Technology News - Federal News Network
https://federalnewsnetwork.com
Helping feds meet their mission.
Thu, 27 Jul 2023 19:43:34 +0000

New SEC rule requires public companies to disclose cybersecurity breaches in 4 days
https://federalnewsnetwork.com/cybersecurity/2023/07/new-sec-rule-requires-public-companies-to-disclose-cybersecurity-breaches-in-4-days/
Wed, 26 Jul 2023 20:04:54 +0000

The Securities and Exchange Commission has adopted rules to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks. The new rules, passed by a 3-2 vote on Wednesday, also require publicly traded companies to annually disclose information on their cybersecurity risk management and executive expertise in the field.

WASHINGTON (AP) — The Securities and Exchange Commission adopted rules Wednesday to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks.

The new rules, passed by a 3-2 vote along party lines, also require publicly traded companies to annually disclose information on their cybersecurity risk management and executive expertise in the field. The idea is to protect investors.

Breach disclosures can be delayed if the U.S. Attorney General determines they would “pose a substantial risk to national security or public safety” and notifies the SEC in writing. Only under extraordinary circumstances could that delay be extended beyond 60 days.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement, noting the current inconsistency in disclosures.

The rules will put “more transparency into an otherwise opaque but growing risk” and may spur improvements in cyber defenses — though potentially posing a bigger challenge for smaller companies with limited resources, Lesley Ritter, senior VP at Moody’s Investors Service, said in a statement.

Technically, the clock doesn’t start ticking on the four-day window for reporting until companies have determined a breach is material.

One of the dissenting Republican commissioners, Hester Peirce, complained that the new requirements overstep the SEC’s authority and “seem designed to better meet the needs of would-be hackers” – who could benefit from detailed info on how companies manage cyberrisk.

As well, Peirce said in a statement, the temptation for the SEC to “micromanage” company operations will only grow.

A leading figure in cybersecurity, Tenable CEO Amit Yoran, heartily welcomed the new rule.

“For a long time, the largest and most powerful U.S. companies have treated cybersecurity as a nice-to-have, not a must have. Now, it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations,” he said in a statement.

The rules were first proposed in March 2022, when the SEC determined that breaches of corporate networks posed an escalating risk as their digitization of operations and remote work increased — and the cost to investors from cybersecurity incidents rose.

While some critical infrastructure operators and all health care providers must by law report breaches, no federal breach disclosure law exists.

In a new report published by IBM, researchers found organizations now pay an average of $4.5 million to deal with breaches — a 15% increase over the past three years. The Ponemon Institute researchers also found that impacted businesses typically pass the costs on to consumers, who may themselves also be victims with personal information stolen in a breach.

The rule’s passage also comes amid slow-moving, often cryptic disclosures — some through SEC filings — from a major data breach affecting hundreds of organizations caused by the so-called supply chain hack by Russian cybercriminals of a widely used file transfer program, MOVEit. The breach has impacted multiple universities, major pension funds, U.S. government agencies, more than 9 million motorists in Oregon and Louisiana and companies including the BBC, British Airways, Ernst & Young and PricewaterhouseCoopers.

Many victims of the MOVEit breach were quick to point out that they were failed by a third-party application. The new SEC rule encompasses third-party apps and notes how companies have increasingly relied on outside cloud services for data management and storage.

Cybersecurity labeling for smart devices aims to help people choose those less vulnerable to hacking
https://federalnewsnetwork.com/cybersecurity/2023/07/the-biden-administration-announces-a-cybersecurity-labeling-program-for-smart-devices/
Tue, 18 Jul 2023 16:15:36 +0000

The Biden administration and major consumer tech players are launching an effort to put a nationwide cybersecurity certification and labeling program in place. The program announced Tuesday is to help consumers choose smart devices that are less vulnerable to hacking. Officials liken the new U.S. Cyber Trust Mark initiative to the Energy Star program, which rates appliances’ energy efficiency. The initiative will be overseen by the Federal Communications Commission. Industry participation is voluntary. Amazon, Best Buy, Google, LG, Logitech and Samsung are among industry participants. The labels are for products including baby monitors, home security cameras, fitness trackers, TVs and smart climate control systems. The labels could be ready by next year.

WASHINGTON (AP) — The Biden administration and major consumer technology players on Tuesday launched an effort to put a nationwide cybersecurity certification and labeling program in place to help consumers choose smart devices that are less vulnerable to hacking.

Officials likened the new U.S. Cyber Trust Mark initiative — to be overseen by the Federal Communications Commission, with industry participation voluntary — to the Energy Star program, which rates appliances’ energy efficiency.

“It will allow Americans to confidently identify which internet- and Bluetooth-connected devices are cybersecure,” deputy national security adviser Anne Neuberger told reporters in a pre-announcement briefing.

Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung are among industry participants.

Devices including baby monitors, home security cameras, fitness trackers, TVs, refrigerators and smart climate control systems that meet the U.S. government’s cybersecurity requirements will bear the “Cyber Trust” label, a shield logo, as early as next year, officials said.

FCC Chairwoman Jessica Rosenworcel said the mark will give consumers “peace of mind” and benefit manufacturers, whose products would need to adhere to criteria set by the National Institute of Standards and Technology to qualify.

The FCC was launching a rule-making process to set the standards and seek public comment. Besides carrying logos, participating devices would have QR codes that could be scanned for updated security information.

In a statement, the Consumer Technology Association said consumers could expect to see certification-ready products at the industry’s annual January show, CES 2024, once the FCC adopts final rules. A senior Biden administration official said it was expected that products that qualify for the logo would undergo an annual re-certification.

The director of technology policy at Consumer Reports, Justin Brookman, welcomed the White House proposal but cautioned in a statement that “a long road remains” to its effective adoption.

“Our hope is that this label will ignite a healthy sense of competition in the marketplace, compelling manufacturers to safeguard both the security and privacy of consumers who use connected devices and to commit to supporting those devices for the lifetime of those products.”

The Cyber Trust initiative was first announced in October following a meeting between White House and tech industry representatives.

The proliferation of so-called smart devices has coincided with growing cybercrime in which one insecure device can often give a cyberintruder a dangerous foothold on a home network.

An April report from the cybersecurity firm Bitdefender and networking equipment company NetGear, based on their monitoring of smart homes, found that the most vulnerable devices in 2022 were, far and away, smart TVs, followed by smart plugs, routers and digital video recorders.

Providers of numerous smart home devices often don’t update and patch software fast enough to thwart newly emerging malware threats. The Cyber Mark standards are expected to make clear which devices patch vulnerable software in a timely fashion and secure their communications to preserve privacy, officials said. Also important will be informing consumers which devices are equipped to detect intrusions.

House Republicans interrogate FTC’s Khan over regulation of Big Tech
https://federalnewsnetwork.com/congress/2023/07/house-republicans-set-to-interrogate-ftcs-khan-over-ethics-antitrust-issues/
Thu, 13 Jul 2023 21:25:30 +0000

The chair of the Federal Trade Commission has defended her aggressive legal strategy toward the country’s biggest technology companies as she appeared before the House Judiciary Committee. House Republicans have charged that the agency has become overzealous and politicized under President Joe Biden. Agency head Lina Khan appeared before the Judiciary Committee Thursday for the first time amid her court battles with the companies. Republicans said she is “harassing” Twitter since its acquisition by Elon Musk, arbitrarily suing large tech companies and declining to recuse herself from certain cases. Khan pushed back, arguing that more regulation is necessary as the companies have grown and that tech conglomeration could hurt the economy and consumers.

