Hillicon Valley — Presented by Connected Commerce Council — New cyber vulnerability raises concerns
Today is Friday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here: digital-stage.thehill.com/newsletter-signup.
Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.
Ladies and gentlemen, the weekend! As you begin to celebrate your down time, cybersecurity teams are hard at work across the nation in response to a massive new vulnerability being exploited by malicious hackers, with federal officials in the U.S. and around the world stressing the need for companies to immediately take action.
Meanwhile, cyber experts from across various fields met Friday to discuss potential recommendations to protect the U.S. from cyber threats, and Meta launched a virtual world app as part of its “metaverse” plan.
Let’s jump into the news.
Cyber teams, say goodbye to your weekend
Officials and cyber experts on Friday sounded the alarm about a critical logging vulnerability that could potentially impact thousands of organizations. Many are racing to implement patches before hackers can exploit the opening.
This seems concerning: The vulnerability in an Apache logging framework, known as “Log4j,” that could allow hackers to obtain access to targeted systems remotely sent experts running to update systems. Apache put out a security advisory warning of the threat and recommending steps to help organizations protect themselves.
“It does feel like the internet is on fire today, anyone and everyone who is involved in the world of internet security is digging in right now trying to understand the implications of this new vulnerability,” Joe Sullivan, the chief security officer at Cloudflare, a website infrastructure and security company, told The Hill in an interview Friday.
The vulnerability was already seen Friday to have far-reaching implications.
High-profile victims: The online game Minecraft, which is owned by Microsoft, announced that its Java Edition was vulnerable to exploitation and recommended immediate steps users should take to address security concerns. Researchers at data security platform LunaSec found evidence that Steam and Apple’s iCloud were also impacted, while Palo Alto Networks noted in a blog post that Twitter, Amazon and Chinese web giant Baidu were also being attacked.
The Cybersecurity and Infrastructure Security Agency (CISA) put out an alert telling impacted organizations to “immediately” implement mitigations to protect against the vulnerability.
“A remote attacker could exploit this vulnerability to take control of an affected system,” the CISA alert read. “Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.”
A MESSAGE FROM CONNECTED COMMERCE COUNCIL
Congress is considering sweeping antitrust legislation that could hurt the digital economy – and put small businesses at risk. Learn more at connectedcouncil.org
Little more action, please
Top officials at the Department of Homeland Security (DHS) on Friday urged a newly established advisory committee composed of experts from across sectors to propose solutions to help tackle the growing wave of cyberattacks faced by the nation.
First meeting: The Cybersecurity Advisory Committee, established by DHS’s Cybersecurity and Infrastructure Security Agency (CISA) earlier this month, met in a hybrid format both in McLean, Va., and remotely for the first time Friday. It discussed strengthening the nation’s basic cybersecurity practices and concerns about disinformation, among other issues.
CISA Director Jen Easterly made clear at the top of the almost three-hour meeting that she hoped the advisory committee would “create action” and help move the nation forward in cybersecurity.
“At the end of the day, this is really about implementing those things that will help CISA truly be the nation’s cyber defense agency, that is what the American people need, and that is what the American people deserve,” Easterly said. “I am not looking for a 20 page white paper, I am looking for short papers from each of the subcommittees that give a series of recommendations that we can go ahead and implement.”
DHS Deputy Secretary John Tien made similar comments, telling committee members that “your voices, your thoughts, your brainpower are going to have to help us identify the gaps, the vulnerabilities, and also provide us some thoughts on solutions.”
MEET ME IN THE METAVERSE
Meta launched its virtual world app on Friday as the company pushes forward with plans to create a “metaverse.”
The Horizon Worlds app is available for users over 18 with a Quest 2 headset, the device sold by Meta subsidiary Oculus. For users with the nearly $300 headset, access to Horizon World will be free, the company said.
On Horizon, users can explore worlds created by other users and help build more. The company also said it is launching a laser tag game in the app and creating templates for users to build their own games.
Meta’s flagship platform Facebook has faced years of criticism over content moderation and handling of hate speech. In the Friday announcement, the company said it wants Horizon Worlds “to be a safe and respectful environment,” and users have to follow the company’s Conduct in VR Policy.
INSTACART SHAKE UP
The president of Instacart announced on Friday that she will step down at the end of the year, just three months after she took the tech company’s top job.
In a Facebook post, Carolyn Everson, the president of the digital app service that delivers groceries to customers, explained she wanted a break to reflect on her life and where she wanted to go next.
“My birthday present to myself is a real break while I dream up what’s next. Yes — this time, I will be taking time,” wrote Everson, who will turn 50 soon. “I know our time is short on this Earth and I know I want to keep making a difference and keep focusing on enlightened leadership and the importance of building strong cultures for people to thrive personally and professionally.”
Everson was a former Facebook executive, serving as the advertising chief for the company, now called Meta, for a decade.
