The Privacy and Civil Liberties Oversight Board (or PCLOB) was divided 3-2 over the restriction on how the program handles reviewing Americans’ communications, my colleague Devlin Barrett reports this morning. The majority of the panel supported a total of 19 recommendations, with the minority calling the majority’s approach “deeply flawed.”
Known as Section 702, the program is aimed at warrantlessly collecting the emails and calls of foreign targets. But the targets are sometimes communicating with Americans, and intelligence officials can query the system to search for those communications specifically.
Critics of the program have called on Congress to require a warrant to review Section 702 data about Americans. The PCLOB recommends just that, with some conditions. National security officials have said a warrant requirement in those circumstances would deeply hamper the effectiveness of the program.
Three of the five PCLOB members recommended that FBI agents be required to get approval from the Foreign Intelligence Surveillance Court to review Americans’ Section 702 data, “if a judge agrees such a search is ‘reasonably likely to retrieve’ foreign intelligence or evidence of a crime,” as Devlin wrote.
- Specifically, per Devlin: “The report calls for ‘individualized and particularized judicial review’ for any searches using query terms related to U.S. citizens and lawful residents. At the same time, however, the recommendation said there should be two exceptions to that requirement — one for fast-moving emergencies, and another for instances in which the government is seeking data about a potential American victim and has the victim’s consent to conduct such a search.”
“Section 702 remains highly valuable to protect national security,” the report says, but it also “creates serious privacy and civil liberties risks.”
The minority members wrote in a separate statement that failing to reauthorize Section 702 “would cause grave damage to the security of our country, and quite likely, lead to the loss of American lives.” The right move is to “reform the structure and culture of the FBI” rather than mandating warrants for the Section 702 data of Americans, they argued.
Created in the aftermath of the Sept. 11 terrorist attacks, Section 702 has become the “crown jewel” of U.S. surveillance in the eyes of national security officials who say it now accounts for 60 percent of the items in the president’s daily intelligence briefing.
The administration also has said that cyber investigations are one of the major uses of Section 702.
- They’ve declassified information that says Section 702 played a vital role in identifying the hackers behind the 2021 ransomware attack on Colonial Pipeline, an incident that sparked a gasoline panic in the United States.
- They’ve also declassified information about how the program helped them identify Chinese hackers behind a cyberattack on an unnamed critical infrastructure target, as well as how it helped them mitigate an attack by Iranian hackers on a U.S. nonprofit.
In May, the majority of The Cybersecurity 202 Network — a group of cyber experts — said Section 702 should be renewed with alterations to further safeguard privacy.
On the other side, skeptics of the program cite cases where it’s been repeatedly abused, pointing to its use on Black Lives Matter protesters, crime victims, Jan. 6 suspects and thousands of donors to a congressional candidate. (Officials say they have fixed the problems, which they blamed on a misunderstanding.)
Notably, the three PCLOB members who recommended court approval for searches of Americans are Democrats, while the two who oppose that recommendation are Republicans.
But that doesn’t exactly encapsulate the political outlook for renewal in Congress. Civil libertarians on the left have long disapproved of Section 702. Many Republicans, once reliable votes on surveillance, have grown critical of U.S. intelligence over what they view as mistreatment of former president Donald Trump and bias against the right.
Both skeptical sides have gotten ammunition from repeated reports on the misuse of the program.
There are a mere three months before Section 702 is set to expire. None of the House or Senate committees with oversight of the law have publicly introduced legislative proposals, and it’s not as if Congress will be in session every day between now and the end of the year. Furthermore, the Hill has been engulfed in a spending debate and possible government shutdown.
In short: There’s not a lot of time left to settle a difficult divide.
Tech giants face pressure from Washington to shore up cloud security
A recent China-linked espionage operation that compromised thousands of U.S. government Microsoft emails is putting more pressure on premier cloud providers to ramp up their security posture, our colleague Joseph Menn reports.
Joseph writes: “Cybersecurity experts in and out of government say that email, word processing and other software running on computer networks owned by those big companies remain more secure than the equivalent programs running on government-owned machines. But federal officials and legislators nevertheless have been stepping up their demands that the cloud giants do more, part of a strategy that also includes more cybersecurity rules for critical infrastructure.”
- The Cybersecurity and Infrastructure Security Agency has directed its review board to investigate that Microsoft cloud breach, Joseph writes. (More details on the breach below.)
- “These are very large providers, providing a pretty substantial chunk of the computing environment, and they should have an obligation to deliver on security,” said Scott Crawford, research director for security at S&P Global’s 451 Research. “It’s good to see when they are, and it’s also good to see when they are called to account,” he added.
But every major cloud provider operates differently with different customer bases. Amazon, for instance, demonstrated how Amazon Web Services can send takedown requests to the administrators that host malicious programs within an hour, without any human involvement, the report notes. (Amazon founder and former CEO Jeff Bezos owns The Washington Post. The Post’s interim CEO Patty Stonesifer sits on Amazon’s board.)
- Amazon Chief Security Officer Steve Schmidt said in an interview that the company has a “net footprint larger than any other cloud provider,” and “there have been several situations where we have produced the pivotal component in a CISA advisory.”
