Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.

At 1,700 words, this briefing is about a 6-minute read.

At a Glance.

• Chinese hackers target both Trump's and Vance’s mobile phones.
• US formalizes rule to ban specific tech exports to China.

Chinese hackers target both Trump’s and Vance’s phones.

Last week, reports emerged that a Chinese hacking group, known as Salt Typhoon, targetted the cell phones of both former President Trump and his running mate, JD Vance, among others as a part of an espionage campaign. While it's still unclear what information the hackers were or were not able to access, it is believed that at least forty people had their unencrypted calls and text data surveilled as a result of this campaign. 

Investigators believe that the group successfully infiltrated at least ten telecommunications providers, including AT&T, Lumen, and Verizon. The Department of Homeland Security announced its intentions to investigate the incident through a federal cyber review panel. Other targets included staffers working with Senate Majority Leader Chuck Schumer and Vice President Kamala Harris.

With this announcement, the Federal Bureau of Investigation (FBI) stated that the government is “investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” The statement continued highlighting how after discovering the incident both “the FBI and the Cybersecurity and Infrastructure Security Agency immediately notified affected companies, rendered technical assistance, and rapidly shared information to assist other potential victims.” Verizon also released a statement emphasizing that the firm is “aware that a highly sophisticated nation-state actor has reportedly targeted several US telecommunications providers to gather intelligence…[and is] working to confirm, assess, and remediate any potential impact.”

The Knowledge.

News of this espionage campaign comes just weeks before the United States (US) election is set to take place. For months, news has continued to emerge that has detailed how hostile actors have attempted to influence the election’s results by either sabotaging the major campaigns or by actively using fake social media accounts and dummy news sites to spread misinformation. For example, in August, the Trump campaign confirmed it was hacked by Iranian actors, which resulted in some of its internal communications being exposed. While both this most recent incident and previous ones have been largely contained, these hostile efforts should not come as a surprise. In May, a Senate Intelligence Committee hearing discussed this exact topic with the directors of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence. During this hearing, these agency leaders testified on how Russia, China, and Iran all remained the most significant foreign election threats.

Aside from targeting political campaigns, hostile actors have also attempted to impact the election by spreading misinformation. In a recent report published by Pew Research, they found that roughly seventy-three percent of voters have seen inaccurate news coverage about the election with fifty-two percent stating that they found it difficult to determine what is true and what is not. While these statistics may seem surprising, these findings are reflective of a growing issue that has plagued social media companies for years now. For example, Meta found that China was increasing its efforts to spread misinformation. In this instance, Meta emphasized that China was utilizing a network of over 4,800 accounts that were impersonating Americans and attempting to influence political conversations by spreading misinformation.

The Impact.

With election day drawing nearer and the race between the two candidates being close, it should not come as a surprise that hostile actors have both continued and grown their efforts to influence and disrupt the election. Unfortunately, it is highly unlikely that these incidents and the spread of misinformation will be stopped over the coming days. For US citizens, people should understand that these actors are not looking to support any candidate but rather are looking to spread confusion and partisanship before and after the election regardless of its results. For now, voters should always verify the news they consume with trusted sources before formulating any opinions. 

Additionally, staffers working for any political candidate should be aware that these hostile actors are looking to find ways to exploit these campaigns to gain access to sensitive information and disrupt their efforts. Campaigners should remain vigilant for phishing attacks and monitor for any suspicious activity.

US formalizes rule to ban high-tech exports to China.

The News.

On Monday, the Treasury Department finalized a rule that will set specific limits on certain technologies being exported to China. These rules are meant to prevent the nation from being able to access certain technologies that could bolster China’s military or harm the US’s national security. These finalized rules will specifically limit the exportation of specific semiconductors, microelectronics, and quantum information and artificial intelligence (AI) technologies. With this announcement, a senior administration official stated that these technologies were selected because they all “pose a particularly acute national security risk to the United States.” 

