Hillicon Valley: ‘Stingray’ spying fears spark calls for action | AI debate flares at Google | Experts warn Russian malware more widespread | Lawmakers want Facebook to be more transparent

by Harper Neidig, Ali Breland, Morgan Chalfant, Olivia Beavers - 06/06/18 6:41 PM ET

The Cyber and Tech Overnights are joining forces to give you Hillicon Valley, The Hill’s new comprehensive newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.

Welcome! Follow the cyber team Morgan Chalfant (@mchalfant16) and Olivia Beavers (@olivia_beavers), and the tech team, Ali Breland (@alibreland) and Harper Neidig (@hneidig), on Twitter. Send us your scoops, tips and compliments.

FEARS OVER ‘STINGRAY’ SPYING SPARK CALLS FOR ACTION: Fresh concerns about digital privacy and security are budding in Washington amid revelations of potential surveillance activity in the D.C. region, causing some lawmakers to demand action from the Trump administration.

Officials with the Department of Homeland Security (DHS) recently disclosed signs of sophisticated technology, known colloquially as “Stingrays,” near sensitive facilities including the White House.

The devices, International Mobile Subscriber Identity (IMSI) catchers, exploit cell towers to potentially intercept cellphone communications. The technology has historically been used by law enforcement officials to track suspects, but the new revelations have bolstered fears that foreign intelligence agencies could be using them to spy on U.S. officials.

Sen. Ron Wyden (D-Ore.) is demanding action from the Federal Communications Commission (FCC) and private phone companies to better protect Americans from being spied on or tracked.

In an interview with The Hill Tuesday, Wyden accused FCC Chairman Ajit Pai of “stonewalling” his pleas for action.

“Mr. Pai and the FCC are dragging their feet here,” Wyden said. “They are stonewalling. They are ducking. They are trying to conjure up any possible reason to sit it out.”

Pai so far has declined to investigate Stingrays further, but says his agency is open to digging into the matter down the road.

The controversial technology works by masquerading as legitimate cellphone towers, tricking mobile devices to locking onto them, enabling would-be spies to track individuals’ locations or to intercept communications.

Often, the devices work in tandem with a vulnerability in Signaling System Seven (SS7), the global telecommunications standard that connects phone networks, allowing them to swap information necessary to complete calls and send text messages.

“We have a system that was designed in 1975 to work, and security was an afterthought,” said Christopher Meserole, a technology expert at the Brookings Institution.

“The security flaws have been known for a long time,” he said. “They’ve never really been addressed because the underlying technology is so useful.”

We break down the issue and the fears here.

ARTIFICIAL INTELLIGENCE DEBATE FLARES AT GOOGLE: Google’s decision not to renew a controversial artificial intelligence (AI) contract with the Pentagon has reignited a debate about what Silicon Valley’s role should be with regard to the military and war. Google, facing internal pressure, told employees during a meeting on Friday that it would not renew its contract with the Defense Department’s flagship AI program, known as Project Maven, after it expires in 2019, according to multiple reports.

The contract sparked a public relations crisis after a handful of employees reportedly resigned in protest and thousands of employees signed a letter urging the company’s CEO not to allow Google to be drafted into the “business of war.” Employees pointed to the company’s old “Don’t Be Evil” motto in pressuring Google to cut ties with the Pentagon.

Project Maven had recruited Google to help advance technology like surveillance drones, which are used to track the whereabouts of terrorist organizations and uncover devised plots before they unfold.

On one side: Bob Work, a former deputy Defense secretary who established Project Maven in April 2017, told The Hill on Monday that he is still holding out hope that Google will reconsider. If they do not, he said it would be unfortunate and could result in other technology companies divorcing themselves from Maven and similar projects. “I worry that a lot of companies will look at Google and say, ‘Wow, if Google isn’t going to work with the Department of Defense, maybe I shouldn’t either.’ So I’m hoping that this is not going to turn into any type of stampede,” Work said.

On the other: Employees at Google and critics outside the company said the government’s partnership with the search giant raised a series of ethical and legal questions given the amount of personal data Google holds through email accounts and Google Maps. They warned that with Google’s help, the U.S. military could build advanced AI weapons that can function autonomously. The machines, they warned, could eventually reach the point of sophistication where they could kill without human input.

“We have warned that technology companies should be extremely cautious about working with any military agency where the application involves potential harm to humans or could contribute to arms races or geopolitical instability,” said Karen Gullo, a spokeswoman for the Electronic Frontier Foundation, who noted EFF is pleased Google listened to the employees’ concerns.

