Press Releases

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and John Thune (R-SD) introduced the Drone Evaluation to Eliminate Cyber Threats Act of 2024 (DETECT Act), legislation directing the National Institute of Standards and Technology (NIST) to develop cybersecurity guidelines for the federal government’s use of drones.

Drones have the ability to collect sensitive information, and as they become more common, the security of this technology is of increasing importance. The DETECT Act would address cybersecurity concerns by directing the National Institute of Standards and Technology (NIST) to develop a set of guidelines. Following an implementation period, these guidelines would be binding on the federal government’s use of civilian drones; the private sector may voluntarily use these guidelines in its own operations.

“Drones and unmanned systems have the capability to transform the way we do business, manage our infrastructure, and deliver life-saving medicine, and as drones become a larger part of our society, it’s crucial that we ensure their safety and security,” said Sen. Warner. “This legislation will establish sensible cybersecurity guidelines for drones used by the federal government to ensure that sensitive information is protected while we continue to invest in this new technology.” 

“As the capabilities of drones continue to evolve and be utilized by both the federal government and the private sector, it’s critically important that they operate securely,” said Sen. Thune. “This common-sense legislation would require the federal government to follow stringent cybersecurity guidelines and protocols for drones and unmanned systems.”

Specifically, the DETECT Act:

  • Directs NIST to develop guidelines covering cybersecurity for civilian drones;
  • Directs OMB to test the guidelines by requiring one federal agency to implement them on a pilot basis;
  • Directs OMB, after the conclusion of the test period described above, to require every agency with civilian drones to implement policies and principles based on the NIST guidelines;
  • Directs OMB to issue guidance to agencies governing the reporting of security vulnerabilities discovered in drones used by the agencies;
  • Requires contractors who supply civilian drones or drone-related services to the federal government to report any security vulnerabilities discovered;
  • Directs the Federal Acquisition Regulatory Council to promulgate any necessary regulation to carry the foregoing contractor requirements into effect;
  • Forbids agencies from acquiring drones that do not meet the guidelines referenced above, subject to a waiver process under certain circumstances.

Sens. Warner and Thune have been strong supporters of the domestic production of unmanned systems, including driverless cars, drones, and unmanned maritime vehicles, and have taken steps to ensure that domestic production of drones is both safe and keeping up with global competitors. Last year, the senators introduced the Increasing Competitiveness for American Drones Act, legislation that would clear the way for drones to be used for commercial transport of goods across the country. Sen. Warner also championed legislation to prohibit federal dollars from being used to procure or operate drones from countries or companies identified as posing a national security threat, which was ultimately included in the National Defense Authorization Act (NDAA) of 2024.

“As the use of drones for multiple types of important operations – critical infrastructure inspection, public safety, agriculture, drone delivery, and more – has grown significantly in recent years, the need for cybersecurity standards for these critical mission tools has become evident,” said Michael Robbins, Chief Advocacy Officer of the Association for Uncrewed Vehicle Systems International. “To ensure safety and security, the U.S. must lead in this area. AUVSI thanks Senators Warner and Thune for their leadership in protecting our nation from cyber risks and supporting American leadership in advanced aviation.”

Full text of the legislation is available here.

###

Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, John Cornyn (R-TX), and Maggie Hassan (D-NH) launched a bipartisan working group to examine and propose potential legislative solutions in the HELP Committee jurisdiction to strengthen cybersecurity in the health care and public health sector. This effort comes at a time of record cybersecurity attacks on health care entities. Health records, unlike other personal records like credit card numbers, are more valuable on the black market since health conditions are permanent and cannot be reissued.  

According to the Department of Health and Human Services (HHS), a record 89 million Americans have already had their health information breached, more than double since last year. These cyberattacks severely impact health care operations, costing an average of $10 million per breach and leading to an interruption or long-term delay in care. Last year in Louisiana, hackers compromised almost 270,000 personal records, including health information. 

“As Chairman of the Senate Select Committee on Intelligence, I am acutely aware of the most serious threats facing our country, and I know that shoring up our cybersecurity is one of the best tools we have to protect ourselves and our sensitive materials. In no industry is this more obvious and important than health care, where such care is increasingly connected and even a brief period of interruption can have life and death consequences. I am proud to launch this bipartisan group to build on the policy options I have been exploring and better improve our cybersecurity through legislative fixes,” said Sen. Warner.  

“We are seeing a disturbing rise in cyberattacks on our health care system. These attacks not only put patients’ sensitive health data at risk but can delay life-saving care,” said Dr. Cassidy. “Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans’ crucial health data.” 

“Cyberattacks on health care organizations threaten the security of patients’ private medical information and can interrupt the delivery of critical care,” said Sen. Cornyn. “I am eager to join my colleagues in looking for solutions that shield our health care institutions and Americans from these dangerous crimes.” 

“Hospitals and doctor’s offices are increasingly facing cyberattacks that threaten to expose patients’ medical information and even shut down ERs,” said Sen. Hassan. “This is a particularly pressing challenge for rural doctors and hospitals, which often don’t have the resources necessary to protect against these threats. I am glad to join this bipartisan working group to find effective, commonsense ways to protect medical providers and patients from cyberattacks.” 

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, wrote to Office of Management and Budget (OMB) Director Shalanda Young, calling on OMB to fulfill requirements outlined in his Internet of Things Cybersecurity Improvement Act of 2020. Under the law, OMB was directed to complete a review of agency policies pertaining to IoT devices to ensure they are consistent with the National Institute of Standards and Technology (NIST) cybersecurity guidelines. Almost three years later, OMB has yet to complete this review.

“I acknowledge that the law has far-reaching impacts across the federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security,” Sen. Warner wrote. “I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.”

Sen. Warner recognized the progress made by the agency to issue guidance, but voiced frustration over the lack of urgency to review agency policies.

He continued, “We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December, 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.”

In order to ensure that OMB is taking appropriate steps to fulfill its obligations outlined in the Internet of Things Cybersecurity Improvement Act of 2020, Sen. Warner posed a series of questions to Director Young:

  • Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
  • What policies and principles has OMB issued to date to:
    • ensure agency policies and principles are consistent with the NIST standards and guidelines?
    • address security vulnerabilities of information systems?
  • Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
  • Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?

Sen. Warner, a former technology entrepreneur, is co-Chair of the Senate Cybersecurity Caucus and is a leader in the Senate on security issues related to the Internet of Things.

Text of the letter can be found here and below.

Dear Director Young,

I write today to express my concern and emphasize my support for the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 (Public Law No: 116-207). This Act, signed into law on December 4, 2020, requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take steps to increase the cybersecurity of Internet of Things (IoT) devices acquired by the Federal Government. NIST completed its statutory obligation – publishing IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements – on November 29, 2021. However, OMB has yet to uphold its own statutory obligation under the law – to review agency policies and principles pertaining to IoT devices to ensure those policies and principles are consistent with the NIST guidelines. Under the law, OMB was supposed to complete the agency review within 180 days of NIST’s publication but has yet to make significant progress on a key piece of implementation.

I acknowledge that the law has far-reaching impacts across the Federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security. The security of the Federal government’s IoT devices is a priority the Administration and I share, as outlined by Executive Order 14028, Improving the Nation’s Cybersecurity (EO 14028). Despite the requirements under this law and the aforementioned EO, I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.

Throughout 2022 and 2023, my office has been engaged with you in order to better understand where OMB stands in their implementation of this law. We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December, 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.  

We intended the IoT Cybersecurity Improvement Act to harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I would like to emphasize the importance of OMB’s implementation of the IoT Cybersecurity Improvement Act of 2020 and ask that you provide responses to the following questions within 60 days:

  1. Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
  2. What policies and principles has OMB issued to date to:
    1. ensure agency policies and principles are consistent with the NIST standards and guidelines?
    2. address security vulnerabilities of information systems?
  3. Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
  4. Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?

I applaud OMB’s continued efforts to improve Federal government cybersecurity, and look forward to continued engagement as you make progress with implementation of the IoT Cybersecurity Improvement Act of 2020.

Sincerely,

 

###

WASHINGTON – This week, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE), joined by Sens. Amy Klobuchar (D-MN) and John Thune (R-SD), introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The bill would also require these platforms to obtain consent from users for covered research and prohibit them from using features that result in compulsive usage by children and teens.

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they otherwise would not. These design tactics are frequently used by social media platforms to mislead consumers into agreeing to settings and practices more beneficial to the company. 

“Dark patterns – manipulative online designs that trick you into signing up for services you don’t want or spending money you don’t mean to – are everywhere online, and they make user experience worse, and data less secure. The DETOUR Act will end this practice while working to instill transparency and oversight that the tech world lacks,” said Sen. Warner. “Consumers shouldn’t have to navigate intentionally misleading interfaces and design features in order to protect their privacy.” 

“Manipulative 'dark pattern' interfaces trick users – including children – online. The ‘choices’ platforms present can often be deceptively obscured to exploit users' personal data and behavior,” said Sen. Fischer. “It’s wrong, and our bipartisan bill will finally crack down on this harmful practice. I encourage my colleagues to support the DETOUR Act to increase trust online and protect consumer privacy.”

Dark patterns can take various forms, pushing users into agreeing to terms stacked in favor of the service provider. These deceptive practices can include deliberately obscuring alternate choices or settings through design or other means or the use of privacy settings to push users to ‘agree’ as the default option while more privacy-friendly options can only be found through a much longer process, detouring through multiple screens. Frequently, users cannot find the alternate option, if it exists at all, and simply give up looking.

The result is that large online platforms have an unfair advantage over users and often force consumers to give up personal data such as their contacts, messages, web activity, or location for the benefit of the company.

The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb this manipulative behavior by prohibiting large online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:

  • Prohibits large online operators from designing, modifying, or manipulating a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.
  • Prohibits subdividing or segmenting consumers for the purposes of behavioral experiments without a consumer’s informed consent, which cannot be buried in a general contract or service agreement. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
  • Prohibits user design intended to create compulsive usage among children and teens under the age of 17 years old.

“Social media companies often trick users into giving up their personal data – everything from their thoughts and fears to their likes and dislikes – which they then sell to advertisers. These practices are designed to exploit people; not to serve them better. Senator Warner and Senator Fischer’s DETOUR Act would put a stop to the destructive and deceptive use of dark patterns,” said Imran Ahmed, CEO of the Center for Countering Digital Hate.

