginalized communities, who are most at risk of both COVID-19 and surveillance. We thank Senators Blumenthal and Warner for their leadership on this legislation, and we will continue to advocate for the highest standard of protection against the abuse of personal data,” said Color Of Change President Rashad Robinson.

“Common Sense calls on Congress to pass meaningful privacy safeguards for families. More than ever, the pandemic has highlighted how important it is that families can trust how their information is being collected, used, and shared. PHEPA is an important proposal to ensure technologies and data being used to combat COVID are used in privacy-protective ways, and it also can serve as a model for how Congress can comprehensively protect privacy in the near future,” said Ariel Fox Johnson, Senior Counsel for Global Policy with Common Sense Media. 

“OTI welcomes the re-introduction of this legislation that would establish strong safeguards to prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner. The ongoing privacy threats and urgency of the pandemic make these protections more important than ever,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, released the following statement:

“The SolarWinds hack is a devastating breach of U.S. networks and once again shows that the President and the White House are not taking this issue seriously enough.  An incident of this magnitude and lasting impact requires an engaged and public response by the U.S. government, led by a President who understands the significance of this intrusion and who is actively marshaling a domestic remediation strategy and an international response. 

“As we learn about the wider impact of this malign effort – with the potential for wider compromise of critical global technology vendors and their products – it is essential that we see an organized and concerted federal response. It is extremely troubling that the President does not appear to be acknowledging, much less acting upon, the gravity of this situation.”

 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, released the following statement on the SolarWinds supply chain attack:

“As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects – whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies. As we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors.”

 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, released a statement today on the announcement by cybersecurity firm FireEye that it was the victim of hackers tied to a nation-state:

“The hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyber-attacks.

“I applaud FireEye for quickly going public with this news, and I hope the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions.

“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers. As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued a statement today following the President’s firing of Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs:

“Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections.

“It speaks volumes that the president chose to fire him simply for telling the truth.”

Sen. Warner, co-chair of the Senate Cybersecurity Caucus, has previously cautioned about the dangers of destabilizing the government by ousting key officials amid a transition of Presidential power. Just last week, he reacted to reports that Director Krebs expected to be fired by the President, noting that there is “no possible justification to remove him from office.”

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) applauded congressional passage of their bipartisan legislation to require minimum security requirements for Internet of Things (IoT) devices purchased by the U.S. government. Leveraging the purchasing power of the federal government, the bill will ultimately help move the wider market for IoT devices towards greater cybersecurity. The Internet of Things (IoT) Cybersecurity Improvement Act passed through the U.S. House of Representatives in September and was approved in the Senate today by unanimous consent. It now heads to the President’s desk for signature.

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.” 

“I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems,” said Sen. Gardner. “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.” 

Sens. Warner and Gardner originally authored and introduced this legislation in the Senate back in August 2017. They reintroduced the bill in the 116th Congress and saw its passage through the Senate Homeland Security and Governmental Affairs Committee in June 2019. 

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
  • Require any IoT devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems. 
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with a vendor for remediation.

Sens. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus. Sen. Warner – a former technology entrepreneur and Vice Chairman of the Senate Select Committee on Intelligence – is also a leader in Congress on security issues related to the Internet of Things.

###

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Intelligence Committee, today expressed grave concerns regarding the cybersecurity measures in place at one of the nation’s largest medical facility operators, which recently fell victim to an apparent ransomware attack. In a letter to United Health Services (UHS), Sen. Warner posed a series of questions for Chairman and Chief Executive Officer Alan B. Miller regarding the ransomware attack and stressed the need for UHS and other clinical providers to ensure that all information, medical, and critical systems are sufficiently protected.

