Posts with «government» label

President Biden is meeting with Apple, Google and Microsoft on cybersecurity

The US has suffered a flurry of major cyberattacks targeting everyone from federal prosecutors through to meat suppliers, and the White House hopes some discussions with key companies will produce some long-term security solutions. The Washington Post reports that President Biden, certain cabinet members and relevant security officials are holding talks on August 25th with tech giants ADP, Amazon, Apple, Google, IBM and Microsoft to see how they can help bolster cybersecurity.

While the spate of ransomware attacks will be on the agenda, a senior Biden administration official said the White House wanted to tackle the "root causes" of cybersecurity issues. This included addressing a wide range of vulnerabilities, instituting "good operational practices" and hiring more security workers.

The conversations will also involve financial and insurance giants (including JPMorgan Chase, Bank of America and Travelers) as well as educational organizations like Code.org and Girls Who Code. While the Biden meeting is at the center of the discussions, the chats with cabinet members and officials are billed as "informal" sessions that will help establish definitive solutions.

The White House said the meetups were a recognition that the US needed a "whole-of-nation" cybersecurity strategy involving both the government and private sector. It also promised this wouldn't be the "last engagement" with companies on security issues. This comes soon after Biden took multiple steps in a bid to improve digital security for vital infrastructure, such as issuing an executive order meant to bolster federal security standards and coordination.

The question, as always, is whether or not the discussions will lead to meaningful action. The meeting with tech firms might help with top-down decision-making, but that won't matter much unless the other talks also lead to tangible strategy changes. This could be little more than a public relations exercise if the companies don't (or can't) commit to specific cybersecurity improvements.

FCC proposes $5 million fine for activists behind election robocalls

The FCC has proposed the largest fine yet under the Telephone Consumer Protection Act, and the subjects are two robocallers Law & Crime describes as "hard-right hoaxers." John M. Burkman and Jacob Alexander Wohl are facing a $5,134,500 fine for allegedly making 1,141 unlawful pre-recorded calls to mobile phones without the recipients' prior consent. The calls' content? Fake information designed to discourage people from voting by mail.

According to the commission's Enforcement Bureau, the calls were made on August 26th and September 14th, 2020, prior to last year's Presidential elections in the US. The robocalls told potential voters that if they vote by mail, their personal information will be added to a public database law enforcement can use to track down old warrants. Credit card companies will also be able to access the database to collect outstanding debts, the calls said, and the CDC can issue mandatory vaccines to the people on the list. Law & Crime says the calls primarily targeted Black and Latino populations in New York, Ohio and Michigan.

The FCC started investigating the calls after receiving complaints from consumers and a non-profit organization. Its Enforcement Bureau then worked with the Ohio Attorney General's Office to identify the dialing service providers Burkman and Wohl used. The providers turned over subpoenaed call records that identified Burkman and Wohl by name, along with information on the zip codes they wanted to target. Both individuals also admitted under oath that they were involved in the creation and distribution of those particular robocalls.

The pair are also facing a $2.75 million lawsuit from the NY AG https://t.co/IXQZydavHt

— Tonya Riley (@TonyaJoRiley) August 24, 2021

In addition to facing a $5 million fine from the FCC, the pair also face a $2.75 million lawsuit from the New York Attorney General's office. Back in May, a federal judge gave the NY AG the go-ahead to join a lawsuit accusing the pair of violating the Ku Klux Klan Act, which protects Americans from political intimidation. As for the FCC fine, Burkman and Wohl will be given an opportunity to submit evidence and legal arguments before the commission takes any further steps toward a resolution.

Website mapping DC’s tunnel network warned FBI of suspicious traffic ahead of Capitol riot

The FBI received a tip-off about suspicious activity ahead of the Capitol riot on January 6th from a surprising source. Elliot Carter, a recreational mapmaker, contacted law enforcement after his site about Washington, D.C.'s underground infrastructure saw a spike in traffic referred from suspicious websites. His warning eventually made it to the highest ranks of the Capitol Police, according to a new investigation by News4 I.