“Momentum is building, in Congress and across the states, to force tech companies to reduce the serious harm to kids and teens caused by the way that these companies design and operate their platforms,” said James P. Steyer, founder and CEO of Common Sense Media. “The reintroduction of the DETOUR Act comes at just the right time to add another important element of protection for children and their families. We applaud Senators Warner and Fischer for working together to try to stop companies from utilizing manipulative design features that trick kids into giving up more personal information and compulsive usage of their platforms for the sake of increasing their profits and engagement without regard for the harm it inflicts on kids.”

“The proposed legislation represents an important step towards reducing big tech companies’ use of dark patterns that prioritize user engagement over well-being. As a developmental scientist, I’m hopeful the DETOUR Act will encourage companies to adopt a child-centered approach to design that places children’s well-being front and center, reducing the burden on parents to look out for and avoid dark patterns in their children’s technology experiences,” said Katie Davis, EdD, Associate Professor at the University of Washington.

“The DETOUR Act proposed by Sen. Warner and co-sponsors represents a positive and important step to protect American consumers,” said Colin M. Gray, PhD, Associate Professor, Indiana University. “DETOUR provides a mechanism for independent oversight over large technology companies and curtailing the ability of these companies to use deceptive and manipulative design practices, such as ‘dark patterns,’ which have been shown to produce substantial harms to users. This legislation provides a foothold for regulators to better guard against deceptive and exploitative practices that have become rampant in many large technology companies, and which have had outsized impacts on children and underserved communities.”

Sen. Warner, a former tech entrepreneur, has been one of Congress’s leading voices calling for accountability in Big Tech. He has introduced several pieces of legislation aimed at addressing these issues, including the ACCESS Act earlier this week, which will promote competition in social media by making it easier to transport user data to new sites; the RESTRICT Act, which would comprehensively address the ongoing threat posed by technology from foreign adversaries; the SAFE TECH Act, which would reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, online harassment, and discrimination on social media platforms; and the Kids Online Safety Act, which would protect children online by providing young people and parents with the tools, safeguards, and transparency they need to protect against online harms. 

Full text of the bill is available here.

 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, today urged the Biden administration to build on its recently announced voluntary commitments from several prominent artificial intelligence (AI) leaders in order to promote greater security, safety, and trust in the rapidly developing AI field.

As AI is rolled out more broadly, researchers have repeatedly demonstrated a number of concerning, exploitable weaknesses in prominent products, including abilities to generate credible-seeming misinformation, develop malware, and craft sophisticated phishing techniques. On Friday, the Biden administration announced that several AI companies had agreed to a series of measures that would promote greater security and transparency. Sen. Warner wrote to the administration to applaud these efforts and laid out a series of next steps to bolster this progress, including extending commitments to less capable models, seeking consumer-facing commitments, and developing an engagement strategy to better address security risks.

“These commitments have the potential to shape developer norms and best practices associated with leading-edge AI models. At the same time, even less capable models are susceptible to misuse, security compromise, and proliferation risks,” Sen. Warner wrote. “As the current commitments stand, leading vendors do not appear inclined to extending these vital development commitments to the wider range of AI products they have released that fall below this threshold or have been released as open source models.”

The letter builds on Sen. Warner’s continued advocacy for the responsible development and deployment of AI. In April, Sen. Warner directly expressed concerns to several AI CEOs about the potential risks posed by AI, and called on companies to ensure that their products and systems are secure.

The letter also affirms Congress’ role in regulating AI, and expands on the annual Intelligence Authorization Act, legislation that recently passed unanimously through the Senate Select Committee on Intelligence. Sen. Warner urges the administration to adopt the strategy outlined in this pending bill as well as work with the FBI, CISA, ODNI, and other federal agencies to fully address the potential risks of AI technology.

Sen. Warner, a former tech entrepreneur, has been a vocal advocate for Big Tech accountability and a stronger national posture against cyberattacks and misinformation online. In addition to his April letters, he has introduced several pieces of legislation aimed at addressing these issues, including the RESTRICT Act, which would comprehensively address the ongoing threat posed by technology from foreign adversaries; the SAFE TECH Act, which would reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, online harassment, and discrimination on social media platforms; and the Honest Ads Act, which would require online political advertisements to adhere to the same disclaimer requirements as TV, radio, and print ads.

A copy of the letter can be found here and below. 

Dear President Biden,

I write to applaud the Administration’s significant efforts to secure voluntary commitments from leading AI vendors related to promoting greater security, safety, and trust through improved development practices. These commitments – largely applicable to these vendors’ most advanced products – can materially reduce a range of security and safety risks identified by researchers and developers in recent years. In April, I wrote to a number of these same companies, urging them to prioritize security and safety in their development, product release, and post-deployment practices. Among other things, I asked them to fully map dependencies and downstream implications of compromise of their systems; focus greater financial, technical and personnel resources on internal security; and improve their transparency practices through greater documentation of system capabilities, system limitations, and training data.

These commitments have the potential to shape developer norms and best practices associated with leading-edge AI models. At the same time, even less capable models are susceptible to misuse, security compromise, and proliferation risks. Moreover, a growing roster of highly-capable open source models have been released to the public – and would benefit from similar pre-deployment commitments contained in a number of the July 21st obligations. As the current commitments stand, leading vendors do not appear inclined to extending these vital development commitments to the wider range of AI products they have released that fall below this threshold or have been released as open source models. 

To be sure, responsibility ultimately lies with Congress to develop laws that advance consumer and patient safety, address national security and cyber-crime risks, and promote secure development practices in this burgeoning and highly consequential industry – and in the downstream industries integrating their products. In the interim, the important commitments your Administration has secured can be bolstered in a number of important ways. 

First, I strongly encourage your Administration to continue engagement with this industry to extend all of these commitments more broadly to less capable models that, in part through their wider adoption, can produce the most frequent examples of misuse and compromise.

Second, it is vital to build on these developer- and researcher-facing commitments with a suite of lightweight consumer-facing commitments to prevent the most serious forms of abuse. Most prominent among these should be commitments from leading vendors to adopt development practices, licensing terms, and post-deployment monitoring practices that prevent non-consensual intimate image generation, social-scoring, real-time facial recognition (in contexts not governed by existing legal protections or due process safeguards), and proliferation activity in the context of malicious cyber activity or the production of biological or chemical agents.

Lastly, the Administration’s successful high-level engagement with the leadership of these companies must be complemented by a deeper engagement strategy to track national security risks associated with these technologies. In June, the Senate Select Committee on Intelligence on a bipartisan basis advanced our annual Intelligence Authorization Act, a provision of which directed the President to establish a strategy to better engage vendors, downstream commercial users, and independent researchers on the security risks posed by, or directed at, AI systems.

This provision was spurred by conversations with leading vendors, who confided that they would not know how best to report malicious activity – such as suspected intrusions of their internal networks, observed efforts by foreign actors to generate or refine malware using their tools, or identified activity by foreign malign actors to generate content to mislead or intimidate voters.  To be sure, a highly-capable and well-established set of resources, processes, and organizations – including the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence’s Foreign Malign Influence Center – exist to engage these communities, including through counter-intelligence education and defensive briefings. Nonetheless, it appears that these entities have not been fully activated to engage the range of key stakeholders in this space. For this reason, I would encourage you to pursue the contours of the strategy outlined in our pending bill. 

Thank you for your Administration’s important leadership in this area. I look forward to working with you to develop bipartisan legislation in this area.

###

WASHINGTON — Today, U.S. Sen. Mark R. Warner (D-VA) issued the following statement after the Biden Administration announced new voluntary commitments from leading artificial intelligence (AI) companies promoting safety, security, and trust:

“I’m glad to see the Administration taking steps to address the security and trust of AI systems, but this is just the beginning. We must continue to ensure these systems, which are already being adopted and integrated into broader IT systems in areas as wide-ranging as consumer finance and critical infrastructure, are safe, secure, and trustworthy – including through consumer-facing commitments and rules. While we often hear AI vendors talk about their commitment to security and safety, we have repeatedly seen the expedited release of products that are exploitable, prone to generating unreliable outputs, and susceptible to misuse. These commitments are a step in the right direction, but, as I have said before, we need more than industry commitments. We also need some degree of regulation. That’s why I will continue to work diligently to ensure that vendors prioritize security, combat bias, and responsibly roll out new technologies.”

In April, Sen. Warner sent a series of letters to AI companies asking them to provide greater information on their safety, security, and integrity practices and commit to a series of best practices. A copy of the letters can be found here.

###

WASHINGTON - In an effort to prevent money laundering and stop crypto-facilitated crime and sanctions violations, a leading group of U.S. Senators is introducing new, bipartisan legislation requiring decentralized finance (DeFi) services to meet the same anti-money laundering (AML) and economic sanctions compliance obligations as other financial companies, including centralized crypto trading platforms, casinos, and even pawn shops.  The legislation also modernizes key Treasury Department anti-money laundering authorities, and sets new requirements to ensure that “crypto kiosks” don’t become a vector for laundering the proceeds of illicit activities.

DeFi generally refers to applications that facilitate peer-to-peer financial transactions that are recorded on blockchains.  The most prominent example of DeFi is so-called “decentralized exchanges,” where automated software purportedly allows users to trade cryptocurrencies without using intermediaries.

By design, DeFi provides anonymity.  This can allow malicious and criminal actors to evade traditional financial regulatory tools, including longstanding and well-developed rules requiring financial institutions to monitor all transactions and report suspected money laundering and financial crime to the Financial Crimes Enforcement Network (FinCEN), which is a bureau of the U.S. Treasury Department.  This allows DeFi to be used to launder criminal proceeds and fund more crime.

Criminals, drug traffickers, and hostile state actors such as North Korea have all demonstrated a propensity for using DeFi as a preferred method of transferring and laundering ill-gotten gains.  These bad actors have been quick to recognize how DeFi can be exploited to advance nefarious activities like cross-border fentanyl trafficking and financing the development of weapons of mass destruction.

According to the most recent U.S. National Money Laundering Risk Assessment: “DeFi services often involve no AML or other processes to identify customers.”  According to another recent Treasury Department report, “illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds. To accomplish this, illicit actors are exploiting vulnerabilities in the U.S. and foreign AML regulatory, supervisory, and enforcement regimes as well as the technology underpinning DeFi services.”

Noting that transparency and sensible rules are vital for protecting the financial system from crime, U.S. Senators Jack Reed (D-RI), Mike Rounds (R-SD), Mark Warner (D-VA), and Mitt Romney (R-UT) today unveiled the Crypto-Asset National Security Enhancement and Enforcement (CANSEE) Act (S. 2355).  This legislation targets money laundering and sanctions evasion involving DeFi.

