Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.
Welcome! Follow the cyber team, Maggie Miller (@magmill95), and the tech team, Emily Birnbaum (@birnbaum_e) and Chris Mills Rodrigo (@chrisismills).
IRANIAN CYBER THREAT: The Department of Homeland Security (DHS) released a bulletin through its National Terrorism Advisory System (NTAS) warning of Iran’s ability to carry out cyberattacks with “disruptive effects” against critical U.S. infrastructure.
In the bulletin, sent out in the wake of the U.S. airstrike that killed Iranian Quds Force commander Qassem Soleimani, DHS noted that while there is currently “no information indicating a specific, credible threat to the Homeland,” Iran does have the ability to attack the U.S. in cyberspace.
“Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets,” DHS wrote in the bulletin.
The agency noted that “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
Acting DHS Secretary Chad Wolf tweeted on Saturday that the bulletin was intended to “inform & reassure the American public, state/local governments & private partners that DHS is actively monitoring & preparing for any specific, credible threat, should one arise.”
The bulletin, which also warned of the potential for Iran to attempt to carry out terrorist attacks on the U.S., recommended that Americans implement basic measures to defend against cyberattacks, such as backing up data and using two-factor authentication on sensitive accounts.
YOUTUBE UPDATES CHILD CONTENT POLICY: YouTube on Monday rolled out a series of changes to its content policies aimed at protecting children on the platform in an effort to appease federal regulators who fined the company millions for alleged privacy violations last year.
The changes, first introduced last September, were fully rolled out on Monday. The Google-owned company will now restrict the collection of data from people who watch videos meant for children, whether or not the viewers are children themselves.
YouTube will also stop running targeted ads on content for minors.
The decision on what content falls under these new rules will be made primarily by content creators. As of Monday, creators will have to designate whether videos are made for children during the uploading process.
“We also use machine learning to help us identify this content, and creators can update a designation made by our systems if they believe it is incorrect,” the company said in a blog post Monday, clarifying that YouTube can label a video as made for kids even if its creator does not.
“We will only override a creator designation if abuse or error is detected.”
NEW PRIVACY LAW IN EFFECT: California became the first state in the country to have a comprehensive data privacy law when the California Consumer Privacy Act (CCPA) went into effect this year.
Companies are scrambling to figure out how to handle the law, which is expected to require major firms to disclose the personal information they collect from consumers and what they do with it.
Much about the law, which will not be enforceable until either July 1 or six months after the final rule is released, remains unclear.
California Gov. Gavin Newsom signed the bill into law in June 2018, but California Attorney General Xavier Becerra only just published the first round of draft regulations in early October. His office closed the public comment period on Dec. 6, and the final version of the regulations is due out soon.
The bill is expected to allow Californians to view the information that companies have collected about them, and to opt out of that collection. The law is expected to forbid companies from discriminating against users who opt out of data collection.
While the law is not enforceable for now, California has hinted that companies could be sanctioned retroactively if they disregard the new rules on Jan. 1.
A spokesperson for Becerra told The Hill that qualifying companies “should be prepared to adhere to the law as of January 1,” suggesting that retroactive enforcement may be possible.
“While we can’t take action until six months after finalizing our rules, or July 1 — whichever comes first — we can consider a business’s efforts to comply with the law from January 1, onwards,” the spokesperson said.
The CCPA technically applies to businesses with online traffic in California that have annual revenues over $25 million, collect data on 50,000 consumers or receive 50 percent of their revenue from selling data, according to the draft regulation.
COMING SOON TO CAPITOL HILL: A federal strategy for defending the U.S. government against cyberattacks is one step closer to completion, with lawmakers saying they have a draft form that could be finalized as early as March.
The report has been in the works since 2018 after the National Defense Authorization Act created a commission, consisting of lawmakers and industry leaders, to draw up recommendations.
Rep. Mike Gallagher (R-Wis.), co-chairman of the commission, told The Hill that the group had recently put together a draft version.
