House Committee Considers U.S. Cyber Defenses and Russian Threats


The House Homeland Security Committee held a hearing titled “Mobilizing our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats,” which is obviously timely given the continuing threat from Russian state and associated cyber attacks. It is also timely because Congress recently passed significant cyber legislation: the cyber incident reporting bill tucked into the FY 2022 omnibus appropriations act (see here for more detail and analysis). Some of the Members asked the witnesses, all of whom hailed from the private sector, for views on how the United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) should implement the new system. And yet, no one said a word about the larger Senate package from which the cyber incident reporting bill was pulled, which would increase government and contractor compliance requirements under the Federal Information Security Modernization Act (see here for more detail and analysis).

Having said all that, there is still acute worry on both sides of Pennsylvania Avenue about direct Russian cyber attacks on U.S. critical cyber infrastructure or a spillover effect where an attack on Ukraine gets out into the wild like NotPetya did a few years ago. There were questions about how CISA and the private sector operators of critical cyber infrastructure can prepare for and ideally fend off possible attacks.

However, not much was said at the hearing about the Biden administration using its current authorities over some sectors of the economy to require the use of certain cybersecurity practices, nor was much said about adding to the executive branch’s authority. In Congress, this debate still works from the twin assumptions that public sector regulation would prove ineffective and onerous and that it is not politically possible to expand U.S. government powers in any broad fashion. This is in contrast to Australia, which has enacted two major pieces of legislation to extend Canberra’s regulation over its private sector infrastructure (see here for more detail and analysis).

As a result, only some of the most heavily regulated U.S. industries must meet specified standards and engage in certain practices upon pain of significant civil fines. This leaves many entities that U.S. regulators consider critical cyber infrastructure to respond to some government incentives (i.e. possible punishment for data security and cybersecurity failures) and market incentives. As an example, the top Republican on the committee suggested that shareholder suits would bring the proper discipline to the private sector more effectively than tighter regulation could.

Vice Chair Ritchie Torres (D-NY) (watch his opening statement) stated:

§  Russia’s willingness to deploy its cyber capabilities against the United States is well-documented. Since at least 2008, the intelligence community has warned of Russia’s formidable cyber capabilities in its annual threat assessment. In 2017, the Intelligence Community concluded that the Russian government had attempted to interfere in the 2016 Presidential elections – engaging in both information operations and targeting election infrastructure. The following year, DHS and FBI warned entities in a range of sectors — from energy and aviation to water and critical manufacturing — that the Russian government was attempting to gain access to their networks. Despite these warnings, the Federal Government and its private sector partners have been slow to chart an enduring course for strategic partnership.

§  Historically, the Federal Government has struggled to demonstrate the security value of public-private partnerships. Meanwhile, the private sector has been reluctant to fully engage and feared new regulations. One of the most frustrating challenges we face is the lack of urgency to act based on intelligence alone. Too often, it has taken a major incident to force change.

§  The SolarWinds supply-chain attack is a good example. It forced a collective shift from admiring policy problems to solving them. The President issued an Executive Order overhauling and modernizing the Federal Government’s approach to securing its networks.

§  The administration, Congress, and our private-sector partners have acted with urgency over the past year and left us better prepared to defend U.S. networks. But there is still room to improve.

§  First, the Biden administration has engaged in unprecedented cyber-threat information and intelligence sharing with critical infrastructure owners and operators in advance of and during Russia’s unprovoked invasion of Ukraine. Moving forward, the government and private sector must assess the effectiveness of existing partnerships and continue to deepen strategic collaboration to defend against current and future cyber threats.

§  Second, the administration has undertaken historic initiatives to raise the cybersecurity posture across all 16 critical infrastructure sectors, which varies dramatically due to a range of factors from resources to regulation. To effectively defend against Russian cyber threats, the Federal Government must tailor its support to, and collaboration with, critical infrastructure sectors to their varying degrees of capability.

§  Toward that end, I was pleased to see the President’s budget proposed a new competitive grant program aimed at raising the cybersecurity posture of certain critical infrastructure sectors. Finally, the Federal Government and the private sector must work together to harness the security gains realized as we defend against Russian cyber threats in order to establish a new, heightened security baseline.