“As UHS has expanded over four decades to encompass 250 medical facilities across the U.S., including twelve facilities in Virginia, effective clinical environment cybersecurity cannot be a casualty to value-based care cost savings and economies of scale. Indeed, hospital systems have frequently suggested to competition authorities that greater consolidation will allow for greater operational efficiencies; yet this does not appear to be the case when it pertains to something as vital as information security,” wrote Sen. Warner. “An increasing number of medical facilities sharing connected information systems and computer networks requires adequate protection for a significantly larger attack surface. Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems. An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic.”

“With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations,” he continued. “While UHS’s latest annual report acknowledges that a cyber-attack that causes a security breach or loss of HIPAA protected health information could have a material impact on business, there is more than just business at stake when clinical operations are disrupted.”

In the letter, Sen. Warner noted that authorities in both countries where UHS operates – including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) – have continued to raise alarm regarding the danger posed by advanced persistent threat groups who exploit the COVID-19 pandemic, waging attacks against healthcare providers that include password “spraying” campaigns, scanning for vulnerabilities in unpatched software, and targeting supply chains. 

Sen. Warner also posed the following series of questions in order to gain a better understanding of the situation facing UHS:

  1. Please describe the UHS vulnerability management process, including your current practices relating to patch management across your health infrastructure.
  2. How are various UHS facilities’ networks and IT systems isolated from each other to prevent a cybersecurity breach at one facility from affecting multiple facilities?
  3. Does UHS have effective segmentation measures in place within its healthcare facilities to prevent any type of malware from spreading?
  4. What policies does UHS maintain relating to third-party risk management?
  5. What are your cybersecurity and risk assessment requirements?
  6. How are clinical medical devices isolated from administrative systems and networks to ensure a breach of the administrative network does not interrupt medical devices?
  7. Who is the senior-most executive responsible for day-to-day oversight of information security and who does that executive report to?
  8. Has UHS paid any ransom or does UHS plan to pay any ransom?
  9. Have any patient medical records, HIPAA protected data, or healthcare information been affected or suffered a denial of access?
  10. Have any patient medical records, HIPAA protected data, or healthcare information been exfiltrated from UHS owned or operated systems without authorization? 

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures as Americans have increasingly relied on internet connectivity for remote work, health, and education purposes. Among other measures, Sen. Warner has recently advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks.  He has also introduced legislation to set strong and enforceable privacy and data security rights for health information as tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19. 

The letter is available here and text can be found below.

 

Mr. Alan B. Miller

Chairman and Chief Executive Officer

Universal Health Services, Inc.

367 S. Gulph Road

King of Prussia, PA  19406

Dear Mr. Miller: 

I write you with grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack. As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity. While initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting. The national health crisis during the COVID-19 pandemic only exacerbates the consequences of insufficient cybersecurity. 

The need for health care providers to address cybersecurity threats has been obvious for several years now. Clinical providers including UHS must ensure all information, medical, and critical systems are sufficiently protected. Ransomware continues to impact organizations that have not demonstrated sufficient risk management maturity. The threat of ransomware to hospital systems – and the impact it has on clinical healthcare operations, patient care, and life safety – has been clear since 2016, when a series of major incidents occurred.[1] 

Although the threats are not new, authorities have continued to sound the alarm about the cyber threats to healthcare – including the heightened impact during our current public health emergency. For example, in both countries where UHS operates, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert on May 5, 2020[2]. This alert announced that advanced persistent threat (APT) groups are exploiting the COVID-19 pandemic as part of cyber operations against healthcare and essential services. Attacks observed against healthcare providers include password “spraying” attacks that automate attempts to use commonly used passwords, scanning for vulnerabilities in unpatched software, such as virtual private networks, and targeting supply chains. 

As UHS has expanded over four decades to encompass 250 medical facilities across the U.S., including twelve facilities in Virginia, effective clinical environment cybersecurity cannot be a casualty to value-based care cost savings and economies of scale. Indeed, hospital systems have frequently suggested to competition authorities that greater consolidation will allow for greater operational efficiencies; yet this does not appear to be the case when it pertains to something as vital as information security. An increasing number of medical facilities sharing connected information systems and computer networks requires adequate protection for a significantly larger attack surface. Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems. An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic.