The CANSEE Act would end special treatment for DeFi by applying the same national security laws that apply to banks and securities brokers, casinos and pawn shops, and even other cryptocurrency companies like centralized trading platforms.  That means DeFi services would be forced to meet basic obligations, most notably to maintain AML programs, conduct due diligence on their customers, and report suspicious transactions to FinCEN.

These requirements will close an attractive avenue for money laundering that has been routinely exploited over the past several months by the North Korean government, Chinese chemicals manufacturers, Mexican drug cartels, cybercriminals, ransomware attackers, scammers, and a host of other bad actors. 

The legislation also makes clear that if a sanctioned person, like a Russian oligarch, uses a DeFi service to evade U.S. sanctions, then anyone who controls that project will be liable for facilitating that violation.  If nobody controls a DeFi service, then—as a backstop—anyone who invests more than $25 million in developing the project will be responsible for these obligations.

The CANSEE Act would also require operators of crypto kiosks (also known as crypto ATMs) to improve traceability of funds by verifying the identities of each counterparty to each transaction using a kiosk.  Unless these vulnerabilities are addressed, criminals will continue to exploit these kiosks to launder money from drug trafficking, human trafficking, scams, and other crimes.

Featuring an interface similar to regular ATMs, crypto ATMs are often found at convenience stores, laundromats, and gas stations.  Users can insert cash or a debit card into the machine to turn their real money into cryptocurrency, which is then transferred into a digital wallet that can then be accessed by scammers.   Once a transfer is complete, users cannot get their money back.  Currently, there are about 30,600 crypto ATMs across the country – up from 1,200 in 2018, according to Coin ATM Radar.

Finally, the CANSEE Act makes important updates to the Treasury Department’s authority to require participants in the U.S. financial system to take special measures against money laundering threats.  Currently, these authorities are limited to transactions conducted in the traditional banking system.  But as new technologies like cryptocurrency increasingly enable new ways to conduct financial transactions, it is critical to extend Treasury’s authority to crack down on illicit financial activity that may occur outside the banking sector.

“DeFi and crypto ATMs are part of a largely unregulated technology that needs stronger oversight and guardrails to prevent rampant money laundering and sanctions evasion,” said Sen. Reed. “This legislation bolsters the Treasury Department’s tools to protect our national and economic security. Drug cartels, sex traffickers, and the like shouldn’t be able to use DeFi platforms to avoid justice – their victims deserve better.  Our bill  will also ensure that law enforcement has access to better information about cryptocurrency transactions, which they need to fight crimes like cross-border drug trafficking, weapons proliferation, and ransomware attacks.  We must protect the integrity of the financial system from new and emerging threats from the worst criminal organizations and malicious state actors.”

“Our adversaries and criminals worldwide are using creative ways every day to take advantage of the United States financial system and we should not allow them to exploit American innovation to evade sanctions and money launder,” said Sen. Rounds. “As more Americans start to use and invest in cryptocurrency, both DeFi platforms and crypto kiosks remain in the blind spot of regulation. This targeted legislation kicks off an important debate on how to protect our financial system and give law enforcement the tools they need to prosecute bad actors.” 

“As Chair of the Senate Intelligence Committee, I remain deeply concerned that criminals and rogue states continue to use crypto to launder money, evade sanctions, and conceal illicit activity. The targeted package we’re introducing today will help address specific problems in decentralized finance and crypto kiosks, and incorporates the Special Measures to Address Modern Threats bill I introduced in the last Congress to modernize FinCEN’s existing anti-money laundering authorities,” said Sen. Warner. “I believe these focused measures will help maintain the robust AML and sanctions enforcement we need to protect our national security, while allowing participants who play by the rules to continue to take advantage of the potential of distributed ledger technologies.”

“Malign actors—including China-based fentanyl manufacturers and drug cartels operating along the southern border—are capitalizing on existing loopholes under current law to evade sanctions using decentralized finance services,” said Sen. Romney. “By fortifying U.S. anti-money laundering frameworks, our legislation cracks down on crypto-facilitated crimes and ultimately reinforces our national security.”

###

WASHINGTON — Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement after reports of a breach of Microsoft email accounts at over two dozen organizations, including government agencies, by China-based hackers:

“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence. It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) today announced $1,820,000 for Virginia universities to research and develop AI capabilities to mitigate cyberattacks. Federal funding will allow the University of Virginia and Norfolk State University to study innovative AI-based approaches to cybersecurity. Researchers from these institutions will collaborate with teams at 10 additional educational institutions and 20 private industry partners to develop revolutionary methods to counter cyberattacks in which AI-enabled intelligent security agents will cooperate with humans to build more resilient networks.

“Addressing the cybersecurity threats that our nation faces requires constant adaptation and innovation, and utilizing AI to counter these threats is an incredibly exciting use-case for this emerging technology,” said Sen. Warner. “This funding will allow teams at the University of Virginia and Norfolk State to do groundbreaking research on ways AI can help safeguard against cyberattacks. I congratulate UVA and NSU on receiving this funding, and I can’t wait to see what they discover and develop.”

The funding is distributed as follows:

  • Norfolk State University will receive $975,000.
  • University of Virginia will receive $845,000.

Funding for these awards is provided jointly by the National Science Foundation, the Department of Homeland Security, and IBM. Investments are designed to build a diverse AI workforce across the United States. 

Sen. Warner, a former tech entrepreneur, has been a vocal advocate for improving cybersecurity and security-oriented design by AI companies. In April, he sent a series of letters to CEOs of several AI companies urging them to prioritize security, combat bias, and responsibly roll out new technologies. In November 2022, he published “Cybersecurity is Patient Safety,” a policy options paper that outlined current cybersecurity threats facing health care providers and offered a series of policy solutions to improve cybersecurity. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. He has also introduced several pieces of legislation aimed at building a more secure internet, including the RESTRICT Act, which would comprehensively address the ongoing threat posed by technology from foreign adversaries, and the SAFE TECH Act, which would reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, online harassment, and discrimination on social media platforms.

### 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, today urged CEOs of several artificial intelligence (AI) companies to prioritize security, combat bias, and responsibly roll out new technologies. In a series of letters, Sen. Warner expressed concerns about the potential risks posed by AI technology, and called on companies to ensure that their products and systems are secure.

In the past several years, AI technology has rapidly advanced while chatbots and other generative AI products have simultaneously widened the accessibility of AI products and services. As these technologies are rolled out broadly, open source researchers have repeatedly demonstrated a number of concerning, exploitable weaknesses in prominent products, including abilities to generate credible-seeming misinformation, develop malware, and craft sophisticated phishing techniques.

“[W]ith the increasing use of AI across large swaths of our economy, and the possibility for large language models to be steadily integrated into a range of existing systems, from healthcare to finance sectors, I see an urgent need to underscore the importance of putting security at the forefront of your work,” Sen. Warner wrote. “Beyond industry commitments, however, it is also clear that some level of regulation is necessary in this field.”

Sen. Warner highlighted several specific security risks associated with AI, including data supply chain security and data poisoning attacks. He also expressed concerns about algorithmic bias, trustworthiness, and potential misuse or malicious use of AI systems.

The letters include a series of questions for companies developing large-scale AI models to answer, aimed at ensuring that they are taking appropriate measures to address these security risks. Among the questions are inquiries about companies' security strategies, limits on third-party access to their models that undermine the ability to evaluate model fitness, and steps taken to ensure secure and accurate data inputs and outputs. Recipients of the letter include the CEOs of OpenAI, Scale AI, Meta, Google, Apple, Stability AI, Midjourney, Anthropic, Percipient.ai, and Microsoft.

Sen. Warner, a former tech entrepreneur, has been a vocal advocate for Big Tech accountability and a stronger national posture against cyberattacks and misinformation online. He has introduced several pieces of legislation aimed at addressing these issues, including the RESTRICT Act, which would comprehensively address the ongoing threat posed by technology from foreign adversaries; the SAFE TECH Act, which would reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, online harassment, and discrimination on social media platforms; and the Honest Ads Act, which would require online political advertisements to adhere to the same disclaimer requirements as TV, radio, and print ads.

A copy of the letters can be found here and below. 

I write today regarding the need to prioritize security in the design and development of artificial intelligence (AI) systems. As companies like yours make rapid advancements in AI, we must acknowledge the security risks inherent in this technology and ensure AI development and adoption proceeds in a responsible and secure way. While public concern about the safety and security of AI has been on the rise, I know that work on AI security is not new. However, with the increasing use of AI across large swaths of our economy, and the possibility for large language models to be steadily integrated into a range of existing systems, from healthcare to finance sectors, I see an urgent need to underscore the importance of putting security at the forefront of your work. Beyond industry commitments, however, it is also clear that some level of regulation is necessary in this field.

I recognize the important work you and your colleagues are doing to advance AI. As a leading company in this emerging technology, I believe you have a responsibility to ensure that your technology products and systems are secure. I have long advocated for incorporating security-by-design, as we have found time and again that failing to consider security early in the product development lifecycle leads to more costly and less effective security. Instead, incorporating security upfront can reduce costs and risks. Moreover, the last five years have demonstrated the ways in which the speed, scale, and excitement associated with new technologies have frequently obscured the shortcomings of their creators in anticipating the harmful effects of their use. AI capabilities hold enormous potential; however, we must ensure that they do not advance without appropriate safeguards and regulation.

While it is important to apply many of the same security principles we associate with traditional computing services and devices, AI presents a new set of security concerns that are distinct from traditional software vulnerabilities. Some of the AI-specific security risks that I am concerned about include the origin, quality, and accuracy of input data (data supply chain), tampering with training data (data poisoning attacks), and inputs to models that intentionally cause them to make mistakes (adversarial examples). Each of these risks further highlights the need for secure, quality data inputs. Broadly speaking, these techniques can effectively defeat or degrade the integrity, security, or performance of an AI system (including the potential confidentiality of its training data). As leading models are increasingly integrated into larger systems, often without fully mapping dependencies and downstream implications, the effects of adversarial attacks on AI systems are only magnified.

In addition to those risks, I also have concerns regarding bias, trustworthiness, and potential misuse or malicious use of AI systems. In the last six months, we have seen open source researchers repeatedly exploit a number of prominent, publicly-accessible generative models – crafting a range of clever (and often foreseeable) prompts to easily circumvent a system’s rules. Examples include using widely-adopted models to generate malware, craft increasingly sophisticated phishing techniques, contribute to disinformation, and provide harmful information. It is imperative that we address threats to not only digital security, but also threats to physical security and political security.