WASHINGTON (AP) — The chair of the Federal Trade Commission defended her aggressive legal strategy toward the country’s biggest technology companies Thursday as House Republicans charged that the agency has become overzealous and politicized under President Joe Biden.

Republicans charged that Lina Khan is “harassing” Twitter since its acquisition by Elon Musk, arbitrarily suing large tech companies and declining to recuse herself from certain cases. In April, the committee subpoenaed Khan after an investigation by the panel that concluded the agency went after Musk for political reasons.

Biden’s FTC is “trying to usher in a radical departure from the norms that made the American economy great” and to give the government unchecked power over business practices, said House Judiciary Committee Chairman Jim Jordan, R-Ohio.

Khan pushed back on the criticism, arguing that more regulation has become necessary as the companies have grown and that tech conglomeration has the potential to hurt the economy and consumers.

“Our competition mission is driven by the tenet that vigorous antitrust enforcement is critical to the growth and dynamism of our economy, as well as to our shared prosperity and liberty,” Khan said. “Recent decades, however, have vividly illustrated how Americans lose out when markets become more consolidated and less competitive.”

The hearing comes as the agency has been embroiled in several legal cases against technology companies and as Khan — an outspoken critic of Big Tech before becoming the agency’s head — has tried, not always successfully, to toughen government regulation of those companies and prevent them from growing any larger.

Khan and the agency suffered a major defeat Tuesday when a federal judge declined to block Microsoft’s looming $69 billion takeover of video game company Activision Blizzard. The FTC had sought to ax the deal, saying it will hurt competition.

U.S. District Judge Jacqueline Scott Corley said the deal, the largest in the history of the tech industry, deserved scrutiny but the FTC hadn’t shown that it would cause serious harm. The FTC is now appealing her ruling.

In a similar case, another judge rebuffed the FTC’s attempt earlier this year to stop Meta from taking over the virtual reality fitness company Within Unlimited.

Republicans focused on the agency’s poor legal record on those antitrust cases.

“Are you losing on purpose?” asked Rep. Kevin Kiley, a California Republican, citing a past comment from Khan that suggested courtroom losses would signal to Congress that it needs to update its antitrust laws.

“Absolutely not,” Khan replied, while acknowledging that “unfortunately, things don’t always go our way.”

Republicans questioned the wisdom behind aggressive regulation, and whether it could hurt small businesses as well. California Rep. Darrell Issa criticized the FTC’s “left turn” since she took over two years ago.

“Shame on you,” Issa said. “The reality is we’re a global market, and you are thinking only of who you want to go after for some reason, and I cannot find your logic.”

As the hearing drew to a close, White House Spokesman Michael Kikukawa issued a statement saying that Biden appointed Khan “because he believes in fair and vigorous enforcement” of antitrust laws.

“Chair Khan has delivered results for families, consumers, workers, small businesses, and entrepreneurs — on everything from protecting our kids from unlawful use of their personal data, to making it cheaper and easier for consumers to repair items they own, to moving to ban non-competes that hurt workers, to stopping bad mergers like a semiconductor megamerger that would’ve stifled innovation,” Kikukawa said.

The FTC has also sued Amazon for allegedly engaging in a yearslong effort to enroll consumers without consent into Amazon Prime and making it difficult for them to cancel their subscriptions. In a complaint filed in federal court last month, the agency accused Amazon of using deceptive designs, known as “dark patterns,” to deceive consumers into enrolling in the service.

In addition, Khan and other FTC officials have repeatedly warned they will also crack down on harmful business practices involving artificial intelligence, in messages partly directed at the developers of widely-used AI tools such as ChatGPT.

Much of the Republicans’ focus has been on the FTC’s actions toward Twitter, which the agency has been investigating as part of ongoing oversight into the social media company’s privacy and cybersecurity practices. The GOP lawmakers noted that the agency probe included efforts this spring to obtain Musk’s internal communications and information about journalists he hired, and gave access to internal records, to investigate the company’s past actions before he took over.

Jordan said that Khan’s oversight of Twitter seems like an “obsession.”

“Why are you harassing Twitter?” Jordan asked.

Khan said the agency has been focused on Twitter’s lax security and privacy policies. She noted that the agency has been investigating the platform for years, since before Musk’s tenure.

The FTC has been watching the company since Twitter agreed to a 2011 consent order alleging serious data security lapses. But the agency’s concerns spiked with the tumult that followed Musk’s October takeover of the company and mass layoffs.

Twitter, now under parent company X Corp., on Thursday ahead of the congressional hearing asked a federal court to end that consent order and “rein in an investigation that has spiraled out of control and become tainted by bias.”

Republicans also criticized Khan for not recusing herself from the Meta case after the company had sought her recusal over Khan’s past advocacy against Facebook’s big mergers. They questioned her about whether she had ignored recommendations to do so, citing an internal agency memo.

“There was no violation under the ethics law,” Khan said, noting that she had no financial entanglements that would necessitate recusal.

Democrats defended Khan’s work. New York Rep. Jerry Nadler, the top Democrat on the Judiciary panel, told Khan at the opening of the hearing that he hopes Republicans can put their “baseless and often personal attacks on pause long enough to focus on the importance of your mission.”

Khan, a legal scholar, was a known tech critic when she took over the agency in 2021. Her nomination was seen as a signal from the Biden administration that it would be tough on technology companies as they have been under intense pressure from other regulators and state attorneys general.

She was a professor at Columbia University Law School and became known for her scholarly work in 2017 as a Yale law student, “Amazon’s Antitrust Paradox.” That work helped lay the foundation for a new way of looking at antitrust law beyond the impact of big-company market dominance on consumer prices.

And she has experience with the Judiciary committee, having served as a counsel to the panel’s antitrust subcommittee in 2019 and 2020. In that position she played a key role in a sweeping bipartisan investigation of the market power of the tech giants.

Jordan’s House Judiciary panel has gone after the tech companies, as well, for what Republicans say is censorship of conservatives. The committee subpoenaed the chief executives of the five largest tech companies in February as part of an effort to investigate Big Tech’s moderation of content.

__

Associated Press writer Josh Boak contributed to this report. O’Brien reported from Providence, Rhode Island.

Chinese hackers breached State Dept., other government email on eve of Blinken visit, officials say
https://federalnewsnetwork.com/cybersecurity/2023/07/china-based-hackers-breached-western-european-government-email-accounts-microsoft-says/
Thu, 13 Jul 2023 02:03:16 +0000

U.S. officials say state-backed Chinese hackers foiled Microsoft’s cloud-based security and hacked the email of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken’s trip to Beijing last month. The surgical, targeted espionage accessed the mailboxes of a small number of individuals at an unspecified number of U.S. agencies and was discovered by the State Department. Officials said none of the breached systems were classified. The hack was disclosed late Tuesday by Microsoft, which said email accounts were hacked at about 25 organizations globally beginning in mid-May. A U.S. official said the number of U.S. organizations impacted was in the single digits.

WASHINGTON (AP) — State-backed Chinese hackers foiled Microsoft’s cloud-based security in hacking the email accounts of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken’s trip to Beijing last month, officials said Wednesday.

The surgical, targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said none of the breached systems were classified, nor was any of the stolen data.

