Press Releases

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged six internet networking device vendors to help ensure that their internet connectivity products remain secure as Americans across the nation ramp up their use of these devices for remote work, health, and education purposes as part of COVID-19 social distancing efforts. In letters to Google, Netgear, Belkin, Eero, Asus, and Commscope, Sen. Warner urged vendors to help ensure that their wireless access points, routers, modems, mesh network systems, and related connectivity products remain secure and cannot be easily exploited to attack consumer systems and workplace networks.

“As the COVID-19 pandemic unfolds, Americans will depend on connectivity products to receive telehealth; remain connected with family, colleagues, employers, and friends; and to receive news reports, and guidance from government and public health officials,” wrote Sen. Warner. “During this time, the security of consumer devices and networks will be of heightened importance.”

He continued, “I request your attention and diligence to help protect the consumer devices you sell. Both new and older devices in use deserve protection from cybersecurity threats, including timely updates to mitigate vulnerabilities and exposures.”

As the COVID-19 outbreak continues to spread, and workplaces, schools, and businesses shut their doors as part of social distancing efforts, Americans are increasingly relying on their home networks and personal internet connectivity devices. However, without proper cybersecurity measures, these home devices can pose a risk to larger workplace systems, potentially creating a door for bad actors to infiltrate these networks. 

According to CNBC, cyberthreats – including phishing and other cyber scams – have increased amid the COVID-19 outbreak, as online criminals look to take advantage of home network vulnerabilities and stressed IT systems.

In the letters, Sen. Warner urged vendors to continue to issue timely security updates in order to mitigate known cybersecurity vulnerabilities. Additionally, he stressed the importance of having vendors notify consumers who may own devices that are no longer able to receive critical updates and are therefore no longer protected from cybersecurity threats.

Sen. Warner also highlighted his Internet of Things (IoT) Cybersecurity Improvement Act – a bipartisan bill he introduced last year that would improve the cybersecurity of Internet-of-Things devices and help ensure that vendors of key information technology products maintain coordinated vulnerability programs.

A full list of Sen. Warner’s work to protect Americans amid the COVID-19 outbreak is available here.

###

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH) and Mark Warner (D-VA) led a letter urging Secretary of State Mike Pompeo to continue to prioritize American leadership in talks about international standards for artificial intelligence, and to build an international coalition to preserve the integrity of international standards setting bodies. The letter responds to efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to advance and legitimize artificial intelligence-based technologies, such as facial recognition technologies, that have been used to oppress Uyghur Muslims. The United States must ensure that American values remain a part of the international conversation about artificial intelligence and facial recognition.

“We are writing to share our concerns regarding efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to internationalize standards for advanced surveillance technology. The evidence from Xinjiang Province of how artificial intelligence-based technologies, such as facial recognition technologies, are used to oppress Uyghur Muslims makes clear that standards setting bodies should not be used to advance or legitimize such practices. We urge you to continue to prioritize American leadership on this issue, and build an international coalition to preserve international standards setting bodies as technical economic fora,” wrote the senators.

Portman and Warner were joined in sending the letter by Senators Tom Cotton (R-AR), Richard Blumenthal (D-CT), Cory Gardner (D-CO), Chris Coons (D-DE), Steve Daines (R-MT), Chris Murphy (D-CT), Mike Braun (R-IN), Ed Markey (D-MA), John Cornyn (R-TX), Gary Peters (D-MI), Josh Hawley (R-MO), Jeanne Shaheen (D-NH), Marco Rubio (R-FL), Brian Schatz (D-HI), and Jacky Rosen (D-NV).

The full text of the letter to Secretary Pompeo can be found below and here.

Dear Secretary Pompeo,

Thank you for your efforts to draw attention to, and address, the ever growing number of concerns about totalitarian activities by the People’s Republic of China. We are writing to share our concerns regarding efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to internationalize standards for advanced surveillance technology. The evidence from Xinjiang Province of how artificial intelligence-based technologies, such as facial recognition technologies, are used to oppress Uyghur Muslims makes clear that standards setting bodies should not be used to advance or legitimize such practices. We urge you to continue to prioritize American leadership on this issue, and build an international coalition to preserve international standards setting bodies as technical economic fora.

International standards setting bodies are foundational to international trade and commerce. Without them, a litany of technical and logistical barriers to trade erected by different countries – with divergence on things as wide-ranging as food labeling, construction materials, and wireless communications standards – would balkanize our global economy. Thanks to American industry’s leadership, the United States has consistently set the bar for international standards setting. We believe it is vital for our economy, and foreign policy, to maintain that leadership.

Unfortunately, China has indicated a willingness to use standard setting bodies in perverse ways to normalize global opinions about Orwellian surveillance technology. By shaping the debate about the legitimate uses of artificial intelligence and facial recognition, China can expand opportunities for countries, particularly those in the developing world, to utilize Chinese surveillance technology. According to the Carnegie Endowment for International Peace, Chinese companies have supplied AI-based surveillance systems to 63 countries, including 36 of which are part of China’s Belt and Road Initiative. 

With respect to the Uyghurs, China is using technology in ways never seen before. China uses facial recognition to profile Uyghur individuals, classify them on the basis of their ethnicity, and single them out for tracking, mistreatment, and detention. The machine learning techniques used in Xinjiang Province, and throughout China, which are designed specifically, and intentionally, to classify people on the basis of physical traits harken back to troubling practices related to phrenology and eugenics. And these technologies are deployed in service of a dystopian vision for technology governance, that harnesses the economic benefits of the internet in the absence of political freedom and sees technology companies as instruments of state power.

As you know, China is currently working to use standards setting bodies to gain the imprimatur of international legitimacy and support across a range of emerging technologies. China’s censorship and surveillance technologies are the envy of autocratic regimes around the world, with China exporting both its technology and its technology governance vision to countries such as Venezuela, Ethiopia, Pakistan, Rwanda, Mongolia, and Zimbabwe. China’s efforts to steer standards setting bodies towards work in service of this anti-democratic vision for technology undermines the apolitical purposes standard setting bodies serve.

At the same time, we have seen our position as a global leader on technology issues weakened by a retreat of the United States from the global stage. The United States and its allies must build international support for rules and standards that address the internet’s potential for censorship and repression, presenting alternatives that explicitly embrace a free and open internet. To that end, we urge you to work closely with other countries to ensure China cannot use the ITU to advance its techno-nationalist agenda.

Some argue that China has an inherent advantage over the United States with respect to artificial intelligence because of China’s lax privacy standards and lack of respect for human rights—we disagree. We believe privacy and human rights protections are features, not bugs, of our democracy and our culture of innovation; they make America stronger, and more likely to win any “artificial intelligence race” going forward. Ultimately, technology is shaped by the norms of its development. Thank you for your consideration of our views on the intersection of human rights and artificial intelligence in China, and we look forward to working with you to ensure that American values remain part of the international conversation about artificial intelligence and facial recognition.

Sincerely,

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, stressed the importance of vulnerability disclosure programs, such as the one at the Department of Defense (DoD) that recently allowed a researcher to report malware that was actively exploiting a security misconfiguration on a DoD server. In a letter to the DoD’s Chief Information Officer, Sen. Warner highlighted his Internet of Things (IoT) Cybersecurity Improvement Act, noting that the piece of legislation would help advance similar coordinated vulnerability programs and work in conjunction with the procedures in place at DoD.

The bipartisan, bicameral legislation, which successfully passed through the Senate Homeland Security and Governmental Affairs Committee in June, would improve the cybersecurity of Internet-connected devices and require that devices purchased by the U.S. government meet certain minimum security requirements.

“This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies,” wrote Sen. Warner. “These programs are a crucial force multiplier for federal cybersecurity efforts. Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by DoD. Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and DoD systems.”

According to ZDNet, a security researcher searching for bots discovered that a DoD automation server running on an Amazon Web Services (AWS) cloud-computing platform was publicly accessible and did not require login credentials. Later on, the researcher discovered that the server had been compromised and was being used to mine cryptocurrency by a botnet.

In his letter, the Senator also emphasized the need to utilize proper cybersecurity measures and monitoring, including on commercial cloud-computing platforms and open source software, such as the server involved in the DoD incident.  

“I am hopeful that DoD will take the lessons from this incident seriously and reassess current processes as necessary. It is crucial to ensure that future incidents involving open vulnerabilities and improper access configurations that permit malware installation on federal information technology systems cannot reoccur, including on systems hosted by commercial cloud service providers,” he continued. “I also hope to continue to work with you on passing my legislation and continuing to push for strong, thoughtful, cybersecurity policies.”


A copy of the letter can be found here and below.

Dana Deasy

Chief Information Officer

U.S. Department of Defense

1300 Defense Pentagon

Washington, DC 20301-1300

Dear Mr. Deasy:

I write about some recently reported cybersecurity issues at DoD. In particular, I read about malware actively exploiting a security misconfiguration that was recently discovered on a Department of Defense (DoD) web server. From the current analysis and reporting of the incident, the malware was part of a botnet that apparently mined cryptocurrency using DoD resources and IT systems and raises broader cybersecurity concerns.

According to news reports, a security researcher first found the vulnerability on a DoD-managed cloud computing system exposed to the internet. The researcher then discovered that malware associated with mining Monero cryptocurrency was installed and operating on the same server. In January, once the security certificate identified the web server as an official DoD resource, the researcher reported the vulnerability and subsequent malware discovery under DoD’s official vulnerability disclosure program. 

This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies. These programs are a crucial force multiplier for federal cybersecurity efforts. Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by DoD. Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and DoD systems.

There is pending bipartisan, bicameral legislation that I have introduced which would ensure that vendors of key information technology products, such as Internet of Things devices, maintain coordinated vulnerability programs. This bill would serve as a complement to the procedures DoD already employs.

While the use of commercial cloud computing can be a cost effective method to deploy and manage information technology and services, the use of a cloud itself does not ensure cybersecurity. Rigorous cybersecurity defensive measures and monitoring remain crucial for systems, even when DoD resources are deployed on commercial cloud computing platforms. While open source software, such as the automation server employed in this incident, may be beneficial, it is also essential to monitor all software for vulnerabilities and ensure they are promptly mitigated. Likewise, continuous use of software requires an effective continuous monitoring process for addressing newly discovered vulnerabilities in the software. And perhaps most importantly in the shared security model of commercial cloud computing, ensuring safe and secure configurations related to access is a key concern. 

I am hopeful that DoD will take the lessons from this incident seriously and reassess current processes as necessary. It is crucial to ensure that future incidents involving open vulnerabilities and improper access configurations that permit malware installation on federal information technology systems cannot reoccur, including on systems hosted by commercial cloud service providers. I also hope to continue to work with you on passing my legislation and continuing to push for strong, thoughtful, cybersecurity policies.

As always, I appreciate your service in this important role.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement regarding the Iowa caucuses:

“As the Department of Homeland Security has said, there is no indication that the failures associated with the app from last night’s caucuses were the result of malicious cyber activity.

“But the continuing chaos in Iowa is illustrative of our overall failure to take sufficient steps to protect the integrity of our election systems.   

“We need to look holistically at protecting the security, integrity, and resiliency of election systems – from registration systems, to e-poll books, voting machines, tabulation machines, and election night reporting systems. As the Senate Intelligence Committee has repeatedly emphasized, paper ballots are the least vulnerable to cyberattack, and at a minimum, all voter machines should have a voter-verified paper trail. What happened in Iowa last night underscores the necessity of all these measures were election-night systems to face a devastating hack.

“But what we’ve also seen is that this chaos has created an environment where misinformation is now running rampant online, further undermining confidence in the democratic process. As we’ve seen in the past, foreign actors like Russia and China won’t hesitate to latch onto this kind of content in order to add to the domestic discord and distrust in our elections.

“As we get further into the 2020 primaries, what happened in Iowa is an early warning sign that Congress, local officials, and the social media platform companies have much more work to do to ensure the integrity of our elections.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement after the United Kingdom announced its decision to allow Chinese equipment provider Huawei to help build its 5G wireless network:

"I am disappointed by the UK’s decision today, especially since the security risks are so well understood. But under current circumstances, I remain committed to working with the UK and other key allies to build more diverse and secure telecommunication options that provide competitive alternatives to Huawei.  I have introduced legislation that seeks to accomplish that, including a Multilateral Telecommunications Security Fund, and hope the UK will commit to partnering on this effort in the coming months. It is critical that countries committed to building and maintaining secure networks come together. Current financial support by China for Huawei puts any Western alternative at a serious disadvantage.”

Sen. Warner, a former telecommunications entrepreneur, has been outspoken about the dangers of allowing the use of Huawei equipment in U.S. telecommunications infrastructure, and that of U.S. allies. Earlier this month, Sen. Warner and a bipartisan group of leading national security Senators introduced legislation to encourage and support U.S. innovation in the race for 5G, providing over $1 billion to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE. Last year, he and Sen. Marco Rubio (R-FL) warned the Trump Administration against using Huawei as a bargaining chip in trade negotiations, and urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in Canada’s 5G development, introduction and maintenance.

###


WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), co-chair of the bipartisan Senate Cybersecurity Caucus, urged the Defense Health Agency to remove sensitive medical data belonging to servicemembers exposed online, where it remains vulnerable due to insecure data practices at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” wrote Sen. Warner. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others.”

He continued, “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices.”

In September 2019, Sen. Warner sought answers from TridentUSA Health Services regarding reports that many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. Following that letter, the images were removed but millions of records were left online. Nearly two months later, Sen. Warner called out the U.S. Department of Health and Human Services (HHS) for its failure to act following the exposure.

Since the letter to HHS, 16 systems, 31 million images and 1.5 million exam records have been removed from the internet. However, a significant amount of personally identifiable and sensitive medical information belonging to servicemembers remains online, due to unsecured Army PACS.

In his letter to the Assistant Secretary, Sen. Warner asked the agency to remediate the situation immediately and posed the following questions for Assistant Secretary Thomas McCaffery:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.  

A copy of the letter can be found here and below.


Mr. Thomas McCaffery

Assistant Secretary of Defense for Health Affairs

Defense Health Agency

7700 Arlington Boulevard

Falls Church, VA 22042

Dear Mr. McCaffery,

As the healthcare sector becomes increasingly reliant on technology to deliver essential services to patients, it also faces rising threats from malicious actors that seek to compromise the personally identifiable and other sensitive information of Americans. As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans. It is with great alarm that I recently learned that unsecured Picture and Archiving Servers (PACS) at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have left personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find.

Following a report in September of 2019 highlighting the exposure of sensitive medical images belonging to millions of Americans through unsecured PACS, I wrote letters to two healthcare entities that controlled the PACS, and those images were removed. However, millions of records remained online. The following month, I wrote to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the remaining exposure of the personally identifiable information belonging to 6 million American patients. Since that letter, 16 systems, 31 million images and 1.5 million exam records were removed from the internet. However, I recently learned that a significant number of medical records belonging to servicemembers remain online. This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses; this itself should have triggered alarms by the hospital information security systems.

The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others. We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices. To better understand how this happened, I would like information about your organization’s oversight of the information security practices at military hospitals, particularly at Ft. Belvoir Medical Center and Womack Army Medical Center.

I ask that you immediately remediate this situation, and remove the vulnerable PACS from open access to the internet. To understand how these records have been exposed and accessed repeatedly by a German IP address, please also answer the following questions:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.

Given the gravity of this issue, I would appreciate a response within two weeks.

Sincerely,

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, voiced deep concerns with the ability of the U.S. Department of State to address the surge of offensive cyber activity by Iran. In a letter, which comes on the heels of a U.S. airstrike that killed Iranian general Qassem Soleimani, Sen. Warner notes Iran’s growing cybersecurity capabilities and presses Secretary Mike Pompeo for answers on how the Department plans to defend its information security systems in light of its long history of information breaches.

“The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns,” wrote Sen. Warner. “These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering.”

As recently as 2018, the Department of Justice indicted two Iranian individuals who conducted a 34-month-long international scheme, in which they used ransomware to extort hospitals, municipalities and public institutions, causing $30 million in losses.

In his letter, Sen. Warner cites two separate reports by the Department of State’s Office of the Inspector General (OIG) that detail a number of cybersecurity risks presented by the structure of the Department of State and by hiring freezes affecting the department. These risks include a diminished ability to respond to malicious cyber activity targeting personnel and information assets due to the hiring freeze, as well as a lack of cybersecurity oversight resulting in unauthorized and misconfigured network devices compromising the Department’s sensitive network.

“The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990’s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers,” wrote Sen. Warner. “In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors.”

Noting the Department of State’s cybersecurity vulnerabilities and the risks of Iran carrying out cyberattacks with disruptive effects, Sen. Warner posed the following questions for Secretary Pompeo, requesting an answer by January 31st:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up-to-date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?

Earlier this month, Sen. Warner cautioned the Trump Administration on the dangers of escalating tensions with Iran and urged the Administration to prepare for the long-term potential consequences of targeting Soleimani.

A copy of the letter can be found here and below.


The Honorable Mike Pompeo

Secretary of State

U.S. Department of State

2201 C Street NW

Washington, DC 20520

Dear Secretary Pompeo:

As tensions between the United States and Iran rise, and the risks of Iran carrying out cyberattacks with “disruptive effects” grow, I write to express my deep concern about the State Department’s ability to defend its information security systems and that of our embassies around the world, and request a plan for how you will bolster these systems. 

The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns. These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering. Iran’s threat group APT33 has been linked to notorious disk-wiping malware including SHAMOON and SHAPESHIFT (which attacked industrial systems across the Middle East and in Europe). As recently as 2018, the Department of Justice indicted two Iranian men for deploying ransomware to extort hospitals, municipalities, and public institutions, causing over $30 million in losses. 

In August 2019, the Department of State’s Office of Inspector General (OIG) issued a report on the effects of the hiring freeze on the State Department, finding in particular, serious impacts on the cybersecurity functions of the Department. The IG found the following:

The bureau was unable to fill two Senior Executive Service positions responsible for cybersecurity, which it said delayed implementing an enterprise risk management program for IT systems. The DS [Bureau of Diplomatic Security] Computer and Technical Security Directorate reported that staffing shortfalls hampered its ability to develop tools and procedures to react and respond to malicious cyber activity targeting Department personnel and information assets. DS also reported delays in conducting penetration testing of Department networks and providing IT security support for integrating cybersecurity for new and existing systems, which they attributed, in part, to the hiring freeze.

That IG report followed a 2017 report by the State Department OIG that noted a number of cybersecurity risks presented by the structure of the State Department. The report noted that the Chief Information Security Officer was not well placed to be held fully accountable for State Department cybersecurity issues, and highlighted an incident in Guatemala City where unauthorized and misconfigured network devices compromised the Department’s sensitive network.

The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers. In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors. In March 2019, a State Department contractor was convicted of theft and embezzlement of 16 computers from your organization.

Given Iran’s technical capabilities and threats to retaliate, as well as the State Department’s systemic organizational and functional problems addressing cybersecurity vulnerabilities, I ask you to answer the following questions on how the State Department will address a surge of offensive cyber activity by Iran:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management, who reports to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just with the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up-to-date on your information security audits? Does the State Department, at the very least, conduct routine scanning and patching, and utilize multifactor authentication?

I would appreciate your answers by January 31, 2020.

Sincerely,

###

WASHINGTON – Today, a bipartisan group of leading national security Senators introduced legislation to encourage and support U.S. innovation in the race for 5G, providing over $1 billion to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE.  

Heavily subsidized by the Chinese government, Huawei is poised to become the leading commercial provider of 5G, with far-reaching effects for U.S. economic and national security. With close ties to the Communist Party of China, Chinese state-directed technology companies present unacceptable risks to our national security and to the integrity of information networks globally. However, U.S. efforts to convince foreign partners to ban Huawei from their networks have stalled amid concerns about a lack of viable, affordable alternatives.

Today’s bipartisan legislation, the Utilizing Strategic Allied (USA) Telecommunications Act, would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end.

“Every month that the U.S. does nothing, Huawei stands poised to become the cheapest, fastest, most ubiquitous global provider of 5G, while U.S. and Western companies and workers lose out on market share and jobs. Widespread adoption of 5G technology has the potential to unleash sweeping effects for the future of internet-connected devices, individual data security, and national security. It is imperative that Congress address the complex security and competitiveness challenges that Chinese-directed telecommunication companies pose,” said Sen. Mark R. Warner (D-VA), who co-founded the wireless company Nextel before entering public service and currently serves as Vice Chairman of the Senate Select Committee on Intelligence. “We need to move beyond observing the problem to providing alternatives for U.S. and foreign network operators.”

“When it comes to 5G technology, the decisions we make today will be felt for decades to come. The widespread adoption of 5G has the potential to transform the way we do business, but also carries significant national security risks. Those risks could prove disastrous if Huawei, a company that operates at the behest of the Chinese government, military, and intelligence services, is allowed to take over the 5G market unchecked. This legislation will help maintain America’s competitive advantage and protect our national security by encouraging Western competitors to develop innovative, affordable, and secure 5G alternatives,” said Sen. Richard Burr (R-NC), Chairman of the Senate Select Committee on Intelligence.

“The Trump Administration’s lecturing of our allies about the dangers of relying on the Chinese for 5G is no replacement for the development of 5G alternatives,” said Sen. Bob Menendez (D-NJ), Ranking Member of the Senate Foreign Relations Committee. “This bill, which will supply the U.S. government with resources to help the private sector create viable 5G alternatives from all ends of the supply chain, is a long overdue step in the right direction. As I’ve said over and over again, confronting China is not the same as being competitive with China. It is time we do just that.”

“We are at a critical point in history for defining the future of the U.S.-China relationship in the 21st century, and we cannot allow Chinese state-directed telecommunications companies to surpass American competitors,” Sen. Marco Rubio (R-FL), a member of the Senate Intelligence and Foreign Relations Committees, said. “It is not only in our national security interests to support American competition in the 5G market, but it is also in our economic interests to continue to build and support an economy that leverages American strengths and creates American jobs in the industries of the future without relying on malign Chinese state-directed actors like Huawei and ZTE.”

“We should not accept a world that is forced to rely on Chinese telecommunication companies to unlock the benefits of 5G and next generation wireless technologies,” said Sen. Michael Bennet (D-CO), a member of the Senate Intelligence Committee. “It is imperative for America’s competitiveness and security that we develop alternatives for U.S. and foreign network operators. This $1 billion investment will send a strong, bipartisan signal that the United States is committed to developing viable, secure, and cutting-edge alternatives to China’s 5G technology while eliminating dependence on technology that poses real security threats.”

“5G technology presents a host of opportunities to transform American telecommunications,” Sen. John Cornyn (R-TX), a member of the Senate Intelligence Committee, said. “By helping to spur innovations in 5G, we can inoculate ourselves against the threat posed by China and encourage the development of technology that is secure, affordable, and economically beneficial to our allies.”

The Utilizing Strategic Allied (USA) Telecommunications Act would:

  • Require the Federal Communications Commission (FCC) to direct at least $750 million, or up to 5 percent of annual auction proceeds, from new auctioned spectrum licenses to create an O-RAN R&D Fund to spur movement towards open-architecture, software-based wireless technologies, funding innovative, ‘leap-ahead’ technologies in the U.S. mobile broadband market. The fund would be managed by the National Telecommunications and Information Administration (NTIA), with input from the FCC, Defense Advanced Research Project Agency (DARPA), and National Institute of Standards and Technology (NIST), among others;
  • Create a $500 million Multilateral Telecommunications Security Fund, working with our foreign partners, available for 10 years to accelerate the adoption of trusted and secure equipment globally and to encourage multilateral participation, and require reports for Congress on use of proceeds and progress against goals to ensure ample oversight;
  • Create a transition plan for the purchase of new equipment by carriers that will be forward-compatible with forthcoming O-RAN equipment so small and rural carriers are not left behind;
  • Increase U.S. leadership in International Standards Setting Bodies (ISSBs) by encouraging greater U.S. participation in global and regional telecommunications standards forums and requiring the FCC to write a report to Congress with specific recommendations;
  • Expand market opportunities for suppliers and promote economies of scale for equipment and devices by encouraging the FCC to harmonize new commercial spectrum allocations with partners where possible, thus promoting greater alignment with allies and driving down the cost of Huawei alternatives.

“VMware is very supportive of the Utilizing Strategic Allied (USA) Telecommunications Act. Moving towards an open, virtualized RAN infrastructure will speed up 5G network integration and rollout, while decreasing deployment costs. We thank Senator Warner for his approach, which will foster U.S.-led innovation in the mobile technology space and give carriers more secure options to buildout our next-generation wireless infrastructure,” said Allwyn Sequeira, SVP & GM of Telco Edge Cloud Products for VMware.

“The security of America's communications networks is an essential component in ensuring our nation's economic leadership, now and in the future. It requires all of us – the industry, the government and those who live and work here – collaborating on efforts to build and maintain smart and secure communications. Verizon appreciates the forward-thinking, bipartisan Members of Congress that introduced this bill today. We look forward to working with Congress as we move forward with this important measure,” said Robert Fisher, SVP Federal Government Relations, Verizon.

“AT&T applauds Senator Warner, Senator Burr and the bipartisan group of cosponsors for introducing legislation that will promote the development and deployment of open standards-based advanced telecommunications networks.  We look forward to working with Congress through the legislative process to see this measure enacted,” said Tim McKone, Executive Vice President, Federal Relations, AT&T.

“Juniper Networks supports the ‘USA Telecommunications Act’ introduced by Senator Mark Warner, Senator Richard Burr and the bipartisan group of original cosponsors. The development of open standards and deployment of open standards-based interoperable equipment are crucial to the building of secure 5G networks. The Trust Funds that the Warner-Burr bill proposes would boost R&D spending as well as U.S. leadership in 5G. We look forward to working with Congress and the Administration to get this bill enacted into law and implemented,” said Manoj Leelanivas, Executive Vice President and Chief Product Officer, Juniper Networks.

Bill text is available here.

###


WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), the bipartisan co-chairs of the Senate Cybersecurity Caucus, issued a statement after convening a classified briefing with Senators and Chris Krebs, Director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), to discuss the growing threat posed by ransomware attacks:

“The continued prevalence of ransomware should really capture our attention. It’s costly, devastatingly high-impact, growing, and, in most cases, easily preventable with basic responsible cybersecurity practices.

“Ransomware and its destructive cousin wiperware are designed to inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions. While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States.

“We are glad our colleagues in the Senate Cybersecurity Caucus could join Director Krebs for this much-needed conversation about ways Congress and the federal government can better address this important issue.”

###

WASHINGTON – Today, the bipartisan leadership of several key Senate committees urged President Trump’s national security adviser to designate a senior coordinator dedicated to leading the nation’s effort to develop and deploy next-generation communications technologies. In a letter to Robert O’Brien, who was appointed as national security adviser in September, the top Republican and Democratic Senators on the Senate Select Committee on Intelligence, the Senate Homeland Security and Governmental Affairs Committee, the Senate Foreign Relations Committee and the Senate Armed Services Committee stressed the urgent need for the Trump administration to develop a national strategy for 5G, and to prioritize across government agencies the nation’s effort to develop and deploy the technology. 

“While we appreciate the progress being made within and across departments and agencies, we are concerned that their respective approaches are not informed by a coherent national strategy. In our view, the current national level approach to 5G comprises a dispersed coalition of common concern, rather than a coordinated, interagency activity. Without a national strategy, facilitated by a common understanding of the geopolitical and technical impact of 5G and future telecommunications advancements, we expect each agency will continue to operate within its own mandate, rather than identifying national authority and policy deficiencies that do not neatly fall into a single department or agency. This fractured approach will not be sufficient to rise to the challenge the country faces. We hope that you, as the new National Security Adviser, will make this issue a top priority. We would further urge you to designate a dedicated, senior individual focused solely on coordinating and leading the nation’s effort to develop and deploy future telecommunications technologies. We believe that having a senior leader would position the United States to lead on telecommunications advancements, ensure the United States is appropriately postured against this strategic threat, and demonstrate to our allies the seriousness with which the nation considers the issue,” wrote Sens. Mark R. Warner (D-VA) and Richard Burr (R-NC), the Vice Chairman and Chairman of the Intelligence Committee; Sens. Ron Johnson (R-WI) and Gary Peters (D-MI), the Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee; Sens. Jim Risch (R-ID) and Bob Menendez (D-NJ), the Chairman and Ranking Member of the Foreign Relations Committee; and Sens. Jim Inhofe (R-OK) and Jack Reed (D-RI), the Chairman and Ranking Member of the Armed Services Committee.

The Senators stressed the dangers of allowing China to continue to lead the development of 5G technology. Maintaining White House focus on 5G is especially important in light of last week’s decision to eliminate the emerging technologies directorate at the National Security Council. 

“While the United States has led in the development and deployment of previous telecommunications evolutions, 5G represents the first evolutionary step for which an authoritarian nation leads the marketplace for telecommunications solutions. China’s leadership, combined with the United States’ increased reliance on high-speed, reliable telecommunications services to facilitate both commerce and defense, poses a strategic risk for the country. We cannot rely exclusively on defensive measures to solve or mitigate the issue, but rather we must shape the future of advanced telecommunications technology by supporting domestic innovation through meaningful investments, leveraging existing areas of U.S. strength, and bringing together like-minded allies and private sector expertise through a sustained effort over the course of decades, not months. A challenge of this magnitude requires a more ambitious response than traditional agency processes can support,” wrote the Senators.

A copy of the letter is available here. 

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programming interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HHS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


The Honorable Alex M. Azar II

Department of Health and Human Services

Office of the Secretary

200 Independence Avenue, S.W.

Washington, D.C. 20201


Dear Secretary Azar:

I am writing regarding the proposed rule from the Centers for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.

Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Sections 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; they stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.

In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.

I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.

Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.

As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Thank you for your consideration and your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen the rule and ensure it achieves its intended purpose. It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, today raised concern with the U.S. Department of Health and Human Services (HHS)’s failure to act, following a mass exposure of sensitive medical images and information by health organizations. In a letter to the HHS Director of the Office for Civil Rights, Sen. Warner identified this exposure as damaging to individual and national security, as this kind of information can be used to target individuals and to spread malware across organizations.

“I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it,” wrote Sen. Warner. “As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”

“These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization,” he continued. “In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected.”

On September 17th, a report revealed that millions of Americans had their private medical images exposed online, due to unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. Along with the medical images, these PACS also exposed the names and social security numbers of those affected, leaving this information open to anyone with basic computer expertise, as the servers required no authentication to access or download it.
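The DICOM flaw the quoted letter refers to rests on the file format itself: a DICOM Part 10 file opens with a 128-byte preamble whose content the standard leaves unconstrained, followed by the four-byte magic "DICM" at offset 128. DICOM readers skip the preamble, so a second format's header placed there (a DOS/PE "MZ" stub, for instance) yields a file that is simultaneously a valid scan and something else. The Python below is an added example written for this page, not code from the senator's office, from the researchers, or from any PACS product; it constructs a minimal stand-in DICOM file (the MZ stub is not a working executable), and the list of foreign headers it looks for is an assumption. It shows that a DICOM parser reads the polyglot exactly as it reads the benign file, flags the foreign header, and neutralises it on ingest by zeroing the preamble.

```python
import struct

PREAMBLE_LEN = 128                        # DICOM Part 10: 128-byte preamble, content unconstrained
DICM_MAGIC = b"DICM"                      # 4-byte magic that follows the preamble
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"   # Transfer Syntax UID used for the sample file meta

# Headers an attacker might plant in the preamble (assumed, non-exhaustive list).
SUSPICIOUS_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "shebang script",
    b"PK\x03\x04": "ZIP/JAR archive",
    b"%PDF": "PDF document",
}

def make_dicom(preamble: bytes) -> bytes:
    """Construct a minimal DICOM Part 10 byte string: preamble, DICM magic, and one
    file-meta element (0002,0010) Transfer Syntax UID in explicit VR little endian."""
    assert len(preamble) == PREAMBLE_LEN
    value = EXPLICIT_VR_LE + (b"\x00" if len(EXPLICIT_VR_LE) % 2 else b"")  # even-length padding
    element = struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(value)) + value
    return preamble + DICM_MAGIC + element

def is_dicom(data: bytes) -> bool:
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC

def first_meta_element(data: bytes):
    """Parse the first explicit-VR element after the magic. A DICOM reader never
    looks at the preamble, which is why a polyglot still parses as a valid scan."""
    off = PREAMBLE_LEN + 4
    group, elem = struct.unpack_from("<HH", data, off)
    vr = data[off + 4:off + 6].decode("ascii")
    (length,) = struct.unpack_from("<H", data, off + 6)
    value = data[off + 8:off + 8 + length].rstrip(b"\x00").decode("ascii")
    return group, elem, vr, value

def inspect_preamble(data: bytes) -> dict:
    """Classify a file's preamble: 'clean' (all zero), 'polyglot' (known foreign
    header), or 'suspicious' (non-zero content of unknown type; the standard allows
    e.g. a TIFF dual-format header here, so it is flagged for review, not rejected)."""
    if not is_dicom(data):
        return {"dicom": False, "verdict": "not-dicom", "reason": "no DICM magic at offset 128"}
    preamble = data[:PREAMBLE_LEN]
    if preamble == bytes(PREAMBLE_LEN):
        return {"dicom": True, "verdict": "clean", "reason": "preamble is all zero"}
    for magic, name in SUSPICIOUS_MAGIC.items():
        if preamble.startswith(magic):
            return {"dicom": True, "verdict": "polyglot", "reason": f"preamble carries a {name} header"}
    return {"dicom": True, "verdict": "suspicious", "reason": "non-zero preamble of unknown type"}

def sanitize(data: bytes) -> bytes:
    """Neutralise a preamble polyglot on ingest by zeroing the preamble. Everything
    from offset 128 on (the actual data set) is untouched, so the scan stays readable."""
    if not is_dicom(data):
        raise ValueError("not a DICOM Part 10 file")
    return bytes(PREAMBLE_LEN) + data[PREAMBLE_LEN:]

# Constructed samples: a benign file, and a polyglot whose preamble opens with a DOS
# "MZ" stub whose e_lfanew pointer (offset 0x3c) points past the preamble, the layout
# used to hide a PE image inside a DICOM file. The stub is not a working executable.
BENIGN = make_dicom(bytes(PREAMBLE_LEN))
_mz_stub = b"MZ" + b"\x90" * (0x3C - 2) + struct.pack("<I", 0x200)
POLYGLOT = make_dicom(_mz_stub + b"\x00" * (PREAMBLE_LEN - len(_mz_stub)))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("polyglot", POLYGLOT)):
        print(name, inspect_preamble(sample), first_meta_element(sample))
    print("sanitized", inspect_preamble(sanitize(POLYGLOT)))
```

Zeroing the preamble is the cheap ingest-side mitigation: it breaks the foreign format without touching the image, and any non-zero preamble that is not a known dual-format header (such as TIFF) is worth logging and reviewing rather than silently accepting.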

This exposure was uncovered by German researchers, who contacted the German Federal Office for Information Security (BSI). BSI then alerted the United States Computer Emergency Readiness Team (US-CERT), which confirmed the exposure and reached out to HHS. However, if it received this information, HHS has failed to act on it, even failing to list TridentUSA Health Services – one of the main companies responsible for the exposure – on its breach portal website.

In his letter to Director Roger Severino, Sen. Warner also raised alarm with the fact that TridentUSA Health Services successfully completed an HHS Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audit in March 2019, while patient images were actively accessible online.

Sen. Warner also posed the following questions for HHS regarding the incident, and its current cybersecurity requirements and procedures:

  1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
     a. If so, what actions were taken to address the issue?
  2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
     a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
  3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
  4. Please describe your information security audit process.
  5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In September, Sen. Warner wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


Mr. Roger Severino

Director, Office for Civil Rights

Department of Health and Human Services

200 Independence Ave SW

Washington, DC 20201

Dear Director Severino,

As the health care industry increasingly harnesses internet connectivity and software, including machine learning systems, to improve patient care, a long overdue focus on data privacy and information security has come into sharper focus. This is particularly evident in light of reports that sensitive medical records of potentially millions of Americans were recently exposed online – and that your agency has done little to address this issue. Prompting even greater concern, one of the companies that left the data exposed online also successfully completed one of your Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audits in March. I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it. As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients, without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.

On September 17th ProPublica published a shocking report that the sensitive medical images of millions of American patients were exposed online through unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in Medicine (DICOM) protocol. The publicly-accessible information that had been accessed from Germany included MRIs, X-rays, and CT scans, as well as names and social security numbers of the patients. The 13.7 million images found on the internet required absolutely no authentication to access or download. As of writing this letter, there are 779 million image records attached to 21.6 million patient records, impacting an estimated 5 million patients in 22 states. The largest system accessed holds 61 million diagnostic images attached to 1.23 million exam records of American patients and remains available on the internet.

In late August, German researchers initiated an investigation to determine the global accessibility and remote access capabilities of PACS. On September 9th, the researchers concluded their two week inquiry and submitted their findings to the German Federal Office for Information Security (BSI). By September 17th, BSI had addressed the affected systems which were removed from the internet prior to the publishing of the ProPublica report.

After US-CERT was notified of the problem by BSI, US-CERT contacted the German researchers at Greenbone Networks, confirming they received the data on September 20th. US-CERT stated the agency would convey the information to the U.S. Department of Health and Human Services (HHS). According to the researchers, however, there has been no further communication from US-CERT or HHS, even though data privacy authorities from other countries like France and the UK contacted Greenbone Networks following the publication of ProPublica’s report.

On September 23rd, I wrote to TridentUSA Health Services expressing my concern regarding the issues raised in the ProPublica report, and pointed out that MobileXUSA, a TridentUSA Health Services affiliate, was identified as controlling one of the unsecured PACS. On October 15th, the German researchers demonstrated to my office that a number of US-based PACS have open ports, supporting unencrypted communications protocols, exposing images like chest X-rays and mammograms to the internet, along with identifying details like names and social security numbers. Those images and medical records continue to be accessible.

These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected. The researchers who discovered the flaw in the DICOM protocol were able to use a polyglot file, which can contain more than one stream of data with different file formats, and hide the malicious code in the scan. In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.

In their response to my letter, TridentUSA Health Services noted that they successfully completed the Department of Health and Human Services audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online.

While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way.

To understand how such an enormous oversight in your organization has allowed medical companies to leave insecure ports open to the internet and accessed repeatedly by a German IP address, I ask that you answer the following questions:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
   a. If so, what actions were taken to address the issue?
2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
   a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
4. Please describe your information security audit process.
5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private. I hope that you will share what immediate actions you are taking, along with answering the questions above. I look forward to hearing your response no later than November 18, 2019.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the CEO of TridentUSA Health Services today to ask about the company’s data security practices as they relate to Health Insurance Portability and Accountability Act (HIPAA) compliance. The letter comes in light of a report that MobileXUSA – an affiliate of TridentUSA Health Services – left an unencrypted server online, exposing the medical data of millions of Americans.

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required,” wrote Sen. Warner. “While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.”

According to recent reports, many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. As part of the report, researchers identified 187 servers in the U.S. – including that of MobileXUSA – that were unprotected by passwords or basic security precautions.

In the letter to TridentUSA Health Services, Sen. Warner stressed the importance of protecting Americans’ privacy and personal health information. He also posed the following questions for TridentUSA Health Services:

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PACS server vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that have led to the compromise of Americans’ personal information. Last week, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.


Andrei Soran, CEO

TridentUSA Health Services

930 Ridgebrook Rd.

Sparks Glencoe, MD 21152

Dear Mr. Soran,

It has come to my attention that one of your affiliated companies, MobileXUSA, recently left an unencrypted server online, exposing sensitive medical images and health data of Americans. According to recent reporting, researchers found 13.7 million data sets and 303.1 million images in medical image storage systems have been freely accessible online with no authentication requirements to access or download the images. This left the MRIs, X-rays, and CT scans of millions of Americans exposed on the internet, not because of a breach, but simply because they were stored on 187 unprotected picture archiving and communication servers (PACS) including yours. Additionally, along with the sensitive medical images, according to the research, your server displayed the names of more than a million patients.

My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the health care space for a long time. Cybersecurity risks within the health care sector represent a growing threat, with 285 breaches reported between January and June of this year.  According to one report, there has been at least one healthcare-related data breach a day since 2016.  Just recently, the Senate Cybersecurity Caucus, of which I am a co-founder, convened a briefing that focused on healthcare and cybersecurity, particularly on the security of healthcare records which further highlighted the need for more robust cyber hygiene practices, and possibly additional standards.

It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.

To better understand how exactly millions of private medical scans were left open on the internet, I would appreciate your answers to the following questions:  

  1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
  2. PACS server vulnerabilities are well known; however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls?
  3. What are your identity and access management controls for IP-addresses and/or port filters?
  4. Do you require VPN or SSL to communicate with your PACS?
  5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
  6. What are your server encryption practices?
  7. Do you have an internal security team or do you outsource it?

It is critical that the privacy of the individual – including their personal health information – is appropriately protected. I look forward to hearing your response by October 9th, 2019. Any further questions can be directed to Leisel Bogan in my office at Leisel_Bogan@warner.senate.gov

Sincerely,

###


WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and former tech entrepreneur, wrote to U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate but alarming incidents that impacted both entities and exposed Americans’ personal, permanently identifiable data. In a letter to CBP, Sen. Warner inquired about the information security practices of CBP contractors, in light of a June cyberattack that resulted in the theft of tens of thousands of facial images belonging to U.S. travelers. In a separate letter, Sen. Warner requested more information from Suprema HQ, the company that owns web-based biometric lock system, Biostar 2, which experienced a cyber incident in August, resulting in the exposure of permanently identifiable biometric data belonging to at least one million people worldwide.

“While all of the stolen information was sensitive and required protection, facial image data is especially sensitive, since such permanent personal information cannot be replaced like a password or a license plate number,” wrote Sen. Warner to Acting CBP Commissioner Mark Morgan.  “It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data. Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.”

In June, CBP announced the theft of at least 100,000 traveler ID photos from a CBP subcontractor that had improperly transferred copies of these photos from CBP servers to its own company database. In addition to facial images, the cyberattack resulted in the theft of several gigabytes of data, including license plate photos, confidential agreements, hardware blueprints for security systems, and budget spreadsheets.

In the letter to CBP, Sen. Warner expressed alarm regarding the failure of federal agencies to ensure that Americans’ sensitive information is safe in the hands of contractors. He also asked CBP to provide timely answers to a series of questions regarding the information security practices of CBP contractors and subcontractors. Among these questions, Sen. Warner requested details on CBP’s third-party contractual requirements concerning database encryption, biometric data management, vulnerability management, logging data retention, and identity and access management, among other security measures.

Similarly, in his letter to Suprema HQ, Sen. Warner raised concerns about the Biostar 2 incident, which exposed permanently identifiable biometric data, including user photos.

“Unlike passwords, email addresses and phone numbers, biometric information in voices, fingerprints, and eyes are unique data that are impossible to reset. Biometric data can be used effectively for unauthorized surveillance and access to secure facilities, to steal identities, and is even valuable in developing deepfake technologies,” wrote Sen. Warner to Suprema HQ CEO James Lee. “It is my understanding that your customers use your biometric security system to provide access to secure facilities, and that the product has also been integrated into Nedap’s AEOS access control systems, which are used by at least 5,700 organizations in 83 countries, including banks and foreign law enforcement entities.  Given the sensitivity of this information, it is absolutely critical that companies like yours exercise exceptional due care when collecting and securing biometric information, and when contracting with customers that collect permanent personal information.”

The Biostar 2 breach resulted in the online exposure of more than one million fingerprint records, in addition to user images, personal details, usernames and passwords, and employee security clearances. The breach also revealed that large portions of the Biostar 2 database were unprotected and unencrypted. In the letter, Sen. Warner asked Suprema HQ to list which U.S. businesses are served by the company. He also requested more information on the company’s practices regarding server security, biometric data storage security, and database encryption.

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In May, Sen. Warner introduced bold legislation to hold credit reporting agencies accountable for data breaches. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

###

Washington, D.C. – Citing the vital need for a secure U.S. industrial base, U.S. Senators Mike Crapo (R-Idaho) and Mark Warner (D-Virginia) have introduced bipartisan legislation to guard against attempts by the People’s Republic of China and others to undermine U.S. national security by exploiting and penetrating U.S. supply chains.  The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act (S. 2316) would develop a national strategy to assess and prevent risks to critical U.S. technologies. 

“Actions by the People’s Republic of China have contributed to an unfair and unsafe advantage in its technological race against the United States,” said Senator Crapo.  “Through government investments and subsidies, as well as intellectual property theft of companies like Idaho’s Micron, China aims to dominate a $1.5 trillion electronics industry, which creates serious, far-reaching threats to the supply chains that support the U.S. government and military.  The MICROCHIPS Act would create a coordinated whole-of-government approach to identify and prevent these efforts and others aimed at undermining or interrupting the timely and secure provision of dual-use technologies vital to our national security.”

“While there is a broad recognition of the threats to our supply chain posed by China, we still lack a coordinated, whole-of-government strategy to defend ourselves,” said Senator Warner.  “As a result, U.S. companies lose billions of dollars to intellectual property theft every year, and counterfeit and compromised electronics in U.S. military, government and critical civilian platforms give China potential backdoors to compromise these systems. We need a national strategy to unify efforts across the government to protect our supply chain and our national security.”

Chinese companies export telecommunications equipment that ends up in software, hardware, and services used in the United States, and hope to export fifth generation (5G) technology to the U.S. that could potentially expose both consumer and U.S. military information. Malicious chips or counterfeit parts could create backdoors enabling the monitoring or stealing of consumer data or cause broader system malfunctions. Even with high investments in cybersecurity, the United States remains vulnerable to advanced cyber attackers like Russia and China. A 2018 Government Accountability Office report stated that, despite multiple warnings since the early 1990s, cybersecurity has not been a focus of weapon systems acquisitions within the military community. The Department of Defense’s (DOD) continued acquisition of weapons systems without making security a key priority could potentially lead to loss of U.S. intellectual property and of the technological advantage of the U.S. Armed Forces, contribute to unnecessary risks to human life, and interfere with the ability of the Armed Forces to execute their missions.

The MICROCHIPS Act would address China’s practice of four major non-kinetic areas of warfare, including supply chain exploitation through supplying faulty software, hardware and components; cyber-physical attacks on U.S. systems with real-time operating deadlines, such as missiles, aircraft and electrical grids; cyber-attacks on computer systems; and bad actors gaining sensitive information. S. 2316 contains four sections with the following main components:

  • Summarizes key findings of Congress regarding supply chain security;
  • Directs the Director of National Intelligence, DOD and other relevant agencies to develop a plan to increase supply chain intelligence within 180 days;
  • Establishes a National Supply Chain Security Center within the Office of the Director of National Intelligence to collect supply chain threat information and disseminate it to agencies with the authority to intervene; and
  • Makes funds available under the Defense Production Act for federal supply chain security enhancements.

Section two of the bill was included in the House-passed version of the Intelligence Authorization Act, and the Senate adopted section four of the bill through its version of the National Defense Authorization Act.

A copy of the bill text is available HERE, and a one-page summary of the legislation is available HERE.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee, issued the following statement after regulators and the credit bureau Equifax reached a $700 million settlement over a 2017 data breach that compromised the personal information of more than 145 million Americans:

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner is the leading sponsor along with Sen. Elizabeth Warren (D-MA) of legislation that would hold Equifax and other credit reporting agencies (CRAs) accountable for data breaches. The Data Breach Prevention and Compensation Act would provide robust compensation to consumers for stolen data, impose mandatory penalties on CRAs for data breaches, and give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs. Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information.

Companion legislation is sponsored in the House of Representatives by Reps. Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL).

###

WASHINGTON – Today the Senate Homeland Security and Governmental Affairs Committee advanced bipartisan legislation written by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-founders of the Senate Cybersecurity Caucus, to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. The bill now awaits consideration in the full Senate.

“While I’m excited about their life-changing potential, many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “Today the Committee took an important step forward to proactively address the risks posed by improperly secured IoT devices, by using the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

“I was pleased to see further action in the Senate on this important bill and I look forward to it being swiftly signed into law. The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts.”

Last week, the House of Representatives Committee on Oversight and Reform advanced companion legislation sponsored by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

“This is an essential and bipartisan step toward improving our cybersecurity. We simply cannot allow IoT devices to become a backdoor for hackers and cybercriminals,” said Rep. Kelly. “With the House and Senate taking action, Congress is signaling that it’s past time to address the issue of unsecure devices on federal networks.”

“Every single minute of every single day, hackers are trying to steal Americans’ information. From credit card numbers, to social security numbers, our personal information is targeted by bad actors around the globe. Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought,” said Rep. Hurd. “I applaud Sens. Warner and Gardner for their hard work on moving this important, bipartisan cybersecurity bill forward in the Senate, and I’ll continue to work with Rep. Kelly and my colleagues in the House to bring this bill to the House floor.”

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 as passed out of Committee today would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with the vendor for remediation.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) has introduced several amendments to the annual defense authorization bill, including one that would build on his legislation, the Ensuring Safe Housing for Our Military Act, most of which was included in the base text, by adding additional measures to improve privatized military housing.

Following reports of health hazards in privatized military housing in bases across the Commonwealth and the country, Sen. Warner has advocated on behalf of servicemembers and their families, and recently introduced an amendment to establish an advisory group to help the Department of Defense strengthen accountability and oversight in military housing. The amendment was offered in the FY20 National Defense Authorization Act (NDAA), the legislative vehicle that provides support for our servicemembers and sets the national security priorities for the United States.

“Servicemembers and their families sacrifice so much for this country. That’s why we’ve got to make things right for military families who, too often, have been subjected to subpar and sometimes dangerous living conditions. This includes making sure that the health and well-being of our nation’s servicemembers and their families are part of our national security priorities,” said Sen. Warner.

The amendment would also require the Secretaries of the Navy, Air Force, and Army to issue standard mold assessments, remediations, and procedures in their agreements with privatized housing companies. Sens. Tim Kaine (D-VA) and Dianne Feinstein (D-CA) joined Sen. Warner in introducing the amendment, which comes on the heels of Sen. Warner’s letter to Acting Secretary of Defense Patrick Shanahan, urging the Department of Defense (DoD) to establish an advisory group to address the prevalent health and environmental hazards in privatized military housing.

To protect U.S. innovation and combat technology threats, Sen. Warner filed a bipartisan amendment with Sen. Marco Rubio (R-FL) to establish an Office of Critical Technologies within the Executive Office of the President. The office would be responsible for coordinating a whole-of-government approach to protect the U.S. from state-sponsored technology theft and risks to critical supply chains. The amendment is based on the bipartisan legislation introduced by Sens. Warner and Rubio that would combat technology threats from China. Sen. Warner also introduced a bipartisan amendment with Sen. Crapo to strengthen the intelligence support to protect our supply chain from growing adversary threats.

“In the 20th century, the U.S. pioneered many groundbreaking technological advancements, and today, countries like China are using every tool in their arsenal to try to diminish U.S. leadership, set the standards for technologies like 5G, and dominate key technologies. In order to confront this challenge, the United States must push forward a coherent strategy to protect our technological edge and preserve American leadership,” continued Sen. Warner.

In a move to further defend national security and respond to emerging cyber-threats, Sen. Warner also introduced a series of amendments that would revamp the security clearance process, assess cyber threat detection and encourage the DoD to work with the Federal Communications Commission (FCC) to identify new spectrum for reallocation for 5G services.

“To ensure the U.S. can hire trusted professionals to tackle the emerging threats in cyber and technology, we must modernize our outdated security clearance system. While we’ve already seen an encouraging drop in individuals waiting on a background check, there is still more work to be done,” concluded Sen. Warner. 

The security clearance reform language is based on legislation introduced by Vice Chair Warner, and unanimously approved in the Intelligence Authorization Act (IAA) for Fiscal Years 2018-2020. Text for the cyber threat assessment amendment can be found here.

Sen. Warner also introduced amendments to improve the quality of information submitted in background investigation requests, ensure DoD has the funding flexibility to perform the personnel vetting mission, and ensure the new Defense Counterintelligence and Security Agency adequately protects the millions of pieces of personally identifiable information it will hold as the government’s primary investigative service provider.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Marco Rubio (R-FL), member of the Senate Select Committee on Intelligence, expressed deep concern that the Trump Administration may concede on important national security matters related to the development of fifth-generation wireless telecommunications technology (5G) in order to achieve a favorable outcome on trade negotiations. In a letter to the U.S. Department of State and the Office of the U.S. Trade Representative, the Senators underscored the threats posed by Chinese telecommunications equipment to network security, data privacy, and economic security across the globe, and emphasized the need to keep trade negotiations separate from any changes in policy concerning national security threats posed by Huawei.

“Allowing the use of Huawei equipment in U.S. telecommunications infrastructure is harmful to our national security,” the Senators wrote. “In no way should Huawei be used as a bargaining chip in trade negotiations. Instead, the U.S. should redouble our efforts to present our allies with compelling data on why the long-term network security and maintenance costs on Chinese telecommunications equipment offset any short-term cost savings.”

Sens. Warner and Rubio reiterated their support for existing U.S. efforts to convey the long-term security risks posed by Chinese telecommunications firms to allies and partners abroad. However, the Senators expressed concern that this message is being undermined by President Trump, whose Administration reversed a seven-year ban on ZTE last year in defiance of a Commerce Department recommendation, and who in late May indicated that Huawei could be included in a future trade deal. In the letter, the Senators also emphasized that any modifications of Huawei’s Temporary General License must be pursued in a risk-based way, separate from trade negotiations, and without undermining national security.  

As a former telecommunications executive who introduced bipartisan legislation on 5G, Sen. Warner continues to be a leading voice on the national security risks posed by Chinese-controlled telecom companies. In December, Sens. Warner and Rubio urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in Canada’s fifth-generation network. In January, Sens. Warner and Rubio teamed up to introduce legislation to combat tech-specific, national security threats posed by foreign actors like China, and establish a whole-of-government strategy to protect the U.S. from technology theft. Additionally, Sen. Warner led legislation with Sen. Wicker to provide $700 million for rural telecommunications providers in order to offset the costs of removing equipment from vendors that pose a security threat, such as Huawei.

The full text of the letter appears below. A copy of the letter is available here.

June 13, 2019

Secretary Michael Pompeo
U.S. Department of State
2201 C Street NW
Washington, DC 20520

Trade Representative Robert Lighthizer
Office of the U.S. Trade Representative
600 17th Street NW
Washington, DC 20006

Dear Secretary Pompeo and Trade Representative Robert Lighthizer:

We are writing to express our deep concern that the Administration may concede on important national security matters related to Huawei Technologies, Inc. and the adoption of fifth-generation wireless telecommunications technology (5G) in order to achieve a favorable outcome in the Administration’s trade negotiations.

As Members of the Senate Select Committee on Intelligence (SSCI), we have strongly supported efforts by our diplomats, military, and intelligence personnel to persuade allies and partners around the world that Huawei and other Chinese telecommunications firms present a long-term legitimate security threat to their network security, data privacy, and economic security.  As you know, Chinese telecommunications equipment poses a threat that intelligence and military officials assess will only become more acute as energy infrastructure, transportation networks and other critical functions move to 5G networks and as millions more Internet of things (IoT) devices are connected.

Despite the best efforts of our government to convince other countries to keep Huawei components out of their 5G infrastructure, our message is being undermined by concerns that we are not sincere.  For example, Europeans have publicly expressed fears that the Administration will soften its position on Huawei in the United States to gain leverage in trade talks, as the Administration did in June 2018 when the seven-year ban on ZTE was reversed and a new settlement agreement reached at the urging of President Xi over the recommendation of Commerce Department leadership.  The President himself reinforced these fears in late May, stating:

“Huawei is something that’s very dangerous.  You look at what they’ve done from a security standpoint, from a military standpoint.  It’s very dangerous.  So it’s possible that Huawei even would be included in some kind of a trade deal.  If we made a deal, I could imagine Huawei being possibly included in some form of or some part of a trade deal.”

Allowing the use of Huawei equipment in U.S. telecommunications infrastructure is harmful to our national security.  In no way should Huawei be used as a bargaining chip in trade negotiations. Instead, the U.S. should redouble our efforts to present our allies with compelling data on why the long-term network security and maintenance costs on Chinese telecommunications equipment offset any short-term cost savings. Any modifications to Huawei’s Temporary General License must be pursued in a risk-based way, separate from any trade negotiations, and consistent with national security considerations. Successfully identifying and mitigating these security risks requires sustained coordination and alignment with our international partners, particularly the Europeans who represent key parts of the 5G supply chain, and India, which is poised to be the single-largest telecommunications market. Conflating national security concerns with levers in trade negotiations undermines this effort, and endangers American security.

We appreciate your attention to this important matter of national security and request that you keep us apprised of your efforts.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, took to the Senate floor today to request immediate passage of a modified version of his Foreign Influence Reporting in Elections (FIRE) Act that would require campaigns to report to the appropriate federal authorities any contacts from foreign nationals seeking to interfere in a presidential election. Immediately after Sen. Warner requested unanimous consent, Sen. Marsha Blackburn (R-TN) objected and thereby blocked the immediate passage of this essential legislation.

Sen. Warner’s request comes on the heels of alarming comments by President Trump, who said on Wednesday that he would not alert the FBI if a foreign government tried to offer damaging information on his 2020 election opponents.

“President Trump's own FBI director and his Director of National Intelligence have said that Russia, or others, will likely be back in 2020 because their tactics in 2016 were both cheap and effective. We're now 17 months before the 2020 elections and personally, we are not prepared,” Sen. Warner said on the floor. “One of my colleagues on the other side said they don't want to re-litigate 2016. There will be other times and places to further litigate whatever happened in 2016. In terms of today, I don't want to either. I just want to make sure that we are safe from foreign intervention in 2020.”

He continued, “The mantra at our airports that the TSA and Homeland Security always try to promote is, ‘if you see something, say something.’ This is not an undue burden on our traveling public, and because of that involvement, I think airports are safer. Shouldn't we have the same de minimis standard to protect the integrity of our election system? If you see something, say something. All my legislation is requiring is if there are indications that agents of foreign governments are trying to intervene in our elections, tell law enforcement, tell the FBI.”

Sen. Warner also stressed that his legislation would not interfere with any official government activities, and urged his colleagues to work together to pass bipartisan election security legislation and to put guardrails on social media platforms like Facebook, Twitter and Google to prevent them from being used by bad actors for the widespread dissemination of misinformation.
Below are Sen. Warner’s floor remarks as originally prepared for delivery:

Mr. President, in a moment I will ask unanimous consent for the Senate to take up and pass my bill, the FIRE Act, S.1562, as amended. But before I do that, I want to address the President’s recent comments regarding foreign election interference.

We all take an oath when we get sworn into these jobs to defend the Constitution against all enemies foreign or domestic. Our own political ambitions, our partisan affiliations — that all should take a back seat to defending our democracy.

Unfortunately, this President doesn’t see it that way. His recent comments that he would once again welcome dirt on an opponent from a foreign government fly in the face of that oath.

Let me be clear. If a foreign adversary attempts to offer assistance to your campaign, you have a moral obligation to call the FBI.

And if the President, or his son-in-law, or other members of his campaign can't be trusted to do the right thing and report their foreign contacts, then we need to make it a legal requirement. That’s what this amendment is all about.

Mr. President, I am not here to re-litigate the 2016 election or second-guess the Special Counsel’s findings. This is a question of how we defend our democracy on a going-forward basis.

But I do want to recall the facts of what we learned through the Mueller investigation, as well as the Senate Intelligence Committee’s bipartisan investigation.

After two years of investigating, we now know that the Trump Campaign had a series of inappropriate and unreported contacts with the Russian government and its proxies, who were part of the Kremlin’s election interference efforts.

This should have come to light far sooner, but the Trump Campaign intentionally hid these contacts from the American people and law enforcement.

Another thing we learned through the investigation is that when then-candidate Trump made his infamous “Russia, if you’re listening” plea — on that very same day, Russian operatives began sending illegal phishing emails to members of his opponent’s campaign.

Mr. Trump’s comments this week are not trivial. These are the words of the President of the United States, spoken in the Oval Office. That still means something to the world.

And frankly, what it means here is that this President is once again giving Russia and other bad actors the greenlight to interfere in the 2020 elections.

This sends a message to the American people and foreign governments that this conduct is acceptable. Not only is this morally wrong, it also undermines the crucial counterintelligence work of our federal law enforcement agencies.

Recently, FBI Director Chris Wray testified that such attempts to offer assistance or “dirt” would be “something that the FBI would want to know about.”

He’s right. Because, the truth is, when a foreign adversary like Russia is peddling dirt on an American candidate, they are not doing it out of the goodness of their hearts. They’re trying to undermine our democracy, and the FBI is our first line of defense against that threat.

Mr. President, that is what this amendment is about — safeguarding our democracy from those who wish us harm. I ask my colleagues to take a step back, take off our Republican and Democratic hats for a minute, and support this amendment.

My bill, the FIRE Act — creates a first-of-its-kind requirement to make sure that foreign contacts during a presidential election are promptly reported to the FBI and FEC.

It would serve a vital intelligence need and make sure that all individuals involved in a presidential campaign understand both the existing law on foreign contributions and their affirmative obligation to report suspicious foreign contacts.  

The FIRE Act is not about prohibiting innocent contacts or the exercise of First Amendment rights. It is about restoring Americans’ trust in the democratic process. 

If a candidate is receiving or welcoming help from the Kremlin, I think the American people should have a right to know that before they head to the polls.

And in a world where campaigns are a target for foreign espionage, I think our law enforcement and counter-intelligence professionals should have the tools they need to protect the integrity of our presidential elections.

The Senate must take a stand against foreign attacks on the democratic process.  This is not a Republican or Democratic issue; it is an issue of America’s national security.

And I hope the Senate can come together at this moment to send a clear message that we will defend our Democracy, even if this President won’t.

###

Washington, D.C. – As Congressional Republicans and Democrats continue to call on Leader McConnell to bring election security legislation up for a vote on the Senate floor, Senator Mark Warner (D-VA), the Vice Chairman of the Senate Select Committee on Intelligence, delivers this week’s Weekly Democratic Address. In the address, Warner highlights the importance of securing our elections and explains why it is critical that the Senate vote on bipartisan election security legislation. In closing, he emphasizes that the Senate must act on this issue in order to secure the 2020 elections, and cannot allow critical, bipartisan bills to protect our democracy to die in Leader McConnell’s legislative graveyard.

The Weekly Democratic Address is available in both AUDIO AND VIDEO FORMAT. You may download the audio of the address HERE and the video of the address HERE.

Senator Warner’s remarks as delivered follow:

“Hi, I’m Senator Mark Warner. I’m proud to represent Virginia in the United States Senate. I also serve as Vice Chairman of the Senate Intelligence Committee, which is conducting the only bipartisan investigation into Russia’s interference in our 2016 presidential election.

“Our intelligence community, the bipartisan Senate Intelligence Committee, and Special Counsel Robert Mueller have all concluded that Russia mounted an unprecedented attack on our democratic process. Russian intelligence conducted hacking operations against Democratic targets and then released the stolen documents to influence the election. Using an army of Internet trolls, Russia flooded social media with fake news and propaganda designed to sow discord and divide Americans through our news feeds.

“We also know that, as part of its interference campaign, the Kremlin also targeted election infrastructure in all 50 states. The Intelligence Community’s Assessment in January 2017 concluded that Russia secured and maintained access to multiple elements of U.S. state and local electoral boards. For example, in Illinois, Russian hackers were able to penetrate a voter registration database and access 90,000 voter registration records. Using spearphishing emails, Russia was able to access the network of at least one county in Florida. Now, there is no evidence that Russians were successful in changing vote totals in 2016 or in 2018 – but we can certainly expect them to try again in 2020.

“While the Department of Homeland Security has improved information-sharing with states and Congress has allocated some additional funding for election security, there is still more work to do to secure local election equipment ahead of the presidential election.

“In 2016, Russia exploited platforms like Facebook, Instagram, Twitter and YouTube to manipulate and divide Americans, to smear Hillary Clinton, and to aid Donald Trump. As we enter another presidential election cycle susceptible to foreign interference, Congress needs to put in place some commonsense guardrails on social media. We should start with the bipartisan Honest Ads Act, which I introduced, which would prevent foreign actors from purchasing online political ads, and bring much-needed transparency to the online ad ecosystem.

“There is already a bill to protect our elections systems that has strong bipartisan support. The Secure Elections Act from the last session of Congress would establish some common-sense measures to ensure the sanctity of the ballot-box.

“It would provide states with money to replace old, insecure voting machines that don’t leave a paper trail, and make sure that elections can be audited, so that Americans can have confidence in the results. It would also take several steps to improve the sharing of threat information between the Department of Homeland Security and the states that administer the vote. And it would require election agencies to promptly report suspected cybersecurity incidents to proper state and federal authorities.

“The truth is, if the Secure Elections Act that was introduced last session were brought to the floor today for a vote, it would pass overwhelmingly. But the White House and Senate Republican leaders have been blocking a vote.

“Unfortunately, that’s just part of a pattern with a White House and a President that has shown no interest in tackling this problem. According to reports, the former Secretary of Homeland Security was instructed not to even raise the issue of election security with the President, and when she tried to convene a Cabinet-level meeting ahead of the 2018 midterms, the White House chief of staff nixed the idea.

“What happened in 2016 will happen again in 2020 if we are not prepared. In the face of White House inaction to secure the vote, Congress must work together to protect our democracy and reassure Americans that their votes will be counted in 2020. We cannot let election security become another tombstone in the Republican Senate’s legislative graveyard.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that the personal information of approximately 11.9 million Quest patients may have been compromised as a result of a breach of a system used by one of Quest’s contractors.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach,” Sen. Warner wrote in his letter to Stephen Rusckowski, Chairman, President and CEO of Quest Diagnostics.

Earlier this year, Sen. Warner sent letters to multiple health care associations and government agencies including the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology, seeking more information about steps being taken to reduce cyber vulnerabilities in the health care industry, which has become a growing target for cyberattackers. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside stakeholders to develop strategies that strengthen information security.

In today’s letter to Quest, Sen. Warner asked the company to provide additional information regarding the breach and the company’s processes for selecting and monitoring sub-contractors and vendors.

The full text of the letter appears below. A copy of the letter is available here.
Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
500 Plaza Drive
Secaucus, NJ 0709

Dear Mr. Rusckowski,

On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1st 2018 and March 30th 2019, an unauthorized user had access to American Medical Collection Agency’s systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers. A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page, and notified law enforcement.

While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach. One set of major vendor breaches in the last year were caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.

In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.

Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.

To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe your third-party vendor information security vetting process.

2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?

3. What are your third-party vendor security and risk assessment requirements?

4. What are your third-party requirements for how customer information is processed and stored?

5. What are your third-party vendor requirements for data encryption?

6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point-of-sale malware or other information security vulnerabilities?

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

Mark R. Warner

United States Senator
###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and a former telecommunications executive and entrepreneur, along with Sens. Roger Wicker (R-MS), Tom Cotton (R-AR), Ed Markey (D-MA), and Dan Sullivan (R-AK), introduced legislation to establish U.S. policy for the commercial deployment and security of Fifth Generation (5G) networks. The United States 5G Leadership Act of 2019 will prioritize national security in the development of 5G by ensuring that American networks do not include equipment or services provided by Huawei, ZTE, or their affiliates. This legislation will also create a Supply Chain Security Trust Fund grant program to help rural and regional U.S. communications providers remove from their networks Chinese equipment determined to threaten national security.

“For a number of years, the federal government failed to effectively communicate the economic and national security risks of Huawei and ZTE communications equipment – and even adopted broadband grant policies that incentivized rural carriers to use this equipment because it was the cheapest around. While we’ve made enormous progress in educating the private sector of the dangers these vendors pose, we haven’t put in place policies to help resource-strapped rural carriers address and eliminate those risks. This bill ensures that on a going-forward basis we don’t make the same mistakes in allowing companies subject to extra-judicial directions of a foreign adversary to infiltrate our nation’s communications networks. And it provides significant resources to ensure that rural and regional providers can prioritize investments that eliminate this equipment from their existing networks where it poses a security threat,” said Sen. Warner. “Lastly, it builds on efforts my colleagues and I have already undertaken to engage with and educate the private sector about security risks and vulnerabilities posed to communications networks from certain foreign suppliers. We also believe this type of effort will be an important signal to international partners that we are putting resources behind this issue, and encouraging them to do the same.”

“5G networks need to be robust and secure, and not rely on equipment or services that pose a national security risk,” said Sen. Wicker. “This legislation would ensure continued American leadership in advanced wireless technology deployment. It offers relief to those providers that need to replace foreign equipment within their networks while augmenting the availability of secure 5G networks for all Americans.”

“Future U.S. security and economic prosperity will depend on 5G technology. With so much at stake, our communications infrastructure must be protected from threats posed by foreign governments and companies like Huawei,” said Sen. Cotton. “Our bill will support 5G’s deployment in the United States while defending that technology from exploitation.”  

“5G wireless will revolutionize global telecommunications and connect people, information, and technology like never before. While 5G could yield enormous benefits, it also could pose significant risks if not implemented properly,” said Sen. Markey. “We have a responsibility to ensure that this next generation of telecommunications infrastructure will safely and securely connect Americans to each other and to the rest of the world.”

“We urgently need a comprehensive strategy when it comes to the very real threat that foreign actors, particularly China, pose to our communications networks,” said Sen. Sullivan. “It is clear that this problem is only going to grow with the development of next generation communications technologies without aggressive intervention. I’m pleased to partner with Chairman Wicker on this critical issue at the intersection of national security and commerce.”

Among other measures, the United States 5G Leadership Act would:

  • Establish U.S. policy to promote the deployment of secure commercial 5G networks and the development of the Information and Communications Technology (ICT) sector in the U.S.;
  • Establish U.S. policy to identify additional spectrum for 5G, with an emphasis on promoting harmonization with global allocations;
  • Establish U.S. policy that American 5G networks should not include equipment or services provided by Huawei, ZTE, or their affiliates;
  • Require the Federal Communications Commission (FCC) to finalize rulemaking that would prohibit the use of Universal Service Fund subsidies to buy equipment or services from providers who pose a national security risk;
  • Establish the Supply Chain Security Trust Fund grant program to help smaller U.S. communications providers remove Huawei equipment from their networks — and would make available up to $700 million from future spectrum auctions for this purpose;
  • Require a report on current Federal government measures to ensure the secure deployment and availability of 5G networks;
  • Establish an interagency program – led by the Department of Homeland Security – to share information regarding security, risks, and vulnerabilities with U.S. communications providers and trusted suppliers;
  • Prioritize funding to enhance U.S. representation at international 5G standards-setting bodies, such as the International Telecommunications Union.

“I thank Senators Wicker, Cotton, Warner, Sullivan, and Markey for introducing the United States 5G Leadership Act of 2019.  This bipartisan bill will help ensure that all carriers have the information and resources necessary to address security risks while advancing US leadership in 5G.  I appreciate the Senators’ leadership on this important issue and look forward to continued work with Congress to ensure access to secure wireless networks, particularly in rural America,” said Steven K. Berry, President & CEO, Competitive Carriers Association.

Sen. Warner has been a leading voice in the Senate about the national security risks posed by Chinese-controlled telecom companies. Last week, Sen. Warner spoke out in favor of the executive order banning U.S. telecommunications firms from installing foreign-made equipment that could threaten national security. He is also the lead sponsor of the Secure 5G and Beyond Act, a bill to safeguard next-gen mobile telecommunications systems and infrastructure. Additionally, earlier this year, Sen. Warner introduced bipartisan legislation to help combat tech-specific, national security threats posed by foreign actors like China. As Vice Chairman of the Senate Intelligence Committee, Sen. Warner has been leading a bipartisan effort to educate the private sector on the economic and security risks posed by Chinese companies like Huawei.

For the full text of this legislation, click here

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) and U.S. Sens. Ben Cardin and Chris Van Hollen (both D-MD) introduced new legislation to renew the federal funding commitment to Metro, provide critical safety reforms, and strengthen oversight of the Washington Metropolitan Area Transit Authority (WMATA).

Recognizing that the Metro system is integral to the functioning of the federal government, for the last decade Congress has allocated $150 million annually to Metro for capital expenses, with Virginia, Maryland and the District of Columbia each providing $50 million in matching funds. However, the funding – a critical part of Metro’s budget – will expire this year unless Congress acts to renew it. The Metro Safety, Accountability and Investment Act of 2019 will provide additional federal funding for Metro while also enacting key reforms to ensure that the safety and reliability of the Metro system continues to improve.  

“The federal government runs on Metro. Thousands of federal workers, contractors, and military service members take Metro every day. This is an investment in the long-term safety and reliability of the Metro system,” said Sen. Warner, a member of the Committee on Banking, Housing and Urban Affairs, which has oversight over our nation’s urban transit systems. “But recent safety problems have illustrated that Metro still has work to do, which is why this money comes with some strings attached to ensure robust oversight, accountability, and meaningful safety reforms at WMATA.”

“Maintaining a safe and reliable public transit system for the seat of the federal government is a clear national priority. We recognized 10 years ago - as we do now - that providing dedicated funding for WMATA will help keep Metro on track,” said Sen. Cardin, ranking member of the Senate Environment and Public Works Transportation and Infrastructure Subcommittee. “Maryland and Virginia's Senate delegations wholeheartedly agree on the need for critical safety reforms and strengthened oversight to ensure that WMATA becomes as safe and efficient as possible.”

“This bill provides critical funding to reduce WMATA’s backlog of work, along with strict measures to ensure riders are safe on Metro. Following the death of a Virginian on Metrorail in 2015, we made it clear that major changes were needed. Since then, we passed a tough new federal safety oversight body through Congress, encouraged business and labor to work toward mutual goals, and worked with experts to provide WMATA with a roadmap for reform. But this work will only succeed if WMATA has the resources to do the turnaround job right. With this bill, we ensure that the federal government contributes its share, while also making clear that with new money comes new requirements for safety and accountability. Metro’s challenges won’t be solved overnight, but this bill will go a long way toward unlocking progress to rebuild trust with riders,” said Sen. Kaine.

“Maryland commuters and our federal workforce rely on the Metro day in and day out. This legislation reauthorizes the Federal investment in WMATA and provides much-needed funds to modernize our system. In addition to increased funding, this bill includes crucial safety improvements and oversight reforms,” said Sen. Van Hollen, a member of the Committee on Banking, Housing and Urban Affairs. “I’m proud to join my colleagues in introducing this measure as we work to ensure safe and dependable transportation throughout the region.”

The Metro Safety, Accountability and Investment Act of 2019 will renew the federal funding commitment for WMATA capital investments by reauthorizing the funding levels from the Passenger Rail Investment and Improvement Act of 2008 for an additional ten years, at an annual level of $150 million, matched by funding from Virginia, Maryland and the District of Columbia.

In addition, in exchange for key safety, oversight, and governance reforms at WMATA, the new legislation will include an additional $50 million per year in federal funding that is not subject to local match, bringing the annual federal commitment to Metro to $200 million. In order to access the additional $50 million, WMATA will be required to: grant additional powers to Metro’s Inspector General; establish task forces on track safety and bus safety; implement policy and procedures for a new capital planning process; improve the transit asset management planning process; reinforce restrictions on the activities of alternate WMATA Board members to provide more effective Board management and oversight; and prioritize the implementation of new cyber security protections and the integration of wireless services and emergency communications networks.

The bill also prohibits WMATA from using federal funds on a contract for rolling stock from any country that meets certain criteria related to illegal subsidies for state-owned enterprises. Sens. Warner, Kaine, Cardin and Van Hollen raised concerns earlier this year regarding the possibility that Metro may award a contract to build its newest 8000-series rail cars to a Chinese manufacturing company.  

“The Federal City Council applauds Sens. Warner, Cardin, Kaine, and Van Hollen for their continued commitment to WMATA and to ensuring that critically needed federal funding for the system is reauthorized this year. This funding, along with the new dedicated funding that was committed by the District of Columbia, Maryland, and Virginia in 2018 is critically needed to ensure a safe, reliable, and sustainable future for Metro,” said Tony Williams, former Mayor of the District of Columbia, current CEO and Executive Director of the Federal City Council and founding member of the MetroNow Coalition. “However, it has been the longstanding position of the Federal City Council and the MetroNow coalition that in addition to funding, Metro is also in need of a better framework to guide decision-making and increase accountability at WMATA—a critical part of the solution that has been missing, until now. With comprehensive enhancements to WMATA’s Office of the Inspector General and capital planning requirements, this legislation will help to safeguard the investment being made in this vital piece of our region’s transportation infrastructure and will inspire confidence in Metro going forward.”

“Metro is critical to those who live and work here and, equally important, it benefits those who travel here to do business, interact with the federal government, and enjoy all our region has to offer,” said Jack McDougle, President & CEO of the Greater Washington Board of Trade and founding member of the MetroNow Coalition. “Every day, we welcome visitors from around the country and the world, requiring us to maintain the safest, most reliable and world-class transit system possible. That’s why we and our partners in the MetroNow coalition urge Congress to pass this legislation.”

“The Amalgamated Transit Union (ATU) fully supports the Metro Safety, Accountability and Investment Act of 2019, renewing the federal commitment for WMATA capital investments. This is long overdue and critical, as the agency’s infrastructure, which dates back to the 1970s, has been crumbling. Riders have paid the price, as service sputtered and fares skyrocketed. Workers have been unfairly blamed for service issues when the real issue has been the generations of state and local lawmakers that until recently have financially starved the system of a critical dedicated revenue source,” said ATU International President John A. Costa. “Tragically, there have been several deadly accidents that have taken the lives of passengers as well as workers. There is no safety culture at WMATA. We thank Senators Warner, Cardin, Kaine and Van Hollen for including in the bill the ATU’s proposed labor-management safety task forces – bus and rail – to develop best principles and practices through collaboration so that we can prevent future tragedies. We are also grateful that these task forces have appropriately been named after ATU members who were killed on the job – Jeanice McMillan, the operator who was killed along with 8 passengers in the 2009 Red Line train crash at Fort Totten and was called a hero by WMATA for saving countless lives, and Keith Dodson, who was struck and killed by a tractor trailer when he exited the bus he was driving after it became disabled along southbound I-395 in Arlington County in 2007.”

More information about this bill is available here. For the full bill text, click here.

### 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, released the following statement after President Trump signed an executive order to ban American telecommunications firms from installing foreign-made equipment that could pose a threat to national security:

“This is a needed step, and reflects the reality that Huawei and ZTE represent a threat to the security of U.S. and allied communications networks. Under current Chinese security laws, these and other companies based in China are required to provide assistance to the Chinese state. This executive order places a great deal of authority in the Department of Commerce, which must ensure that it is implemented in a fair and responsible fashion as to not harm or stifle legitimate business activities. It should also be noted that we have yet to see a compelling strategy from this Administration on 5G, including how the Administration intends to work cooperatively with our allies and like-minded nations to ensure that international standards set for 5G reflect Western values and standards for security and privacy. Nor do we have a stated plan for replacing this equipment from existing commercial networks – a potentially multi-billion dollar effort that, if done ineptly, could have a major impact on broadband access in rural areas. A coherent coordinated and global approach is critically needed as nations and telecom providers move to implement 5G.”

As a former telecommunications executive and entrepreneur, Sen. Warner has been a leading voice in the Senate regarding the national security risks posed by Chinese-controlled telecom companies. He is the lead sponsor of the Secure 5G and Beyond Act, legislation to require the President to ensure the security of next-gen mobile telecommunications systems and infrastructure in the United States. He also introduced a bipartisan bill in January to help combat tech-specific threats to national security posed by foreign actors like China. Additionally, Sen. Warner called on the Trump Administration last week to promote U.S. leadership and strengthen diplomatic efforts around the development of a secure 5G architecture that challenges Huawei’s monopoly over the next generation of telecoms networks.