With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations. While UHS’s latest annual report acknowledges that a cyber-attack that causes a security breach or loss of HIPAA protected health information could have a material impact on business, there is more than just business at stake when clinical operations are disrupted.

To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe the UHS vulnerability management process, including your current practices relating to patch management across your health infrastructure.

2. How are various UHS facilities’ networks and IT systems isolated from each other to prevent a cybersecurity breach at one facility from affecting multiple facilities?

3. Does UHS have effective segmentation measures in place within its healthcare facilities to prevent any type of malware from spreading?

4. What policies does UHS maintain relating to third-party risk management?

5. What are your cybersecurity and risk assessment requirements?

6. How are clinical medical devices isolated from administrative systems and networks to ensure a breach of the administrative network does not interrupt medical devices?

7. Who is the senior-most executive responsible for day-to-day oversight of information security and who does that executive report to?

8. Has UHS paid any ransom or does UHS plan to pay any ransom?

9. Have any patient medical records, HIPAA protected data, or healthcare information been affected or suffered a denial of access?

10. Have any patient medical records, HIPAA protected data, or healthcare information been exfiltrated from UHS owned or operated systems without authorization?

Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide. When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.

Your response will be critical to this process, and I look forward to receiving that within the next two weeks. If you should have any questions or concerns, please contact my office.

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

###

WASHINGTON – Today, Senate Intelligence Committee Vice Chairman Mark R. Warner (D-VA) and Chairman Marco Rubio (R-FL) led a bipartisan group of Senators in urging the Federal Communications Commission (FCC) to encourage the adoption of OpenRAN and other open and interoperable standards solutions by affected carriers as it works to implement the Secure and Trusted Communications Networks Act, legislation championed by Sen. Warner and passed earlier this year.

In a letter, the Senators urged FCC Chairman Ajit Pai to include OpenRAN and OpenRAN solutions on the list of suggested replacements for physical and virtual communications equipment, application and management software, and services. This inclusion would allow affected carriers to adopt these alternative solutions as they dispose of risky communications equipment, as outlined in the Secure and Trusted Communications Networks Act. In addition to Sens. Warner and Rubio, this letter was signed by Sens. Margaret Wood Hassan (D-NH), John Cornyn (R-TX), Robert Menendez (D-NJ), Richard Burr (R-NC), Michael F. Bennet (D-CO), Tom Cotton (R-AR) and Angus S. King (I-ME).

“The inclusion of OpenRAN solutions on the list of suggested replacements could produce benefits beyond the immediate goal of securing American communications networks. Such equipment is interoperable, uses open interfaces, is not reliant on a single equipment vendor, and is easily upgradeable to new applications and uses, including 5G OpenRAN, without the need to continually replace proprietary equipment or conduct additional tower climbs,” the Senators wrote. “Moreover, this equipment will help spur innovation and create more competition and diversity in the supply chain. It is prudent that we take full advantage of this moment to prevent similar concerns from arising in the future.”

The Secure and Trusted Communications Networks Act was modeled on legislation Sen. Warner first cosponsored to protect American communications networks from threats presented by foreign suppliers like Huawei and ZTE. Specifically, it offers relief to smaller telecommunications providers – largely in rural areas – by reimbursing them for the costs of removing and replacing untrusted foreign equipment which presents risks to U.S. national security.

In their letter, the Senators also requested that the FCC aid in securing communications networks as expeditiously as possible by clarifying that carriers can begin replacing equipment right away, rather than needing to wait for the Secure and Trusted Communications Networks Act to be fully implemented and funded.

A copy of the letter can be downloaded here and text is available below. 

 

Dear Chairman Pai:

As the Federal Communications Commission (FCC) continues to implement the Secure and Trusted Communications Networks Act (the “Act”), we write to urge you to include OpenRAN and other solutions that adhere to open and interoperable standards (“OpenRAN solutions”) on “the list of suggested replacements of both physical and virtual communications equipment, application and management software, and services” that the Act requires the FCC to develop. As you know, the Act directs that the list shall be technology neutral. An explicit assurance to impacted carriers that they may select OpenRAN solutions to replace covered equipment would support other potential benefits, including easing subsequent updates to “future proof” networks. This guarantee may also stretch federal dollars further, as OpenRAN offers the possibility of cost savings. 

Further, to aid in securing communications networks as expeditiously as possible, the FCC should make clear that equipment and services on the list of suggested replacements, including OpenRAN solutions, will be eligible for reimbursement as prescribed in the Act. The FCC should also clarify to carriers that they need not wait for the Act to be fully implemented and funded to begin the replacement process to be eligible for reimbursement if using suggested replacement equipment and services.  

The inclusion of OpenRAN solutions on the list of suggested replacements could produce benefits beyond the immediate goal of securing American communications networks. Such equipment is interoperable, uses open interfaces, is not reliant on a single equipment vendor, and is easily upgradeable to new applications and uses, including 5G OpenRAN, without the need to continually replace proprietary equipment or conduct additional tower climbs. Moreover, this equipment will help spur innovation and create more competition and diversity in the supply chain. It is prudent that we take full advantage of this moment to prevent similar concerns from arising in the future.

Accordingly, we request the FCC to explicitly allow reimbursement of affected carriers for purchases of OpenRAN solutions to replace covered equipment in their networks. We applaud the FCC’s recent Forum on 5G Open Radio Access Networks and laud your work to highlight the importance of OpenRAN solutions. Thank you for your attention to this important matter, and we look forward to our continued work.

Sincerely, 

###

 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Intelligence Committee, today raised alarm regarding the need to protect education infrastructure from cyber-attacks following a ransomware incident at Fairfax County Public Schools, the largest school system in Virginia.

In a letter to Education Secretary Betsy DeVos, Sen. Warner urged the U.S. Department of Education to develop guidance and disseminate best practices for K-12 schools and institutions of higher education and to work with school districts to develop a comprehensive, risk-based funding request from Congress. 

“A ransomware attack on a school system in normal times can be disruptive and costly; in the context of a global public health emergency, with unprecedented reliance on remote learning, it is debilitating,” wrote Sen. Warner. “Sophisticated cyber-attacks and more opportunistic forms of malware, like ransomware, are widespread today and require sustained vigilance. Defending against these persistent attacks requires a consistent and holistic approach. The public sector is particularly at risk given constrained state and local budgets.” 

“I recommend providing schools with guidance that includes awareness campaigns, risk management, threat mitigation, cybersecurity posture reviews, and resiliency. Awareness campaigns for both educators and students can focus on the importance of recognizing threats, such as phishing attacks, ransomware, malware, and social engineering methods. Regular evaluations can determine the effectiveness of awareness campaigns to address any gaps. Threat mitigation includes developing sufficient safeguards to ensure data security and access control,” he continued. “Detection capabilities are also needed to continuously monitor for anomalies and cybersecurity events. Schools should review these capabilities, plus their readiness to respond and recover from attacks. For example, tabletop exercises can validate processes and test procedures used before, during, and after an attack. Cyber resiliency ensures systems have an ability to continue operating in case of attack, while full restoration takes place. Many of these objectives will require new funding from Congress, particularly in the wake of the devastating impact COVID-19 has had on school system budgets.”

Fairfax County Public Schools, which serves nearly 200,000 students and employs over 24,000 employees, was recently the target of a ransomware attack that involved the theft of protected information.

In his letter, Sen. Warner pressed Sec. DeVos to work to adapt available cybersecurity guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to school systems. Stressing the need for robust cybersecurity education, Sen. Warner also pushed Sec. DeVos to disseminate best practices to states and localities seeking to teach cybersecurity in the K-12 setting.

Additionally, Sen. Warner urged the Department of Education to work with educators, industry, and CISA to encourage a consortium or Information Sharing and Analysis Center (ISAC) for K-12 schools to exchange cybersecurity threat information and best practices for defense that are tailored to account for capabilities and constraints of K-12 schools. 

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures as Americans have increasingly relied on internet connectivity for remote work, health, and education purposes. Among other measures, Sen. Warner has recently advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. He has also introduced legislation to set strong and enforceable privacy and data security rights for health information as tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19.

The letter is available here and text can be found below.

 

Dear Secretary DeVos: 

I write to you about the need for effective cybersecurity in the context of our nation’s K-12 education system. As COVID-19 has placed a strong emphasis on remote learning throughout the United States, this new normal also highlights the heightened need to protect education infrastructure from cyber-attacks, provide measurable standards, and ensure educators are equipped to manage cybersecurity risk. 

Virginia’s Fairfax County Public Schools, a local school division with nearly 200,000 students and over 24,000 employees, was recently the target of a cyber and ransom attack that included theft of protected information. While an investigation proceeds, the incident in Fairfax County demonstrates the need for schools to be prepared with cybersecurity defenses and resilience. A ransomware attack on a school system in normal times can be disruptive and costly; in the context of a global public health emergency, with unprecedented reliance on remote learning, it is debilitating.

Sophisticated cyber-attacks and more opportunistic forms of malware, like ransomware, are widespread today and require sustained vigilance. Defending against these persistent attacks requires a consistent and holistic approach. The public sector is particularly at risk given constrained state and local budgets. It is too late to wait for a cyber-attack before taking action to ensure school systems and personal data are secure and available.

I urge the U.S. Department of Education to develop baseline cybersecurity standards for K-12 schools and institutions of higher education and to work with school districts to develop a risk-based and comprehensive appropriations request for FY2022. Many school districts do not currently have sufficient guidance to implement an effective cybersecurity program. Fortunately, there is cybersecurity guidance available that could be tailored for education. Existing cybersecurity frameworks, such as National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) guidance, can be adapted and applied for our school systems. We have seen a range of sectors develop customized Framework Profiles that tailor the NIST Cybersecurity Framework to the particular risks, resources, and circumstances of a particular sector.

I recommend providing schools with guidance that includes awareness campaigns, risk management, threat mitigation, cybersecurity posture reviews, and resiliency. Awareness campaigns for both educators and students can focus on the importance of recognizing threats, such as phishing attacks, ransomware, malware, and social engineering methods. Regular evaluations can determine the effectiveness of awareness campaigns to address any gaps. Threat mitigation includes developing sufficient safeguards to ensure data security and access control. Detection capabilities are also needed to continuously monitor for anomalies and cybersecurity events. Schools should review these capabilities, plus their readiness to respond and recover from attacks. For example, tabletop exercises can validate processes and test procedures used before, during, and after an attack. Cyber resiliency ensures systems have an ability to continue operating in case of attack, while full restoration takes place. Many of these objectives will require new funding from Congress, particularly in the wake of the devastating impact COVID-19 has had on school system budgets.

In addition to protecting school infrastructure, I urge you to develop guidance and disseminate best practices to states and localities seeking to teach cybersecurity in the K-12 setting. For example, the Cyberspace Solarium Commission recommends that the U.S. Government promote professional development programs to model safe, secure, and privacy-aware internet practices in classrooms. The Commission also recommends incorporating effective digital literacy curricula in American classrooms at the K-12 level and beyond, including critical thinking and problem solving skills.  

Finally, I urge the Department of Education to work with educators, industry, and CISA to encourage a consortium or Information Sharing and Analysis Center (ISAC) for K-12 schools to exchange cybersecurity threat information and best practices for defense. Such an organization could be a counterpart to the existing Research and Education Networks ISAC that focuses on higher education. Because K-12 schools have very different missions and resources than higher education institutions, I would encourage particular attention to ensuring such efforts meet K-12 educators where they are – with information sharing, best practices, and action items tailored to account for capabilities and constraints of K-12 schools.