The hacked officials included Commerce Secretary Gina Raimondo, The Washington Post reported, citing anonymous U.S. officials. Export controls imposed by her agency have stung multiple Chinese companies.

One person familiar with the investigation said U.S. military and intelligence agencies were not among the agencies impacted in the monthlong spying campaign, which also affected unnamed foreign governments.

The officials spoke on condition they not be further identified.

In a technical advisory Wednesday and a call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft determined the hackers gained access by impersonating authorized users.

Officials did not specify the nature of the stolen data. But one U.S. official said the intrusion was “directly targeted” at diplomats and others who deal with the China portfolio at the State Department and other agencies. The official added that it was not yet clear if there had been any significant compromise of information.

The Blinken trip went ahead as planned, although with customary information security procedures in place, which required his delegation to use “burner” phones and computers in China.

The hack was disclosed late Tuesday by Microsoft in a blog post. It said it was alerted to the breach, which it blamed on a state-backed, espionage-focused Chinese hacking group “known to target government agencies in Western Europe,” on June 16. Microsoft said the group, which it calls Storm-0558, had gained access to email accounts affecting about 25 organizations, including government agencies, since mid-May as well as to consumer accounts of individuals likely associated with those agencies.

Neither Microsoft nor U.S. officials would identify the agencies or governments impacted. A senior CISA official told reporters in a press call that the number of affected organizations in the United States is in the single digits.

While the official declined to say whether U.S. officials are displeased with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “government safeguards” that detected the intrusion and added, “We continue to hold the procurement providers of the U.S. Government to a high security threshold.”

In fact, those safeguards consist of a data-logging feature for which Microsoft charges a premium. The CISA official noted that some of the victims lacked the data-logging feature and, unable to detect the breach, learned of it from Microsoft.

But of greater concern to cybersecurity experts is that the Storm-0558 hackers broke in using forged authentication tokens — which are used to verify the identity of a user. Microsoft’s executive vice president for security, Charlie Bell, said on the company’s website that the hackers had done that by acquiring a “consumer signing key.”

Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers accomplished that. Microsoft did not immediately respond to emailed questions, including whether it was breached by the hackers to obtain the signing key.

Williams was concerned the hackers could have forged tokens for wide use to hack any number of non-enterprise Microsoft users. “I can’t imagine China didn’t also use this access to target dissidents on personal subscriptions, too.”

The head of intelligence for the cybersecurity firm Crowdstrike, Adam Meyers, said in a statement that the incident highlights the systemic risk of relying on a single technology provider in Microsoft. He said “having one monolithic vendor that is responsible for all of your technology, products, services and security – can end in disaster.”

A Chinese foreign ministry spokesman, Wang Wenbin, called the U.S. accusation of hacking “disinformation” aimed at diverting attention from U.S. cyberespionage against China.

“No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Wang said in a routine briefing.

U.S. intelligence agencies also use hacking as a critical espionage tool and it is not a violation of international law.

Last month, Google-owned cybersecurity firm Mandiant said suspected state-backed Chinese hackers broke into the networks of hundreds of public and private sector organizations globally exploiting a vulnerability in a popular email security tool.

Earlier this year, Microsoft said state-backed Chinese hackers were targeting U.S. critical infrastructure and could be laying the technical groundwork to disrupt critical communications between the U.S. and Asia during future crises.

____

Associated Press writers Aamer Madhani in Washington and Zen Soo in Hong Kong contributed to this report. Bajak reported from Boston.

Judge limits Biden administration in working with social media companies
https://federalnewsnetwork.com/agency-oversight/2023/07/injunction-blocks-biden-administration-from-working-with-social-media-firms-about-protected-speech/
Tue, 04 Jul 2023 21:46:48 +0000

A judge on Tuesday prohibited several federal agencies and officials of the Biden administration from working with social media companies about “protected speech,” a decision called “a blow to censorship” by one of the Republican officials whose lawsuit prompted the ruling.

U.S. District Judge Terry Doughty of Louisiana granted the injunction in response to a 2022 lawsuit brought by attorneys general in Louisiana and Missouri. Their lawsuit alleged that the federal government overstepped in its efforts to convince social media companies to address postings that could result in vaccine hesitancy during the COVID-19 pandemic or affect elections.

Doughty cited “substantial evidence” of a far-reaching censorship campaign. He wrote that the “evidence produced thus far depicts an almost dystopian scenario. During the COVID-19 pandemic, a period perhaps best characterized by widespread doubt and uncertainty, the United States Government seems to have assumed a role similar to an Orwellian ‘Ministry of Truth.’ ”

Republican U.S. Sen. Eric Schmitt, who was the Missouri attorney general when the lawsuit was filed, said on Twitter that the ruling was “a huge win for the First Amendment and a blow to censorship.”

Louisiana Attorney General Jeff Landry said the injunction prevents the administration “from censoring the core political speech of ordinary Americans” on social media.

“The evidence in our case is shocking and offensive with senior federal officials deciding that they could dictate what Americans can and cannot say on Facebook, Twitter, YouTube, and other platforms about COVID-19, elections, criticism of the government, and more,” Landry said in a statement.

The Justice Department is reviewing the injunction “and will evaluate its options in this case,” said a White House official who was not authorized to discuss the case publicly and spoke on condition of anonymity.

“This administration has promoted responsible actions to protect public health, safety, and security when confronted by challenges like a deadly pandemic and foreign attacks on our elections,” the official said. “Our consistent view remains that social media platforms have a critical responsibility to take account of the effects their platforms are having on the American people, but make independent choices about the information they present.”

The ruling listed several government agencies, including the Department of Health and Human Services and the FBI, that are prohibited by the injunction from discussions with social media companies aimed at “encouraging, pressuring, or inducing in any manner the removal, deletion, suppression, or reduction of content containing protected free speech.”

The order mentions by name several officials, including Health and Human Services Secretary Xavier Becerra, Department of Homeland Security Secretary Alejandro Mayorkas and others.

Doughty allowed several exceptions, such as informing social media companies of postings involving criminal activity and conspiracies; as well as notifying social media firms of national security threats and other threats posted on platforms.

The plaintiffs in the lawsuit also included individuals, including conservative website owner Jim Hoft. The lawsuit accused the administration of using the possibility of favorable or unfavorable regulatory action to coerce social media platforms to squelch what it considered misinformation on masks and vaccines during the COVID-19 pandemic. It also touched on other topics, including claims about election integrity and news stories about material on a laptop owned by Hunter Biden, the president’s son.

Administration lawyers said the government left it up to social media companies to decide what constituted misinformation and how to combat it. In one brief, they likened the lawsuit to an attempt to put a legal gag order on the federal government and “suppress the speech of federal government officials under the guise of protecting the speech rights of others.”

“Plaintiffs’ proposed injunction would significantly hinder the Federal Government’s ability to combat foreign malign influence campaigns, prosecute crimes, protect the national security, and provide accurate information to the public on matters of grave public concern such as health care and election integrity,” the administration says in a May 3 court filing.

___

Salter reported from O’Fallon, Missouri. Associated Press journalists Kevin McGill in New Orleans and Cal Woodward, Colleen Long and Ellen Knickmeyer in Washington, D.C., contributed to this report.

