Press Releases

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement after the Biden administration announced several steps to respond to Russian aggression, including interference in the 2020 election, the hack impacting thousands of SolarWinds customers, bounties on American soldiers in Afghanistan, and the illegal annexation of Crimea:

“I am glad to see the Biden administration formally attributing the SolarWinds hack to Russian intelligence services and taking steps to sanction some of the individuals and entities involved. The scale and scope of this hack are beyond any that we’ve seen before, and should make clear that we will hold Russia and other adversaries accountable for committing this kind of malicious cyber activity against American targets. Across both the public and private sector, we have a lot of work to do to deter our adversaries from conducting these types of damaging intrusions, and to guard against future interference in our elections. But this is a good first step in making clear that these sorts of actions are unacceptable and will be met with consequences.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) and Sen. Thom Tillis (R-NC) will co-chair the bipartisan Senate Cybersecurity Caucus in the 117th Congress. First launched in 2016 by Sen. Warner and then-Sen. Cory Gardner (R-CO), the Senate Cybersecurity Caucus provides a platform for Senators and their staffs to stay informed on major policy issues and developments in cybersecurity. 

“Recent hacks involving SolarWinds and Microsoft only serve to underscore that cybersecurity is one of the biggest economic and national security challenges we face as a nation,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence. “The Senate Cybersecurity Caucus is a platform for Senators and their staffs to keep up to date on cyber policy and engage in discussions about cybersecurity that cross Committee jurisdictions. I’m pleased to welcome Sen. Tillis as a co-chair of this effort, and look forward to working with him to bring bipartisan attention to these critical issues.”

“The threat of cyberattacks by foreign adversaries such as China and Russia targeting American businesses, research institutions, hospitals, and federal agencies is one of the most pressing issues for Congress to address,” said Sen. Tillis. “These cyberattacks are a threat to national security and our innovation economy. Over the last year, we have seen numerous cyberattacks targeting American infrastructure and intellectual property—primarily related to testing and vaccines for COVID-19. Senator Warner is a thought leader on cybersecurity issues and has a proven track record of bipartisan policymaking. I am proud to join the Cybersecurity Caucus as co-chair, and I look forward to working with Senator Warner to provide productive information on cybersecurity issues for Senators and their staff.”

An early investor in the cellular telephone business, Sen. Warner spent 20 years in the technology industry before entering public office. In the Senate, Warner has been a longtime leader on issues relating to technology and cybersecurity. As Chairman of the Senate Intelligence Committee, Warner recently convened the first public hearing into the SolarWinds supply chain attack that enabled hackers to penetrate multiple federal agencies and corporations.   

###

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, today requested information from the Federal Bureau of Investigation (FBI) and the Environmental Protection Agency (EPA) following a cyber incident in which hackers remotely breached a Florida water treatment plant and sought to dramatically alter water chemical levels in a move that could have poisoned thousands of residents.  

“The security and integrity of our critical infrastructure is of utmost importance. The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in ‘illnesses or casualties and/or a denial of service that would also impact public health and economic vitality,’” wrote Sen. Warner in a letter to the Assistant Director of the FBI and the Acting Assistant Administrator at the EPA. “This incident has implications beyond the 15,000-person town of Oldsmar. While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.”

He continued, “The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans. Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.” 

On February 5, a water treatment facility in Oldsmar, Florida was accessed remotely by hackers, who increased sodium hydroxide levels from 100 parts per million to 11,100 parts per million, a dangerous amount that could have sickened town residents, had the attack gone unnoticed by a plant employee.

In his letter, Sen. Warner requested a progress update on the FBI’s investigation into this incident. He also asked for an EPA review into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan needs to be updated to confront similar risks. Additionally, Sen. Warner inquired about any plans to share timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers.

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures commensurate with Americans’ increased reliance on remote work. Among other measures, Sen. Warner has advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. 

A copy of the letter can be found below.

Dear Mr. Gorham and Ms. Fox,

I am writing to request information about reports of a serious security compromise of a water treatment plant in Oldsmar, Florida on February 5, 2021.  The security and integrity of our critical infrastructure is of utmost importance.  The Cybersecurity & Infrastructure Security Agency (CISA) states that 80% of the United States receives potable water from approximately 153,000 public drinking water systems, and any type of attack, including a cyber attack, could result in “illnesses or casualties and/or a denial of service that would also impact public health and economic vitality.”[i]  Additionally, other critical infrastructure sectors such as healthcare, emergency services, energy, food and agriculture, and transportation systems depend on the cyber resilience of water facilities.[ii]

According to information released by the Pinellas County Sheriff’s Office, the Oldsmar water treatment facility was accessed remotely by an unauthorized entity, who increased the amount of sodium hydroxide in the potable water supply to a dangerous level.[iii]  Given the consequences of a successful compromise of this kind, and the broader security weaknesses this unsuccessful attempt may illustrate within critical infrastructure sectors reliant on similar industrial control systems, I would request first, to be informed of the progress of the FBI’s investigation of the incident; second, a review by the Environmental Protection Agency into whether the Oldsmar water treatment facility was compliant with the most recent Water and Wastewater Sector-Specific Plan, and whether that plan, most recently updated in 2015, needs to be updated to confront similar risks; and third, to confirm the Federal Government is sharing timely threat information related to this incident with water and wastewater facilities, and other critical infrastructure providers across the United States.

This incident has implications beyond the 15,000-person town of Oldsmar.  While the Oldsmar water treatment facility incident was detected with sufficient time to mitigate serious risks to the citizens of Oldsmar, and appears to have been identified as the result of a diligent employee monitoring this facility’s operations, future compromises of this nature may not be detected in time.  The Federal Government must ensure we are taking all precautions to keep drinking water safe for Americans.  Designated as one of the 16 infrastructure sectors critical to national security under the Presidential Policy Directive 21 (PPD-21), we must protect water facilities from cyber and other compromises.  

Please coordinate with my office to provide updates on the investigation of the incident, as well as efforts underway to avoid future compromises on water facilities in the United States.

###

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) released a joint statement after the Biden administration confirmed Anne Neuberger, the National Security Agency's cybersecurity director, will lead the administration’s response to the SolarWinds breach. Yesterday, Chairman Warner and Vice Chairman Rubio sent a letter to the Intelligence Community urging the Unified Coordination Group to name a leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies and thousands of private sector entities.

“The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response. The Committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible.”

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and U.S. Sen. Marco Rubio (R-FL), Vice Chairman of the Senate Select Committee on Intelligence, sent a letter to Director of National Intelligence (DNI) Avril Haines, National Security Agency (NSA) Director General Paul Nakasone, Federal Bureau of Investigation (FBI) Director Christopher Wray, and Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales, urging the Unified Coordination Group to name a leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies and thousands of other private sector entities.

In the letter to the intelligence community, the Senators wrote, “The briefings we have received convey a disjointed and disorganized response to confronting the breach. Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks.  The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed.”

The text of the full letter can be found below.

Dear Director Haines, General Nakasone, Director Wray, and Acting Director Wales:

We are writing to urge you to name and empower a clear leader in the United States’ response to the SolarWinds cyber breach that has affected numerous federal agencies, and thousands of other private sector entities.  The federal government’s response so far has lacked the leadership and coordination warranted by a significant cyber event, and we have little confidence that we are on the shortest path to recovery.

The briefings we have received convey a disjointed and disorganized response to confronting the breach. Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks.  The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities, and direct resources to where they are needed. 

The handling of this incident is too critical for us to continue operating the way we have been.  Presidential Policy Directive-41 was not meant to impede a joint response to significant cyber incidents and clearly gives the Unified Coordination Group the authority, with mutual agreement and consistent with applicable legal authorities, to realign operational control of respective agency assets to respond to such incidents.  We urge you to reach such an agreement and assign a clear leader to ensure we confront and mitigate this incident fully, and as quickly as possible.

Sincerely,

###

WASHINGTON - As tech companies and public health agencies deploy new tools to fight the spread of COVID-19 – including contact tracing apps, digital monitoring, home tests, and vaccine appointment booking – U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT) and U.S. Representatives Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19. 

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Our health privacy laws have not kept pace with what Americans have come to expect for their sensitive health data,” Warner said. “Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services. Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.” 

“I’m exceedingly proud of the American innovators, many of whom are in my congressional district, who have built technologies to combat the coronavirus. As these technologies are used, they must be coupled with policies to protect the civil liberties that define who we are as a nation,” said Eshoo. “The Public Health Emergency Privacy Act is a critical bill that will prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures. The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to re-introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo and Congresswoman DelBene, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that the Trump Administration missed an opportunity when it failed to advocate for swift passage of this legislation. Based on how poorly the Trump Administration’s contact tracing scheme went, we all know this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to the Biden Administration’s plan for widespread testing and manual contact tracing.”