New cyber reporting policy
A new policy recently rolled out by the White House gives certain federal agencies as little as 24 hours to assess the impact of a cyberattack and report the attack if it rises to a major level of concern.
CNN, which obtained a copy of the memo issued by the White House National Security Council (NSC), reported the policy applies to national security and intelligence agencies, including the FBI, and gives some of the agencies only 24 hours to report a cyberattack they assess to be “a national security concern” to the White House.
A U.S. official told The Hill on Friday the memo is “a process and a common methodology to help the USG speak with one voice — nothing more and nothing less. It gives the NSC the framework to make an initial assessment of whether a cyber incident rises to the level of a national security concern. In many incidents, that assessment will change with time.”
“Throughout the year, we have worked to refine and strengthen the federal government’s response to all cyber incidents in a more uniform, whole-of-government way,” the official said. “That continues to be our goal — we learn from every incident and refine our incident management approach to get faster and better each time.”
A MESSAGE FROM CONNECTED COMMERCE COUNCIL
Congress is considering sweeping antitrust legislation that could hurt the digital economy – and put small businesses at risk. Learn more at connectedcouncil.org
STUDY: BITCOIN BENEFITS ALT-RIGHT
The increase in Bitcoin’s value over the last few years has made several prominent white nationalists rich, according to a Southern Poverty Law Center study.
The legal nonprofit identified over 600 far-right extremists with cryptocurrency holdings.
Several prominent white supremacists, like Andrew Auernheimer and Andrew Anglin of the Daily Stormer and racial pseudoscientist Stefan Molyneux, were early adopters of Bitcoin, providing them with significant windfalls.
Tens of millions of dollars worth of value have been accumulated by far right figures overall through cryptocurrency holdings, the SPLC’s investigation through blockchain analysis software found.
‘EASILY ACCESSIBLE’ EXTREMISM
Instagram is a hotbed for white supremacist messaging, extremism and hateful content, according to new research from the Anti-Defamation League (ADL).
Researchers with the ADL’s Center for Extremism found hundreds of accounts sharing white supremacist and neo-Nazi content, including posts from members of the Atomwaffen Division, a neo-Nazi group pushing for a race war in order to prevent what they see as the cultural displacement of the white race.
Joanna Mendelson, the associate director for the Center for Extremism, told The Hill she has “observed an increase in extremists returning back to some of these mainstream spaces that historically they have been removed from.”
This leads to a “social impact that can be devastating on our society,” Mendelson said. “The ease in which they can access, recruit and radicalize is so much simpler when you are on mainstream platforms.”
$50M E-CIGARETTE SETTLEMENT
Former e-cigarette maker agreed to a more than $50 million settlement in Massachusetts over marketing its products to minors.
The office of Attorney General Maura Healey announced the $51 million settlement with Eonsmoke and its co-owners, saying the company was not verifying the age of customers online from 2015 to 2018 and was marketing to minors using social media in violation of Massachusetts’ consumer protection law.
Co-owners Gregory Grishayev and Michael Tolmach will be paying $750,000 of the settlement.
“Eonsmoke coordinated a campaign that intentionally targeted young people and sold dangerous and addictive vaping products directly to minors through their website,” Healey said in a statement. “We were the first to take action against this company and its owners, and today we are holding them accountable and permanently stopping them from conducting these illegal practices in our state.”
BITS AND PIECES
An op-ed to chew on: Congress will make your car spy on you
Lighter click: MY Prime Minister
Notable links from around the web:
Telehealth app Doxy.me is fixing a leak that exposed patient data to Facebook, Google (CyberScoop / Tonya Riley)
Racists and Taliban supporters have flocked to Twitter’s new audio service after executives ignored warnings (Washington Post / Elizabeth Dwoskin, Will Oremus, Craig Timberg and Nitasha Tiku)
Uber blocks transgender drivers from signing up: ‘They didn’t believe me’ (The Los Angeles Times / Suhauna Hussain)
Losing a Street Fight to Elon Musk (The AP (Alex Pareene) Newsletter)
One last thing: More bad news for NSO Group
The Biden administration announced an initiative Friday to tighten rules surrounding the exports of certain technologies that have been used by authoritarian governments and bad actors for repression.
The move comes on the heels of the administration’s sanctioning of the private Israeli spy-ware company NSO Group in November for “malicious cyber activities.”
The initiative was announced during the president’s “Summit for Democracy,” a first-ever virtual conference bringing together more than 100 democratic countries in an effort to address rising authoritarianism and efforts to strengthen democracy.
A senior administration official said the Export Controls and Human Rights Initiative is an outgrowth of the sanctions targeting NSO and other private groups whose “end users are using” such technology to violate human rights.
That’s it for today, thanks for reading. Check out The Hill’s technology and cybersecurity pages for the latest news and coverage. We’ll see you Monday.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts
