TECH & CYBER BRIEFING: CISA Deputy Seeks 24-Hour Cyber Reports


A Cybersecurity and Infrastructure Security Agency official wants cyberattacks on critical infrastructure operators to be reported to the government within 24 hours, a divergence from legislation in Congress that sets a 72-hour timeframe.

The increase in cyberattacks on critical infrastructure such as Colonial Pipeline has led lawmakers and federal agencies to push for mandatory reporting of attacks to the government.

“The U.S. government has argued that we think 24 hours is the right amount of time, that brings it early enough for us to use the information, but does give the companies some time to determine whether this is a real incident or not,” Brandon Wales, the executive director for CISA, told Bloomberg Government’s Rebecca Kern during a Bloomberg event yesterday.

“When there are these big incidents that are happening, 24 hours is pretty deep into the response cycle already,” he said. “In the Colonial example, they were already letting customers know that they were shutting down parts of their pipeline well in advance of 24 hours. So we do think that 24 hours is a good metric.”

Legislation moving through Congress would set a 72-hour clock to report to CISA, a provision based on feedback from companies seeking more time to weed out false positives.

Kevin Kirwan, senior vice president at American Water — a trade association representing water and wastewater utilities — raised concerns about smaller utilities being able to respond in such a short period. “When an entity’s dealing with an incident, they’re trying to fight the fire,” Kirwan said in an interview.

Sen. Gary Peters (D-Mich.), chair of the Senate Homeland Security and Governmental Affairs Committee and a cosponsor of the Senate reporting bill (S. 2875), wants to strike a balanced approach. Peters said in a statement he’s seeking a bill to require reporting of “serious cyber-attacks in a timely manner, without placing additional burdens on organizations that are already struggling to manage and respond to a crisis.”

Sen. Rob Portman (R-Ohio), the bill’s cosponsor, said he also doesn’t want to overtax industry or CISA. He said in a statement the bill balances “the need to get CISA information quickly with the need to let critical infrastructure cybersecurity experts focus on defending against cyber-attacks early on in the attack, not filling in forms.”

The House counterpart from Reps. Bennie Thompson (D-Miss.), Yvette Clarke (D-N.Y.) and John Katko (R-N.Y.) advanced as an amendment to the fiscal 2022 National Defense Authorization Act (H.R. 4350) in September. Peters and Portman’s committee advanced its bill earlier this month, and Peters said he aims to include it in the Senate version of the annual defense bill, potentially leaving any further changes to the bill in the hands of a bicameral conference committee.

A House staffer who worked on the legislation told Bloomberg Government that the panel doesn’t disagree that some incidents can and should be reported sooner, but that other events may take more time to uncover and investigate, and would have a smaller impact than the shutdown of Colonial’s pipeline.

Wales said CISA will keep working with lawmakers on the bills regardless of the timeline. “Ultimately, we think that getting the information in is the most important thing, so if we have to work on a timeline other than 24 hours, we will,” he said.

Senate Version of CISA Exercise Bill Introduced: Bipartisan senators yesterday introduced the CISA Cyber Exercise Act, which would direct the agency to continue its work in establishing a National Cyber Exercise Program where it could test responses to cyberattacks. CISA would have to create model exercises for state and local governments and the private sector to use to test their infrastructure. Sens. Jacky Rosen (D-Nev.), Angus King (I-Maine) and Ben Sasse (R-Neb.) sponsored the bill. The House version, from Reps. Elissa Slotkin (D-Mich.) and Mike Gallagher (R-Wis.), advanced as an amendment to the House-passed defense authorization bill (H.R. 4350).

Also on Lawmakers’ Radars

Infrastructure Battle Puts China Chip Bill on Back-Burner: A bipartisan push to make the U.S. more competitive with China and bolster domestic chip production risks falling by the wayside as Congress grapples with a packed year-end agenda in an ever-more-divided Capitol. The Senate-passed legislation (S. 1260), which includes $52 billion to strengthen the U.S. semiconductor industry and other provisions to aid the technology sector, marked a rare piece of cooperation over the summer between progressives and conservatives. President Joe Biden and Commerce Secretary Gina Raimondo lent their support, fueling hopes it could become law this year.

But the popular legislation was quickly overrun by infighting among Democrats over Biden’s $3.5 trillion economic agenda and a $550 billion infrastructure plan, as well as a feud with Republicans over the debt ceiling and government spending. Daniel Flatley checks in on the state of play on the measure.

Snapchat, YouTube, TikTok Will Testify on Child Safety: Snapchat, YouTube and TikTok representatives will testify at a Senate hearing on Oct. 26 about the effects of social media platforms on children. Sen. Richard Blumenthal (D-Conn.), chair of the Senate Commerce Committee’s subcommittee on consumer protection, and Marsha Blackburn (R-Tenn.), the subcommittee’s ranking member, said in a statement they are concerned that tech companies are prioritizing profits over children’s safety online, Daniela Sirtori-Cortina reports.

Warren Urges Zuckerberg to Stop Novi Pilot: A group of Democratic senators including Elizabeth Warren (D-Mass.) and Senate Banking Chairman Sherrod Brown (D-Ohio) are urging Facebook CEO Mark Zuckerberg to immediately cease the company’s pilot project to launch a digital wallet called Novi and to commit to keeping its cryptocurrency Diem off the market, Caitlin Webber reports. “Facebook is once again pursuing digital currency plans on an aggressive timeline and has already launched a pilot for a payments infrastructure network, even though these plans are incompatible with the actual financial regulatory landscape—not only for Diem specifically, but also for stablecoins in general,” they wrote.

Industry Group Puts Cost of Regulating Big Tech at $300 Billion: A study by economists at NERA Economic Consulting commissioned by the Computer & Communications Industry Association looking at the effects of antitrust legislation recently introduced by bipartisan House and Senate lawmakers estimates those rules, if enacted, would cost the U.S. economy approximately $300 billion. “It is likely these costs would ultimately be passed down to consumers and small businesses in the form of higher retail prices and loss of free and valued services,” CCIA said in a statement.

According to the study, “the proposed bills create significant regulatory risks not only to the primary targets of the bills—Google, Apple, Facebook, Amazon, and Microsoft—but also to no less than 13 additional U.S. companies. The risks emanate from an overly broad definition of an online platform, the extensive regulatory framework that applies to covered platforms, the broad discretions that are granted to competition authorities tasked to determine compliance, and the extensive financial penalties that apply for noncompliance.”

House Floor: The House today is scheduled to consider at least one tech-related measure under expedited procedure:

  • Oversight of AI in Counterterrorism: The Privacy and Civil Liberties Oversight Board would have access to information on federal agencies’ use of artificial intelligence in counterterrorism programs under a modified version of H.R. 4469. For more, see the BGOV Bill Summary by Michael Smallberg.

Tech Policy and Regulation

Facebook Renaming Report Sparks Speculation: The report that Facebook plans to change its corporate name prompted a flurry of online speculation as industry followers rushed to register their guesses. Suggestions on Twitter included simple ones like “FB” and a return to “The Facebook.” The Verge, which reported the plan yesterday, said the new name could have something to do with “Horizon” after a virtual reality platform the company has been developing. That would be a nod to Chief Executive Officer Mark Zuckerberg’s ambition for Facebook to eventually be known better for its metaverse — referring to the trendy proposition that the next evolution in online connectivity will be people living, working and interacting in an immersive virtual world — than its social network. Read more from Vlad Savov.

  • Facebook has reached a settlement with the U.S. government over allegations that it discriminated against domestic workers by reserving thousands of positions for foreigners with temporary H-1B visas. Facebook agreed to pay as much as $14.3 million in separate settlement agreements with the Justice and Labor Departments, the government said yesterday. “Facebook is not above the law, and must comply with our nation’s federal civil rights laws, which prohibit discriminatory recruitment and hiring practices,” said Assistant Attorney General Kristen Clarke of the Justice Department’s Civil Rights Division. Read more from Chris Strohm and David Yaffe-Bellany.
  • Facebook said yesterday it will show information in its news feed about how to vote with a link to states’ official websites ahead of elections in the U.S., Skylar Woodhouse reports.

Microsoft Privacy Tool Aims to Boost EU, U.S. State Compliance: Microsoft is launching a privacy management tool for its 365 software to assist customers with compliance for international and state-level privacy laws, the company announced yesterday. Privacy Management for Microsoft 365 identifies privacy risks associated with personal data in products like email and determines whether data is being overshared, transferred, or unused, according to another company blog post. The management system also automates efforts to mitigate risks. Read more from Andrea Vittorio.

Add Chinese Drone Maker to Banned List, Carr Says: The top Republican on the Federal Communications Commission wants to blacklist another Chinese company over national security concerns by prohibiting federal dollars from being used to purchase its equipment.

SZ DJI Technology, a Shenzhen-based drone company, should be added to the FCC’s “covered list,” Commissioner Brendan Carr proposed yesterday during an event hosted by China Tech Threat, a consultancy that says it studies technology problems “produced” by China. Evidence against DJI has for years been mounting “and various components of the U.S. government have taken a range of independent actions—including grounding fleets of DJI drones based on security concerns,” Carr said. Read more from Maria Curi.

Google Tweaks Image Search for Racially Diverse Results: Google updated its algorithms in an effort to promote more racially diverse results in image searches—the tech giant’s latest attempt to excise biases from the world’s most popular search engine. The recent change, implemented without a formal announcement, is meant to present a variety of skin tones in image queries related to beauty, such as “beautiful skin” and “professional hairstyles,” as well as simpler people-related searches like “woman” or “happy family,” the Alphabet-owned company said yesterday. Read more from Nico Grant.

CBP Must Release Twitter Summons-Related Files: Several records related to U.S. Customs and Border Protection’s decision to pump Twitter for details about a user critical of the agency’s policies must be released to a national media group, a federal court said. The Reporters Committee for Freedom of the Press overcame the agency’s assertion of Freedom of Information Act exemptions for information about whether to issue a summons to the social media company—and whether to withdraw it following legal action—the U.S. District Court for the District of Columbia said. Read more from Mary Anne Pazanowski.

Amazon Moves to Shed Proposed Privacy Class Action: A proposed class action accusing Amazon’s Alexa of snooping on users should be dismissed because consumers consented to recordings during the registration process, the e-commerce giant is arguing in Washington federal court. Customers consented to recording to provide, personalize, and improve the Alexa service, and the terms disclose that Amazon retains recordings, the company argued in a motion to dismiss filed Monday in the U.S. District Court for the Western District of Washington. Read more from Jake Holland.

Cybersecurity Policy

Tech Modernization Fund a Down Payment, OMB Official Says: A new tranche of funding to defend federal agencies against cyberattacks will be announced in the coming weeks, but the more than $1 billion allocated by Congress is only a down payment on what’s needed, the U.S. chief information officer says.

The Technology Modernization Fund, launched in 2017, is a pool of money for federal agencies to modernize their information technology systems, both to guard against cyber threats and to offer more services online. The TMF board announced seven grants totaling $311 million at the end of September. It is working on allocating the next awards while signaling to Congress that it still won’t be enough. Read more from Josh Wingrove.

To contact the reporters on this story: Giuseppe Macri in Washington at gmacri@bgov.com; Rebecca Kern in Washington at rkern@bgov.com

To contact the editors responsible for this story: Zachary Sherwood at zsherwood@bgov.com; Michaela Ross at mross@bgov.com