“Technology has become one of our greatest tools in responding to the COVID-19 pandemic but we need to build trust with the broader public if we are going to reach its full potential. Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust,” said DelBene. “Data privacy should not end with the pandemic. We need comprehensive privacy reform to protect Americans at all times, including state preemption to create a strong, uniform national standard. I hope that this crisis has shed light on the lack of adequate digital privacy policies in our country and look forward to working with these lawmakers and others to create the necessary standards moving forward.”

The bill is co-sponsored in the Senate by U.S. Senators Michael Bennet (D-CO), Amy Klobuchar (D-MN), Edward J. Markey (D-MA), Tammy Baldwin (D-WI), Mazie K. Hirono (D-HI), Cory Booker (D-NJ), Robert Menendez (D-NJ), Angus King (I-ME), Elizabeth Warren (D-MA) and Dick Durbin (D-IL).

The bill is co-sponsored in the House of Representatives by Don Beyer (D-VA), Jerry McNerney (D-CA), Nanette Diaz Barragán (D-CA), Mark Pocan (D-WI), Bobby Rush (D-IL), Peter Welch (D-VT), Mary Gay Scanlon (D-PA), Doris Matsui (D-CA), Ted Lieu (D-CA), Mark DeSaulnier (D-CA), Jahana Hayes (D-CT), Ro Khanna (D-CA), Jesús “Chuy” García (D-IL), Stephen Lynch (D-MA), Raúl Grijalva (D-AZ), Barbara Lee (D-CA), Debbie Dingell (D-MI), and Peter DeFazio (D-OR).

The Public Health Emergency Privacy Act would:

  • Ensure that data collected for public health is strictly limited for use in public health;
  • Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
  • Prevent the potential misuse of health data by government agencies with no role in public health;
  • Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
  • Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
  • Require regular reports on the impact of digital collection tools on civil rights;
  • Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and
  • Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Access Now, the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute, and Public Knowledge.

“A public health crisis is not the time to give up on our privacy rights, and this bill would go a long way toward protecting those rights. COVID-19 response apps are already out there, and this bill will help ensure that the apps are distributed and used in a responsible manner that will limit the new and expansive surveillance systems companies are building. Allowing these apps to proceed unchecked would create serious privacy violations that will never be undone,” said Eric Null, U.S. Policy Manager at Access Now.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).

“Public health measures to contain the deadly spread of COVID-19 must be effective and protect those most at risk. Where data are collected or used, they should not be misused to undermine privacy, fairness and equity, or place our civil rights in peril. The Public Health Emergency Privacy Act ensures that efforts to limit the spread of the virus truly protect all our interests,” said Katharina Kopp, Director of Policy for the Center for Digital Democracy.

“Color Of Change strongly supports the Public Health Emergency Privacy Act, as it would prevent corporate profiteering and government misuse of health data to help ensure Black people — who are disproportionately exposed to the dangers of surveillance — can operate online without fear. Profit-incentivized corporations should not be allowed to exploit loopholes to gather and sell sensitive health and location data without any regard to the safety of our communities. As the COVID-19 pandemic rages on, we need stringent and enforceable safeguards in place to protect private health information of Black people and other marginalized communities, who are most at risk of both COVID-19 and surveillance. We thank Senators Blumenthal and Warner for their leadership on this legislation, and we will continue to advocate for the highest standard of protection against the abuse of personal data,” said Color Of Change President Rashad Robinson.

“Common Sense calls on Congress to pass meaningful privacy safeguards for families. More than ever, the pandemic has highlighted how important it is that families can trust how their information is being collected, used, and shared. PHEPA is an important proposal to ensure technologies and data being used to combat COVID are used in privacy-protective ways, and it also can serve as a model for how Congress can comprehensively protect privacy in the near future,” said Ariel Fox Johnson, Senior Counsel for Global Policy with Common Sense Media. 

“OTI welcomes the re-introduction of this legislation that would establish strong safeguards to prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner. The ongoing privacy threats and urgency of the pandemic make these protections more important than ever,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, released the following statement:

“The SolarWinds hack is a devastating breach of U.S. networks and once again shows that the President and the White House are not taking this issue seriously enough.  An incident of this magnitude and lasting impact requires an engaged and public response by the U.S. government, led by a President who understands the significance of this intrusion and who is actively marshaling a domestic remediation strategy and an international response. 

“As we learn about the wider impact of this malign effort – with the potential for wider compromise of critical global technology vendors and their products – it is essential that we see an organized and concerted federal response. It is extremely troubling that the President does not appear to be acknowledging, much less acting upon, the gravity of this situation.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, released the following statement on the SolarWinds supply chain attack:

“As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects – whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies. As we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, released a statement today on the announcement by cybersecurity firm FireEye that it was the victim of hackers tied to a nation-state:

“The hack of a premier cybersecurity firm demonstrates that even the most sophisticated companies are vulnerable to cyber-attacks.

“I applaud FireEye for quickly going public with this news, and I hope the company’s decision to disclose this intrusion serves as an example to others facing similar intrusions.

“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers. As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued a statement today following the President’s firing of Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs:

“Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections.

“It speaks volumes that the president chose to fire him simply for telling the truth.”

Sen. Warner, co-chair of the Senate Cybersecurity Caucus, has previously cautioned about the dangers of destabilizing the government by ousting key officials amid a transition of Presidential power. Just last week, he reacted to reports that Director Krebs expected to be fired by the President, noting that there is “no possible justification to remove him from office.”

###

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) applauded congressional passage of their bipartisan legislation to require minimum security requirements for Internet of Things (IoT) devices purchased by the U.S. government. Leveraging the purchasing power of the federal government, the bill will ultimately help move the wider market for IoT devices towards greater cybersecurity. The Internet of Things (IoT) Cybersecurity Improvement Act passed through the U.S. House of Representatives in September and was approved in the Senate today by unanimous consent. It now heads to the President’s desk for signature.

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.” 

“I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems,” said Sen. Gardner. “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.” 

Sens. Warner and Gardner originally authored and introduced this legislation in the Senate back in August 2017. They reintroduced the bill in the 116th Congress and saw its passage through the Senate Homeland Security and Governmental Affairs Committee in June 2019. 

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
  • Require any IoT devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems. 
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.

Sens. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus. Sen. Warner – a former technology entrepreneur and Vice Chairman of the Senate Select Committee on Intelligence – is also a leader in Congress on security issues related to the Internet of Things.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Intelligence Committee, today expressed grave concerns regarding the cybersecurity measures in place at one of the nation’s largest medical facility operators, which recently fell victim to an apparent ransomware attack. In a letter to Universal Health Services (UHS), Sen. Warner posed a series of questions for Chairman and Chief Executive Officer Alan B. Miller regarding the ransomware attack and stressed the need for UHS and other clinical providers to ensure that all information, medical, and critical systems are sufficiently protected.

“As UHS has expanded over four decades to encompass 250 medical facilities across the U.S., including twelve facilities in Virginia, effective clinical environment cybersecurity cannot be a casualty to value-based care cost savings and economies of scale. Indeed, hospital systems have frequently suggested to competition authorities that greater consolidation will allow for greater operational efficiencies; yet this does not appear to be the case when it pertains to something as vital as information security,” wrote Sen. Warner. “An increasing number of medical facilities sharing connected information systems and computer networks requires adequate protection for a significantly larger attack surface. Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems. An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic.”

“With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations,” he continued. “While UHS’s latest annual report acknowledges that a cyber-attack that causes a security breach or loss of HIPAA protected health information could have a material impact on business, there is more than just business at stake when clinical operations are disrupted.”

In the letter, Sen. Warner noted that authorities in both countries where UHS operates – including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) – have continued to raise alarm regarding the danger posed by advanced persistent threat groups who exploit the COVID-19 pandemic, waging attacks against healthcare providers that include password “spraying” campaigns, scanning for vulnerabilities in unpatched software, and targeting supply chains. 

Sen. Warner also posed the following series of questions in order to gain a better understanding of the situation facing UHS:

  1. Please describe the UHS vulnerability management process, including your current practices relating to patch management across your health infrastructure.
  2. How are various UHS facilities’ networks and IT systems isolated from each other to prevent a cybersecurity breach at one facility from affecting multiple facilities?
  3. Does UHS have effective segmentation measures in place within its healthcare facilities to prevent any type of malware from spreading?
  4. What policies does UHS maintain relating to third-party risk management?
  5. What are your cybersecurity and risk assessment requirements?
  6. How are clinical medical devices isolated from administrative systems and networks to ensure a breach of the administrative network does not interrupt medical devices?
  7. Who is the senior-most executive responsible for day-to-day oversight of information security and who does that executive report to?
  8. Has UHS paid any ransom or does UHS plan to pay any ransom?
  9. Have any patient medical records, HIPAA protected data, or healthcare information been affected or suffered a denial of access?
  10. Have any patient medical records, HIPAA protected data, or healthcare information been exfiltrated from UHS owned or operated systems without authorization? 