Army combat veteran to take over key election security role working with state, local officials https://federalnewsnetwork.com/army/2023/06/army-combat-veteran-to-take-over-key-election-security-role-working-with-state-local-officials/ https://federalnewsnetwork.com/army/2023/06/army-combat-veteran-to-take-over-key-election-security-role-working-with-state-local-officials/#respond Fri, 30 Jun 2023 19:20:06 +0000 https://federalnewsnetwork.com/?p=4629210 An Army combat veteran with extensive cybersecurity and counterterrorism experience is taking over as one of the nation’s top election security officials. Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, made the announcement Friday. In the position, Cait Conley will coordinate with federal, state and local officials responsible for ensuring elections are secure ahead of the 2024 election. Conley takes over duties from Kim Wyman, who will depart at the end of July. Wyman joined the agency after the 2020 election in which CISA leadership was blasted by former President Donald Trump for countering false claims about the vote.

The post Army combat veteran to take over key election security role working with state, local officials first appeared on Federal News Network.

An Army combat veteran with extensive cybersecurity and counterterrorism experience is taking over as one of the nation’s top election security officials, the director of the U.S. Cybersecurity and Infrastructure Security Agency announced Friday.

In the position, Cait Conley will coordinate with federal, state and local officials responsible for ensuring elections are secure ahead of the 2024 presidential election. CISA Director Jen Easterly said Conley’s national security experience made her “ideally suited to help those state and local officials carrying out elections in every community in America.”

Conley takes over duties from Kim Wyman, who will depart the agency at the end of July to join the private sector. Wyman, a former top election official in Washington state, joined the agency after the 2020 election in which CISA leadership was blasted by former President Donald Trump for countering false claims about the vote.

Trump ultimately fired then-CISA Director Chris Krebs after a group of federal, state and local officials issued a statement nine days after the election saying there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised.”

At the time, Wyman replaced Matt Masterson, who had served as the election security lead under Krebs. During their tenure, Masterson and Krebs were credited with building up the agency, which was created in 2018, and earning trust among state and local officials who were initially wary of the federal effort.

Easterly, who was confirmed by the Senate in July 2021, brought in Wyman, a Republican state official who was an outspoken defender of election officials and the work they did during the 2020 election.

Heading into the 2024 election, officials face complex threats as they look to protect voting systems while fighting misinformation that has been undermining public confidence in elections. Threats include hostile foreign nations, ransomware gangs and others seeking to interfere in U.S. elections.

Conley and Easterly have extensive military backgrounds. Both are graduates of the U.S. Military Academy at West Point and spent years in the Army. Prior to her appointment, Easterly served as special assistant to President Barack Obama and senior director for counterterrorism.

Conley previously served as a director for counterterrorism on the National Security Council. She also was the executive director of the bipartisan Defending Digital Democracy Project, based out of Harvard University’s Belfer Center. There, she led a team of experts in developing strategies to assist those working to protect elections.

“I am excited to return to the election security mission and build on the incredible progress CISA has made over the last several years,” Conley said.

___

Cassidy reported from Atlanta.

AI is a ‘moment of revolution,’ top Democrat says in urging swift action on regulations https://federalnewsnetwork.com/technology-main/2023/06/ai-is-a-moment-of-revolution-top-democrat-says-in-urging-swift-action-on-regulations/ https://federalnewsnetwork.com/technology-main/2023/06/ai-is-a-moment-of-revolution-top-democrat-says-in-urging-swift-action-on-regulations/#respond Wed, 21 Jun 2023 15:23:56 +0000 https://federalnewsnetwork.com/?p=4617475 Senate Majority Leader Chuck Schumer says the development of artificial intelligence is a “moment of revolution” that requires swift action from the government. Schumer said Wednesday that he is working on ambitious bipartisan legislation dealing with AI. Worries about artificial intelligence systems outsmarting humans and running wild have intensified in recent months with the rise of a new generation of highly capable AI chatbots such as ChatGPT. President Joe Biden convened a group of technology leaders in San Francisco to debate what he called the “risks and enormous promises” of artificial intelligence.

The post AI is a ‘moment of revolution,’ top Democrat says in urging swift action on regulations first appeared on Federal News Network.

WASHINGTON (AP) — Calling the rapid growth of artificial intelligence tools a “moment of revolution,” Senate Majority Leader Chuck Schumer said Wednesday that the government must act quickly to regulate companies that are developing it.

The New York Democrat said he is working on what he calls “exceedingly ambitious” bipartisan legislation to maximize the technology’s benefits and mitigate significant risks.

While Schumer did not lay out details of such legislation, he offered some key goals: protect U.S. elections from AI-generated misinformation or interference, shield U.S. workers and intellectual property, prevent exploitation by AI algorithms and create new guardrails to ward off bad actors.

AI legislation also should promote American innovation, Schumer said in a speech at the Center for Strategic and International Studies, a Washington think tank.

“If applied correctly, AI promises to transform life on Earth for the better,” Schumer said. “It will reshape how we fight disease, tackle hunger, manage our lives, enrich our minds and ensure peace. But there are real dangers that present themselves as well: job displacement, misinformation, a new age of weaponry and the risk of being unable to manage this new technology altogether.”

Schumer’s declaration of urgency comes weeks after scientists and tech industry leaders, including high-level executives at Microsoft and Google, issued a warning about the perils that artificial intelligence could pose to humankind.

“Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war,” their statement said.

Worries about artificial intelligence systems outsmarting humans and running wild have intensified in recent months with the rise of a new generation of highly capable AI chatbots such as ChatGPT. It has sent countries around the world scrambling to come up with regulations for the developing technology, with the European Union blazing the trail with its AI Act expected to be approved later this year.

On Tuesday, President Joe Biden convened a group of technology leaders in San Francisco to debate what he called the “risks and enormous promises” of artificial intelligence. In May, the administration brought together tech CEOs at the White House to discuss these issues, with the Democratic president telling them, “What you’re doing has enormous potential and enormous danger.”

“We’ll see more technological change in the next 10 years than we saw in the last 50 years,” Biden said.

White House chief of staff Jeff Zients’ office is developing a set of actions the federal government can take over the coming weeks regarding AI, according to the White House.

Schumer’s hands-on involvement in crafting AI legislation is unusual, as Senate leaders usually leave the task to individual senators or committees. But he has taken a personal interest in regulating the development of artificial intelligence, arguing that it is urgent as companies have already introduced human-like chatbots and other products that could alter life as we know it. He is working with another Democrat, Sen. Martin Heinrich of New Mexico, and Republican Sens. Mike Rounds of South Dakota and Todd Young of Indiana to speak with experts, educate colleagues and write the legislation.

It’s an unexpected role for Schumer, in particular, who famously carries a low-tech flip phone, and for the Senate as a whole, where the pace of legislation is often glacial.

Senators average around retirement age and aren’t known for their mastery of high-tech. They’ve been mocked in recent years for basic questions at hearings — asking Facebook founder Mark Zuckerberg simple questions about how his platform works at a 2018 hearing on Russian interference, for example — and for a bipartisan reluctance to regulate the technology industry at all.

Schumer, along with several Republican colleagues, says the federal government can no longer afford to be laissez-faire with tech companies.

“If the government doesn’t step in, who will fill its place?” Schumer asked. “Individuals and the private sector can’t do the work of protecting our country. Even if many developers have good intentions, there will always be rogue actors, unscrupulous companies, and foreign adversaries that seek to harm us. And companies may not be willing to insert guardrails on their own, certainly if their competitors are not required to insert them as well.”