Our nation faces increasing cybersecurity threats on our infrastructure. As the recent Fairfax County Public Schools incident demonstrates, our schools need vigilant defenses from these threats, similar to private industries and government. Adversaries have shown a willingness to attack our education facilities, and schools must be proactive, attentive, and proficient at cybersecurity. While the nation confronts the COVID-19 public health emergency, an increased reliance on remote learning makes the need for effective threat defense paramount.  

Schools have a unique strategic role in our nation’s cybersecurity posture through educating students and tomorrow’s leaders of essential cybersecurity practices. I urge you to take necessary steps to ensure schools have adequate guidance to defend attacks and provide a cybersecurity education. Thank you for your consideration of these issues and your timely response.

Sincerely,

 

###

 

WASHINGTON - As tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19, U.S. Sens. Mark R. Warner and Richard Blumenthal (D-CT) and U.S. Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.

“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Communications technology has obviously played an enormously important role for Americans in coping with and navigating the new reality of COVID-19 and new technology will certainly play an important role in helping to track and combat the spread of this virus. Unfortunately, our health privacy laws have not kept pace with the privacy expectations Americans have come to expect for their sensitive health data,” Warner said. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health. The credibility – and indeed efficacy – of these technologies depends on public trust.” 

“I’m thankful that our country is blessed with the world’s best innovators and technologists, many of whom I represent in the House, and that they have joined the effort to combat the coronavirus by using technology to control the spread of the virus,” said Eshoo. “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation. I’m proud to join my colleagues to introduce the Public Health Emergency Privacy Act, strong and necessary legislation that protects the privacy of every American while ensuring that innovation can aid important public health efforts.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to widespread testing and manual contact tracing.”

“We must use every tool available to us to respond to the COVID-19 pandemic. Contact tracing, along with testing, are the cornerstones of a science-based approach to addressing this historic crisis. We can protect our public health response and personal data privacy,” said DelBene. “I have been calling on the Trump administration and the private sector to adopt data privacy principles since the start of this outbreak. It is time for Congress to lead the way in assuring we have a strong national contact tracing system and that Americans’ personal data is protected. This bill will achieve this mutual goal.”

Eshoo, Schakowsky, and DelBene introduced House legislation with original co-sponsors House Energy and Commerce Committee Vice Chair Yvette Clarke (D-NY), Health Subcommittee Vice Chair G. K. Butterfield (D-NY), and Consumer Protection & Commerce Subcommittee Vice Chair Tony Cárdenas (D-CA).

The Public Health Emergency Privacy Act would:

· Ensure that data collected for public health is strictly limited for use in public health;

· Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;

· Prevent the potential misuse of health data by government agencies with no role in public health;

· Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;

· Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;

· Require regular reports on the impact of digital collection tools on civil rights;

· Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and

· Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Lawyers’ Committee for Civil Rights Under Law, Public Knowledge, New America’s Open Technology Institute, Consumer Reports, Free Press, Electronic Privacy Information Center (EPIC), Public Citizen, health privacy scholar Frank Pasquale, and privacy scholar Ryan Calo.

“African Americans and other marginalized communities are suffering disproportionately from coronavirus and its economic effects. They do not need further harm from snake oil surveillance tech. This bill protects the most vulnerable—it ensures that any technology used to track the virus is not used to unfairly discriminate in employment, voting, housing, education, and everyday commerce,” said David Brody, Counsel and Senior Fellow for Privacy & Technology at the Lawyers’ Committee for Civil Rights Under Law.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge. 