Ranking Member John Katko (R-NY) (watch his opening statement) said:

§  There is so much this body should be doing to prepare for this type of threat, and thankfully, we have recently taken significant steps to make our country safer.

§  Just two weeks ago, the Cyber Incident Reporting for Critical Infrastructure Act was signed into law as part of the Omnibus Appropriations bill for Fiscal Year 2022.

§  This is one of the most important pieces of cybersecurity legislation in the past decade.

§  Enhanced reporting to the Cybersecurity and Infrastructure Security Agency, CISA, of significant cyber incidents and ransomware attacks on critical infrastructure will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so it can defend against future attacks.

§  This legislation also solidifies CISA’s roles as the lead federal agency for cybersecurity.

§  I want to thank my colleagues in both the House and Senate, as well as the private sector, for their partnership and support in getting this across the finish line.

§  The success of these tools is dependent on the success of the agencies we entrust them to, and fortunately, we have the extremely-capable CISA Director, Jen Easterly, and National Cyber Director, Chris Inglis, at the helm of our nation’s cyber defense efforts.

§  They have been working tirelessly to keep us safe, and I thank them for their work.

§  However, their impact only extends as far as their mandate.

§  It is up to all of us, especially those of you here today, as industry leaders, to keep your companies, clients, and customers – our constituents – secure and resilient.

Crowdstrike Senior Vice President for Intelligence Adam Meyers (watch his opening statement) argued:

§  Russian state actors have used cyber means over the years to advance its political agenda, and that continues in the context of the ongoing war in Ukraine. Events there have also affected the shape of the broader eCrime ecosystem and activated both pro-Russia and pro-Ukraine hacktivism. Outside the immediate theater of conflict, Russian activity to date has been modest relative to early fears. However, this could change at any time and indeed there are indications that Russia may become more aggressive in retaliation for foreign support to Ukraine and significant sanctions on Russian personnel and entities. U.S. critical infrastructure operators must remain on high alert. With significant media coverage and the efforts of U.S. Government actions and warnings described above, it appears that private sector entities are increasingly taking note.

§  But even with awareness sufficiently raised, and new resources and support, critical infrastructure operators must still “do” cybersecurity well. This is a “last mile” problem that cannot be solved through policy initiatives alone. Though not an exhaustive list, entities should:

o   Build relationships with law enforcement or homeland security staff that can help during an incident.

o   Develop or maintain access to know-how and skilled workers or support staff. This includes having an incident response plan in place and, in many cases, a retainer with a qualified provider of incident response services.

o   Levage (sic) measures identified in Executive Order 14028 on Improving the Nation's Cybersecurity. This includes use of modern IT enterprise security tools and concepts like Multi-Factor Authentication (MFA) and Endpoint Detection and Response (EDR); sufficient logging; migration where practical to cloud/Software-as-a-Service (SaaS) applications; implementation of Zero Trust Architectures; and proactive threat hunting for adversaries within their networks.

o   Utilize, where appropriate, specialized tools and capabilities required for Operational Technology (OT) security.

§  For small and medium sized organizations–say, those with fewer than 6 or 8 dedicated cybersecurity staff–one of the biggest “needle movers” in recent years has probably been the increasing adoption of managed security service providers (MSSP)/managed Detection and Response (MDR) providers. This is a trend that should be encouraged and incentivized.

§  Congress’ efforts in recent years implementing Cyberspace Solarium Commission recommendations and, most recently, Incident Reporting measures will absolutely help. In addition, consider:

o   Ensuring CISA is sufficiently resourced to carry out both its Federal Civilian Executive Branch (FCEB) and private sector/infrastructure security mandate.

o   Strengthening FCEB cybersecurity by modernizing the Federal Information Security Management Act (FISMA) to reduce compliance burdens and Federal Risk and Authorization Management Program (FedRAMP) to speed authorizations.

o   Expanding the use of shared services procurement models for Federal IT to create operational efficiencies, particularly for cyber threat intelligence and adoption of state-of-the-art cybersecurity technologies.

o   Working with CISA to guarantee that new Incident Reporting mandates do not become overly burdensome to victims and reduce focus on remediation during a cyber incident or event.

o   Taking measures to expand national incident response capacity.