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures as Americans have increasingly relied on internet connectivity for remote work, health, and education purposes. Among other measures, Sen. Warner has recently advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. He has also introduced legislation to set strong and enforceable privacy and data security rights for health information as tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19.

The letter is available here and text can be found below.

Mr. Alan B. Miller
Chairman and Chief Executive Officer
Universal Health Services, Inc.
367 S. Gulph Road
King of Prussia, PA 19406

Dear Mr. Miller:

I write you with grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack. As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity. While initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting. The national health crisis during the COVID-19 pandemic only exacerbates the consequences of insufficient cybersecurity. 

The need for health care providers to address cybersecurity threats has been obvious for several years now. Clinical providers including UHS must ensure all information, medical, and critical systems are sufficiently protected. Ransomware continues to impact organizations that have not demonstrated sufficient risk management maturity. The threat of ransomware to hospital systems – and the impact it has on clinical healthcare operations, patient care, and life safety – has been clear since 2016, when a series of major incidents occurred.[1] 

Although the threats are not new, authorities have continued to sound the alarm about the cyber threats to healthcare – including the heightened impact during our current public health emergency. For example, in both countries where UHS operates, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert on May 5, 2020[2]. This alert announced that advanced persistent threat (APT) groups are exploiting the COVID-19 pandemic as part of cyber operations against healthcare and essential services. Attacks observed against healthcare providers include password “spraying” attacks that automate attempts to use commonly used passwords, scanning for vulnerabilities in unpatched software, such as virtual private networks, and targeting supply chains. 

As UHS has expanded over four decades to encompass 250 medical facilities across the U.S., including twelve facilities in Virginia, effective clinical environment cybersecurity cannot be a casualty to value-based care cost savings and economies of scale. Indeed, hospital systems have frequently suggested to competition authorities that greater consolidation will allow for greater operational efficiencies; yet this does not appear to be the case when it pertains to something as vital as information security. An increasing number of medical facilities sharing connected information systems and computer networks requires adequate protection for a significantly larger attack surface. Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems. An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic.

With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations. While UHS’s latest annual report acknowledges that a cyber-attack that causes a security breach or loss of HIPAA protected health information could have a material impact on business, there is more than just business at stake when clinical operations are disrupted.

To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe the UHS vulnerability management process, including your current practices relating to patch management across your health infrastructure.
2. How are various UHS facilities’ networks and IT systems isolated from each other to prevent a cybersecurity breach at one facility from affecting multiple facilities?
3. Does UHS have effective segmentation measures in place within its healthcare facilities to prevent any type of malware from spreading?
4. What policies does UHS maintain relating to third-party risk management?
5. What are your cybersecurity and risk assessment requirements?
6. How are clinical medical devices isolated from administrative systems and networks to ensure a breach of the administrative network does not interrupt medical devices?
7. Who is the senior-most executive responsible for day-to-day oversight of information security and who does that executive report to?
8. Has UHS paid any ransom or does UHS plan to pay any ransom?
9. Have any patient medical records, HIPAA protected data, or healthcare information been affected or suffered a denial of access?
10. Have any patient medical records, HIPAA protected data, or healthcare information been exfiltrated from UHS owned or operated systems without authorization?

Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide. When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.

Your response will be critical to this process, and I look forward to receiving that within the next two weeks. If you should have any questions or concerns, please contact my office.

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

###

WASHINGTON – Today, Senate Intelligence Committee Vice Chairman Mark R. Warner (D-VA) and Chairman Marco Rubio (R-FL) led a bipartisan group of Senators in urging the Federal Communications Commission (FCC) to encourage the adoption of OpenRAN and other open and interoperable standards solutions by affected carriers as it works to implement the Secure and Trusted Communications Networks Act, legislation championed by Sen. Warner and passed earlier this year.

In a letter, the Senators urged FCC Chairman Ajit Pai to include OpenRAN and other open and interoperable solutions on the list of suggested replacements for physical and virtual communications equipment, application and management software, and services. This inclusion would allow affected carriers to adopt these alternative solutions as they dispose of risky communications equipment, as outlined in the Secure and Trusted Communications Networks Act. In addition to Sens. Warner and Rubio, this letter was signed by Sens. Margaret Wood Hassan (D-NH), John Cornyn (R-TX), Robert Menendez (D-NJ), Richard Burr (R-NC), Michael F. Bennet (D-CO), Tom Cotton (R-AR) and Angus S. King (I-ME).

“The inclusion of OpenRAN solutions on the list of suggested replacements could produce benefits beyond the immediate goal of securing American communications networks. Such equipment is interoperable, uses open interfaces, is not reliant on a single equipment vendor, and is easily upgradeable to new applications and uses, including 5G OpenRAN, without the need to continually replace proprietary equipment or conduct additional tower climbs,” the Senators wrote. “Moreover, this equipment will help spur innovation and create more competition and diversity in the supply chain. It is prudent that we take full advantage of this moment to prevent similar concerns from arising in the future.”

The Secure and Trusted Communications Networks Act was modeled on legislation Sen. Warner first cosponsored to protect American communications networks from threats presented by foreign suppliers like Huawei and ZTE. Specifically, it provides relief to smaller telecommunications providers – largely in rural areas – by reimbursing them for the costs of removing and replacing untrusted foreign equipment which presents risks to U.S. national security.

In their letter, the Senators also requested that the FCC aid in securing communications networks as expeditiously as possible by clarifying that carriers can begin replacing equipment right away, rather than needing to wait for the Secure and Trusted Communications Networks Act to be fully implemented and funded.

A copy of the letter can be downloaded here and text is available below.

Dear Chairman Pai:

As the Federal Communications Commission (FCC) continues to implement the Secure and Trusted Communications Networks Act (the “Act”), we write to urge you to include OpenRAN and other solutions that adhere to open and interoperable standards (“OpenRAN solutions”) on “the list of suggested replacements of both physical and virtual communications equipment, application and management software, and services” that the Act requires the FCC to develop. As you know, the Act directs that the list shall be technology neutral. An explicit assurance to impacted carriers that they may select OpenRAN solutions to replace covered equipment would support other potential benefits, including easing subsequent updates to “future proof” networks. This guarantee may also stretch federal dollars further, as OpenRAN offers the possibility of cost savings. 

Further, to aid in securing communications networks as expeditiously as possible, the FCC should make clear that equipment and services on the list of suggested replacements, including OpenRAN solutions, will be eligible for reimbursement as prescribed in the Act. The FCC should also clarify to carriers that they need not wait for the Act to be fully implemented and funded to begin the replacement process to be eligible for reimbursement if using suggested replacement equipment and services.  

The inclusion of OpenRAN solutions on the list of suggested replacements could produce benefits beyond the immediate goal of securing American communications networks. Such equipment is interoperable, uses open interfaces, is not reliant on a single equipment vendor, and is easily upgradeable to new applications and uses, including 5G OpenRAN, without the need to continually replace proprietary equipment or conduct additional tower climbs. Moreover, this equipment will help spur innovation and create more competition and diversity in the supply chain. It is prudent that we take full advantage of this moment to prevent similar concerns from arising in the future.

Accordingly, we request the FCC to explicitly allow reimbursement of affected carriers for purchases of OpenRAN solutions to replace covered equipment in their networks. We applaud the FCC’s recent Forum on 5G Open Radio Access Networks and laud your work to highlight the importance of OpenRAN solutions. Thank you for your attention to this important matter, and we look forward to our continued work.

Sincerely, 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Intelligence Committee, today raised alarm regarding the need to protect education infrastructure from cyber-attacks following a ransomware incident at Fairfax County Public Schools, the largest school system in Virginia.

In a letter to Education Secretary Betsy DeVos, Sen. Warner urged the U.S. Department of Education to develop guidance and disseminate best practices for K-12 schools and institutions of higher education and to work with school districts to develop a comprehensive, risk-based funding request from Congress. 

“A ransomware attack on a school system in normal times can be disruptive and costly; in the context of a global public health emergency, with unprecedented reliance on remote learning, it is debilitating,” wrote Sen. Warner. “Sophisticated cyber-attacks and more opportunistic forms of malware, like ransomware, are widespread today and require sustained vigilance. Defending against these persistent attacks requires a consistent and holistic approach. The public sector is particularly at risk given constrained state and local budgets.” 