“OTI welcomes this effort to protect privacy as lawmakers consider pandemic response plans that gather vast quantities of data. The bill would establish strong safeguards that would prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“When it comes to tracking and collecting people’s data, we want to make sure there are basic protections for people’s privacy, and this bill is a positive step to establish the trust and balance that’s needed. The bill smartly requires that data collected to fight coronavirus can only be used for public health purposes – and nothing else. Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements. These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumer Reports.

“Digital contact tracing and exposure notification systems may be important tools in combating the spread of coronavirus. But they must be deployed responsibly and with adequate safeguards that protect the privacy and civil rights of the people that use them. The Public Health Emergency Privacy Act is a serious effort at ensuring our rights are protected while giving public health officials the tools they need to track and notify those exposed to COVID-19. These rules must apply to everyone using these systems, whether that’s state or local governments, employers, or other tech companies. This bill protects the civil rights of the most vulnerable essential workers, the disproportionately Black and Latinx people most exposed to the virus, and will help ensure they’re not also subject to invasive and unnecessary surveillance that will linger long after this crisis passes,” said Gaurav Laroia, Senior Policy Counsel with Free Press.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC). 

“What we need more than anything during this global emergency is to feel less vulnerable, to be sure not just that our health is protected, but that our rights are protected as well. This bill will ensure that whatever technological innovation emerges during the pandemic, we will feel safer knowing that our rights to privacy, to our day in court and to access to the ballot box won’t be threatened,” said Robert Weissman, President of Public Citizen.

“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency. To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust. The Public Health Emergency Privacy Act is a big step in the right direction,” said Frank Pasquale, Piper & Marbury Professor of Law at University of Maryland Carey School of Law.

“This draft legislation addresses two of my biggest privacy concerns about the use of technology and information to respond to COVID-19. As the Act makes clear, the emergency health data of Americans should only be used to fight the pandemic and should never be used to discriminate or deny opportunity,” said Ryan Calo, Lane Powell & D. Wayne Gittinger Endowed Professor at University of Washington School of Law.

WASHINGTON - Following reports of escalating foreign cyber espionage and cybercrime targeting American health institutions amid the COVID-19 pandemic, U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) called on top U.S. cybersecurity officials to take immediate steps to bolster defenses, coordinate with hospitals, and engage in deterrence against such attacks. 

The bipartisan group of Senators wrote to the Cybersecurity and Infrastructure Security Agency (CISA) and United States Cyber Command after reports that Russia, China, Iran, North Korea, and criminal groups have launched hacking campaigns targeting the U.S. health care and medical research sectors in recent weeks. These malicious campaigns included ransomware attacks hitting hospitals, disinformation about health related to COVID-19, and spying on U.S. medical response and research. 

“[O]ur country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” wrote the Senators in a letter to CISA Director Christopher Krebs and Cyber Command Commander Paul Nakasone. “Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.”

The Senators urged the agencies to make cyber threat information public to enable better defensive efforts, as well as raise public alarm and issue statements putting adversaries on notice. The Senators also called on the agencies to provide technical assistance to help states in their cybersecurity efforts, convene stakeholders in the medical sector to make sure they have the necessary resources, and engage in deterrence actions as necessary. 

The full text of the letter is available here and copied below.

Dear Mr. Krebs and General Nakasone,

We write to raise our profound concerns that our country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic. These hacking attempts pose an alarming risk of disrupting or undermining our public health response at this time of crisis. We write to urge the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with United States Cyber Command, and its partners to issue guidance to the health care sector, convene stakeholders, provide technical resources, and take necessary measures to deter our adversaries in response to these threats.