In light of this, I am interested in learning about the measures that your company is taking to ensure the security of its AI systems. I request that you provide answers to the following questions no later than May 26, 2023.

Questions: 

1. Can you provide an overview of your company’s security approach or strategy?

2. What limits do you enforce on third-party access to your model and how do you actively monitor for non-compliant uses?

3. Are you participating in third party (internal or external) test & evaluation, verification & validation of your systems?

4. What steps have you taken to ensure that you have secure and accurate data inputs and outputs? Have you provided comprehensive and accurate documentation of your training data to downstream users to allow them to evaluate whether your model is appropriate for their use?

5. Do you provide complete and accurate documentation of your model to commercial users? Which documentation standards or procedures do you rely on?

6. What kind of input sanitization techniques do you implement to ensure that your systems are not susceptible to prompt injection techniques that pose underlying system risks?

7. How are you monitoring and auditing your systems to detect and mitigate security breaches?

8. Can you explain the security measures that you take to prevent unauthorized access to your systems and models?

9. How do you protect your systems against potential breaches or cyberattacks? Do you have a plan in place to respond to a potential security incident? What is your process for alerting users that have integrated your model into downstream systems?

10. What is your process for ensuring the privacy of sensitive or personal information that your system uses?

11. Can you describe how your company has handled past security incidents?

12. What security standards, if any, are you adhering to? Are you using NIST’s AI Risk Management Framework?

13. Is your company participating in the development of technical standards related to AI and AI security?

14. How are you ensuring that your company continues to be knowledgeable about evolving security best practices and risks?

15. How is your company addressing concerns about AI trustworthiness, including potential algorithmic bias and misuse or malicious use of AI?

16. Have you identified any security challenges unique to AI that you believe policymakers should address?

Thank you for your attention to these important matters and I look forward to your response. 

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Marsha Blackburn (R-TN) joined Reps. Doris Matsui (D-CA-07) and Zach Nunn (R-IA-03) in reintroducing the Enhancing K-12 Cybersecurity Act, legislation to strengthen cybersecurity at America’s K-12 schools by promoting access to information, better tracking cyberattacks nationally, and providing new cybersecurity resources.

“As cyberattacks continue to expose private information and disrupt infrastructure across industries, including in education, with increased frequency, we must ensure that schools are in the best position possible to prevent and respond to attacks,” said Sen. Warner. “This legislation will put in place necessary procedures to protect our students’ data and keep sensitive information private.”

“Cyberattacks continue to grow in size, frequency, and complexity in critical U.S. institutions, including in America’s schools,” said Sen. Blackburn. “We must ensure that our education sector is equipped to address these threats and keep students’ personal information private. This bipartisan and bicameral legislation will improve the cybersecurity tracking system for schools and provide them with necessary training resources and best practices for prevention.”

“From ransomware to data breaches, cyberattacks targeting our K-12 schools are growing increasingly sophisticated and common, necessitating a robust response to keep our students and teachers safe,” said Rep. Matsui. “Cybercriminals are rapidly evolving their strategies to cause chaos and disruption, yet a lack of resources for our schools is forcing them to do more with less. The Enhancing K-12 Cybersecurity Act would establish a crucial roadmap to prepare our K-12 cyberinfrastructure for future attacks.”

“When I was working on the White House’s National Security Council, I witnessed firsthand how important it is to prioritize cybersecurity. With these crimes on the rise, it’s imperative that we provide our schools with the tools to keep students’ information secure,” said Rep. Nunn. “In the wake of the ransomware incident in January, I’m proud to work across the aisle to ensure our schools have the resources and training they need to protect students.”

Cyberattacks targeting schools are increasing in frequency and severity. These attacks have threatened students’ privacy and caused harmful classroom disruptions. According to the K-12 Cybersecurity Resource Center, from 2016-2021 there were over 1,300 publicly disclosed cyber incidents involving education organizations across all 50 states. These cyber incidents included ransomware, data breaches, and denial-of-service attacks, among others.

Last September, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a Cybersecurity Advisory outlining the significant cyber threat facing K-12 institutions, noting certain cybercriminals are “disproportionately targeting the education sector with ransomware attacks,” and that they anticipated increases in such attacks. As schools continue to expand the use of digital platforms to engage students, the Enhancing K-12 Cybersecurity Act provides additional resources to address cyber threats and protect personal information.

Specifically, this bill:

  • Directs the Cybersecurity and Infrastructure Security Agency Director to establish a Cybersecurity Information Exchange to disseminate information, best practices, and grant opportunities to improve cybersecurity.
  • Establishes a Cybersecurity Incident Registry within CISA to track incidents of cyberattacks on elementary and secondary schools. Information submitted to the Registry is strictly voluntary and will help improve data collection to coordinate activities related to the nationwide monitoring of the incidence and financial impact of cyberattacks.
  • Directs CISA to establish the K-12 Cybersecurity Technology Improvement Program to be administered through an information and analysis organization to deploy cybersecurity capabilities that will help address cybersecurity risks and threats to information systems of K-12 schools. This approach will capitalize on the existing services and expertise of organizations like MS-ISAC & others to ensure maximum impact of funds. The bill authorizes $10 million per year for FYs ‘24 & ‘25 to fund the Technology Improvement Program.

Full text of the Enhancing K-12 Cybersecurity Act is available here.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and John Thune (R-SD), lead sponsors of the RESTRICT Act, legislation that will comprehensively address the ongoing threat posed by technology from foreign adversaries, released a statement in response to TikTok CEO Shou Zi Chew’s testimony today before the House Energy and Commerce Committee:

“Under PRC law, all Chinese companies, including TikTok, whose parent company is based in Beijing, are ultimately required to do the bidding of Chinese intelligence services, should they be called upon to do so. Nothing we heard from Mr. Chew today assuaged those concerns. It is vital for Congress to establish a process to review and mitigate the harms posed by foreign technology products that come from places like China and Russia. We are encouraged by the quick momentum and strong bipartisan support for our legislation and expect that it will only grow following today’s testimony.”

Sen. Warner, Chairman of the Senate Select Committee on Intelligence, and Sen. Thune, ranking member of the Commerce Committee’s Subcommittee on Communications, Media and Broadband, recently introduced the RESTRICT Act along with a bipartisan coalition of co-sponsors, including U.S. Sens. Tammy Baldwin (D-WI), Deb Fischer (R-NE), Joe Manchin (D-WV), Jerry Moran (R-KS), Michael Bennet (D-CO), Dan Sullivan (R-AK), Kirsten Gillibrand (D-NY), Susan Collins (R-ME), Martin Heinrich (D-NM), Mitt Romney (R-UT), Ben Ray Lujan (D-NM), Shelley Moore Capito (R-WV), Tim Kaine (D-VA), Kevin Cramer (R-ND), Richard Blumenthal (D-CT), Chuck Grassley (R-IA), John Hickenlooper (D-CO), and Thom Tillis (R-NC). 

### 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement ahead of TikTok CEO Shou Zi Chew’s testimony before the House Energy and Commerce Committee tomorrow:

“While I appreciate Mr. Chew’s willingness to answer questions before Congress, TikTok’s lack of transparency, repeated obfuscations, and misstatements of fact have severely undermined the credibility of any statements by TikTok employees, including Mr. Chew. Congress needs to give the administration the tools to review and mitigate the harms posed by foreign technology products that come from adversarial nations. I’m proud to say that 20 senators have already signed on to the RESTRICT Act, our bipartisan legislation that would do just that.”

Sen. Warner recently introduced the RESTRICT Act along with Sen. John Thune (R-SD) to address the threat posed by the use of technology, like TikTok, from foreign adversaries. The legislation is co-sponsored by U.S. Sens. Tammy Baldwin (D-WI), Deb Fischer (R-NE), Joe Manchin (D-WV), Jerry Moran (R-KS), Michael Bennet (D-CO), Dan Sullivan (R-AK), Kirsten Gillibrand (D-NY), Susan Collins (R-ME), Martin Heinrich (D-NM), Mitt Romney (R-UT), Ben Ray Lujan (D-NM), Shelley Moore Capito (R-WV), Tim Kaine (D-VA), Kevin Cramer (R-ND), Richard Blumenthal (D-CT), Chuck Grassley (R-IA), John Hickenlooper (D-CO), and Thom Tillis (R-NC). 

### 

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and John Thune (R-SD), ranking member of the Commerce Committee’s Subcommittee on Communications, Media and Broadband, announced six new bipartisan co-sponsors for the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, legislation that will comprehensively address the ongoing threat posed by technology from foreign adversaries by better empowering the Department of Commerce to review, prevent, and mitigate information communications and technology transactions that pose undue risk to our national security.

U.S. Sens. Ben Ray Lujan (D-NM), Shelley Moore Capito (R-WV), Tim Kaine (D-VA), Kevin Cramer (R-ND), Richard Blumenthal (D-CT), and Chuck Grassley (R-IA) have signed on to the bill in the last week. This announcement brings the total number of cosponsors to 18 – nine Democrats and nine Republicans. The legislation has also been endorsed by the White House.

“We are pleased by the growing support for our sensible, bipartisan bill to establish a comprehensive, risk-based approach to tackle technology threats from countries like China and Russia,” said Sens. Warner and Thune.

The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act would:

  • Require the Secretary of Commerce to establish procedures to identify, deter, disrupt, prevent, prohibit, and mitigate transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security;
  • Prioritize evaluation of information communications and technology products used in critical infrastructure, integral to telecommunications products, or pertaining to a range of defined emerging, foundational, and disruptive technologies with serious national security implications;
  • Ensure comprehensive actions to address risks of untrusted foreign information communications and technology products by requiring the Secretary to take up consideration of concerning activity identified by other government entities;
  • Educate the public and business community about the threat by requiring the Secretary of Commerce to coordinate with the Director of National Intelligence to provide declassified information on how transactions denied or otherwise mitigated posed undue or unacceptable risk.

“The technology challenges that we face require a strong approach to protect Americans online from our foreign adversaries,” said Sen. Luján. “I’m proud to co-sponsor the bipartisan RESTRICT Act to improve the federal government’s capabilities to address growing technology threats to our national security.”

“Beyond the piecemeal attempts we have seen in the past, the RESTRICT Act provides a holistic approach to dealing with current and emerging technologies emanating from our foreign adversaries that pose an undue risk to the national security of our country. I was proud to join my colleagues on Day One of this legislation, which establishes a clear plan to address these risks and threats,” Sen. Capito said.