Normally a mecca for local history buffs, the Washington Tunnels website Carter oversees was flooded with nationwide visitors in the days before the insurrection. A deeper review of the traffic analytics revealed that many of the clicks were coming from hyperlinks shared on anonymous message boards, sites and forums named after militias or firearms, or using Donald Trump’s name. Though the initial interest originated from the deepest and darkest recesses of the web, it eventually transitioned onto popular social media sites, including Twitter.

The Washington Tunnels website itself was a labor of love. Back in 2018, Carter set to work building his online resource of the District's subway and freight rail tunnels, pedestrian passageways, underground steam tunnels and sewage and water pipelines. But even then, he was rebuffed by some government agencies concerned about the security and terrorism risks that could arise from publishing such information online.

Carter's "online tip" to the FBI was mentioned in the US Senate Rules and Homeland Security committees' June 2021 review of the US Capitol insurrection. In a statement to News 4 I, the US Capitol Police said its leadership had been alerted "to the spike in website traffic regarding maps" ahead of the insurrection. But it added that its wider intelligence gathering "didn't reveal [that the expected] large-scale demonstration would become a large-scale attack on the Capitol Building."

Researcher says a US terrorist watchlist was exposed online for three weeks

The FBI’s Terrorist Screening Center (TSC) may have exposed the records of nearly 2 million individuals and left them accessible online for three weeks. Security researcher Bob Diachenko says he discovered a terrorist watchlist on July 19th that included information like the name, date of birth and passport number of those listed in the database. The cluster also included “no-fly” indicators.

According to Diachenko, the watchlist wasn’t password protected. Moreover, it was quickly indexed by search engines like Censys and ZoomEye before the Department of Homeland Security took the server offline on August 9th. It’s unclear who may have accessed the data.

“I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work,” Diachenko said in a LinkedIn post spotted by Bleeping Computer. “The DHS did not provide any further official comment, though.” We’ve reached out to the Department of Homeland Security.

Among the watchlists the TSC maintains is America's no-fly list. Federal agencies like the Transportation Security Administration (TSA) use the database to identify known or suspected terrorists attempting to enter the country. Suffice it to say, the information included in the exposed watchlist was highly sensitive.

A recent bipartisan Senate report warned of glaring cybersecurity holes at several federal agencies, including the Department of Homeland Security. It said many of the bodies it audited had failed to implement even basic cybersecurity practices like multi-factor authentication and warned that national security information was open to theft as a result.

Senate report warns of glaring cybersecurity holes at federal agencies

Several US federal agencies are unprepared to protect the personal information of everyday Americans should they become the target of a cyberattack, according to a new report put together by the Senate Homeland Security Committee. The panel found that out of eight federal bodies, including the departments of State, Transportation and Education, only Homeland Security complied with the Federal Information Security Modernization Act (FISMA), an Obama-era law Congress passed to enable the US government to better respond to online threats.

"All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege and multi-factor authentication," the report said.

This morning as Ranking Member of #HSGAC I released a bipartisan report w Chairman @SenGaryPeters on fed cybersecurity & how America’s data is still at risk. The report shows a sustained failure to address cybersecurity vulnerabilities at our fed agencies. https://t.co/DqwMnY6own

— Rob Portman (@senrobportman) August 3, 2021

As The Record points out, one of the more glaring oversights the panel found was that the State Department left thousands of employee accounts on its classified and unclassified networks active even after those individuals left the agency. In another particularly worrisome example, the Department of Agriculture had vulnerabilities on its websites that it wasn't aware of. What's more, at least seven of the eight agencies the panel audited were using outdated and unsupported IT systems, leaving them vulnerable to attacks. "It is clear that the data entrusted to these eight agencies remains at risk," the report said.

"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming," Senator Rob Portman, the panel's top Republican, said on Twitter. "It is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better."