“I recommend providing schools with guidance that includes awareness campaigns, risk management, threat mitigation, cybersecurity posture reviews, and resiliency. Awareness campaigns for both educators and students can focus on the importance of recognizing threats, such as phishing attacks, ransomware, malware, and social engineering methods. Regular evaluations can determine the effectiveness of awareness campaigns to address any gaps. Threat mitigation includes developing sufficient safeguards to ensure data security and access control,” he continued. “Detection capabilities are also needed to continuously monitor for anomalies and cybersecurity events. Schools should review these capabilities, plus their readiness to respond and recover from attacks. For example, tabletop exercises can validate processes and test procedures used before, during, and after an attack. Cyber resiliency ensures systems have an ability to continue operating in case of attack, while full restoration takes place. Many of these objectives will require new funding from Congress, particularly in the wake of the devastating impact COVID-19 has had on school system budgets.”

Fairfax County Public Schools, which serves nearly 200,000 students and employs over 24,000 employees, was recently the target of a ransomware attack that involved the theft of protected information.

In his letter, Sen. Warner pressed Sec. DeVos to work to adapt available cybersecurity guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to school systems. Stressing the need for robust cybersecurity education, Sen. Warner also pushed Sec. DeVos to disseminate best practices to states and localities seeking to teach cybersecurity in the K-12 setting.

Additionally, Sen. Warner urged the Department of Education to work with educators, industry, and CISA to encourage a consortium or Information Sharing and Analysis Center (ISAC) for K-12 schools to exchange cybersecurity threat information and best practices for defense that are tailored to account for capabilities and constraints of K-12 schools. 

Sen. Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures as Americans have increasingly relied on internet connectivity for remote work, health, and education purposes. Among other measures, Sen. Warner has recently advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to bolster defenses against cybersecurity attacks. He has also introduced legislation to set strong and enforceable privacy and data security rights for health information as tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19.

The letter is available here and text can be found below.

Dear Secretary DeVos:

I write to you about the need for effective cybersecurity in the context of our nation’s K-12 education system. As COVID-19 has placed a strong emphasis on remote learning throughout the United States, this new normal also highlights the heightened need to protect education infrastructure from cyber-attacks, provide measurable standards, and ensure educators are equipped to manage cybersecurity risk. 

Virginia’s Fairfax County Public Schools, a local school division with nearly 200,000 students and over 24,000 employees, was recently the target of a cyber and ransom attack that included theft of protected information. While an investigation proceeds, the incident in Fairfax County demonstrates the need for schools to be prepared with cybersecurity defenses and resilience. A ransomware attack on a school system in normal times can be disruptive and costly; in the context of a global public health emergency, with unprecedented reliance on remote learning, it is debilitating.

Sophisticated cyber-attacks and more opportunistic forms of malware, like ransomware, are widespread today and require sustained vigilance. Defending against these persistent attacks requires a consistent and holistic approach. The public sector is particularly at risk given constrained state and local budgets. It is too late to wait for a cyber-attack before taking action to ensure school systems and personal data are secure and available.

I urge the U.S. Department of Education to develop baseline cybersecurity standards for K-12 schools and institutions of higher education and to work with school districts to develop a risk-based and comprehensive appropriations request for FY2022. Many school districts do not currently have sufficient guidance to implement an effective cybersecurity program. Fortunately, there is cybersecurity guidance available that could be tailored for education. Existing cybersecurity frameworks, such as National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) guidance, can be adapted and applied for our school systems. We have seen a range of sectors develop customized Framework Profiles that tailor the NIST Cybersecurity Framework to the particular risks, resources, and circumstances of a particular sector.

I recommend providing schools with guidance that includes awareness campaigns, risk management, threat mitigation, cybersecurity posture reviews, and resiliency. Awareness campaigns for both educators and students can focus on the importance of recognizing threats, such as phishing attacks, ransomware, malware, and social engineering methods. Regular evaluations can determine the effectiveness of awareness campaigns to address any gaps. Threat mitigation includes developing sufficient safeguards to ensure data security and access control. Detection capabilities are also needed to continuously monitor for anomalies and cybersecurity events. Schools should review these capabilities, plus their readiness to respond and recover from attacks. For example, tabletop exercises can validate processes and test procedures used before, during, and after an attack. Cyber resiliency ensures systems have an ability to continue operating in case of attack, while full restoration takes place. Many of these objectives will require new funding from Congress, particularly in the wake of the devastating impact COVID-19 has had on school system budgets.

In addition to protecting school infrastructure, I urge you to develop guidance and disseminate best practices to states and localities seeking to teach cybersecurity in the K-12 setting. For example, the Cyberspace Solarium Commission recommends that the U.S. Government promote professional development programs to model safe, secure, and privacy-aware internet practices in classrooms. The Commission also recommends incorporating effective digital literacy curricula in American classrooms at the K-12 level and beyond, including critical thinking and problem-solving skills.

Finally, I urge the Department of Education to work with educators, industry, and CISA to encourage a consortium or Information Sharing and Analysis Center (ISAC) for K-12 schools to exchange cybersecurity threat information and best practices for defense. Such an organization could be a counterpart to the existing Research and Education Networks ISAC that focuses on higher education. Because K-12 schools have very different missions and resources than higher education institutions, I would encourage particular attention to ensuring such efforts meet K-12 educators where they are – with information sharing, best practices, and action items tailored to account for capabilities and constraints of K-12 schools.

Our nation faces increasing cybersecurity threats on our infrastructure. As the recent Fairfax County Public Schools incident demonstrates, our schools need vigilant defenses from these threats, similar to private industries and government. Adversaries have shown a willingness to attack our education facilities, and schools must be proactive, attentive, and proficient at cybersecurity. While the nation confronts the COVID-19 public health emergency, an increased reliance on remote learning makes the need for effective threat defense paramount.  

Schools have a unique strategic role in our nation’s cybersecurity posture through educating students and tomorrow’s leaders of essential cybersecurity practices. I urge you to take necessary steps to ensure schools have adequate guidance to defend attacks and provide a cybersecurity education. Thank you for your consideration of these issues and your timely response.

Sincerely,

###

WASHINGTON – As tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19, U.S. Sens. Mark R. Warner and Richard Blumenthal (D-CT) and U.S. Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.

After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.

“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”

“Communications technology has obviously played an enormously important role for Americans in coping with and navigating the new reality of COVID-19 and new technology will certainly play an important role in helping to track and combat the spread of this virus. Unfortunately, our health privacy laws have not kept pace with the privacy expectations Americans have come to expect for their sensitive health data,” Warner said. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health. The credibility – and indeed efficacy – of these technologies depends on public trust.” 

“I’m thankful that our country is blessed with the world’s best innovators and technologists, many of whom I represent in the House, and that they have joined the effort to combat the coronavirus by using technology to control the spread of the virus,” said Eshoo. “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation. I’m proud to join my colleagues to introduce the Public Health Emergency Privacy Act, strong and necessary legislation that protects the privacy of every American while ensuring that innovation can aid important public health efforts.”

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to widespread testing and manual contact tracing.”

“We must use every tool available to us to respond to the COVID-19 pandemic. Contact tracing, along with testing, are the cornerstones of a science-based approach to addressing this historic crisis. We can protect our public health response and personal data privacy,” said DelBene. “I have been calling on the Trump administration and the private sector to adopt data privacy principles since the start of this outbreak. It is time for Congress to lead the way in assuring we have a strong national contact tracing system and that Americans’ personal data is protected. This bill will achieve this mutual goal.”

Eshoo, Schakowsky, and DelBene introduced House legislation with original co-sponsors House Energy and Commerce Committee Vice Chair Yvette Clarke (D-NY), Health Subcommittee Vice Chair G. K. Butterfield (D-NY), and Consumer Protection & Commerce Subcommittee Vice Chair Tony Cárdenas (D-CA).

The Public Health Emergency Privacy Act would:

  • Ensure that data collected for public health is strictly limited for use in public health;
  • Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
  • Prevent the potential misuse of health data by government agencies with no role in public health;
  • Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
  • Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
  • Require regular reports on the impact of digital collection tools on civil rights;
  • Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and
  • Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

The Public Health Emergency Privacy Act is endorsed by Lawyers’ Committee for Civil Rights Under Law, Public Knowledge, New America’s Open Technology Institute, Consumer Reports, Free Press, Electronic Privacy and Information Center (EPIC), Public Citizen, health privacy scholar Frank Pasquale, and privacy scholar Ryan Calo.

“African Americans and other marginalized communities are suffering disproportionately from coronavirus and its economic effects. They do not need further harm from snake oil surveillance tech. This bill protects the most vulnerable—it ensures that any technology used to track the virus is not used to unfairly discriminate in employment, voting, housing, education, and everyday commerce,” said David Brody, Counsel and Senior Fellow for Privacy & Technology at the Lawyers’ Committee for Civil Rights Under Law.

“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge. 