“As a member of the Senate Armed Services and Foreign Relations Committees, America’s national security is one of my top priorities,” said Sen. Kaine. “That’s why I’m proud to cosponsor the RESTRICT Act. This comprehensive legislation would help address 21st century technological threats posed by foreign adversaries, who may seek to manipulate Americans’ personal data, or track U.S. military personnel, assets, or their families, among other dangerous steps. There is bipartisan agreement on the need to counter these threats and it’s time to turn that agreement into action.”

“Digital security is national security, and much like foreign purchases of land in the U.S., we ought to carefully scrutinize the technology products we use daily and store our personal data. This bill will establish a process to quickly identify and respond to foreign technology while making the public aware of the real threats they face,” said Sen. Cramer.

“The risks are unacceptable—foreign powers exploiting tech platforms like TikTok and Huawei to undercut our national security must be stopped,” said Sen. Blumenthal. “The reasons for passing the RESTRICT Act are real and urgent—preventing espionage and privacy invasion. This bipartisan measure should command broad support.”

A two-page summary of the bill is available here. A copy of the bill text is available here.

### 

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, released the following statement today after the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for health care organizations looking to bolster their cybersecurity:

“As cyber criminals continue to target health systems in order to steal or hold for ransom the sensitive medical data of American patients and jeopardize the daily operations of health care providers, I am pleased to see the Department of Health and Human Services issue new voluntary guidance to bolster health care cybersecurity. I applaud the Health Sector Coordinating Council Cybersecurity Working Group for working to translate cyber practices into appropriate standards for providers in the health care space. I look forward to continuing to work with cyber experts, health stakeholders, and officials in the Biden Administration to determine which voluntary measures we need to start requiring to ensure patient safety.”  

Sen. Warner, co-chair of the Senate Cybersecurity Caucus and a former technology entrepreneur, has long sounded the alarm about the importance of safeguarding our nation’s critical infrastructure – including our health care systems. In November, he authored and published a policy options paper outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. 

### 

WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and John Thune (R-SD), ranking member of the Commerce Committee’s Subcommittee on Communications, Media and Broadband, led a group of 12 bipartisan senators to introduce the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, legislation that will comprehensively address the ongoing threat posed by technology from foreign adversaries by better empowering the Department of Commerce to review, prevent, and mitigate information communications and technology transactions that pose undue risk to our national security.

“Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S. Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” said Sen. Warner. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

“Congress needs to stop taking a piecemeal approach when it comes to technology from adversarial nations that pose national security risks,” said Sen. Thune. “Our country needs a process in place to address these risks, which is why I’m pleased to work with Senator Warner to establish a holistic, methodical approach to address the threats posed by technology platforms – like TikTok – from foreign adversaries. This bipartisan legislation would take a necessary step to ensure consumers’ information and our communications technology infrastructure is secure.”

The RESTRICT Act establishes a risk-based process, tailored to the rapidly changing technology and threat environment, by directing the Department of Commerce to identify and mitigate foreign threats to information and communications technology products and services.

In addition to Sens. Warner and Thune, the legislation is co-sponsored by Sens. Tammy Baldwin (D-WI), Deb Fischer (R-NE), Joe Manchin (D-WV), Jerry Moran (R-KS), Michael Bennet (D-CO), Dan Sullivan (R-AK), Kirsten Gillibrand (D-NY), Susan Collins (R-ME), Martin Heinrich (D-NM), and Mitt Romney (R-UT).

The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act would:

  • Require the Secretary of Commerce to establish procedures to identify, deter, disrupt, prevent, prohibit, and mitigate transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security;
  • Prioritize evaluation of information communications and technology products used in critical infrastructure, integral to telecommunications products, or pertaining to a range of defined emerging, foundational, and disruptive technologies with serious national security implications;
  • Ensure comprehensive actions to address risks of untrusted foreign information communications and technology products by requiring the Secretary to take up consideration of concerning activity identified by other government entities;
  • Educate the public and business community about the threat by requiring the Secretary of Commerce to coordinate with the Director of National Intelligence to provide declassified information on how transactions denied or otherwise mitigated posed undue or unacceptable risk.

“We need to protect Americans’ data and keep our country safe against today and tomorrow’s threats. While many of these foreign-owned technology products and social media platforms like TikTok are extremely popular, we also know these products can pose a grave danger to Wisconsin’s users and threaten our national security,” said Sen. Baldwin. “This bipartisan legislation will empower us to respond to our fast-changing environment – giving the United States the tools it needs to assess and act on current and future threats that foreign-owned technologies pose to Wisconsinites and our national security.”

“There are a host of dangerous technology platforms – including TikTok – that can be manipulated by China and other foreign adversaries to threaten U.S. national security and abuse Americans’ personal data. I’m proud to join Senator Warner in introducing bipartisan legislation that would put an end to disjointed interagency responses and strengthen the federal government’s ability to counter these digital threats,” said Sen. Fischer.

“Over the past several years, foreign adversaries of the United States have encroached on American markets through technology products that steal sensitive location and identifying information of U.S. citizens, including social media platforms like TikTok. This dangerous new internet infrastructure poses serious risks to our nation’s economic and national security,” said Sen. Manchin. “I’m proud to introduce the bipartisan RESTRICT ACT, which will empower the Department of Commerce to adopt a comprehensive approach to evaluating and mitigating these threats posed by technology products. As Chairman of the Senate Armed Services Subcommittee on Cybersecurity, I will continue working with my colleagues on both sides of the aisle to get this critical legislation across the finish line.”

“Foreign adversaries are increasingly using products and services to collect information on American citizens, posing a threat to our national security,” said Sen. Moran. “This legislation would give the Department of Commerce the authority to help prevent adversarial governments from introducing harmful products and services in the U.S., providing us the long-term tools necessary to combat the infiltration of our information and communications systems. The government needs to be vigilant against these threats, but a comprehensive data privacy law is needed to ensure Americans are able to control who accesses their data and for what purpose.”

“We shouldn’t let any company subject to the Chinese Communist Party’s dictates collect data on a third of our population – and while TikTok is just the latest example, it won’t be the last. The federal government can’t continue to address new foreign technology from adversarial nations in a one-off manner; we need a strategic, enduring mechanism to protect Americans and our national security. I look forward to working in a bipartisan way with my colleagues on the Senate Select Intelligence Committee to send this bill to the floor,” said Sen. Bennet.

“Our modern economy, communication networks, and military rely on a range of information communication technologies. Unfortunately, some of these technology products pose a serious risk to our national security,” said Sen. Gillibrand. “The RESTRICT Act will address this risk by empowering the Secretary of Commerce to carefully evaluate these products and ensure that they do not endanger our critical infrastructure or undermine our democratic processes.”

“China’s brazen incursion of our airspace with a sophisticated spy balloon was only the most recent and highly visible example of its aggressive surveillance that has targeted our country for years.  Through hardware exports, malicious software, and other clandestine means, China has sought to steal information in an attempt to gain a military and economic edge,” said Sen. Collins. “Rather than taking a piecemeal approach to these hostile acts and reacting to each threat individually, our legislation would create a wholistic, government-wide response to proactively defend against surveillance attempts by China and other adversaries.  This will directly improve our national security as well as safeguard Americans’ personal information and our nation’s vital intellectual property.”

“Cybersecurity is one of the most serious economic and national security challenges we face as a nation. The future of conflict is moving further away from the battlefield and closer to the devices and the networks everyone increasingly depends on. We need a systemic approach to addressing potential threats posed by technology from foreign adversaries. This bill provides that approach by authorizing the Administration to review and restrict apps and services that pose a risk to Americans’ data security. I will continue to push for technology defenses that the American people want and deserve to keep our country both safe and free,” said Sen. Heinrich.

“The Chinese Communist Party is engaged in a multi-generational, multi-faceted, and systematic campaign to replace the United States as the world’s superpower. One tool at its disposal—the ability to force social media companies headquartered in China, like TikTok’s parent company, to hand over the data it collects on users,” said Sen. Romney. “Our adversaries—countries like China, Russia, Iran—are increasingly using technology products to spy on Americans and discover vulnerabilities in our communications infrastructure, which can then be exploited. The United States must take stronger action to safeguard our national security against the threat technology products pose and this legislation is a strong step in that direction.”

A two-page summary of the bill is available here. A copy of the bill text is available here.

### 

WASHINGTON – Today, Chairman of the Senate Select Committee on Intelligence U.S. Sen. Mark R. Warner (D-VA) appeared on FOX News Sunday to discuss how the U.S. needs to tackle rising threats posed by the Communist Party of China.

On how the United States needs to address the rise of the Chinese Communist Party on the world stage:

“We have never had a potential adversary like China. The Soviet Union, Russia, was military or ideological, China is investing in economic areas. They have $500 billion in intellectual property theft, and we are in a competition not just on a national security basis but on a technology basis. That's why national security now includes telecommunications, satellites, artificial intelligence, quantum computing. Each of these domains, we have got to make the kind of investments to stay ahead. I think we are starting that in a bipartisan way. We did the CHIPS bill to try to bring semiconductor manufacturing back, we have kicked out Huawei out of our telecom systems. This week, I have a broad bipartisan bill that I am launching with my friend John Thune, the Republican lead, where we are going to say, in terms of foreign technology coming into America, we’ve got to have a systemic approach to make sure we can ban or prohibit it when necessary.”

On the influence of TikTok:

“Listen, you have 100 million Americans on TikTok, 90 minutes a day…They are taking data from Americans, not keeping it safe, but what worries me more with TikTok is that this could be a propaganda tool. The kind of videos you see would promote ideological issues. If you look at what TikTok shows to the Chinese kids, which is all about science and engineering, versus what our kids see, there’s a radical difference.”

On China’s support for Putin’s war in Ukraine:

“…if China moves forward to support Russia in Ukraine, I can't understand some of my colleagues who are willing to say, ‘I don't really care about Ukraine, but I'm concerned about China.’ Well, China and Russia, these authoritarian regimes, are linked, and we have to make sure Putin is not successful in Ukraine and that Xi doesn't further his expansion plans around Taiwan.”

Video of Sen. Warner on FOX News Sunday can be found here. A transcript follows.

FOX News Sunday 

SHANNON BREAM: Joining us now, Virginia Democratic Senator Mark Warner, Chairman of the Senate Intelligence Committee, welcome back. This week, you all have a hearing on worldwide threat assessments. You will have the DNI, the director of the CIA there. You have long been warning about China on multiple fronts. Do you think that we have lost valuable time in assessing the threat accurately? Will you talk about that this week?