Attempting to regulate AI, Schumer said, “is unlike anything Congress has dealt with before.”

It is unclear if Schumer will be able to accomplish his goals. The effort is in its earliest stages, with the bipartisan working group just starting a series of briefings for all 100 senators to get them up to speed. In the House, legislation to regulate or oversee artificial intelligence has been more scattershot, and Republican leaders have not laid out any ambitious goals.

Schumer acknowledged that there are more questions than answers about the technology.

“It’s not like labor or healthcare or defense where Congress has a long history we can work off of,” Schumer said. “In fact, experts admit nobody is even sure which questions policymakers should be asking. In many ways, we’re starting from scratch.”

In San Francisco, Biden talks with tech leaders about risks and promises of artificial intelligence https://federalnewsnetwork.com/artificial-intelligence/2023/06/biden-will-host-a-forum-about-artificial-intelligence-with-technology-leaders-in-san-francisco/ https://federalnewsnetwork.com/artificial-intelligence/2023/06/biden-will-host-a-forum-about-artificial-intelligence-with-technology-leaders-in-san-francisco/#respond Wed, 21 Jun 2023 02:28:17 +0000 https://federalnewsnetwork.com/?p=4615626 President Joe Biden has convened a group of technology leaders in San Francisco to debate the risks and promises of artificial intelligence. The Biden administration is seeking to figure out how to regulate the emergent field of AI, looking for ways to nurture its potential for economic growth and national security and protect against its potential dangers. Biden says, “We’ll see more technological change in the next 10 years than we saw in the last 50 years,” adding that “AI is already driving that change.” His meeting Tuesday included eight technology experts from academia and advocacy groups.

The post In San Francisco, Biden talks with tech leaders about risks and promises of artificial intelligence first appeared on Federal News Network.

SAN FRANCISCO (AP) — President Joe Biden convened a group of technology leaders on Tuesday to debate what he called the “risks and enormous promises” of artificial intelligence.

The Biden administration is seeking to figure out how to regulate the emergent field of AI, looking for ways to nurture its potential for economic growth and national security and protect against its potential dangers.

“We’ll see more technological change in the next 10 years than we saw in the last 50 years,” Biden said as the meeting with eight technology experts from academia and advocacy groups kicked off.

“AI is already driving that change,” Biden said.

The sudden emergence of AI chatbot ChatGPT and other tools has jumpstarted investment in the sector. AI tools are able to craft human-like text, music, images and computer code. This form of automation could increase the productivity of workers, but experts warn of numerous risks.

The technology could be used to replace workers, causing layoffs. It’s already being deployed in false images and videos, becoming a vehicle of disinformation that could undermine democratic elections. Governments, as well as the European Union, have said they are determined to regulate and put brakes on AI before it is too late.

Biden said social media has already shown the harm technology can do “without the right safeguards in place.”

In May, Biden’s administration brought together tech CEOs at the White House to discuss these issues, with the Democratic president telling them, “What you’re doing has enormous potential and enormous danger.”

White House chief of staff Jeff Zients’ office is developing a set of actions the federal government can take over the coming weeks regarding AI, according to the White House. Top officials are meeting two to three times each week on this issue, in addition to the daily work of federal agencies. The administration wants commitments from private companies to address the possible risks from AI.

Biden met Tuesday at the Fairmont hotel in San Francisco with Tristan Harris, executive director of the Center for Humane Technology; Jim Steyer, the CEO of Common Sense Media; and Joy Buolamwini, founder of the Algorithmic Justice League, among others. California Gov. Gavin Newsom was also in attendance.

Biden is also in the San Francisco area to raise money for his 2024 reelection campaign. At his first fundraiser of the night, Biden spoke about what he saw as freedoms under siege, particularly for the LGBTQ community and with the overturning of abortion protections by the U.S. Supreme Court. As president, he said, it’s his job to help safeguard the right to choose.

“I think the American people need to have the confidence that we’re going to do what we say we’re going to do,” he said.

Climate change has also been a priority in Biden’s speeches at the fundraisers. On Tuesday, he told a group that he expects that John Kerry, the special envoy for climate, will soon return to China for talks on reducing carbon emissions.

__

Associated Press writer Barbara Ortutay in San Francisco contributed to this report.

Roughly 100 letters with suspicious white powder sent to Kansas lawmakers, officials https://federalnewsnetwork.com/agency-oversight/2023/06/roughly-100-letters-with-suspicious-white-powder-sent-to-kansas-lawmakers-officials/ https://federalnewsnetwork.com/agency-oversight/2023/06/roughly-100-letters-with-suspicious-white-powder-sent-to-kansas-lawmakers-officials/#respond Mon, 19 Jun 2023 18:52:00 +0000 https://federalnewsnetwork.com/?p=4615186 Officials say about 100 letters containing suspicious white powder have been sent to lawmakers and other public officials across Kansas. The Kansas Bureau of Investigation on Sunday upped the initial tally from 30 letters to about 100. No injuries have been reported. A Facebook post from the agency says preliminary tests are negative for common dangerous toxins. In emails sent to legislators and obtained by The Topeka Capital-Journal, the director of Legislative Administrative Services said the Kansas Highway Patrol had informed his office of the letters, which contain a return address of either Kansas City or Topeka.

The post Roughly 100 letters with suspicious white powder sent to Kansas lawmakers, officials first appeared on Federal News Network.

TOPEKA, Kan. (AP) — About 100 letters containing suspicious white powder have been sent to lawmakers and other public officials across Kansas, officials said.

No injuries have been reported, according to the Kansas Bureau of Investigation. It had counted more than 30 letters as of late Friday afternoon and increased the tally to 100 as of Sunday.

In a Facebook post Sunday, the bureau said preliminary tests on the substance were negative for common dangerous toxins.

In emails sent to legislators and obtained by The Topeka Capital-Journal, Tom Day, director of Legislative Administrative Services, said the Kansas Highway Patrol had informed his office of the letters, which contain a return address of either Kansas City or Topeka.

The letters were sent to legislators at their homes and have been turned over to the KBI and the Federal Bureau of Investigation, Day wrote.

A Russian ransomware gang breaches the Energy Department and other federal agencies https://federalnewsnetwork.com/cybersecurity/2023/06/energy-department-among-federal-agencies-breached-by-russian-ransomware-gang/ https://federalnewsnetwork.com/cybersecurity/2023/06/energy-department-among-federal-agencies-breached-by-russian-ransomware-gang/#respond Fri, 16 Jun 2023 10:15:03 +0000 https://federalnewsnetwork.com/?p=4612410 U.S. officials say the Department of Energy is among a small number of federal agencies compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments. They say the impact is not expected to be great. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that the hacking campaign was short, opportunistic and caught quickly. A senior CISA official said neither the U.S. military nor intelligence community was affected. Known victims to date include Louisiana’s Office of Motor Vehicles and Oregon's Department of Transportation.

The post A Russian ransomware gang breaches the Energy Department and other federal agencies first appeared on Federal News Network.

The Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments, but the impact was not expected to be great, Homeland Security officials said Thursday.

But for others among what could be hundreds of victims from industry to higher education — including patrons of at least two state motor vehicle agencies — the hack was beginning to show some serious impacts.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, this campaign was short, relatively superficial and caught quickly.

“Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information — in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.

“Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she added.

A senior CISA official said neither the U.S. military nor intelligence community was affected. Energy Department spokesperson Chad Smith said two agency entities were compromised but did not provide more detail.