The stakes are high: Google’s decision would be a blow to the Pentagon if the artificial intelligence technology it is pursuing is instead developed by another country. “Much of the interest … the Pentagon has in these kinds of technologies, and I think more importantly the Pentagon’s new embrace of Silicon Valley, is motivated by the fear of a rising China,” Peter Singer, a fellow studying war and technology at New America, told The Hill in an interview.

To read more of our coverage, click here.

EXPERTS WARN MASSIVE MALWARE MORE WIDESPREAD: Experts at Cisco’s threat intelligence arm Talos are warning that a sophisticated Russia-linked hacking campaign has infected more devices than previously reported and that the dangerous malware, dubbed VPNFilter, also has more capabilities than they initially found.

“We have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints,” according to a Wednesday Talos blog post. The hackers are targeting additional home network vendors like ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, the cyber firm says.

Talos had reported last month that the botnet — a network of infected devices– had compromised Linksys, MikroTik, Netgear, and TP-Link, estimating that VPNFilter had affected 500,000 devices in 54 countries. The latest report, however, notes that new devices were also discovered on these initially reported routers.

The firm also said it discovered that the malware can “intercept network traffic and inject malicious code into it without the user’s knowledge.” “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” the blog reads.

To read more, click here.

CYBER ACTION AT THE HOUSE HOMELAND SECURITY COMMITTEE: The House Homeland Security Committee on Wednesday voted down a Democratic resolution that would have forced the Department of Homeland Security (DHS) to provide lawmakers with more information about the threat posed by Chinese telecommunications firm ZTE.

While Chairman Michael McCaul (R-Texas) said he shared concerns about the potential security threat posed by ZTE, he explained that it would be “inappropriate” to try to force DHS to provide the information. McCaul also described the resolution as redundant, given that the department has already provided committee staff with some of the information behind closed doors.

McCaul also revealed that DHS, Department of Defense and FBI officials will brief members on the threats posed by ZTE and Huawei in a classified setting on June 13.

The measure, offered by ranking member Bennie Thompson (D-Miss.), would direct DHS to deliver a series of documents to the committee on the threat posed by ZTE, including information on whether the department or its contractors use ZTE products and what threats those products pose to the federal government.

We have more on the resolution here.

MEANWHILE … The committee approved legislation designed to boost security around industrial control systems (ICS) used to power the electric grid and other critical services in the United States.

The measure approved by the committee on Wednesday would codify and expand the Department of Homeland Security’s current efforts to identify and mitigate cyber threats to industrial control systems — technology used in a wide swath of critical sectors, including power and water systems, manufacturing, and transportation.

Security researchers have observed hackers growing more interested in targeting systems used to power critical infrastructure in recent years. Last month, cybersecurity firm Dragos released research showing that a hacking group that deployed sophisticated destructive malware to an industrial plant in the Middle East last year had expanded its operations to other targets and developed new capabilities.

“Industrial controls are the critical interface between the digital controls in an operational process,” Rep. Don Bacon (R-Neb.), who is sponsoring the legislation, said Wednesday.

“Disruptions or damage to these systems have the potential to cause catastrophic and cascading consequences to our nation’s national security, economic security and our public health and public safety.” Read more here.

HOUSE COMMERCE WANTS FACEBOOK TO BE MORE FORTHCOMING: The top Republican and Democrat on the House Energy and Commerce Committee admonished Facebook on Wednesday, saying in a joint statement that CEO Mark Zuckerberg should have been more forthcoming in his testimony before the panel in April.

Their remarks came after it was revealed that Facebook was sharing users personal data with dozens of device makers, including Huawei, a Chinese telecom that lawmakers and intelligence officials believe is a national security threat.

“Clearly, the company’s partnerships with Chinese technology companies and others should have been disclosed before Congress and the American people,” Reps. Greg Walden (R-Ore.) and Frank Pallone Jr. (D-N.J.) said in the statement. “The spirit of our questions about third-party access to user data should not have required technical knowledge of the legal agreements Facebook has with device manufacturers to get clear answers for the public.”

The intelligence community has long considered Huawei a national security threat due to its ties to Beijing and the firm has been mostly shut out of the U.S. since a 2012 congressional report warned that its hardware could be used to conduct surveillance on Americans.

The latest: Huawei responded on Wednesday, denying that it stored data on U.S. users.

“Like all leading smartphone providers, Huawei worked with Facebook to make Facebook’s services more convenient for users,” Huawei spokesman Joe Kelly told the AP, adding that the company “has never collected or stored any Facebook user data.”