Among other recommendations, the report highlights the need for a single agency to oversee federal cybersecurity. To that end, the panel suggests Congress update the Federal Information Security Modernization Act to make the law better reflect current cybersecurity practices and establish the Cybersecurity and Infrastructure Security Agency as the federal lead for those types of issues. It also recommends amending FISMA to require agencies to notify both CISA and, in some instances, Congress when they become entangled in a major incident.

Senate bill would create exception to Section 230 to limit health misinformation

A week after Surgeon General Dr. Vivek Murthy declared health misinformation an "urgent threat" to the US public, Senators Amy Klobuchar of Minnesota and Ben Ray Luján of New Mexico have introduced new legislation that would modify Section 230 of the 1996 Communications Decency Act to strip liability protections from technology companies if their platforms help spread misinformation during a health crisis.

If passed, the Health Misinformation Act of 2021 would create an exception to Section 230 that would see social media platforms like Facebook and Twitter "treated as the publisher or speaker of health misinformation" when their platforms algorithmically amplify misleading health content. What falls under the definition of health-related misinformation would be decided by the Secretary of Health and Human Services. The exception would only apply during a public health crisis, which the HHS Secretary would have to declare beforehand.

In establishing a rationale for the change, the bill cites a joint report from the Center for Countering Digital Hate and Anti-Vax Watch that found that as much as 73 percent of vaccine misinformation on Facebook can be linked to a group of 12 individuals known as the "disinformation dozen." White House Press Secretary Jen Psaki recently referenced that same report, saying that many of those individuals are still active on the social network.

"For far too long, online platforms have not done enough to protect the health of Americans. These are some of the biggest, richest companies in the world and they must do more to prevent the spread of deadly vaccine misinformation," Senator Klobuchar said in a statement. "The coronavirus pandemic has shown us how lethal misinformation can be and it is our responsibility to take action."

The bill's introduction also follows a recent statement made by President Joe Biden. He said platforms like Facebook were "killing people" by not doing more to stop vaccine- and health-related misinformation. "We will not be distracted by accusations which aren't supported by facts," a spokesperson for Facebook told Engadget after Biden made his comments. "The facts show that Facebook is helping save lives. Period." The president later walked back his statement, noting the people using the platform to spread their misinformation were the ones doing harm but reiterated his belief that Facebook could do more to combat what was happening.

FTC votes to fight back against right to repair restrictions

The US Federal Trade Commission has voted unanimously to tackle unlawful repair restrictions. In a policy statement published on Wednesday, the agency said it plans to devote additional resources to enforcing existing laws, such as the Magnuson-Moss Warranty Act, that protect small businesses and consumers from companies that would prevent them from fixing the products they purchased on their own. In doing so, the FTC will take a five-part approach to the problem that will involve collecting comments and complaints from the public, as well as working more closely with state law enforcement and policymakers to update existing regulations.

"These types of restrictions can significantly raise costs for consumers, stifle innovation, close off business opportunity for independent repair shops, create unnecessary electronic waste, delay timely repairs, and undermine resiliency," recently confirmed FTC Chair Lina Khan said. "The FTC has a range of tools it can use to root out unlawful repair restrictions, and today’s policy statement would commit us to move forward on this issue with new vigor."

The policy statement follows a July 9th executive order in which President Biden directed the FTC to tackle "unfair anti-competitive restrictions on third-party repair or self-repair of items" imposed by "powerful manufacturers" in the farming and technology industries. In Wednesday's announcement, the FTC didn't name any specific companies it will target as part of any enforcement action. However, a company like Apple is likely to be top of mind for the agency. The tech giant has consistently lobbied against state-level right to repair legislation, claiming those laws would put consumers at risk.

Right to repair advocates were quick to praise the announcement. "The FTC sets the tone for the nation’s commerce. For too long, manufacturers have been bullying consumers and driving local repair shops out of business," iFixit CEO Kyle Wiens said in a blog post the company published following the policy announcement. "This landmark new policy changes that. There’s a new sheriff in town."

