Hillicon Valley: Feds warn hackers targeting critical infrastructure | Twitter exploring subscription service | Bill would give DHS cyber agency subpoena power


Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley.

Welcome! Follow our cyber reporter, Maggie Miller (@magmill95), and tech reporter, Chris Mills Rodrigo (@chrisismills), for more coverage.

THREATS AGAINST CRITICAL INFRASTRUCTURE: Federal authorities on Thursday warned that foreign hackers are attempting to target U.S. critical infrastructure. 

The National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) specifically warned that internet-connected operational technology (OT) assets – which are used throughout U.S. defense systems – were often the targets of malicious cyber actors attempting to hit critical infrastructure, such as systems providing water, gas and electricity.

As a result, the agencies recommended that critical infrastructure operators and owners take “immediate action” to secure their systems.

“Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression,” the agencies wrote in a joint alert.

The security agencies noted that OT assets are used in Department of Defense systems and throughout the defense industrial base sector, including in national security systems.

The NSA and CISA wrote that they had seen evidence of email spear-phishing attacks used to gain access to critical infrastructure networks and reach OT assets, along with attempted ransomware attacks on these systems. Ransomware, which has become an increasing headache over the past year for state and local governments, involves an attacker encrypting a network and demanding payment before allowing the user to gain access again.

CISA previously issued an alert in February following a ransomware attack on an unnamed “natural gas compression facility” that temporarily shut down operations and disrupted other critical systems operators that interacted with the facility. 


TWITTER SUBSCRIPTION SERVICE: Twitter is considering building a subscription service as it explores other revenue sources amid a marked drop in advertising revenue spurred by the pandemic.

Twitter CEO Jack Dorsey said on an earnings call with investors on Thursday that the company was currently in the early stages of exploring a subscription option on the platform. The comments came as the company reported that its advertising revenue, a core part of its business, suffered a year-over-year decline of 23 percent, which it attributed in part to the rapid scaling-back of ad spending caused by coronavirus lockdowns.

“First and foremost, we have a really high bar for when we would ask consumers to pay for aspects of Twitter,” Dorsey said. “And, you know, this is a start. And we’re in the very early phases of exploring.”

Dorsey went on to note that Twitter has a small team exploring other potential revenue sources, including subscription and commerce. He said that the team is currently hiring and that he expected initial tests of a subscription product to be performed later this year. 

“Most importantly, we want to make sure any new lines of revenue is complementary to our advertising business,” he said. “We do think there is a world where subscription is complementary.” 

The possibility of a subscription service on Twitter gained attention earlier this month after the company posted a job listing associated with the product. The job notice said the company is looking for a senior full-stack software engineer to work with a team dedicated to building a subscription platform.

Like other social media platforms, Twitter offers its app for free and makes the majority of its revenue through ad sales. 


CYBERSECURITY GETS A BOOST: The Senate version of the annual National Defense Authorization Act (NDAA) approved Thursday included a raft of measures designed to shore up federal cybersecurity, including a clause giving the Department of Homeland Security’s cybersecurity agency subpoena power.

The provision, originally introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) and Sen. Maggie Hassan (D-N.H.) in December, would allow the department’s Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.

“Every day our adversaries target our critical infrastructure, including our electric grids, dams, and airports, and every day, CISA is made aware of vulnerabilities to these systems — some easily fixable — but is powerless to warn the potential victims,” Johnson said in a statement following the NDAA’s passage. 

“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” he added. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan described the subpoena power proposal as “common-sense,” adding in a separate statement that she would “keep working” with Johnson to get the provision signed into law as part of the final version of the fiscal year 2021 NDAA that will be conferenced between the House and Senate in coming weeks. 

The legislation was also included in the House version of the NDAA, approved earlier this week, making it likely the provision will stay in the final version eventually sent to President Trump for signature. 

Another key cybersecurity provision included in the Senate version of the annual defense spending bill was one establishing a federally funded cybersecurity coordinator in every state to prepare for and respond to cyberattacks. 

The legislation was introduced in January by Hassan and Sens. John Cornyn (R-Texas), Gary Peters (D-Mich.), and Rob Portman (R-Ohio) after a year of increasing cyberattacks across the nation crippled city governments in New Orleans and Baltimore, among many others. 