With this final rule, the Department has defined key terms and provided further details on these specific concepts:

• The obligations of US persons regarding covered transactions.
• The categories of covered transactions and excepted transactions. 
• The technical specifications for certain technologies and products in the areas of semiconductors, microelectronics, quantum information technologies, and AI.
• Information that US persons are required to provide the Treasury Department.
• The knowledge standard and expectations for a US person to conduct a reasonable and diligent inquiry before undertaking a transaction.
• The conduct that would be treated as a violation of this final rule and the applicable penalties.

These rules are set to go formally into effect on January 2nd, 2025.

The Knowledge.

This initiative comes in response to Executive Order 14105, which was issued last August. When originally issued, Executive Order 14105 empowered the Treasury Department to prevent many of these “countries of concern” from being able to access the critical technologies listed above. Following this order, the Treasury Department issued a Notice of Proposed Rulemaking in June 2024 to draft the regulations that they have now created as well as give time for the public to submit comments on their proposed rules.

Now that this final rule has been implemented, this step marks the Biden administration’s continuing effort to use exportation rules to directly limit what technologies cannot be sent to China. Apart from this final rule, the Biden administration also utilized the Commerce Department to limit exports. In this instance, the Commerce Department implemented controls that limited exports of quantum computers, quantum components, advanced chipmaking tools, high-bandwidth chips, and components related to specific metals and metal alloys. Similar to this most recent rule, the Commerce Department echoed similar concerns citing “national security and foreign policy reasons” when implementing their restrictions.

The Impact.

While this final rule has not gone into formal enforcement yet, these rules will directly impact any businesses or individuals involved in exporting these technologies to China or any other country of concern. Parties involved in or are in close proximity to these trade deals should thoroughly understand these final rules and the Treasury Department’s expectations. By understanding the nuances, requirements, and limits of these export rules, involved parties can ensure that they avoid any unnecessary government scrutiny that would most likely involve significant financial or legal penalties.

While US citizens are unlikely to notice the impacts of these export restrictions, people should understand that limiting these exports will theoretically help maintain US competitiveness and better secure national security in these fields.

Highlighting Key Conversations.

In this week’s Caveat Podcast, our team sat down with Joseph Jarnecki from RUSI to discuss their work on the research project “What Next for the UK-Japan Cyber Partnership?”For context, this paper examines this partnership, highlights how it functions, and provides recommendations for other activities that could help expand upon its existing efforts. Throughout this conversation, our team and Jarnecki discuss this partnership and its value driving engagement across multiple policy areas. 

Aside from our weekly Caveat Podcast, N2K CyberWire’s Chief Analyst and Senior Fellow, Rick Howard, has put together a three-part series on election propaganda. In "Part 1: How Does Election Propaganda Work?" Rick discusses personal defensive measures that every citizen can take—regardless of political philosophy—to resist the influence of propaganda. This foundational episode is essential for understanding how to navigate the complex landscape of election messaging.

In "Part 2: Modern propaganda efforts," Rick looks at recent international propaganda efforts in the form of nation-state interference and influence operations as well as domestic campaigns designed to split the target country into opposing camps. Guests include Nina Jankowicz, Co-Founder and CEO of the American Sunlight Project, and Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber.

Lastly, in "Part 3: Efforts to reduce the impact of future elections," Rick discusses reducing the impact of propaganda in the future elections with Perry Carpenter, Chief Human Risk Management Strategist at KnowBe4 and host of the 8th Layer Insights Podcast, and is joined again by Nina Jankowicz and Scott Small.

Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.

Other Noteworthy Stories.

EU privacy regulator fines LinkedIn 310 million euros.

What: The lead European Union privacy regulator fined LinkedIn 310 million euros over its targeted advertising practices. 

Why: Last week, the Irish Data Protection Commissioner (DPC) fined LinkedIn 310 million euros for how the company was processing and using collected personal data. With this fine, DPC Deputy Commissioner Graham Doyle stated that “the processing of personal data without an appropriate legal basis is a clear and serious violation of data subjects’ fundamental right to data protection.” 

LinkedIn responded to this fine stating that “while we believe we have been in compliance with the General Data Protection Regulation, we are working to ensure our ad practices meet this decision by the IDPC’s deadline.”