SENATOR MARK WARNER: Well I think for a long time conventional wisdom was, the more you bring China into the world order, the more they’re going to change. That assumption was just plain wrong. China even changed their laws in 2016 to make it explicitly clear that every company in China, their first obligation is to the Communist Party. So we have never had a potential adversary like China. The Soviet Union, Russia, was military or ideological, China is investing in economic areas. They have $500 billion in intellectual property theft, and we are in a competition not just on a national security basis but on a technology basis. That's why national security now includes telecommunications, satellites, artificial intelligence, quantum computing. Each of these domains, we have got to make the kind of investments to stay ahead. I think we are starting that in a bipartisan way. We did the CHIPS bill to try to bring semiconductor manufacturing back, we have kicked out Huawei out of our telecom systems. This week, I have a broad bipartisan bill that I am launching with my friend John Thune, the Republican lead where we are going to say, in terms of foreign technology coming into America, we’ve got to have a systemic approach to make sure we can ban or prohibit it when necessary.

BREAM: Does that mean TikTok?

SEN. WARNER: That means TikTok is one of the potentials. Listen, you have 100 million Americans on TikTok, 90 minutes a day. Even you guys would like that kind of return, 90 minutes a day. They are taking data from Americans, not keeping it safe, but what worries me more with TikTok is that this could be a propaganda tool. The kind of videos you see would promote ideological issues. If you look at what TikTok shows to the Chinese kids, which is all about science and engineering, versus what our kids see, there’s a radical difference.

BREAM: We will watch that, because that's a bipartisan offering potentially this week. This past week we got information, it was revealed that both the Department of Energy and FBI believe that the origins of COVID were most likely a leak from the Wuhan Institute for Virology. This is something that early on this was called a conspiracy theory, you were racist if you talked about it. The Senate has actually unanimously passed a measure that would call on this administration to declassify information that we have about the origins. The White House won't say whether the president will veto it or not if it gets to his desk. Do Americans, worldwide, do people not have a right to see that information?

SEN. WARNER: Shannon, here is again an example of what we are dealing with, with the Communist Party in China. If this virus had originated virtually anywhere else, we would have had world scientists there. The Chinese Communist Party has been totally opaque about letting in outside scientists to figure this out. Now, you’ve still got some parts of the intelligence community that think it originated in a wet market, others saying that it could have gotten out from a lab, although I would say that one entity says it came from one lab in Wuhan, another said from another. At the end of the day, we’ve got to keep looking and we've got to make sure, in terms of future pandemics, that we can have access to the source of where these diseases originate a lot earlier on in the system. We’re three and a half years later, we still don't have access to Wuhan.

BREAM: They're not going to cooperate with that, especially if they assess internally they were at fault. How do they pay for this? Now, billions probably trillions in damages and losses for people, millions and millions of lives. How do they pay?

SEN. WARNER: Well I think again, this is where we’ve got to have that united front of countries all around the world, that there has to be consequences. There has to be consequences potentially in terms of sanctions, it’s one of the reasons why, if China moves forward to support Russia in Ukraine, I can't understand some of my colleagues who are willing to say, “I don't really care about Ukraine, but I'm concerned about China.” Well, China and Russia, these authoritarian regimes, are linked, and we have to make sure Putin is not successful in Ukraine and that Xi doesn't further his expansion plans around Taiwan.

BREAM: Well, we know that even if they are not sending bullets over to Russia, they are buying up copious amounts of Russian oil. They are sending dual-use products that could actually be used on the battlefield. Xi doesn't seem very worried about the warnings from the U.S. at this point. They haven't even acknowledged or apologized for the balloon that went across America, we think capturing information as it went. Is Xi afraid of this administration? Do our warnings mean anything?

SEN. WARNER: Well I think Xi, as Putin thought, thought that with the invasion of the Ukraine, that the West would basically throw in the towel. The fact that we’ve not, the fact that you've got, for example, the German chancellor here just this past week, Germany’s dramatically increasing their defense budget. The fact that we've got nations like Finland and Sweden trying to join NATO. I think Putin made a major miscalculation and I do think Xi is watching the West stand up against Putin and is taking some lessons from that.

BREAM: You're just back from India, among many other countries you visited. They abstained from the U.N. vote that condemned Russia's invasion of Ukraine and called for an end to this. How important is it, a critical place like India, that they choose a side, and with the West?

SEN. WARNER: I think it’s time. Look, India is a great nation, as a matter of fact, I’m chair of the India Caucus, I'm a big supporter of India. India is now a major, major power. Fifth-largest economy in the world, and a place where remarkable things are happening. My message to the Indians has been, we understand that you have historic ties to Russia, and you still get a lot of your arms, but you cannot be a world leader, and attempt to be a moral world leader, without picking a side. And in this case, I think the younger Indians get that. Some of the older generation, I think we still have work to do.

BREAM: Okay, let's turn to continued funding for Ukraine. Another $400 million was announced on Friday. There are questions, there'll be more requests from Congress no doubt in the coming weeks about that. While there is strong support, here across the U.S. and across the West, the polls show that it's pulling back a little bit. Here's the reality from one analyst, “funding for the Ukrainian government has not demanded any tough bureaucratic trade-offs between funding priorities. It's not requiring bouncing needs for Ukraine against a domestic spending.” We’ve hit our ceiling, we have some kind of negotiation that’s got to happen very shortly. There are competing needs and they are very real, so where do we assess our financial commitment?

SEN. WARNER: Well Shannon, let's look at this. We have allocated $113 billion to Ukraine. We have actually only given them actually less than half of that, and on the military side, about $30 billion of roughly $60 billion. We’ve still got some runway to go there. But I think we need to keep that commitment, and the truth is the Russian army is being chewed up by the Ukrainians. We spent $800 billion a year on defense, in most of my lifetime to prevent Russia from exploiting that. We are having Ukrainians do that right now, in a sense, for us. I think we need to continue that. I think we will see the vast majority of members of Congress in both parties, there are some loudmouths on both sides that are pulling back, but if we are going to keep in this competition against Russia and China, Putin cannot be successful. At the same time, we have to realize as we look at China that national security is no longer simply tanks and trucks and guns and ships. It's also telecom and AI and quantum computing and advanced synthetic biology. We have to make investments in those domains, as well, which is both an economic investment and I believe, national security investment.

BREAM: Speaking of another national security interest, Iran, this report on their nuclear capabilities came out this week and it’s kind of getting lost in all the other foreign policy headlines, but basically what the International Atomic Energy Agency told us is that they have hit 84% as far as enriching uranium. They said that’s just short of the 90% that you would need for a weapon. Britain, France, and Germany say they want to censure Iran over this. The U.S. is kind of hesitant. The reporting is that the Biden administration doesn’t want to go there. Are we now then softer on Iran's new program than Europe?

SEN. WARNER: I do not believe that. We have made it explicitly clear – and I was just in Israel recently with a group of senators  – that we agree with Israel. Iran cannot be a nuclear power. I think, that has been our policy it will continue to be our policy. There are two steps in this process, one is the enrichment issue, and I believe we will be tougher than the Europeans. We always historically always have been –

BREAM: So then why are we against censuring, reportedly?

SEN. WARNER: We have already sanctioned and censured more Iranian companies by far than our European friends. But there is also a question around delivery systems. Again, I think we and our Israeli friends are following this very closely. Again, we will not allow Iran to become a nuclear power.

BREAM: I've got to hit this, Havana Syndrome. The reporting out this week, an assessment from several intelligence agencies that they don't think – that it's unlikely there was a foreign adversary carrying out these attacks, whatever they were, where our people, diplomats or Intel officers around the world in U.S. missions have suffered really debilitating symptoms from this. Senator Rubio, your colleague tweeted this: “The CIA took the investigation of Havana syndrome seriously. But when you read about the devastating injuries it's hard to accept that it was by AC units and loud cicadas. Something happened here and just because we don’t have all the answers doesn’t mean it didn’t happen.” Will you continue trying to pursue answers?

SEN. WARNER: Absolutely. First of all, the most important thing is anyone who got sick, whatever the source was, whether they are CIA, DoD, State Department officials, we owe them the world's best health care and I think we are providing that now. Initially frankly, under the last administration, this whole issue was attempted to be swept under the rug. We are now making sure that health care is provided. I know how, particularly the CIA, how extensive the investigation has been. And I've made very clear to them, if they need to continue that investigation, if new facts come to light, they ought to pursue that. But at this moment in time, I know how thorough they have been, and they have not found the evidence that I think perhaps they thought they would have found. We've got to follow the facts. At the end of the day that's what we owe the members of this intel community, who protect our nation, and that means giving them the health care. If it ends up sensing some other source than what has been discovered so far, we have to pursue it.

BREAM: Senator, Chairman, thanks for coming back to Fox News Sunday.

 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, released the following statement on the President’s National Cyber Strategy:

“I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards. I’m particularly pleased to see the Administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author. I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our health care systems become more frequent and aggressive.”

### 

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) and Rep. Elissa Slotkin (D-MI) wrote to Sundar Pichai – the CEO of Alphabet Inc. and its subsidiary Google – urging him to curb deceptive advertisements and ensure that users receive accurate information when searching for abortion services on the platform. This letter comes on the heels of an investigation that reveals how Google regularly fails to apply disclaimer labels to misleading ads by anti-abortion clinics. It also follows a successful effort by Sen. Warner and Rep. Slotkin who previously urged Google to take action to prevent misleading search results for anti-abortion clinics. This push ultimately led Google to clearly label facilities that provide abortions and prevent users from being misled by fake clinics or crisis pregnancy centers.

“We are encouraged by and appreciative of the recent steps Google has taken to protect those searching for abortion services from being mistakenly directed to clinics that do not offer comprehensive reproductive health services. However, we ask you to address issues with misrepresentation in advertising on Google’s site and take a more expansive, proactive approach to addressing violations of Google’s stated policy,” wrote the lawmakers.

“According to an investigation by Bloomberg News and the Center for Countering Digital Hate (CCDH), depending on the search term used, Google does not consistently apply disclaimer labels to ads by anti-abortion clinics.  CCDH recently conducted searches that returned 132 misleading ads for such clinics that lacked disclaimers. Specifically, researchers found that queries for terms such as ‘Plan C pills,’ ‘pregnancy help,’ and ‘Planned Parenthood’ often returned results with ads that are not labeled accurately,” they continued. “Furthermore, the Tech Transparency Project found that some ads from ‘crisis pregnancy centers,’ even when they were properly labeled, the ads themselves included deliberately deceptive verbiage aimed at tricking users into believing that they offer abortion services.  For example, ads for ‘crisis pregnancy centers’ were found to contain language such as ‘Free Abortion Pill’ and ‘First Trimester Abortion.’ Such deceptive advertising likely reduces the effectiveness of labels and may lead to detrimental health outcomes for users who receive delayed treatment.”

