At a glance.
- US domestic surveillance report emerges as Section 702 is debated by the Senate.
- Proposed Dutch law targets Chinese tech researchers.
- CISA issues Binding Operational Directive 23-02.
- Industry letter on the White House cybersecurity strategy.
US domestic surveillance report emerges as Section 702 is debated by the Senate.
A newly declassified report has revealed that the US government has been quietly collecting a “large amount” of “sensitive and intimate information” on Americans. The document comes from a panel of senior advisers to Director of National Intelligence (DNI) Avril Haines, and was prepared about a year ago, after Haines called for an investigation into business dealings between commercial data brokers and members of the US Intelligence Community. Privacy experts say the report confirms that domestic surveillance activities have gone too far, as officials find cracks in outdated laws, written before digital data collection was a possibility, to stretch the bounds of what counts as legal surveillance and what is an abuse of power. Sean Vitka, a policy attorney at the nonprofit Demand Progress, told Wired, “This report reveals what we feared most. Intelligence agencies are flouting the law and buying information about Americans that Congress and the Supreme Court have made clear the government should not have.” Whether this counts as "flouting the law" or is better understood as an expansion of the quality and quantity of data available in plain sight is unclear, but the services of data brokers do represent something new for law enforcement and intelligence agencies.
Meanwhile, deliberations over a controversial US intelligence surveillance tool come to a head today. The Senate Judiciary Committee is holding a hearing on Section 702, a measure in the Foreign Intelligence Surveillance Act (FISA) that is set to expire at the end of the year. The program gives intelligence officials the authority to collect the digital communications of foreigners abroad with a warrant, but privacy advocates say the data on Americans are often swept up in the process as well. Lawmakers from both sides of the aisle are debating whether to renew it as-is, revise it, or let it lapse. Senate Judiciary Chair Richard J. Durbin, a Democrat out of Illinois, tweeted that Section 702 has “been abused again and again to spy on Americans.” DNI Avril Haines and Attorney General Merrick B. Garland have defended Section 702, saying the program helped US intelligence intercept communications about planned terrorist activity and ransomware attacks. Roll Call notes that the hearing comes on the heels of the discovery that the Federal Bureau of Investigation abused FISA to gather data on citizens tied to the 2020 racial justice protests and the January 6, 2021 attack on the Capitol.
Proposed Dutch law targets Chinese tech researchers.
Bloomberg reports that the Dutch government is considering legislation that would prevent Chinese students from enrolling in university programs where they could gain access to information about sensitive technologies. Though the legislation, which is still in the draft phase, will likely not explicitly and specifically mention China, the Dutch Ministry of Education plans to introduce mandatory screenings of researchers in sensitive subject areas, and sources say the intent is to prevent Chinese students from learning about semiconductors or defense tech. Earlier this year the Dutch government joined the US’s push to restrict chip tech exports to China, and the Netherlands also launched an investigation into the takeover of Dutch chipmaker Nowi by Nexperia, a Chinese-owned firm. A recent report issued by a Dutch intelligence agency stated that China, which is one of the Netherlands’ biggest trading partners, “poses the greatest threat” to the nation’s economic security and said that many Dutch organizations find it difficult to properly assess the risks of cooperation with China. “The country often conceals that the Chinese government or the Chinese army may be involved in such cooperation in the background,” the report read. “The disadvantages of cooperation often only become apparent in the longer term.”
CISA issues Binding Operational Directive 23-02.
CISA, the US Cybersecurity and Infrastructure Security Agency, this morning issued Binding Operational Directive 23-02. The directive requires Federal civilian Executive agencies "to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery." The directive's intent is to reduce the attack surface that misconfigured or otherwise insecure management interfaces present to potential adversaries.
Industry letter on the White House cybersecurity strategy.
Industry leaders are calling for a new framework for the US National Cybersecurity Strategy, as the signatories believe that issues surrounding identity were not adequately addressed in the existing form of the cyber strategy. The CyberWire received a copy of the letter, whose signatories include the American Bankers Association and the Better Identity Coalition, among others. The groups advocate enhanced protections against identity-related cybercrime. Their recommendations include launching a task force dedicated to accelerated development of tools to guard against identity crimes, prioritization of the National Institute of Standards and Technology’s (NIST) identity and attribute validation services (with the end goal of a Digital Identity Framework encompassing standards and best practices for identity security), and documentation of the budget savings achieved when digital identity infrastructure and tools are implemented.