White House blames China for Microsoft Exchange cyberattacks

The Biden administration isn't hesitating to blame China for a string of Microsoft Exchange cyberattacks. The White House has declared "with a high degree of confidence" that hackers linked to China's Ministry of State Security (MSS) were responsible for a digital espionage campaign using the Exchange vulnerabilities. Officials have confronted senior Chinese leadership with this and "broader" hostile online activity, the White House said.

The US further accused China of running an intelligence operation that relied on "contract hackers" who frequently launched attacks meant solely for profit, such as ransomware schemes and crypto jacking. The Chinese government's reported unwillingness to tackle these abuses is believed to hurt businesses, governments and infrastructure with "billions of dollars" in damage, the White House said.

Accordingly, the Justice Department has revealed indictments of four MSS-affiliated Chinese men for allegedly conducting an extended hacking campaign meant to steal intellectual property and trade secrets, including health research. The initiative, which ran between 2011 and 2018, reportedly saw Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong compromise computers worldwide to grab information ranging from autonomous vehicle technology and chemical formulas through to research on Ebola, AIDS and other diseases.

Biden's administration has already taken multiple actions in response to attacks, including "proactive network defense actions" like deleting backdoors on compromised Exchange servers. It added private companies to its Unified Coordination Group to bolster its security incident response. CISA, the FBI and the NSA also released an advisory outlining China's strategy for compromising US and ally networks using the Exchange holes and other methods.

This comes on top of stricter security rules for pipeline companies as well as a pilot to tackle vulnerabilities in sectors like electricity and water supply.

China has historically denied involvement in attacks like these, and it's doubtful the country will have a change of heart after this. The White House effort is more of a warning — the US will not only pin attacks on China, but respond to them in kind.

California's upcoming open fiber network could make fast broadband more accessible

California might soon make it practical for small internet providers to deliver speedy broadband, not just well-heeled incumbents. Ars Technica reports that the state Assembly and Senate have unanimously passed legislation that will create a statewide open fiber network that promises truly fast internet access from smaller ISPs, particularly in rural or otherwise underserved areas.

The strategy will devote $3.25 billion to the construction of a "middle-mile" network that won't directly connect customers, but should make it much easier for ISPs to launch or upgrade their service. Another $2 billion will help those providers establish last-mile connections to users.

Governor Newsom has yet to sign the legislation into law, but that's considered a formality since he has already reached agreements on the details with legislators.

The network met resistance from larger ISPs that lobbied to block the reach of the open fiber network. It might have a significant impact on internet access in the state, however. While state and federal governments have pushed for improved rural broadband coverage for years, the focus has usually been on merely offering service rather than upgrading quality. This could bring truly competitive speeds to underserved areas and ensure they can access the same services as people subscribed to major broadband companies.

Senate appoints former NSA official as head of US cybersecurity agency

A former NSA and White House official has been appointed to lead the Cybersecurity and Infrastructure Security Agency (CISA) at a time when ransomware and other kinds of cyberattacks are on the rise. The Senate has named Jen Easterly as the second person to head up the DHS agency, according to Politico. CISA provides cybersecurity tools and incident response services to government networks, and it also offers security advice to infrastructure operators and businesses. 

Politico previously reported that CISA has been struggling to handle one cyber crisis after another and that the agency is understaffed and overworked. It had to face multiple intrusions in the middle of the pandemic as bad actors attacked the healthcare industry with ransomware, forcing victims to pay up to prevent delays that could cost lives. CISA also had to respond to the massive SolarWinds hack that the government is blaming on Russia, as well as the ransomware attacks on Colonial Pipeline, software giant Kaseya and meat supplier JBS.

Easterly doesn't only have to lead response efforts to ongoing cyberattacks; it also falls on her to make sure CISA gains the ability to counter new threats as they come up. Before being named as the new CISA head, Easterly spent years as the number 2 official in the NSA's counterterrorism division and was also the National Security Council's senior director for counterterrorism under former President Barack Obama.