Known victims to date include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Company and the U.K. drugstore chain Boots. The exploited program, MOVEit, is widely used by businesses to securely share files. Security experts say that can include sensitive financial and insurance data.

Louisiana officials said Thursday that people with a driver’s license or vehicle registration in the state likely had their personal information exposed. That included their name, address, Social Security number and birthdate. They encouraged Louisiana residents to freeze their credit to guard against identity theft.

The Oregon Department of Transportation confirmed Thursday that the attackers accessed personal information, some sensitive, for about 3.5 million people to whom the state issued identity cards or driver’s licenses.

The Cl0p ransomware syndicate behind the hack announced last week on its dark web site that its victims, who it suggested numbered in the hundreds, had until Wednesday to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.

The gang, among the world’s most prolific cybercrime syndicates, also claimed it would delete any data stolen from governments, cities and police departments.

The senior CISA official told reporters a “small number” of federal agencies were hit — declining to name them — and said “this is not a widespread campaign affecting a large number of federal agencies.” The official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands and no data from an affected federal agency had been leaked online by Cl0p.

U.S. officials “have no evidence to suggest coordination between Cl0p and the Russian government,” the official said.

The parent company of MOVEit’s U.S. maker, Progress Software, alerted customers to the breach on May 31 and issued a patch. But cybersecurity researchers say scores if not hundreds of companies could by then have had sensitive data quietly exfiltrated.

“At this point, we are seeing industry estimates of several hundred of victims across the country,” the senior CISA official said. Federal officials encouraged victims to come forward, but they often don’t. The U.S. lacks a federal data breach law, and disclosure of hacks varies by state. Publicly traded corporations, health care providers and some critical infrastructure purveyors do have regulatory obligations.

The cybersecurity firm SecurityScorecard says it detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. It said it was not able to break down those agencies by country.

The Office of the Comptroller of the Currency in the Treasury Department uses MOVEit, according to federal contracting data. Spokeswoman Stephanie Collins said the agency was aware of the hack and has been monitoring the situation closely. She said it was “conducting detailed forensic analysis of system activity and has not found any indications of a breach of sensitive information.” She would not say how the agency uses the file-transfer program.

The hackers were actively scanning for targets, penetrating them and stealing data at least as far back as March 29, said SecurityScorecard threat analyst Jared Smith.

This is far from the first time Cl0p has breached a file-transfer program to gain access to data it could then use to extort companies. Other instances include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.

The Associated Press emailed Cl0p on Thursday asking what government agencies it had hacked. It did not receive a response, but the gang posted a new message on its dark web leak site saying: “We got a lot of emails about government data, we don’t have it we have completely deleted this information we are only interested in business.”

Cybersecurity experts say the Cl0p criminals are not to be trusted to keep their word. Allan Liska of the firm Recorded Future has said he is aware of at least three cases in which data stolen by ransomware crooks appeared on the dark web six to 10 months after victims paid ransoms.

AP reporters Sara Cline in Baton Rouge, Louisiana, Eugene Johnson in Seattle and Nomaan Merchant and Rebecca Santana in Washington contributed to this report.

US cyberwarriors thwarted 2020 Iran election hacking attempt https://federalnewsnetwork.com/cybersecurity/2023/04/us-cyberwarriors-thwarted-2020-iran-election-hacking-attempt/ https://federalnewsnetwork.com/cybersecurity/2023/04/us-cyberwarriors-thwarted-2020-iran-election-hacking-attempt/#respond Tue, 25 Apr 2023 20:16:04 +0000 https://federalnewsnetwork.com/?p=4551639 Iranian hackers broke into a system used by a U.S. municipal government to publish election results in 2020 but were discovered by cyber soldiers operating abroad and kicked out before an attack could be launched, according to U.S. military and cybersecurity officials. The system involved in the previously undisclosed breach was not for casting or counting ballots, but rather one that was used to report unofficial election results on a public website. The breach was revealed during a presentation Monday at the RSA Conference in San Francisco, which is focused on cybersecurity. Officials did not identify the municipality targeted.

The post US cyberwarriors thwarted 2020 Iran election hacking attempt first appeared on Federal News Network.

Iranian hackers broke into a system used by a U.S. municipal government to publish election results in 2020 but were discovered by cyber soldiers operating abroad and kicked out before an attack could be launched, according to U.S. military and cybersecurity officials.

The system involved in the previously undisclosed breach was not for casting or counting ballots, but rather was used to report unofficial election results on a public website. The breach was revealed during a presentation this week at the RSA Conference in San Francisco, which is focused on cybersecurity. Officials did not identify the local government that was targeted.

“This was not a system used in the conduct of the election, but we are of course also concerned with systems that could weigh on the perception of a potential compromise,” said Eric Goldstein, who leads the cybersecurity division at the U.S. Cybersecurity and Infrastructure Security Agency.

If not expelled from the site, the hackers could have altered or otherwise disrupted the public-facing results page — though without affecting ballot-counting.

“Our concern is always that some type of website defacement, some type of (denial of service) attack, something that took the website down or defaced the website say on the night of the election, could make it look like the vote had been tampered with when that’s absolutely not true,” Major Gen. William J. Hartman, commander of U.S. Cyber Command’s Cyber National Mission Force, told conference attendees Monday.

Hartman said his team identified the intrusion as part of what he termed a “hunt-forward” mission, which gathers intelligence on and surveils adversaries and criminals. The team quickly alerted officials at the U.S. cybersecurity agency, who then worked with the municipality to respond to the intrusion.

Hartman said his team then acted “to ensure the malicious cyber actor no longer had access to the network and was unable to come back into the network in direct support of the elections.”

No details were released on how or from what country the Iranian intrusion was detected.

Its successful thwarting highlights the stealthy, largely classified, efforts of U.S. military cyberwarriors to prevent a repeat of 2016, when a Russian hack-and-leak operation targeting Hillary Clinton’s campaign favored former President Donald Trump’s election.

Asked in a recent interview about his accomplishments since he was promoted to U.S. Cybercom and National Security Agency chief in 2018, Gen. Paul Nakasone pointed to election security.

“We said if you are going to come and try to influence or interfere in our elections, we’re going to take you on, and we did,” he said.

Election and national security officials have been increasingly focused on cybersecurity threats since the 2016 election. Locally, they have been trying to heighten protections for voting machines, vote tabulators, voter registration databases and electronic pollbooks, which are used to check in voters at polling locations.

Some of the non-voting systems present security challenges because they have internet connections. As the use of electronic systems has grown, they have proved an attractive target for those seeking to meddle in elections.

In 2016, Russian hackers scanned state voter registration systems looking for vulnerabilities and accessed the voter registration database in Illinois, although an investigation later determined no voter data was manipulated. In 2020, Iranian hackers obtained confidential voter data and used it to send misleading emails, seeking to spread misinformation and influence the election.

Beginning in 2018, the National Defense Authorization Act let the U.S. “take down infrastructure” and “take on adversaries” outside the country, Nakasone said. So by 2020, when Russian and Iranian actors attempted to interfere with the U.S. election, U.S. cyber operators were able to thwart them, he added.

Under Nakasone, Cybercom has sent small teams to 22 countries to help hunt on their networks — “to identify malware, tradecraft, techniques that adversaries are using and then broadly publicize that,” he said. That includes Ukraine, where he said a team arrived on Dec. 3, 2021, more than two months ahead of the Russian invasion.