Google similarly said it automates takedown requests. The company “knows the most about individual online accounts, including those used by impostors, and the physical location of hackers,” Joseph writes.
- Moreover, “we proactively scan the internet for Cloud credentials customers have exposed by mistake and notify customers of leaked credentials that pose a risk to their organizations’ security,” spokesperson Melanie Lombardi said.
Chinese hackers retrieved 60,000 emails in recent State Department breach
State Department officials told Senate staffers that when Chinese hackers leveraged a flaw in Microsoft’s cloud services, allowing them to access email accounts of top U.S. officials, they accessed the inboxes of 10 State Department officials and pilfered about 60,000 of their emails, a Senate staffer said.
A readout sent to The Cybersecurity 202 from a staffer for Sen. Eric Schmitt (R-Mo.) said a panel of State Department officials briefed Senate staff on Wednesday to discuss the incident, in which a hacker group, dubbed by Microsoft as Storm-0558, breached the emails of Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns and Assistant Secretary of State for East Asia Daniel Kritenbrink, as well as Rep. Don Bacon (R-Neb.).
- The hackers leveraged a stolen Microsoft signing key used by the company to authenticate customers, allowing them to masquerade as federal users of Microsoft’s email services and access officials’ inboxes.
- That stolen key was leaked in an April 2021 “crash dump” in which the contents of a computer’s memory and systems were recorded upon crashing (the recorded data is often used to figure out what went wrong with a computer during failure).
That token was used to hack 25 entities, including emails from the 10 officials. Nine of the individuals whose emails were breached “were working on East Asia and the Pacific, while 1 individual was working on Europe (clarification could not be given on what specifically they worked on),” the staffer’s remarks said, adding that their focus was mostly on Indo-Pacific diplomacy efforts.
- Schmitt has led efforts to examine the U.S.’s dependence on Microsoft IT services.
- “We need to harden our defenses against these types of cyberattacks and intrusions in the future, and we need to take a hard look at the federal government’s reliance on a single vendor as a potential weak point. I will continue to lead my colleagues in pushing for more answers to ensure China and other nefarious actors do not gain access to the federal government’s most sensitive information,” Schmitt said in a prepared statement.
Microsoft and the State Department did not immediately respond to a request for comment from Reuters, which also reported on the briefing.
U.S., Japan advisory signals China-linked hackers exploiting routers for cyberattacks
A China-backed hacking group is exploiting vulnerabilities in internet routers, targeting government, industrial, technology, telecommunications and defense sectors, Bloomberg News’s Jamie Tarabay and Katrina Manson report, citing a joint advisory from U.S. and Japanese cybersecurity authorities.
The group, known as BlackTech, has “been discovered modifying software inside routers to target companies based in their countries,” Tarabay and Manson write.
- The hackers have been able to disable logging that allows users to identify activities occurring in their networks, allowing them to target U.S. and Japanese companies undetected. Specific companies were not named in the advisory.
- “BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia,” said Eric Goldstein, executive assistant at the Cybersecurity and Infrastructure Security Agency. The advisory says the group has compromised several Cisco router systems. Other providers were compromised but unnamed, Bloomberg notes.
- In a security advisory, Cisco said: “There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes.” The company also noted that “Modern network infrastructure devices now contain numerous security features and capabilities that mitigate the aforementioned attacks.”
The United States has previously warned Tokyo of Chinese efforts to breach Japanese networks. Defense Department officials announced last week that they met with Chinese government officials to discuss military and cybersecurity matters, the Record’s Jonathan Greig reported.
The Bloomberg report adds: “Senior US national security officials grew increasingly concerned that sensitive information that they shared with some allies could be at risk of the breach, which was discovered several years ago. That prompted multiple US delegations since 2020 to fly to Tokyo to warn Japan, according to the officials, who asked not to be identified discussing the sensitive matter.”
The report comes amid news that the United States is hosting Western Hemisphere cybersecurity partners this week in an effort to shore up their collective cyber defenses and work to decouple Latin America’s reliance on Chinese technology exports, which officials say poses a security threat to communications networks of allies south of the United States.
DHS shutdown plan sidelines 79% of CISA staff (MeriTalk)
Rosenworcel outlines proposal to restore net neutrality rules, includes aspects on national security (Inside Cybersecurity)
Democrats fear cyberattacks as government shutdown looms (Nextgov/FCW)
Election security report cautions against ‘jumping to conclusions’ on generative AI threats (Inside AI Policy)
Russian zero-day seller offers $20M for hacking Android and iPhones (TechCrunch)
‘Snatch’ ransom group exposes visitor IP addresses (Krebs on Security)
Vulnerability in popular ‘libwebp’ code more widespread than expected (The Record)
10 questions to ask yourself about data breaches (Wall Street Journal)
The sheriff, his girlfriend and his illegal subpoenas (Mississippi Today)
RICO class-action data privacy lawsuit filed against H&R Block, Google, Meta (The Record)
- White House chief science and technology adviser Arati Prabhakar speaks with the Information Technology Industry Council about public-private sector collaboration on AI systems at 10 a.m.
- Stanford University kicks off its two-day Trust & Safety Conference beginning 11:30 a.m.
Thanks for reading. See you tomorrow.