In addition to urging Google to rectify these issues, the lawmakers also requested answers to the following questions:

 

  1. What specific search terms does Google consider related to “getting an abortion”?
  2. What criteria does Google use to determine whether specific queries are related to “getting an abortion”?
  3. What additional steps will Google take to identify and remove ads with misleading verbiage that violates Google’s policies against misrepresentation?

A copy of the letter is available here and full text of the letter can be found below:

Dear Mr. Pichai,

We write today regarding the responsibility that Google has to ensure users receive accurate information when searching for abortion services on your platform. We are encouraged by and appreciative of the recent steps Google has taken to protect those searching for abortion services from being mistakenly directed to clinics that do not offer comprehensive reproductive health services. However, we ask you to address issues with misrepresentation in advertising on Google’s site and take a more expansive, proactive approach to addressing violations of Google’s stated policy.

On June 17, 2022, we wrote to you, along with 19 other senators and representatives, regarding research that showed Google results for searches such as “abortion services near me” often included links to clinics that are anti-abortion, sometimes called “crisis pregnancy centers.”   We were extremely concerned with this practice of directing users toward “crisis pregnancy centers” without any disclaimer indicating those businesses do not provide abortions.

We were pleased to see the changes you have made in response to our letter, such as the new refinement tool that allows users to only see facilities verified to offer abortion services, while still preserving the option to see a broader range of search results.  The steps you have taken will help prevent users from mistakenly being sent to organizations that attempt to deceive individuals into thinking they provide comprehensive health services and instead, regularly provide users with disinformation regarding the risks of abortion.  As many states are increasingly narrowing the window between getting a positive pregnancy test and when you can terminate a pregnancy, every day counts.

But we find ourselves again asking that Google live up to its promises with regards to preventing misleading ads on its platform. According to an investigation by Bloomberg News and the Center for Countering Digital Hate (CCDH), depending on the search term used, Google does not consistently apply disclaimer labels to ads by anti-abortion clinics.  CCDH recently conducted searches that returned 132 misleading ads for such clinics that lacked disclaimers. Specifically, researchers found that queries for terms such as “Plan C pills,” “pregnancy help,” and “Planned Parenthood” often returned results with ads that are not labeled accurately.  We believe Google’s failure to apply disclaimer labels to these common searches appears to be a violation of your June 2019 policy that requires “advertisers who want to run ads using keywords related to getting an abortion” to go through a verification process and be labeled as a provider that “Provides abortions” or “Does not provide abortions.”

Furthermore, the Tech Transparency Project found that some ads from “crisis pregnancy centers,” even when they were properly labeled, the ads themselves included deliberately deceptive verbiage aimed at tricking users into believing that they offer abortion services.  For example, ads for “crisis pregnancy centers” were found to contain language such as “Free Abortion Pill” and “First Trimester Abortion.” Such deceptive advertising likely reduces the effectiveness of labels and may lead to detrimental health outcomes for users who receive delayed treatment. These ads appear to violate Google’s policy on misrepresentation, which prohibits ads that “deceive users.”  Your responsiveness to our first letter gives us hope that you are willing to see this issue through. We, therefore, would appreciate answers to the following questions:

  1. What specific search terms does Google consider related to “getting an abortion”?
  2. What criteria does Google use to determine whether specific queries are related to “getting an abortion”?
  3. What additional steps will Google take to identify and remove ads with misleading verbiage that violates Google’s policies against misrepresentation?

We urge you to take proactive action to rectify these and any additional issues surrounding misleading ads, and help ensure users receive search results that accurately address their queries and are relevant to their intentions.

Thanks for your consideration, and we look forward to your timely response. 

### 

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) published “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry.  

Over the last decade cyberattacks in the health care sector have risen exponentially, with attacks on providers reaching an all-time high in 2021. The white paper, assembled by Sen. Warner’s staff, drawing on input from health care and cybersecurity experts, argues that improving cybersecurity in the health care sector will require collaboration from both the public and private sectors, and calls for improving federal leadership, strengthening health care providers’ cybersecurity capabilities, and building a robust response system in order to efficiently recover from attacks.

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” wrote Sen. Warner.

Divided into three parts, the white paper is organized as follows:

  1. Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. Specifically, it notes seven key challenges facing federal government agencies with jurisdiction over health care providers and cybersecurity, details the current state of play regarding cybersecurity threats, and outlines policy options for shoring up existing vulnerabilities.    
  2. Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
  3. Chapter three covers policies that could help health care providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

Sen. Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus with former Sen. Cory Gardner (R-CO) in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act with Sen. Gardner. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.

Sen. Warner has also examined cybersecurity in the health care sector specifically. In 2019, Sen. Warner sent a letter to several health care providers and industry trade associations – from large hospital networks to trade associations representing rural providers and medical technology vendors – asking a series of questions related to the steps their organizations and/or members had taken to improve their cybersecurity posture. Sen. Warner received a number of thoughtful responses to those questions that revealed a wide range of cybersecurity capabilities and depth of understanding of the problems health care providers are facing.

Sen. Warner is releasing this policy options document with the intent of soliciting feedback from stakeholders on the potential options described within. Any individuals, researchers, businesses, organizations, or advocacy groups that are interested in submitting comments – specific to the content and questions outlined in this document or additional ideas or language for inclusion in eventual legislation – should send a letter or an email to cyber@warner.senate.gov.

A copy of the full policy options paper can be found here.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) wrote to Meta CEO Mark Zuckerberg expressing concern and requesting more information regarding Meta’s practice of collecting users’ health information through tracking applications.

In the letter, Sen. Warner highlighted the need for user privacy and increased transparency around how user data is collected online, which has become increasingly important as the use of telehealth appointments, online appointment booking, and electronic record keeping have risen exponentially over the course of the pandemic.

“As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information,” wrote Sen. Warner.

Specifically, Sen. Warner called attention to Meta Pixel, a tracking tool that sends Meta a packet of data whenever a user clicks a button to schedule a doctor’s appointment – without the knowledge of the individual making the appointment.

He continued, “I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online.  This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments.”

Sen. Warner also noted allegations that this practice of data harvesting and collection has been used by Meta to target advertisements across their platforms. In August of this year, two lawsuits were filed against the company over the alleged unlawful collection and sharing of health data without consent.

To address these concerns, Sen. Warner requested Meta respond to the following questions:

  1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
  2. How does Meta store information received through the Meta Pixel?
  3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
  5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
  6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

Sen. Warner has been a leader in Congress pushing for increased transparency and protections surrounding user data and privacy. He introduced the DASHBOARD Act, which works to increase transparency around data collection; the DETOUR Act, which would prohibit companies like Meta from using deceptive dark patterns to manipulate users into handing over their data; and the Public Health Emergency Privacy Act, which would set strong and enforceable privacy and data security rights for health information.

A copy of the letter can be found here and below.

October 20, 2022

Dear Mr. Zuckerberg:

I write to you today to express my concern regarding Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent.

As you know, I have long worked to protect user privacy and increase transparency around how user data is collected and shared. This mission is more urgent than ever as the last two years have shown us the importance of health care technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic. As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information.

I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online.  This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments. Additionally, of particular concern are the recent allegations that Meta has used Meta Pixel data to inform targeted advertisements on Meta’s platforms.  The use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the top 100 hospitals in the country and inside the patient portals of seven health systems at the time of the investigation.

Unfortunately, privacy issues involving the Meta Pixel are not new, as there has been previous scrutiny of the Meta Pixel outside of the health care context. Reports published earlier this year found that the Pixel sent personal information to Meta that was collected from the Free Application for Federal Student Aid (FAFSA) on the website of the Federal Student Aid (FSA) office within the U.S. Department of Education.  Data sent to Meta includes applicant first and last name, email addresses, and zip codes. Additionally, this is not the first time that your company has been involved in the wrongful collection of sensitive health information. In 2021, an investigation by the New York State Department of Financial Services found that Meta (then Facebook) collected user data from several health and wellness apps, including results from blood pressure and heart rate readings, menstruation and fertility tracking, pregnancy status, and other deeply personal information. 

Meta’s own business guidelines state that the company “[doesn’t] want websites or apps sending [Meta] sensitive information about people,”  including sensitive health information, which Meta identifies as medical conditions, sexual and reproductive health, mental health, details regarding medical devices and trackers, treatments, test results, body specifications or cycles, locations of treatment, and other health-related data.  Yet, in this most recent case and as we have seen previously, Meta is continuing to access this highly sensitive information.

It is critical that technology companies like Meta take seriously their role in protecting user health data. Without meaningful action, I fear that these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health.

To address the concerns raised in this letter, I request that you provide responses to the following questions by November 3, 2022:

  1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
  2. How does Meta store information received through the Meta Pixel?
  3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
  4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
  5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
  6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
  7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

I look forward to your prompt responses.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) issued the following statement in response to the Federal Communications Commission (FCC) plan to ban new sales of Chinese-based Huawei and ZTE technologies on the basis of national security:

“Several years ago a bipartisan group of senators on the Senate Select Committee on Intelligence began raising the alarm about the threat that Huawei and ZTE posed to our national security. I’m proud of the steps that Congress has since taken to confront this challenge, including passing the Secure and Trusted Communications Networks Act of 2019 – which I co-wrote to incentivize carriers to replace Huawei and ZTE equipment in their networks. I’m glad to see the Federal Communications Commission finally take this step to protect our networks and national security.”

Sen. Warner, a former telecommunications entrepreneur, has long been outspoken about the dangers of allowing the use of Huawei equipment in U.S. telecommunications infrastructure and that of U.S. allies.

Last year, Sen. Warner, joined by Sen. Tom Cotton (R-AR), introduced legislation to prohibit federal funding from the American Rescue Plan Act from being used to purchase Chinese telecommunications equipment, including from Huawei and ZTE. In 2020, Sen. Warner and a bipartisan group of leading national security Senators introduced legislation to encourage and support U.S. innovation in the race for 5G, providing over $1 billion to invest in Western-based alternatives to Chinese equipment providers Huawei and ZTE.