In a March statement ahead of a congressional hearing, Nakasone said Cybercom had deployed its teams 40 times to work on 59 networks, generating insights and “imposing costs on common adversaries.” He said the missions “exposed malicious cyber activity by China, Russia, Iran and cyber criminals,” helped make other nations’ networks more secure and “led to the public release of more than 90 malware samples for analysis by the cybersecurity community.”

___

Cassidy reported from Atlanta. Bajak reported from Boston.

US officials seek to crack down on harmful AI products
https://federalnewsnetwork.com/artificial-intelligence/2023/04/u-s-officials-seek-to-crack-down-on-harmful-ai-products/
Tue, 25 Apr 2023 17:35:22 +0000

The federal government will “not hesitate to crack down” on harmful business practices involving artificial intelligence, the head of the Federal Trade Commission warned Tuesday in a message partly directed at the developers of widely-used AI tools such as ChatGPT. FTC Chair Lina Khan joined top officials from U.S. civil rights and consumer protection agencies to put businesses on notice that regulators are working to track and stop illegal behavior in the use and development of biased or deceptive AI tools. Amid a fast-moving race between tech giants such as Google and Microsoft in selling advanced AI tools, Khan also raised the possibility of the FTC wielding its antitrust authority to protect competition.

The post US officials seek to crack down on harmful AI products first appeared on Federal News Network.

The U.S. government will “not hesitate to crack down” on harmful business practices involving artificial intelligence, the head of the Federal Trade Commission warned Tuesday in a message partly directed at the developers of widely-used AI tools such as ChatGPT.

FTC Chair Lina Khan joined top officials from U.S. civil rights and consumer protection agencies to put businesses on notice that regulators are working to track and stop illegal behavior in the use and development of biased or deceptive AI tools.

Much of the scrutiny has been on those who deploy automated tools that amplify bias into decisions about who to hire, how worker productivity is monitored or who gets access to housing and loans.

But amid a fast-moving race between tech giants such as Google and Microsoft in selling more advanced tools that generate text, images and other content resembling the work of humans, Khan also raised the possibility of the FTC wielding its antitrust authority to protect competition.

“We all know that in moments of technological disruption, established players and incumbents may be tempted to crush, absorb or otherwise unlawfully restrain new entrants in order to maintain their dominance,” Khan said at a virtual press event Tuesday. “And we already can see these risks. A handful of powerful firms today control the necessary raw materials, not only the vast stores of data, but also the cloud services and computing power that startups and other businesses rely on to develop and deploy AI products.”

Khan didn’t name any specific companies or products but expressed concern about tools that scammers could use to “manipulate and deceive people on a large scale, deploying fake or convincing content more widely and targeting specific groups with greater precision.”

She added that “if AI tools are being deployed to engage in unfair, deceptive practices or unfair methods of competition, the FTC will not hesitate to crack down on this unlawful behavior.”

Khan was joined by Charlotte Burrows, chair of the Equal Employment Opportunity Commission; Rohit Chopra, director of the Consumer Financial Protection Bureau; and Assistant Attorney General Kristen Clarke, who leads the civil rights division of the Department of Justice.

As lawmakers in the European Union negotiate passage of new AI rules, and some have called for similar laws in the U.S., the top U.S. regulators emphasized Tuesday that many of the most harmful AI products might already run afoul of existing laws protecting civil rights and preventing fraud.

“There is no AI exemption to the laws on the books,” Khan said.

Online gaming chats have long been spy risk for US military
https://federalnewsnetwork.com/defense-industry/2023/04/online-gaming-chats-have-long-been-spy-risk-for-us-military/
Fri, 14 Apr 2023 20:56:25 +0000

Step into a U.S. military recreation hall at a base almost anywhere in the world and you’re bound to see young troops immersed in the world of online games. The enthusiasm military personnel have for gaming — and the risk that carries — is in the spotlight after a 21-year-old Massachusetts Air National Guardsman was charged with illegally taking and posting highly classified material on a social media platform that started as a hangout for gamers. Online gaming forums have long been a particular worry of the military because of their lure for young service members. And U.S. officials are limited in how closely they can monitor those forums to make sure nothing on them threatens national security.

The post Online gaming chats have long been spy risk for US military first appeared on Federal News Network.

WASHINGTON (AP) — Step into a U.S. military recreation hall at a base almost anywhere in the world and you’re bound to see it: young troops immersed in the world of online games, using government-funded gaming machines or their own consoles.

The enthusiasm military personnel have for gaming — and the risk that carries — is in the spotlight after Jack Teixeira, a 21-year-old Massachusetts Air National Guardsman, was charged with illegally taking and posting highly classified material in a geopolitical chat room on Discord, a social media platform that started as a hangout for gamers.

State secrets can be illegally shared in countless different ways, from whispered conversations and dead drops to myriad social media platforms. But online gaming forums have long been a particular worry of the military because of their lure for young service members. And U.S. officials are limited in how closely they can monitor those forums to make sure nothing on them threatens national security.

“The social media world and gaming sites in particular have been identified as a counterintelligence concern for about a decade,” said Dan Meyer, a partner at the Tully Rinckey law firm, which specializes in military and security clearance issues.

Foreign intelligence agents could use an avatar in a gaming room to connect with “18 to 23-year-old sailors gaming from the rec center at Norfolk Naval Base, win their confidence over for months, and then, through that process, start to connect with them on other social media platforms,” Meyer said, noting that U.S. spy agencies have also created avatars to conduct surveillance in the online games World of Warcraft and Second Life.

The military doesn’t have the authority to conduct surveillance of U.S. citizens on U.S. soil — that’s the role of domestic law enforcement agencies like the FBI. Even when monitoring members of the armed forces, there are privacy issues, something the Defense Department ran into head-on as it tried to establish social media policies to counter extremism in the ranks.

The military does, however, have a presence in the online game community. Both the Army and the Navy have service members whose full-time job is to compete in video game tournaments as part of military esports teams. The teams are seen as an effective way to reach and potentially recruit youth who have grown up with online gaming since early childhood. But none of the services said they had any sort of similar team playing online to monitor for potential threats or leaks.

Pentagon spokeswoman Sue Gough said its intelligence activities are primarily focused internationally. In collecting any information on Americans, the Defense Department does so “in accordance with law and policy and in a manner that protects privacy and civil liberties,” she said in a statement to The Associated Press. She said the procedures must be approved by the attorney general.

Instead, the military has focused on training service members never to reveal classified information in the first place. In the wake of the online leaks, the department is reviewing its processes to protect classified information, reducing the number of people who have access, and reminding the force that “the responsibility to safeguard classified information is a lifetime requirement for each individual granted a security clearance,” Deputy Secretary of Defense Kathleen Hicks said in a memo issued Thursday following Teixeira’s arrest.

But that may not be enough.

“These various gaming channels are just another form of social networks,” said Peter W. Singer, whose novel “Burn In” centered on attacks on the U.S. that are plotted in a private chamber of an online war game — and where all the plotters use avatars of historical figures to disguise themselves.

Singer, who has advised the Pentagon on future warfare, expects that future espionage and plotting will likely find haven in some of these private online worlds.

“There’s a shift from it being viewed as niche, and for kids to adults using it for everything from marketing and entertainment to criminality,” Singer said. “Is this the future? Most definitely.”