“OTI welcomes this effort to protect privacy as lawmakers consider pandemic response plans that gather vast quantities of data. The bill would establish strong safeguards that would prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.

“When it comes to tracking and collecting people’s data, we want to make sure there are basic protections for people’s privacy, and this bill is a positive step to establish the trust and balance that’s needed. The bill smartly requires that data collected to fight coronavirus can only be used for public health purposes – and nothing else. Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements. These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumer Reports.

“Digital contact tracing and exposure notification systems may be important tools in combating the spread of coronavirus. But they must be deployed responsibly and with adequate safeguards that protect the privacy and civil rights of the people that use them. The Public Health Emergency Privacy Act is a serious effort at ensuring our rights are protected while giving public health officials the tools they need to track and notify those exposed to COVID-19. These rules must apply to everyone using these systems, whether that’s state or local governments, employers, or other tech companies. This bill protects the civil rights of the most vulnerable essential workers, the disproportionately Black and Latinx people most exposed to the virus, and will help ensure they’re not also subject to invasive and unnecessary surveillance that will linger long after this crisis passes,” said Gaurav Laroia, Senior Policy Counsel with Free Press.

“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC). 

“What we need more than anything during this global emergency is to feel less vulnerable, to be sure not just that our health is protected, but that our rights are protected as well. This bill will ensure that whatever technological innovation emerges during the pandemic, we will feel safer knowing that our rights to privacy, to our day in court and to access to the ballot box won’t be threatened,” said Robert Weissman, President of Public Citizen.

“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency. To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust. The Public Health Emergency Privacy Act is a big step in the right direction,” said Frank Pasquale, Piper & Marbury Professor of Law at University of Maryland Carey School of Law.

“This draft legislation addresses two of my biggest privacy concerns about the use of technology and information to respond to COVID-19. As the Act makes clear, the emergency health data of Americans should only be used to fight the pandemic and should never be used to discriminate or deny opportunity,” said Ryan Calo, Lane Powell & D. Wayne Gittinger Endowed Professor at University of Washington School of Law.

WASHINGTON - Following reports of escalating foreign cyber espionage and cybercrime targeting American health institutions amid the COVID-19 pandemic, U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) called on top U.S. cybersecurity officials to take immediate steps to bolster defenses, coordinate with hospitals, and engage in deterrence against such attacks. 

The bipartisan group of Senators wrote to the Cybersecurity and Infrastructure Security Agency (CISA) and United States Cyber Command after reports that Russia, China, Iran, North Korea, and criminal groups have launched hacking campaigns targeting the U.S. health care and medical research sectors in recent weeks. These malicious campaigns included ransomware attacks hitting hospitals, disinformation about health related to COVID-19, and spying on U.S. medical response and research. 

“[O]ur country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” wrote the Senators in a letter to CISA Director Christopher Krebs and Cyber Command Commander Paul Nakasone. “Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions mean critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.”

The Senators urged the agencies to make cyber threat information public to enable better defensive efforts, as well as raise public alarm and issue statements putting adversaries on notice. The Senators also called on the agencies to provide technical assistance to help states in their cybersecurity efforts, convene stakeholders in the medical sector to make sure they have the necessary resources, and engage in deterrence actions as necessary. 

The full text of the letter is available here and copied below.


Dear Mr. Krebs and General Nakasone,

We write to raise our profound concerns that our country’s healthcare, public health, and research sectors are facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic. These hacking attempts pose an alarming risk of disrupting or undermining our public health response at this time of crisis. We write to urge the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with United States Cyber Command, and its partners to issue guidance to the health care sector, convene stakeholders, provide technical resources, and take necessary measures to deter our adversaries in response to these threats.

In recent weeks, Russian, Chinese, Iranian, and North Korean hacking operations have targeted the health care sector and used the coronavirus as a lure in their campaigns. In March, the cyber security firm FireEye reported that a Chinese hacking group, APT41, carried out one of the broadest hacking campaigns from China in recent years, beginning at the onset of the pandemic.[1] According to researchers, APT41 is a sophisticated Chinese state-sponsored group that specializes in espionage against healthcare, high-tech, and political interests.[2] This latest campaign sought to exploit several recent vulnerabilities in commonplace networking equipment, cloud software, and office IT management tools—the same systems that we are now more reliant on for telework and telehealth during this pandemic. Included in the new Chinese espionage campaign are the healthcare and pharmaceutical nonprofits and companies bracing to respond to the coronavirus. APT41’s campaign also appears to reflect a broader escalation from Chinese groups in recent weeks.[3]

China is not alone in exploiting the coronavirus pandemic against our interests. Russian, Iranian, and North Korean government hackers have reportedly targeted international health organizations and the public health institutions of U.S. allies.[4] Additionally, the State Department has identified disinformation operations from Russia, Iran, and China that sought to spread false information about coronavirus to undermine the nation’s response to the pandemic.[5] Unless we take forceful action to deny our adversaries success and deter them from further exploiting this crisis, we will be inviting further aggression from them and others.

The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored. Prior to the pandemic, hospitals had already struggled to defend themselves against an onslaught of ransomware and data breaches. Our hospitals are dependent on electronic health records, email, and internal networks that often heavily rely on legacy equipment. Even a minor technical issue with the email services of the Department of Health and Human Services meaningfully frustrated efforts to coordinate the federal government’s service.[6] Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions mean critical lost time and diverted resources. During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.

The Cybersecurity and Infrastructure Security Agency and Cyber Command are on the frontlines of our response to cybersecurity threats to our critical infrastructure. Hospitals, medical researchers, and other health institutions need the expertise and resources your agencies have developed defending against these same sophisticated threats. We urge you to take all necessary measures to protect these institutions during the coronavirus pandemic, including:

1.) Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.

2.) Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.

3.) Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.

4.) Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.

5.) Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election interference issued on March 2nd.

6.) Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

We stand ready to work with you to provide any further resources necessary in this effort. Thank you for your attention to this urgent matter.

Sincerely,

###


WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged six internet networking device vendors to help ensure that their internet connectivity products remain secure as Americans across the nation ramp up their use of these devices for remote work, health, and education purposes as part of COVID-19 social distancing efforts. In letters to Google, Netgear, Belkin, Eero, Asus, and Commscope, Sen. Warner urged vendors to help ensure that their wireless access points, routers, modems, mesh network systems, and related connectivity products remain secure and cannot be easily exploited to attack consumer systems and workplace networks.

“As the COVID-19 pandemic unfolds, Americans will depend on connectivity products to receive telehealth; remain connected with family, colleagues, employers, and friends; and to receive news reports, and guidance from government and public health officials,” wrote Sen. Warner. “During this time, the security of consumer devices and networks will be of heightened importance.”

He continued, “I request your attention and diligence to help protect the consumer devices you sell. Both new and older devices in use deserve protection from cybersecurity threats, including timely updates to mitigate vulnerabilities and exposures.”

As the COVID-19 outbreak continues to spread, and workplaces, schools, and businesses shut their doors as part of social distancing efforts, Americans are increasingly relying on their home networks and personal internet connectivity devices. However, without proper cybersecurity measures, these home devices can pose a risk to larger workplace systems, potentially creating a door for bad actors to infiltrate these networks. 

According to CNBC, cyberthreats – including phishing and other cyber scams – have increased amid the COVID-19 outbreak, as online criminals look to take advantage of home network vulnerabilities and stressed IT systems.

In the letters, Sen. Warner urged vendors to continue to issue timely security updates in order to mitigate known cybersecurity vulnerabilities. Additionally, he stressed the importance of having vendors notify consumers who may own devices that are no longer able to receive critical updates and are therefore no longer protected from cybersecurity threats.

Sen. Warner also highlighted his Internet of Things (IoT) Cybersecurity Improvement Act – a bipartisan bill he introduced last year that would improve the cybersecurity of Internet-of-Things devices and help ensure that vendors of key information technology products maintain coordinated vulnerability programs.

A full list of Sen. Warner’s work to protect Americans amid the COVID-19 outbreak is available here.

###

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH) and Mark Warner (D-VA) led a letter urging Secretary of State Mike Pompeo to continue to prioritize American leadership in talks about international standards for artificial intelligence, and to build an international coalition to preserve the integrity of international standards setting bodies. The letter responds to efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to advance and legitimize artificial intelligence-based technologies, such as facial recognition technologies, that have been used to oppress Uyghur Muslims. The United States must ensure that American values remain a part of the international conversation about artificial intelligence and facial recognition.

“We are writing to share our concerns regarding efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to internationalize standards for advanced surveillance technology. The evidence from Xinjiang Province of how artificial intelligence-based technologies, such as facial recognition technologies, are used to oppress Uyghur Muslims makes clear that standards setting bodies should not be used to advance or legitimize such practices. We urge you to continue to prioritize American leadership on this issue, and build an international coalition to preserve international standards setting bodies as technical economic fora,” wrote the senators.