###

WASHINGTON — This week, U.S. Sens. Mark R. Warner (D-VA), Jon Ossoff (D-GA), and Cynthia Lummis (R-WY) introduced the bipartisan Improving Cybersecurity of Credit Unions Act to protect credit union members from cybersecurity threats that could jeopardize their identities, privacy, and security.

The bill will empower the National Credit Union Administration (NCUA) to assess cybersecurity risks posed by service providers and take action to protect credit union members.

The bill also restores previous NCUA authority to examine credit union service providers and mirrors the provisions of the Bank Service Company Act.

“Credit unions serve communities all across Virginia,” said Sen. Warner. “I’m proud to join Senator Ossoff and Senator Lummis in offering this bipartisan proposal to improve cybersecurity for credit union customers.”

“Georgians should not have to fear that their identity or data could be stolen by hackers who target their bank or credit union,” Sen. Ossoff said. “This bipartisan bill will strengthen protections against hacking and identity theft. I thank Senators Lummis and Warner for joining me in this bipartisan effort.”

“Many people in Wyoming choose to keep their money or get a loan at their local credit union, and unfortunately, all too often, their sensitive information is targeted by cyber hackers,” said Sen. Lummis. “I’m proud to join my colleagues, Senators Ossoff and Warner, in introducing the Improving Cybersecurity of Credit Unions Act to help safeguard data at credit unions.”

Full text of the legislation is available here.

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Pat Toomey (R-PA), Cynthia Lummis (R-WY), Kyrsten Sinema (D-AZ), and Rob Portman (R-OH) today introduced legislation to clarify the digital asset reporting requirements signed into law as part of last year’s Infrastructure Investment and Jobs Act.

Last August, the senators announced an agreement with the Department of the Treasury (Treasury) on an amendment to the infrastructure package that would have clarified the definition of “broker” with respect to who must report to the government information about a digital asset transaction. The amendment specifically excluded from reporting requirements services like mining and wallet providers who do not take custody of other individuals’ cryptocurrency, nor are able to comply with the reporting requirements of a broker. While the amendment had strong bipartisan support, including from the Biden administration, the Senate was never afforded the opportunity to vote on and pass this amendment last August due to a procedural hurdle. The legislation introduced today is the exact same text introduced as a bipartisan amendment nearly one year ago.

“There’s been a lot of confusion about the reporting requirements included in the bipartisan infrastructure law,” said Sen. Warner. “As a former venture capitalist and someone who’s enthusiastic about innovation, I want to maintain America’s lead in financial innovation, including distributed ledger technologies. This bipartisan bill will underscore that the reporting requirements in the IIJA do not apply to crypto validators and other actors not providing broker-like functions while maintaining sensible guidelines to ensure that financial networks aren’t enabling illicit activity.”

“While there’s no question that digital asset exchanges behaving as brokers should be required to comply with existing reporting requirements, the bill signed into law last year would impose these requirements on many people who don’t even have the information needed to comply with them,” said Sen. Toomey. “By clarifying the definition of a broker, our legislation will protect innovation by exempting miners, network validators, and other service providers from onerous and unworkable requirements. This amendment had strong bipartisan support last August, and there’s no reason it shouldn’t be signed into law.”

“The Infrastructure Investments and Jobs Act placed unnecessary burdens on digital asset mining and wallet providers, and we must fix these reporting requirements,” said Sen. Lummis. “I’m proud to join my colleagues in introducing this important legislation which will ensure our tax system reflects the realities of the digital asset industry.”

“As more Arizonans utilize digital assets, our commonsense, bipartisan legislation ensures that everyday users of crypto – miners, stakers, and software developers – won't be subjected to reporting requirements that are intended for brokers of digital assets,” said Sen. Sinema.

“This legislation is designed to ensure that the digital asset reporting requirements signed into law as part of last year’s Infrastructure Investment and Jobs Act are implemented as intended,” said Sen. Portman. “I am pleased to see the Senate come together in bipartisan fashion to ensure that we provide clarity in the law and guidance around cryptocurrencies to maintain our edge in financial innovation.”

In addition to maintaining strong bipartisan support in the Senate, this legislation is widely supported by the digital asset industry.

“Coin Center supports any effort to improve the status quo created by the ill-advised crypto tax provisions in the Infrastructure Investment and Jobs Act,” said Jerry Brito, Executive Director of Coin Center. “We applaud Sen. Toomey for leading a bipartisan effort to address some of these issues and appreciate the support of Senators Warner, Sinema, Lummis and Portman.”

“We thank Senators Toomey, Sinema, Portman, Lummis, and Warner for their bipartisan leadership in this nuanced space,” said Sheila Warren, Chief Executive Officer of the Crypto Council for Innovation. “Clarifying how people can use and report on digital assets is important for the industry. We look forward to supporting the continued growth of innovation in the U.S. and working with policymakers on this issue.”

“The Chamber of Digital Commerce commends Senator Toomey and co-sponsors for listening to the concerns of the digital asset community and continuing to advocate for regulatory clarity,” said Cody Carbone, Director of Policy, Chamber of Digital Commerce. “The infrastructure bill included burdensome reporting requirements for nearly every participant within the ecosystem and this bipartisan bill will ensure digital asset reporting requirements match the technology’s operation. We urge that this legislation is swiftly passed into law and look forward to working with all interested parties on policy that provides additional certainty for the digital asset space.”

“ADAM applauds Senators Toomey, Sinema, Portman, Lummis, and Warner for their continued bipartisan leadership to provide clarification on the definition of a broker as it relates to the 2021 Infrastructure Bill,” said Robert Baldwin, Head of Policy, Association for Digital Asset Markets. “Definitions matter and an overly broad interpretation of the broker definition as passed has the potential to dampen innovation and lead to the offshoring of various digital assets projects in the rapidly growing sector. This bill fixes the tax definitional issue. ADAM looks forward to continued bipartisan cooperation on this bill and other policy topics so that the U.S. can ensure a long-term position of leadership in digital assets.”

“Global DCA applauds the tireless efforts to clarify the definition of a broker with respect to the digital asset markets,” said Gabriella Kusz, CEO, Global Digital Asset and Cryptocurrency Association. “This common-sense solution will protect innovation while ensuring that those who are buying and selling cryptocurrency pay legitimate taxes that are owed. We look forward to continuing to work with Senator Toomey, Senator Sinema, Senator Portman, Senator Lummis, and Senator Warner to ensure there is responsible regulation without excessive federal overreach.”

“The proposed revisions to Internal Revenue Code regarding Information Reporting for Brokers and Digital Assets marks a key legislative opportunity that we believe will begin to unlock the best benefits of digital assets and blockchain,” said Ron Quaranta, Chairman of the Wall Street Blockchain Alliance. “By clarifying what it means to be a broker in light of this important innovation, the bi-partisan legislation paves the way for further innovations that can evolve markets and ultimately improve the overall financial lives of Americans. We are thankful for the continued effort and thought leadership of Senators Lummis, Portman, Sinema, and Warner, and on behalf of our members look forward to continued dialogue and collaboration with policymakers in the future.”

“Americans need common sense and fair guidance for engaging with blockchain protocols,” said Alison Mangiero, the Executive Director of The Proof of Stake Alliance (POSA). “POSA appreciates Sen. Toomey, Sen. Sinema, Sen. Warner, Sen. Lummis, and Sen. Portman’s leadership and efforts to make clear that validators, those who do important work to secure blockchain protocols, are recognized appropriately for tax reporting purposes. We urge the Senate to take up and pass this simple but important bill to provide much-needed clarity and help America grow its web3 economy.”

To read the full text of the bill click here.  

###

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) urged the Federal Trade Commission (FTC) to formally investigate TikTok and its parent company, ByteDance. The call comes in response to recent reports that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China (PRC) to repeatedly access private data of US users despite repeated claims to lawmakers and users that this data was protected. This includes instances where staff based in the United States had to consult with their China-based colleagues for information about U.S. user data as they did not have access to the data on their own. These revelations undermine longstanding claims by TikTok’s management that the company’s operations were firewalled from demands of the Chinese Communist Party.

“We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021,” the senators wrote in a letter to FTC Chair Lina Khan. “In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.”

The report also highlights TikTok’s misrepresentation of the company’s relationship to ByteDance and its subsidiaries, including Beijing-based ByteDance Technology, which is partially owned by the Chinese Communist Party (CCP). 

The senators continued, “TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.”

As Chairman and Vice Chair of the Senate Select Committee on Intelligence, Sens. Warner and Rubio have been vocal about the cyber and national security threats posed by the CCP. In 2019, the senators introduced legislation to combat tech-specific threats to national security posed by foreign actors like China.

A copy of the letter is available here and below. 

Dear Chairwoman Khan:

We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021. In an interview with the online publication Cyberscoop, the Global Chief Security Officer for TikTok’s parent company, ByteDance, made a number of public representations on the data security practices of TikTok, including unequivocal claims that the data of American users is not accessible to the Chinese Communist Party (CCP) and the government of the PRC. As you know, TikTok’s privacy practices are already subject to a consent decree with the Federal Trade Commission, based on its improper collection and processing of personal information from children. In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.

Additionally, these recent reports suggest that TikTok has also misrepresented its corporate governance practices, including to Congressional committees such as ours. In October 2021, TikTok’s head of public policy, Michael Beckerman, testified that TikTok has “no affiliation” with another ByteDance subsidiary, Beijing-based ByteDance Technology, of which the CCP owns a partial stake. Meanwhile, as recently as March of this year, TikTok officials reiterated to our Committee representations they have previously made that all corporate governance decisions are wholly firewalled from their PRC-based parent, ByteDance. Yet according to a recent report from Buzzfeed News, TikTok’s engineering teams ultimately report to ByteDance leadership in the PRC. 

According to this same report, TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.

A series of national security laws imposed by the CCP, including the 2017 National Intelligence Law and the 2014 Counter-Espionage Law, provide extensive and extra-judicial access opportunities for CCP-controlled security services. Under these authorities, the CCP may compel access, regardless of where data is ultimately stored. While TikTok has suggested that migrating to U.S.-based storage from a U.S. cloud service provider alleviates any risk of unauthorized access, these latest revelations raise concerns about the reliability of TikTok representations: since TikTok will ultimately control all access to the cloud-hosted systems, the risk of access to that data by PRC-based engineers (or CCP security services) remains significant in light of the corporate governance irregularities revealed by BuzzFeed News. Moreover, as the recent report makes clear, the majority of TikTok data – including content posted by users as well as their unique IDs – will remain freely accessible to PRC-based ByteDance employees.

In light of repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices, we urge you to act promptly on this matter.

Sincerely, 

###