More pressure: Sen. Edward Markey (D-Mass.) is calling for the Senate Foreign Relations committee to hold a hearing over Facebook giving data to Chinese companies.

But hold on: It’s unclear if Congress will hold hearings yet. A spokesperson for House Energy and Commerce told The Hill on Wednesday that they were still waiting for Facebook’s written response to the committee’s questions before they decided on further action.

Read more here.

FORMER CAMBRIDGE ANALYTICA CEO ADMITS GETTING DATA FROM RESEARCHER: Alexander Nix, the former head of the now-defunct Cambridge Analytica, admitted on Wednesday that the firm had obtained data on 87 million Facebook users from a researcher embroiled in the data scandal.

According to Reuters, Nix told British lawmakers that he misspoke during previous testimony when he denied the origin of the data.

Nix affirmed that Cambridge Analytica had received data from the researcher, Aleksandr Kogan.

“Of course, the answer to this question should have been ‘yes,'” Nix said in a hearing Wednesday. Reuters reported that he had thought he was being asked if Cambridge Analytica was still holding on to the data.

5G: President Trump‘s 2020 campaign manager is calling for a single, privatized 5G mobile network across the country, arguing the current system is outdated.

Brad Parscale’s position contrasts with a reported proposal floated by the White House earlier this year that included a plan to nationalize 5G networks in an attempt to guard against China.

This is rare: People close to Trump don’t talk much about 5G policy publicly (as riveting as it is). Last month though, Commerce Secretary Wilbur Ross chimed in. He said that building a 5G mobile broadband network is a chief concern for the Trump administration.

“Whoever pursues it, whoever does it, we’re very much in support of 5G. We need it. We need it for defense purposes, we need it for commercial purposes,” he said.

FULL SENATE DEFENSE BILL RELEASED: We already knew some of the interesting cyber and tech nuggets from the summary released by the Senate Armed Services Committee in late May, but among the more interesting provisions, the bill would authorize the Pentagon to conduct surveillance on individuals carrying out hacking or disinformation campaigns on behalf of the Russian government – a clear reference to Moscow’s alleged interference in the 2016 presidential election.

More here.

CRYPTO UPDATE: Crytpo’s least favorite American favorite regulator, the Securities and Exchange Commission’s Jay Clayton, is circling the currency again.

He said Wednesday that the agency should not change its longstanding definition about what constitutes a security to ease the rules for cryptocurrencies.

“We are not going to do any violence to the traditional definition of a security that has worked for a long time,” SEC Chairman Jay Clayton told CNBC on Wednesday.

“We’ve been doing this a long time, there’s no need to change the definition,” added Clayton, whose agency oversees the stock market and a wide swath of U.S. investment offerings.

APPLE NEWS’ FAVORITE MEDIA?: The Hill’s Emily Birnbaum reports that Apple News disproportionately promotes stories from a few major news outlets, with only 4 percent of app’s content coming from regionally focused news outlets, according to a new study by the Tow Center for Digital Journalism.

The New York Times is the most mentioned publisher in U.S. Apple News newsletters, appearing in 60 percent, followed by GQ, The Washington Post, Bloomberg and National Geographic.

Only 14 of the 390 US newsletter recommendations were for articles from regionally focused news outlets: eight from New York magazine, five from the Los Angeles Times, and one from The Baltimore Sun.

Why this matters: Although Apple News employs human editors to identify stories “unlikely to be identified by algorithms,” the app finds itself subject to the same biases as numbers-driven news aggregators, according to CJR.

Bad news for Washingtonians: Apple News rarely promotes politics and policy-focused news outlets: The Hill, Politico, CQ and Roll Call did not make it into the top thirteen news outlets promoted in Apple News US newsletters.

A LIGHTER TWITTER CLICK: We had to swing this one around. You’re welcome.

ON TAP FOR TOMORROW:

USTelecom will host a cybersecurity policy forum at 9:30 a.m.

The FCC will hold its monthly open meeting at 10:30 a.m.

The House Science Committee is holding a hearing on the “electric grid of the future” at 1 p.m.

NOTABLE LINKS FROM AROUND THE WEB:

Republicans press top FBI official on Strzok’s role in federal probes. (The Hill)

Internal government documents warn it’s only a “matter of time” before an airline is hacked. (Motherboard)

Inside Google workers’ fight to stop Project Maven. (Jacobin)

A look inside the White House cybersecurity apparatus, where a ‘newbie’ has been elevated. (The Daily Beast)

ISPs have asked the Senate to limit funds for rural internet. (Motherboard)

ZTE goes on the offensive to save itself. (Wall Street Journal)