In recent weeks, Russian, Chinese, Iranian, and North Korean hacking operations have targeted the health care sector and used the coronavirus as a lure in their campaigns.  In March, the cyber security firm FireEye reported that a Chinese hacking group, APT41, carried out one of the broadest hacking campaigns from China in recent years, beginning at the onset of the pandemic.[1] According to researchers, APT41 is a sophisticated Chinese state sponsored group that specializes in espionage against healthcare, high-tech, and political interests.[2] This latest campaign sought to exploit several recent vulnerabilities in commonplace networking equipment, cloud software, and office IT management tools—the same systems that we are now more reliant on for telework and telehealth during this pandemic. Included in the new Chinese espionage campaign are the healthcare and pharmaceutical nonprofits and companies bracing to respond to the coronavirus. APT41’s campaign also appears to reflect a broader escalation from Chinese groups in recent weeks.[3]

China is not alone in exploiting the coronavirus pandemic against our interests. Russian, Iranian, and North Korean government hackers have reportedly targeted international health organizations and the public health institutions of U.S. allies.[4] Additionally, the State Department has identified disinformation operations from Russia, Iran, and China that sought to spread false information about coronavirus to undermine the nation’s response to the pandemic.[5] Unless we take forceful action to deny our adversaries success and deter them from further exploiting this crisis, we will be inviting further aggression from them and others.

The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored. Prior to the pandemic, hospitals had already struggled to defend themselves against an onslaught of ransomware and data breaches. Our hospitals are dependent on electronic health records, email, and internal networks that often heavily rely on legacy equipment. Even a minor technical issue with the email services of the Department of Health and Human Services meaningfully frustrated efforts to coordinate the federal government’s service.[6] Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.

The Cybersecurity and Infrastructure Security Agency and Cyber Command are on the frontlines of our response to cybersecurity threats to our critical infrastructure. Hospitals, medical researchers, and other health institutions need the expertise and resources your agencies have developed defending against these same sophisticated threats. We urge you to take all necessary measures to protect these institutions during the coronavirus pandemic, including:           

1.) Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.

2.) Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.

3.) Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.

4.) Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.

5.) Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election interference issued on March 2nd.

6.) Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

 We stand ready to work with you to provide any further resources necessary in this effort. Thank you for your attention to this urgent matter.

Sincerely,

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged six internet networking device vendors to help ensure that their internet connectivity products remain secure as Americans across the nation ramp up their use of these devices for remote work, health, and education purposes as part of COVID-19 social distancing efforts. In letters to Google, Netgear, Belkin, Eero, Asus, and Commscope, Sen. Warner urged vendors to help ensure that their wireless access points, routers, modems, mesh network systems, and related connectivity products remain secure and cannot be easily exploited to attack consumer systems and workplace networks.

“As the COVID-19 pandemic unfolds, Americans will depend on connectivity products to receive telehealth; remain connected with family, colleagues, employers, and friends; and to receive news reports, and guidance from government and public health officials,” wrote Sen. Warner. “During this time, the security of consumer devices and networks will be of heightened importance.”

He continued, “I request your attention and diligence to help protect the consumer devices you sell. Both new and older devices in use deserve protection from cybersecurity threats, including timely updates to mitigate vulnerabilities and exposures.”

As the COVID-19 outbreak continues to spread, and workplaces, schools, and businesses shut their doors as part of social distancing efforts, Americans are increasingly relying on their home networks and personal internet connectivity devices. However, without proper cybersecurity measures, these home devices can pose a risk to larger workplace systems, potentially creating a door for bad actors to infiltrate these networks. 

According to CNBC, cyberthreats – including phishing and other cyber scams – have increased amid the COVID-19 outbreak, as online criminals look to take advantage of home network vulnerabilities and stressed IT systems.

In the letters, Sen. Warner urged vendors to continue to issue timely security updates in order to mitigate known cybersecurity vulnerabilities. Additionally, he stressed the importance of having vendors notify consumers who may own devices that are no longer able to receive critical updates and are therefore no longer protected from cybersecurity threats.

Sen. Warner also highlighted his Internet of Things (IoT) Cybersecurity Improvement Act – a bipartisan bill he introduced last year that would improve the cybersecurity of Internet-of-Things devices and help ensure that vendors of key information technology products maintain coordinated vulnerability programs.

A full list of Sen. Warner’s work to protect Americans amid the COVID-19 outbreak is available here.

 ###