FITBIT ACQUISITION CONCERNS: A group of Democratic senators urged the Department of Justice Thursday to conduct a “thorough and comprehensive” review of Google’s proposed acquisition of Fitbit.

Google’s purchase of the fitness tracking company immediately came under antitrust scrutiny when announced in November. The Justice Department launched an investigation at the time and has issued a second request for information on the merger.

A letter, led by Sen. Amy Klobuchar (D-Minn.), urges the agency to continue its efforts, warning that allowing Google free range on acquisitions may give it enduring dominance across several markets.

“Over the years, Google has completed more than 100 strategic acquisitions—including purchases of DoubleClick, AdMob, YouTube, Waze, and many other firms—virtually all without significant enforcement action by federal antitrust enforcers,” the senators wrote to Attorney General William Barr.

Democratic Sens. Richard Blumenthal (Conn.), Cory Booker (N.J.), Mazie Hirono (Hawaii), Sherrod Brown (Ohio), Mark Warner (Va.) and Elizabeth Warren (Mass.) also signed the letter.


THE ETHICS OF AI: The U.S. intelligence community (IC) on Thursday rolled out an “ethics guide” and framework for how intelligence agencies can responsibly develop and use artificial intelligence (AI) technologies.

Among the key ethical requirements were shoring up security, respecting human dignity through complying with existing civil rights and privacy laws, rooting out bias to ensure AI use is “objective and equitable,” and ensuring human judgement is incorporated into AI development and use. 

The IC wrote in the framework, which digs into the details of the ethics guide, that it was intended to ensure that use of AI technologies matches “the Intelligence Community’s unique mission purposes, authorities, and responsibilities for collecting and using data and AI outputs.”

Dean Souleles, the founder of the Office of the Director of National Intelligence’s Augmenting Intelligence through Machines Innovation Hub, said it was important that intelligence agencies use AI to help address an “increasingly complex digital world.”


MORE TWITTER HACK UPDATES: Twitter said that hackers who broke into its system last week were likely able to read the direct messages of 36 accounts, including those of one elected official in the Netherlands.

“We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed,” the social media giant said in an updated press release.

“We are actively working on communicating directly with the account-holders that were impacted.” 

Twitter had previously said that hackers last week had gained access to 130 accounts in total, including 45 verified accounts. Some of those, including CEOs Elon Musk and Bill Gates, former Vice President Joe Biden and more, had tweets sent by attackers.

Twitter did not clarify if any of the 36 accounts where messages could have been read were verified accounts. The tech company previously said hackers downloaded mass data from eight accounts, though none were verified accounts.


NEW YORK PAUSES FACIAL RECOGNITION: New York’s state legislature voted to pause the use of facial recognition at schools for two years.

The moratorium, approved by both the state Assembly and Senate on Wednesday, follows an attempt by a school district in upstate New York to install the controversial technology at its schools.

The legislation comes after the New York Civil Liberties Union (NYCLU) filed a lawsuit forcing the state education department to block Lockport school district from adopting facial recognition systems to screen people entering campuses. The bill will now be sent to Gov. Andrew Cuomo’s (D) desk.

“We’ve said for years that facial recognition and other biometric surveillance technologies have no place in schools, and this is a monumental leap forward to protect students from this kind of invasive surveillance,” NYCLU Education Policy Center Deputy Director Stefanie Coyle said in a statement.


Lighter click: This is why oceans are terrifying

An op-ed to chew on: The FCC must extend broadband opportunity for tribal communities

 

NOTABLE LINKS FROM AROUND THE WEB: 

Facebook’s employees reckon with the social network they’ve built (BuzzFeed News / Ryan Mac and Craig Silverman)

Facebook ignored racial bias research, employees say (NBC News / Olivia Solon)

‘We’re Embarrassed’: This Is What Twitter Sent to Accounts That Were Hacked (Motherboard / Lorenzo Franceschi-Bicchierai)

The big winner in Slack’s Microsoft fight could be Google (Verge / Tom Warren)
