Hillicon Valley: Report finds CIA security failures led to massive breach | Pelosi calls on advertisers to pressure social media giants | Experts warn firms facing serious cyber threats in COVID-19 era

Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.

Welcome! Follow our cyber reporter, Maggie Miller (@magmill95), and tech reporter, Chris Mills Rodrigo (@chrisismills), for more coverage.

CIA REPORT FAULTS AGENCY: A newly unclassified internal CIA report found that a massive 2017 data breach of the agency that enabled classified information to be sent to WikiLeaks was caused by the CIA failing to secure its own systems.

The report, put together by the CIA’s WikiLeaks Task Force in 2017, is partially redacted and was released publicly on Tuesday by Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee. 

According to the report, a CIA employee was able to steal up to 34 terabytes of information, or around 2.2 billion pages in Microsoft Word, of classified data and leak it to WikiLeaks in the spring of 2017 due to major security lapses at the CIA’s Center for Cyber Intelligence (CCI). 

“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems,” the task force wrote in the report. “Day-to-day security practices had become woefully lax.”

The investigators added that “CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The leak marked the largest data breach in the CIA’s history and included information on hacking tools used by the agency to break into smartphones and other internet-connected devices. 

The task force noted that due to failures to address vulnerabilities in IT systems, if WikiLeaks had not published the stolen information, the CIA “might still be unaware of the loss — as would be true for the vast majority of data on Agency mission systems.”

In a letter to Director of National Intelligence John Ratcliffe on Tuesday, Wyden criticized the intelligence community for its “widespread cybersecurity problems.”

Wyden specifically pointed to a 2014 move by Congress that required all federal agencies, with the exception of the intelligence community, to adopt cybersecurity practices and protocols from the Department of Homeland Security (DHS). 

“While Congress exempted the Intelligence Community from the requirement to implement DHS’ cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden wrote. “Unfortunately it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”

Read more.

 

PELOSI ENLISTS ADVERTISERS: Speaker Nancy Pelosi (D-Calif.) on Tuesday urged advertisers to pressure social media platforms to tackle misinformation more aggressively.

“Advertisers are in a position — they have power — to discourage platforms for amplifying dangerous and even life threatening disinformation,” Pelosi said during a George Washington University forum focused on misinformation about the coronavirus spread on social media.

When asked whether advertisers should withdraw from social media companies or mount a public pressure campaign, Pelosi said they should do “a combination of both.”

Conspiracy theories and unfounded claims about the coronavirus, its origins and ways to combat it have surged online amid the spread of the disease, causing what the World Health Organization has branded an “infodemic.”

While major social media platforms have taken steps to reduce the spread of misinformation, such as elevating information from trusted sources and limiting the spread of potentially harmful posts, critics have said those efforts fall short.

Pelosi emphasized Tuesday that business models are contributing to the problem.

“Social media executives are not only allowing the spread of disinformation on platforms, they program their algorithms to enhance their business model of capturing your time and attention meaning that they amplify the most inflammatory content, no matter how dangerous or false,” she said.

Read more.

 

BANKERS BEWARE: Lawmakers on Tuesday received a loud warning about the danger of hackers zeroing in on financial institutions as prime targets during the COVID-19 pandemic.

“America is grappling with a cyber insurgency and our financial sector is the number one target,” Tom Kellermann, a former member of a presidential cybersecurity commission during the Obama administration, told a House Financial Services subcommittee during a Tuesday hearing on the threat. 

While cybersecurity has long been a major issue for the financial sector, a huge spike in cyberattacks in connection to the COVID-19 pandemic has only underlined the risks.

Kellermann now heads cybersecurity strategy at VMWare, a software company that released a report last month reporting a 238 percent surge in cyberattacks against banks between February and April.

Many of these cyberattacks stem from non-affiliated malicious actors, but experts warn that Russia, China and North Korea also may be targeting financial institutions during the pandemic.

“State-sponsored hacking is the biggest threat to our financial sector because of the capacities that they can bring to bear,” Jamil Jaffer, the founder and executive director of George Mason University’s National Security Institute, testified at the same hearing. “They have almost unlimited resources…you just can’t beat a nation state at their own game.”

Jaffer argued that Congress needed to spearhead efforts to bring the financial sector together to protect the whole instead of individual companies in order to fight back against nation state threats.