Portman and Warner were joined in sending the letter by Senators Tom Cotton (R-AR), Richard Blumenthal (D-CT), Cory Gardner (D-CO), Chris Coons (D-DE), Steve Daines (R-MT), Chris Murphy (D-CT), Mike Braun (R-IN), Ed Markey (D-MA), John Cornyn (R-TX), Gary Peters (D-MI), Josh Hawley (R-MO), Jeanne Shaheen (D-NH), Marco Rubio (R-FL), Brian Schatz (D-HI), and Jacky Rosen (D-NV).

The full text of the letter to Secretary Pompeo can be found below and here.

Dear Secretary Pompeo,

Thank you for your efforts to draw attention to, and address, the ever growing number of concerns about totalitarian activities by the People’s Republic of China. We are writing to share our concerns regarding efforts by China, and technology companies closely aligned with the Chinese Communist Party, to utilize international standards setting bodies, such as the International Telecommunications Union (ITU), to internationalize standards for advanced surveillance technology. The evidence from Xinjiang Province of how artificial intelligence-based technologies, such as facial recognition technologies, are used to oppress Uyghur Muslims makes clear that standards setting bodies should not be used to advance or legitimize such practices. We urge you to continue to prioritize American leadership on this issue, and build an international coalition to preserve international standards setting bodies as technical economic fora.

International standards setting bodies are foundational to international trade and commerce. Without them, a litany of technical and logistical barriers to trade erected by different countries – with divergence on things as wide-ranging as food labeling, construction materials, and wireless communications standards – would balkanize our global economy. Thanks to American industry’s leadership, the United States has consistently set the bar for international standards setting. We believe it is vital for our economy, and foreign policy, to maintain that leadership.

Unfortunately, China has indicated a willingness to use standard setting bodies in perverse ways to normalize global opinions about Orwellian surveillance technology. By shaping the debate about the legitimate uses of artificial intelligence and facial recognition, China can expand opportunities for countries, particularly those in the developing world, to utilize Chinese surveillance technology. According to the Carnegie Endowment for International Peace, Chinese companies have supplied AI-based surveillance systems to 63 countries, including 36 of which are part of China’s Belt and Road Initiative. 

With respect to the Uyghurs, China is using technology in ways never seen before. China uses facial recognition to profile Uyghur individuals, classify them on the basis of their ethnicity, and single them out for tracking, mistreatment, and detention. The machine learning techniques used in Xinjiang Province, and throughout China, which are designed specifically, and intentionally, to classify people on the basis of physical traits harken back to troubling practices related to phrenology and eugenics. And these technologies are deployed in service of a dystopian vision for technology governance, that harnesses the economic benefits of the internet in the absence of political freedom and sees technology companies as instruments of state power.

As you know, China is currently working to use standards setting bodies to gain the imprimatur of international legitimacy and support across a range of emerging technologies. China’s censorship and surveillance technologies are the envy of autocratic regimes around the world, with China exporting both its technology and its technology governance vision to countries such as Venezuela, Ethiopia, Pakistan, Rwanda, Mongolia, and Zimbabwe. China’s efforts to steer standards setting bodies towards work in service of this anti-democratic vision for technology undermines the apolitical purposes standard setting bodies serve.

At the same time, we have seen our position as a global leader on technology issues weakened by a retreat of the United States from the global stage. The United States and its allies must build international support for rules and standards that address the internet’s potential for censorship and repression, presenting alternatives that explicitly embrace a free and open internet. To that end, we urge you to work closely with other countries to ensure China cannot use the ITU to advance its techno-nationalist agenda.

Some argue that China has an inherent advantage over the United States with respect to artificial intelligence because of China’s lax privacy standards and lack of respect for human rights—we disagree. We believe privacy and human rights protections are features, not bugs, of our democracy and our culture of innovation; they make America stronger, and more likely to win any “artificial intelligence race” going forward. Ultimately, technology is shaped by the norms of its development. Thank you for your consideration of our views on the intersection of human rights and artificial intelligence in China, and we look forward to working with you to ensure that American values remain part of the international conversation about artificial intelligence and facial recognition.

Sincerely,

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, stressed the importance of vulnerability disclosure programs, such as the one at the Department of Defense (DoD) that recently allowed a researcher to report malware that was actively exploiting a security misconfiguration on a DoD server. In a letter to the DoD’s Chief Information Officer, Sen. Warner highlighted his Internet of Things (IoT) Cybersecurity Improvement Act, noting that the piece of legislation would help advance similar coordinated vulnerability programs and work in conjunction with the procedures in place at DoD.

The bipartisan, bicameral legislation, which successfully passed through the Senate Homeland Security and Governmental Affairs Committee in June, would improve the cybersecurity of Internet-connected devices and require that devices purchased by the U.S. government meet certain minimum security requirements.

“This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies,” wrote Sen. Warner. “These programs are a crucial force multiplier for federal cybersecurity efforts. Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by DoD. Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and DoD systems.”

According to ZDNet, a security researcher searching for bots discovered that a DoD automation server running on an Amazon Web Services (AWS) cloud-computing platform was publicly accessible and did not require login credentials. Later on, the researcher discovered that the server had been compromised and was being used to mine cryptocurrency by a botnet.

In his letter, the Senator also emphasized the need to utilize proper cybersecurity measures and monitoring, including on commercial cloud-computing platforms and open source software, such as the server involved in the DoD incident.

“I am hopeful that DoD will take the lessons from this incident seriously and reassess current processes as necessary. It is crucial to ensure that future incidents involving open vulnerabilities and improper access configurations that permit malware installation on federal information technology systems cannot reoccur, including on systems hosted by commercial cloud service providers,” he continued. “I also hope to continue to work with you on passing my legislation and continuing to push for strong, thoughtful, cybersecurity policies.”


A copy of the letter can be found here and below.

Dana Deasy

Chief Information Officer

U.S. Department of Defense

1300 Defense Pentagon

Washington, DC 20301-1300

Dear Mr. Deasy:

I write about some recently reported cybersecurity issues at DoD. In particular, I read about malware actively exploiting a security misconfiguration that was recently discovered on a Department of Defense (DoD) web server. From the current analysis and reporting of the incident, the malware was part of a botnet that apparently mined cryptocurrency using DoD resources and IT systems and raises broader cybersecurity concerns.

According to news reports, a security researcher first found the vulnerability on a DoD-managed cloud computing system exposed to the internet. The researcher then discovered that malware associated with mining Monero cryptocurrency was installed and operating on the same server. In January, once the security certificate identified the web server as an official DoD resource, the researcher reported the vulnerability and subsequent malware discovery under DoD’s official vulnerability disclosure program. 

This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies. These programs are a crucial force multiplier for federal cybersecurity efforts. Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by DoD. Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and DoD systems.

There is pending bipartisan, bicameral legislation that I have introduced which would ensure that vendors of key information technology products, such as Internet of Things devices, maintain coordinated vulnerability programs. This bill would serve as a complement to the procedures DoD already employs.

While the use of commercial cloud computing can be a cost effective method to deploy and manage information technology and services, the use of a cloud itself does not ensure cybersecurity. Rigorous cybersecurity defensive measures and monitoring remain crucial for systems, even when DoD resources are deployed on commercial cloud computing platforms. While open source software, such as the automation server employed in this incident, may be beneficial, it is also essential to monitor all software for vulnerabilities and ensure they are promptly mitigated. Likewise, continuous use of software requires an effective continuous monitoring process for addressing newly discovered vulnerabilities in the software. And perhaps most importantly in the shared security model of commercial cloud computing, ensuring safe and secure configurations related to access is a key concern. 

I am hopeful that DoD will take the lessons from this incident seriously and reassess current processes as necessary. It is crucial to ensure that future incidents involving open vulnerabilities and improper access configurations that permit malware installation on federal information technology systems cannot reoccur, including on systems hosted by commercial cloud service providers. I also hope to continue to work with you on passing my legislation and continuing to push for strong, thoughtful, cybersecurity policies.

As always, I appreciate your service in this important role.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement regarding the Iowa caucuses:

“As the Department of Homeland Security has said, there is no indication that the failures associated with the app from last night’s caucuses were the result of malicious cyber activity.

“But the continuing chaos in Iowa is illustrative of our overall failure to take sufficient steps to protect the integrity of our election systems.

“We need to look holistically at protecting the security, integrity, and resiliency of election systems – from registration systems, to e-poll books, voting machines, tabulation machines, and election night reporting systems. As the Senate Intelligence Committee has repeatedly emphasized, paper ballots are the least vulnerable to cyberattack, and at a minimum, all voter machines should have a voter-verified paper trail. What happened in Iowa last night underscores the necessity of all these measures were election-night systems to face a devastating hack.