“Over the holiday we will have a few weeks to dig into the draft text, and there are a few issues we are working through, but we feel good,” Gallagher said on Dec. 19. “We had a meeting this week, an additional meeting, and it was a really robust debate, and so I think we’re getting there.”
The 2020 National Defense Authorization Act, signed into law by President Trump last month, extended the initial deadline for the commission to produce the report to April 30.
Rep. Jim Langevin (D-R.I.), another member of the commission, told The Hill that the commission would likely publish the report before the new deadline.
“We will get our work done certainly before then. It could well be as early as March,” Langevin said on Dec. 19. “We are coming to a place where we can see the light at the end of the tunnel.”
ICYMI: GOOGLE UNDER FIRE OVER DIVERSITY: A former Google executive on Thursday unleashed a barrage of criticism over the tech giant’s diversity efforts, painting Google as hypocritical and insincere over its public claims that it is trying to cultivate an inclusive workplace.
Ross LaJeunesse, a trusted Google veteran who launched a bid for Sen. Susan Collins’s (R-Maine) seat after the company allegedly pushed him out last year, is publicly criticizing Google for disregarding his complaints about the mistreatment of minority employees during his decade-long tenure.
LaJeunesse penned a Medium op-ed divulging his struggles at Google on Thursday, making him the most senior executive yet to publicly raise concerns about retaliation and mistreatment at the Silicon Valley behemoth. He is claiming that he was effectively fired after pushing for a human rights framework within the company for years. In a statement, a Google spokeswoman said LaJeunesse’s former job was “eliminated as part of the broad reorganization of our policy team,” which affected many employees.
The stories from LaJeunesse come as Google is facing an escalating wave of allegations and multiple labor complaints from employees who say they were punished for engaging in employee activism at the company.
In a follow-up interview with The Hill on Thursday, LaJeunesse detailed several instances in which he said Google’s expansive human resources department disregarded his reports about racist comments and insensitive exercises. Ultimately, he says Google pushed him out of his job.
“There was no other way of explaining what had happened to me, other than my consistent advocacy for human rights,” LaJeunesse said.
And looking at the year ahead…
2020 TECH ISSUES TO WATCH: In 2019, the swirl of scrutiny and souring public opinion around Big Tech coalesced into serious regulatory threats as every relevant government body in the country launched investigations into the largest and most significant technology companies in the world.
Lawmakers pointed fingers at tech companies like Facebook, Google’s YouTube and Twitter as they worked to assign blame in the aftermath of horrific mass shootings and acts of terror, which went viral online. And they lambasted the social media companies for allowing lies and smears about politicians to spill unabated across their platforms.
The upcoming year is almost certain to bring an intensified level of antagonism and friction between the top tech companies and the U.S. government, with a stronger threat of regulatory action than ever before.
Here are the top tech policy stories to watch for in 2020.
2020 CYBER ISSUES TO WATCH: Headed into 2020, with a presidential election on the horizon, cyber concerns are also certain to be in the spotlight in Washington.
Atop the list of cyber issues will be persistent questions about election security. Officials at the federal, state and local levels say they will be vigilant to any efforts to interfere in the election after 2016, even as lawmakers weigh additional actions to safeguard the vote.
But lawmakers will also be looking to tackle other issues as well, such as the ransomware attacks spreading across the country and the growing concerns over companies with foreign ties accessing Americans’ data.
Here’s what we are watching on the cyber front for 2020.
A LIGHTER CLICK: Identity crisis
AN OP-ED TO CHEW ON: What was the Sea Dragon rocket, and what would it have been used for?
NOTABLE LINKS FROM AROUND THE WEB:
Inside the secretive Silicon Valley group that has funneled over $20 million to Democrats (Recode / Theodore Schleifer)
Pro-Soleimani messages flood Twitter following general’s death from U.S. drone strike (CyberScoop / Jeff Stone)
A look back at 10 years of CES (TechCrunch / Ingrid Lunden)
Uber’s secret project to bolster its case against AB5, California’s gig-worker law (Washington Post / Faiz Siddiqui)
Austria’s Foreign Ministry hit by cyberattack (Infosecurity Magazine / Sarah Coble)