“We don’t expect Target and Walmart to defend against Russian Bear bombers coming across the horizon, yet today in cyberspace we expect exactly that of JPMorgan and Citibank,” said Jaffer, who also serves as vice president for Strategy, Partnerships & Corporate Development at IronNet Cybersecurity. “That is simply an unsustainable scenario, and we have got to bring the nation together, large banks have to protect small banks.”

Members of the House Financial Services subcommittee on national security, international development, and monetary policy rolled out a raft of bills during Tuesday’s hearing that are designed to fend off hackers.

Read more about the threat to financial institutions here.

 

GOOGLE BANS ZEROHEDGE, CITES FEDERALIST: The far-right news site ZeroHedge will no longer be able to generate revenue from any advertisements served by Google Ads and The Federalist may follow suit.

The two sites were found to be in violation of Google’s policies on content related to race when they pushed unsubstantiated claims about the Black Lives Matter protests sparked in recent weeks by the death of George Floyd in Minneapolis police custody on May 25, NBC News first reported.

“We have strict publisher policies that govern the content ads can run on and explicitly prohibit derogatory content that promotes hatred, intolerance, violence or discrimination based on race from monetizing,” a Google spokesperson told NBC. “When a page or site violates our policies, we take action. In this case, we’ve removed both sites’ ability to monetize with Google.” 

A Google spokesperson told The Hill that sites are judged holistically when being reviewed for content violations. Both ZeroHedge and The Federalist were flagged for violations related to their comment sections that they did not do enough to mitigate.

Google informed ZeroHedge about their violation several days ago and The Federalist was informed Tuesday.

ZeroHedge did not address the issues brought up by Google, which is why they were removed from the ad platform. The Federalist still has three days to address the issues. 

Read more.

 

PINTEREST ALLEGATIONS: Two black women who left their public policy roles at Pinterest last month have alleged they experienced racial discrimination at the company.

Ifeoma Ozoma, the former public policy and social impact manager, and Aerica Shimizu Banks, who worked in federal government relations, made their accusations in Twitter threads Monday.

Ozoma, a Yale graduate who previously worked at Google and Facebook, said she lobbied unsuccessfully for a year to get a pay raise and accused her manager of “racism, gaslighting, & disrespect,” citing a time she said she was given a bad performance review for not “both-sidesing the promo of slave plantations” as wedding destinations.

She also alleged that a white male colleague gave her phone number, photo and name to “violently racist/misogynistic parts of the internet.” Ozoma called Pinterest’s response to the alleged doxxing “dangerously inadequate.”

“I busted my ass at Yale, Google, then Facebook before Pinterest recruited me as the *second hire* on the global Public Policy team. I led work that raised our public policy profile globally,” she tweeted. “It didn’t matter because I’m a Black woman.”

Ozoma said she and a black female colleague were replaced by a white man, Business Insider reported. On Twitter, Banks confirmed she was the other colleague who left the company.

Banks alleged that human resources at Pinterest misrepresented her pay to her and “pitted her” against Ozoma. She also said she was stripped of her responsibilities after she promoted a policy about the treatment of contractors.

“What should have been a moment of pride and the beginning of a long journey achieving federal and social impact wins for the company, Pinners, and the communities it serves instead marked a period of glaringly unfair pay, intense discrimination, and terrifying retaliation,” Banks posted Monday.

A Pinterest spokesperson said in a statement to The Hill that the company “took these issues seriously and conducted a thorough investigation when they were raised, and we’re confident both employees were treated fairly.”

Read more.

 

Lighter click: What a precious baby

An op-ed to chew on: Big Tech’s artificial intelligence aristocracy

 

NOTABLE LINKS FROM AROUND THE WEB: 

Facebook, Google chiefs open to testifying to Congress on antitrust, while Apple’s participation remains unclear (Washington Post / Tony Romm)

Airman charged in killing of federal officer during George Floyd protests in California (NBC News / Andrew Blankstein and Ben Collins)

New York lawmakers want to outlaw geofence warrants as protests grow (Protocol / Issie Lapowsky)

What’s left of Magic Leap? The dream of mixed reality is on life support (Verge / Adi Robertson)

The Incident on the A-Road (Vice News / Anna Merlan)