“But what we’ve also seen is that this chaos has created an environment where misinformation is now running rampant online, further undermining confidence in the democratic process. As we’ve seen in the past, foreign actors like Russia and China won’t hesitate to latch onto this kind of content in order to add to the domestic discord and distrust in our elections.

“As we get further into the 2020 primaries, what happened in Iowa is an early warning sign that Congress, local officials, and the social media platform companies have much more work to do to ensure the integrity of our elections.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement after the United Kingdom announced its decision to allow Chinese equipment provider Huawei to help build its 5G wireless network:

“I am disappointed by the UK’s decision today, especially since the security risks are so well understood. But under current circumstances, I remain committed to working with the UK and other key allies to build more diverse and secure telecommunication options that provide competitive alternatives to Huawei. I have introduced legislation that seeks to accomplish that, including a Multilateral Telecommunications Security Fund, and hope the UK will commit to partnering on this effort in the coming months. It is critical that countries committed to building and maintaining secure networks come together. Current financial support by China for Huawei puts any Western alternative at a serious disadvantage.”

Sen. Warner, a former telecommunications entrepreneur, has been outspoken about the dangers of allowing the use of Huawei equipment in U.S. telecommunications infrastructure, and that of U.S. allies. Earlier this month, Sen. Warner and a bipartisan group of leading national security Senators introduced legislation to encourage and support U.S. innovation in the race for 5G, providing over $1 billion to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE. Last year, he and Sen. Marco Rubio (R-FL) warned the Trump Administration against using Huawei as a bargaining chip in trade negotiations, and urged Canadian Prime Minister Justin Trudeau to reconsider Huawei’s inclusion in Canada’s 5G development, introduction and maintenance.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), co-chair of the bipartisan Senate Cybersecurity Caucus, urged the Defense Health Agency to remove sensitive medical data belonging to servicemembers exposed online, where it remains vulnerable due to insecure data practices at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” wrote Sen. Warner. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others.”

He continued, “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices.”

In September 2019, Sen. Warner sought answers from TridentUSA Health Services regarding reports that many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. Following that letter, the images were removed but millions of records were left online. Nearly two months later, Sen. Warner called out the U.S. Department of Health and Human Services (HHS) for its failure to act following the exposure.

Since the letter to HHS, 16 systems, 31 million images and 1.5 million exam records have been removed from the internet. However, a significant number of personally identifiable and sensitive medical information belonging to servicemembers remains online, due to unsecured Army PACS.

In his letter to the Assistant Secretary, Sen. Warner asked the agency to remediate the situation immediately and posed the following questions for Assistant Secretary Thomas McCaffery:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.  

A copy of the letter can be found here and below.

Mr. Thomas McCaffery

Assistant Secretary of Defense for Health Affairs

Defense Health Agency

7700 Arlington Boulevard

Falls Church, VA 22042

Dear Mr. McCaffery,

As the healthcare sector becomes increasingly reliant on technology to deliver essential services to patients, it also faces rising threats from malicious actors that seek to compromise the personally identifiable and other sensitive information of Americans. As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans. It is with great alarm that I recently learned that unsecured Picture and Archiving Servers (PACS) at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have left personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find.

Following a report in September of 2019 highlighting the exposure of sensitive medical images belonging to millions of Americans through unsecured PACS, I wrote letters to two healthcare entities that controlled the PACS, and those images were removed. However, millions of records remained online. The following month, I wrote to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the remaining exposure of the personally identifiable information belonging to 6 million American patients. Since that letter, 16 systems, 31 million images and 1.5 million exam records were removed from the internet. However, I recently learned that a significant number of medical records belonging to servicemembers remain online. This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses; this itself should have triggered alarms by the hospital information security systems.

The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others. We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices. To better understand how this happened, I would like information about your organization’s oversight of the information security practices at military hospitals, particularly at Ft. Belvoir Medical Center and Womack Army Medical Center.

I ask that you immediately remediate this situation, and remove the vulnerable PACS from open access to the internet. To understand how these records have been exposed and accessed repeatedly by a German IP address, please also answer the following questions:

  1. Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
  2. Do you audit and monitor logs? 
  3. Do you require full-disk encryption and authentication for PACS?
  4. Do you require the hospitals to have a Chief Information Security Officer?
  5. Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.

Given the gravity of this issue, I would appreciate a response within two weeks.

Sincerely,

###

WASHINGTON – Today, a bipartisan group of leading national security Senators introduced legislation to encourage and support U.S. innovation in the race for 5G, providing over $1 billion to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE.  

Heavily subsidized by the Chinese government, Huawei is poised to become the leading commercial provider of 5G, with far-reaching effects for U.S. economic and national security. With close ties to the Communist Party of China, Chinese state-directed technology companies present unacceptable risks to our national security and to the integrity of information networks globally. However, U.S. efforts to convince foreign partners to ban Huawei from their networks have stalled amid concerns about a lack of viable, affordable alternatives.

Today’s bipartisan legislation, the Utilizing Strategic Allied (USA) Telecommunications Act, would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end.

“Every month that the U.S. does nothing, Huawei stands poised to become the cheapest, fastest, most ubiquitous global provider of 5G, while U.S. and Western companies and workers lose out on market share and jobs. Widespread adoption of 5G technology has the potential to unleash sweeping effects for the future of internet-connected devices, individual data security, and national security. It is imperative that Congress address the complex security and competitiveness challenges that Chinese-directed telecommunication companies pose,” said Sen. Mark R. Warner (D-VA), who co-founded the wireless company Nextel before entering public service and currently serves as Vice Chairman of the Senate Select Committee on Intelligence. “We need to move beyond observing the problem to providing alternatives for U.S. and foreign network operators.”

“When it comes to 5G technology, the decisions we make today will be felt for decades to come. The widespread adoption of 5G has the potential to transform the way we do business, but also carries significant national security risks. Those risks could prove disastrous if Huawei, a company that operates at the behest of the Chinese government, military, and intelligence services, is allowed to take over the 5G market unchecked. This legislation will help maintain America’s competitive advantage and protect our national security by encouraging Western competitors to develop innovative, affordable, and secure 5G alternatives,” said Sen. Richard Burr (R-NC), Chairman of the Senate Select Committee on Intelligence.

“The Trump Administration’s lecturing of our allies about the dangers of relying on the Chinese for 5G is no replacement for the development of 5G alternatives,” said Sen. Bob Menendez (D-NJ), Ranking Member of the Senate Foreign Relations Committee. “This bill, which will supply the U.S. government with resources to help the private sector create viable 5G alternatives from all ends of the supply chain, is a long overdue step in the right direction. As I’ve said over and over again, confronting China is not the same as being competitive with China. It is time we do just that.”

“We are at a critical point in history for defining the future of the U.S.-China relationship in the 21st century, and we cannot allow Chinese state-directed telecommunications companies to surpass American competitors,” Sen. Marco Rubio (R-FL), a member of the Senate Intelligence and Foreign Relations Committees, said. “It is not only in our national security interests to support American competition in the 5G market, but it is also in our economic interests to continue to build and support an economy that leverages American strengths and creates American jobs in the industries of the future without relying on malign Chinese state-directed actors like Huawei and ZTE.”

“We should not accept a world that is forced to rely on Chinese telecommunication companies to unlock the benefits of 5G and next generation wireless technologies,” said Sen. Michael Bennet (D-CO), a member of the Senate Intelligence Committee. “It is imperative for America’s competitiveness and security that we develop alternatives for U.S. and foreign network operators. This $1 billion investment will send a strong, bipartisan signal that the United States is committed to developing viable, secure, and cutting-edge alternatives to China’s 5G technology while eliminating dependence on technology that poses real security threats.”

“5G technology presents a host of opportunities to transform American telecommunications,” Sen. John Cornyn (R-TX), a member of the Senate Intelligence Committee, said. “By helping to spur innovations in 5G, we can inoculate ourselves against the threat posed by China and encourage the development of technology that is secure, affordable, and economically beneficial to our allies.”

The Utilizing Strategic Allied (USA) Telecommunications Act would:

  • Require the Federal Communications Commission (FCC) to direct at least $750 million, or up to 5 percent of annual auction proceeds, from new auctioned spectrum licenses to create an O-RAN R&D Fund to spur movement towards open-architecture, software-based wireless technologies, funding innovative, ‘leap-ahead’ technologies in the U.S. mobile broadband market. The fund would be managed by the National Telecommunications and Information Administration (NTIA), with input from the FCC, Defense Advanced Research Project Agency (DARPA), and National Institute of Standards and Technology (NIST), among others;
  • Create a $500 million Multilateral Telecommunications Security Fund, working with our foreign partners, available for 10 years to accelerate the adoption of trusted and secure equipment globally and to encourage multilateral participation, and require reports for Congress on use of proceeds and progress against goals to ensure ample oversight;
  • Create a transition plan for the purchase of new equipment by carriers that will be forward-compatible with forthcoming O-RAN equipment so small and rural carriers are not left behind;
  • Increase U.S. leadership in International Standards Setting Bodies (ISSBs) by encouraging greater U.S. participation in global and regional telecommunications standards forums and requiring the FCC write a report to Congress with specific recommendations;
  • Expand market opportunities for suppliers and promote economies of scale for equipment and devices by encouraging the FCC to harmonize new commercial spectrum allocations with partners where possible, thus promoting greater alignment with allies and driving down the cost of Huawei alternatives.