But besides the legal limitations on monitoring these games, the vast number of sites and private chats would be virtually impossible for the Pentagon to manage, Singer said.

“Your answer to this can’t be ‘How do I find it on video game channels?’” Singer said. “Your answer has to be, ‘How do I keep it from getting out in the first place?’”

US to adopt new restrictions on using commercial spyware
https://federalnewsnetwork.com/technology-main/2023/03/us-to-adopt-new-restrictions-on-using-commercial-spyware/
Mon, 27 Mar 2023 16:32:56 +0000

The U.S. government will restrict its use of commercial spyware tools that have been used to surveil human rights activists, journalists and dissidents around the world. President Joe Biden's order responds to growing U.S. and global concerns about programs that can capture text messages and other cellphone data. Some programs — so-called “zero-click” exploits — can infect a phone without the user clicking on a malicious link. While the U.S. and other governments routinely collect huge amounts of data, advocates warn that the commercial spyware market creates new opportunities for abuse and repression.

The post US to adopt new restrictions on using commercial spyware first appeared on Federal News Network.

WASHINGTON (AP) — The U.S. government will restrict its use of commercial spyware tools that have been used to surveil human rights activists, journalists and dissidents around the world, under an executive order issued Monday by President Joe Biden.

The order responds to growing U.S. and global concerns about programs that can capture text messages and other cellphone data. Some programs — so-called “zero-click” exploits — can infect a phone without the user clicking on a malicious link.

Governments around the world — including the U.S. — are known to collect large amounts of data for intelligence and law enforcement purposes, including communications from their own citizens. The proliferation of commercial spyware has made powerful tools newly available to smaller countries, but also created what researchers and human-rights activists warn are opportunities for abuse and repression.

The White House released the executive order in advance of its second summit for democracy this week. The order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology,” the White House said in a statement.

Biden’s order, billed as a prohibition on using commercial spyware “that poses risks to national security,” allows for some exceptions.

The order will require the head of any U.S. agency using commercial programs to certify that the program doesn’t pose a significant counterintelligence or other security risk, a senior administration official said.

Among the factors that will be used to determine the level of security risk is if a foreign actor has used the program to monitor U.S. citizens without legal authorization or surveil human rights activists and other dissidents.

“It is intended to be a high bar but also includes remedial steps that can be taken … in which a company may argue that their tool has not been misused,” said the official, who briefed reporters on condition of anonymity under White House ground rules.

The White House will not publish a list of banned programs as part of the executive order, the official said.

John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who has long studied spyware, credited the Biden administration for trying to set new global standards for the industry.

“Most spyware companies see selling to the U.S. as their eventual exit path,” Scott-Railton said. “The issue is the U.S. until now hasn’t really wielded its purchasing power to push the industry to do better.”

Congress last year required U.S. intelligence agencies to investigate foreign use of spyware and gave the Office of the Director of National Intelligence the power to ban any agency from using commercial programs.

Rep. Jim Himes of Connecticut, the top Democrat on the House Intelligence Committee, said in a committee hearing last year that commercial spyware posed a “very serious threat to our democracy and to democracies around the world.” He said Monday the new order should be followed by other democracies taking steps against spyware.

“It’s a very powerful statement and a good tool, but alone it won’t do the trick,” he said.

Perhaps the best known example of spyware, the Pegasus software from Israel’s NSO Group, was used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation, citing a list of more than 50,000 cellphone numbers. The U.S. has already placed export limits on NSO Group, restricting the company’s access to U.S. components and technology.

Officials would not say if U.S. law enforcement and intelligence agencies currently use any commercial spyware. The FBI last year confirmed it had purchased NSO Group’s Pegasus tool “for product testing and evaluation only,” and not for operational purposes or to support any investigation.

White House officials said Monday they believe 50 devices used by U.S. government employees, across 10 countries, had been compromised or targeted by commercial spyware.

Despite NSO’s assertions that the program is supposed to be used to counter terrorism and crime, researchers found the numbers of more than 180 journalists, 600 politicians and government officials, and 85 human rights activists.

Pegasus use was most commonly linked to Mexico and countries in the Middle East. Amnesty International has alleged Pegasus was installed on the phone of Jamal Khashoggi’s fiancée just four days before the journalist was killed in the Saudi consulate in Istanbul in 2018. NSO has denied the allegation that its software was used in connection with Khashoggi’s murder.

The family of Paul Rusesabagina, credited with saving more than 1,200 lives during the Rwandan genocide, a story depicted in the movie “Hotel Rwanda,” has also alleged it was targeted by spyware. Rusesabagina was lured back to Rwanda under false pretenses and jailed on terrorism charges before his release last week. Rwanda has denied using commercial spyware.

Congress members warned of significant health data breach
https://federalnewsnetwork.com/cybersecurity/2023/03/congress-members-warned-of-significant-health-data-breach/
Thu, 09 Mar 2023 06:13:47 +0000

Officials have informed members of the House and Senate and their staffs that hackers may have gained access to their sensitive personal data in a breach of a Washington, D.C., health insurance marketplace.

The post Congress members warned of significant health data breach first appeared on Federal News Network.

WASHINGTON (AP) — Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data in a breach of a Washington, D.C., health insurance marketplace. Employees of the lawmakers and their families were also affected.

DC Health Link confirmed that data on an unspecified number of customers was affected and said it was notifying them and working with law enforcement. It said it was offering identity theft service to those affected and extending credit monitoring to all customers.

The FBI said it was aware of the incident and was assisting the investigation.

A broker on an online crime forum claimed to have records on 170,000 DC Health Link customers and was offering them for sale for an unspecified amount. The broker claimed they were stolen Monday. Reached by The Associated Press on an encrypted chat site, the broker did not say whether the data had been purchased and said they could not provide additional data to back the claim. They said they were acting on behalf of the seller, who they identified as “thekilob.”

Sample stolen data was posted on the site for a dozen apparent customers. It included Social Security numbers, addresses, names of employers, phone numbers, emails and addresses. The AP reached one of the dozen by dialing a listed number.

“Oh my God,” the man said when informed the information was public. All 12 people listed work for the same company or are family members.

In an email to all Senate email account holders, the sergeant at arms said it was informed that the stolen data included full names of the insured and family members. An email sent out by the office of the Chief Administrative Office of the House on behalf of House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries called the breach “egregious” and promised to provide updates. It urged members to use credit and identity theft monitoring resources.

The Senate email recommended that anyone registered on the health insurance exchange freeze their credit to prevent identity theft.

In an emailed statement, Rep. Joe Morelle of New York said House leadership was informed by Capitol Police that DC Health Link “suffered an extraordinarily large data breach of enrollee information” that posed a “great risk” to members, employees and their family members. “At this time the cause, size, and scope of the data breach impacting the DC Health Link still needs to be determined by the FBI,” Morelle said.

The hack follows several recent breaches affecting U.S. agencies. Hackers broke into a U.S. Marshals Service computer system and activated ransomware on Feb. 17 after stealing personally identifiable data about agency employees and targets of investigations.

An FBI computer system was recently breached at the bureau’s New York field office, CNN reported in mid-February. Asked about that intrusion, the FBI issued a statement calling it “an isolated incident that has been contained.” It declined further comment, including when it occurred and whether ransomware was involved.

There was no indication the Health breach was ransomware-related.

___

AP Technology Writer Frank Bajak in Boston contributed to this report.