“VMware is very supportive of the Utilizing Strategic Allied (USA) Telecommunications Act. Moving towards an open, virtualized RAN infrastructure will speed up 5G network integration and rollout, while decreasing deployment costs. We thank Senator Warner for his approach, which will foster U.S.-led innovation in the mobile technology space and give carriers more secure options to buildout our next-generation wireless infrastructure,” said Allwyn Sequeira, SVP & GM of Telco Edge Cloud Products for VMware.

“The security of America's communications networks is an essential component in ensuring our nation's economic leadership, now and in the future. It requires all of us – the industry, the government and those who live and work here – collaborating on efforts to build and maintain smart and secure communications. Verizon appreciates the forward-thinking, bipartisan Members of Congress that introduced this bill today. We look forward to working with Congress as we move forward with this important measure,” said Robert Fisher, SVP Federal Government Relations, Verizon.

“AT&T applauds Senator Warner, Senator Burr and the bipartisan group of cosponsors for introducing legislation that will promote the development and deployment of open standards-based advanced telecommunications networks.  We look forward to working with Congress through the legislative process to see this measure enacted,” said Tim McKone, Executive Vice President, Federal Relations, AT&T.

“Juniper Networks supports the ‘USA Telecommunications Act’ introduced by Senator Mark Warner, Senator Richard Burr and the bipartisan group of original cosponsors. The development of open standards and deployment of open standards-based interoperable equipment are crucial to the building of secure 5G networks. The Trust Funds that the Warner-Burr bill proposes would boost R&D spending as well as U.S. leadership in 5G. We look forward to working with Congress and the Administration to get this bill enacted into law and implemented," said Manoj Leelanivas, Executive Vice President and Chief Product Officer, Juniper Networks.

Bill text is available here.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, voiced deep concerns with the ability of the U.S. Department of State to address the surge of offensive cyber activity by Iran. In a letter, which comes on the heels of a U.S. airstrike that killed Iranian general Qassem Soleimani, Sen. Warner notes Iran’s growing cybersecurity capabilities and presses Secretary Mike Pompeo for answers on how the Department plans to defend its information security systems in light of its long history of information breaches.

“The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns,” wrote Sen. Warner. “These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering.”

As recently as 2018, the Department of Justice indicted two Iranian individuals who conducted a 34-month-long international scheme, in which they used ransomware to extort hospitals, municipalities and public institutions, causing $30 million in losses.

In his letter, Sen. Warner cites two separate reports by the Department of State’s Office of the Inspector General (OIG) that detail a number of cybersecurity risks presented by the structure of the Department of State and by hiring freezes affecting the department. These risks include a diminished ability to respond to malicious cyber activity targeting personnel and information assets due to the hiring freeze, as well as a lack of cybersecurity oversight resulting in unauthorized and misconfigured network devices compromising the Department’s sensitive network.

“The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers,” wrote Sen. Warner. “In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors.”

Noting the Department of State’s cybersecurity vulnerabilities and the risks of Iran carrying out cyberattacks with disruptive effects, Sen. Warner posed the following questions for Secretary Pompeo, requesting an answer by January 31st:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up to date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?

Earlier this month, Sen. Warner cautioned the Trump Administration on the dangers of escalating tensions with Iran and urged the Administration to prepare for the long-term potential consequences of targeting Soleimani.

A copy of the letter can be found here and below.

The Honorable Mike Pompeo

Secretary of State

U.S. Department of State

2201 C Street NW

Washington, DC 20520

Dear Secretary Pompeo:

As tensions between the United States and Iran rise, and the risks of Iran carrying out cyberattacks with “disruptive effects” grow, I write to express my deep concern about the State Department’s ability to defend its information security systems and that of our embassies around the world, and request a plan for how you will bolster these systems. 

The Iranian government’s state-sponsored cybersecurity capabilities have grown in sophistication and intensity in recent years, and they have developed a number of advanced persistent threat (APT) groups that conduct various offensive operations. Examples include prolonged espionage, destructive malware and ransomware attacks, and social media manipulation through influence campaigns. These attacks serve both political and economic purposes, and use methods like password spray attacks, scanning for VPN vulnerabilities, DNS hijacking, spear-phishing emails, and social engineering. Iran’s threat group APT33 has been linked to notorious disk-wiping malware including SHAMOON and SHAPESHIFT (which attacked industrial systems across the Middle East and in Europe). As recently as 2018, the Department of Justice indicted two Iranian men for deploying ransomware to extort hospitals, municipalities, and public institutions, causing over $30 million in losses. 

In August 2019, the Department of State’s Office of Inspector General (OIG) issued a report on the effects of the hiring freeze on the State Department, finding in particular, serious impacts on the cybersecurity functions of the Department. The IG found the following:

The bureau was unable to fill two Senior Executive Service positions responsible for cybersecurity, which it said delayed implementing an enterprise risk management program for IT systems. The DS [Bureau of Diplomatic Security] Computer and Technical Security Directorate reported that staffing shortfalls hampered its ability to develop tools and procedures to react and respond to malicious cyber activity targeting Department personnel and information assets. DS also reported delays in conducting penetration testing of Department networks and providing IT security support for integrating cybersecurity for new and existing systems, which they attributed, in part, to the hiring freeze.

That IG report followed a 2017 report by the State Department OIG that noted a number of cybersecurity risks presented by the structure of the State Department. The report noted that the Chief Information Security Officer was not well placed to be held fully accountable for State Department cybersecurity issues, and highlighted an incident in Guatemala City where unauthorized and misconfigured network devices compromised the Department’s sensitive network.

The State Department has a long history of information security breaches, beginning with a series of blunders in the late 1990s, and including a massive and prolonged attack in 2014, when the National Security Agency (NSA) and Russian hackers fought for control of State Department servers. In September 2018, after an email breach of unclassified systems, a bipartisan group of Senators asked you how the State Department was addressing the issue. Two months later, hackers with suspected ties to the Russian government were found to be impersonating State Department officials in an attempt to infiltrate computers belonging to the U.S. government, the military, and defense contractors. In March 2019, a State Department contractor was convicted of theft and embezzlement of 16 computers from your organization.

Given Iran’s technical capabilities and threats to retaliate, as well as the State Department’s systemic organizational and functional problems addressing cybersecurity vulnerabilities, I ask you to answer the following questions on how the State Department will address a surge of offensive cyber activity by Iran:

  1. Currently, cybersecurity personnel are dispersed organizationally across different bureaus within the Department of State, and across embassies around the world. Since the OIG report was issued in August 2019, what personnel changes have you made to more efficiently and effectively address both the hiring freeze impacts and the earlier security and audit concerns presented by the OIG?
  2. The OIG report noted that the Chief Information Security Officer (CISO) of the Department of State lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO. In 2018 a study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) recommended that CISOs have clear and direct communication with the CEO, rather than just to the CIO. Most organizations provide at least a dotted-line reporting structure from the CISO to the CEO. What kind of direct communication do you have with the CISO, given that the position sits below a CIO and an Undersecretary?
  3. What kind of employee training changes have you made to protect employees from phishing and other social engineering attacks?
  4. What technical changes have you made within the information security organization of the State Department to protect against ransomware and wiper malware attacks?
  5. Have you addressed the August 2019 OIG report’s hiring concerns for information and IT security personnel at our embassies? Are you up to date on your information security audits? Does the State Department, at the very least, conduct routine scanning, patching, and utilize multifactor authentication?

I would appreciate your answers by January 31, 2020.

Sincerely,

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), the bipartisan co-chairs of the Senate Cybersecurity Caucus, issued a statement after convening a classified briefing with Senators and Chris Krebs, Director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), to discuss the growing threat posed by ransomware attacks:

“The continued prevalence of ransomware should really capture our attention. It’s costly, devastatingly high-impact, growing, and, in most cases, easily preventable with basic responsible cybersecurity practices.

“Ransomware and its destructive cousin wiperware are designed to inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions. While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States.

“We are glad our colleagues in the Senate Cybersecurity Caucus could join Director Krebs for this much-needed conversation about ways Congress and the federal government can better address this important issue.”

###