Financial Services Information Sharing and Analysis Center Chief Executive Officer Steve Silberstein (watch his opening statement) contended:

§  We applaud the Biden-Harris Administration and its various federal government components on the expeditious and early sharing of information throughout the escalating geopolitical situation in Eastern Europe and current Russian invasion of Ukraine. The sector appreciated the paradigm shift from reactive to proactive warnings forecasting Russian military action, the potential for Russia to engage in malicious cyber activity against the U.S. and evolving intelligence that Russia may be exploring options for potential cyberattacks. The repeated, consistent messaging and realistic context provided by CISA, the Federal Bureau of Investigations (FBI), the Treasury Department and other government organizations allowed our sector to prepare for and institute the necessary security precautions, motivating institutions to conduct expeditious reviews of their incident response and regional personnel evacuation plans.

§  This early and continued sharing of indicators of compromise (IOCs) and warnings by CISA and the Treasury Department prompted the financial sector to open emergency communications channels prior to the 2021 holiday season and activate the sector’s Core Executive Response Group (CERG) on December 15, 2021. On this recurring call, government leadership, including the Treasury Department, CISA, and government regulators, provides updates on emerging vulnerabilities and associated mitigations, as well as current sanctions announcements, and facilitates the regular exchange of preparation activities taken by the sector.

§  The public/private partnership is not simply alive and well; it thrives within the financial sector. I cannot speak more highly of the value provided by the Treasury Department, CISA, FBIIC, FBI and U.S. Secret Service to the cause of enhancing resilience. All are to be commended for their contributions. Of course, as in any endeavor, improvements can always be made. To that end, I offer two brief items for enhancing collaboration.

o   The Treasury Department and CISA have recently increased the amount of information shared with the sector, and I applaud them for it. With respect to both classified and unclassified information, we encourage this trend to continue and increase, for the greater protection of the sector.

o   The highly regulated and global financial sector faces a variety of incident reporting requirements. We urge collaboration to minimize the operational impact of multiple incident reporting requirements unique to the financial sector.

§  These suggested improvements do not detract from the productive partnership that serves the financial sector and its customers so very well. The sector’s secure posture in the light of Russian cyber threats testifies, in no small part, to that partnership.

American Water Works Association Federal Relations Manager Kevin M. Morley, PhD (watch his opening statement) claimed:

§  Under Presidential Policy Directive 21, each sector has an established Sector Coordinating Council (SCC). The intent of this framework is partnership between CISA and SRMAs on critical homeland security matters facing the nation. While SCCs have provided invaluable support in fulfilling the mission of CISA and SMRAs, there is always opportunity for improvement and continued growth. Given the scale of the water sector, the function of the Water SCC and WaterISAC can be more consistently leveraged to provide real-time assessment and calibration of critical information-sharing products that may be developed by federal partners. Federal water sector-specific resources should not be developed and released independent of review and coordination by relevant subject matter experts, such as the members that constitute the Water SCC and supporting associations. Our shared mission to facilitate the secure operations of critical infrastructure is stronger when we work collaboratively and leverage the assets and resources each can bring to bear on the challenges imposed by cyber threats. Consistent messaging and clarity on how our respective resources and guidance documents complement each other is in the best interest of the public we serve together.

§  AWWA recognizes the cybersecurity challenge and is committed to establishing a new paradigm for cybersecurity governance in the water sector. We believe a new approach is necessary, one that recognizes the technical and financial challenges facing the sector and sets minimum cybersecurity standards for all types of water systems. A tiered risk- and performance-based requirements model similar to the approach used in the electric sector under the auspices of North American Electric Reliability Corporation (NERC) would underpin this approach in the water sector. An entity similar to NERC would be created in the water sector to lead the development of the requirements using subject matter experts from the field. It would also perform periodic third-party conformity assessments. Federal oversight and approval of requirements would be provided by the EPA, given existing statutory authority for water and wastewater utility operations. A recent report by Foundation for the Defense of Democracies (FDD) recognized the merits of such an oversight body in providing ongoing industry-led cyber threat mitigation efforts. AWWA welcomes the opportunity to work with our federal partners to implement a strategy that provides sustainable cybersecurity protection that recognizes the variability in the maturity and complexity of water systems.

Tenable Chairman and Chief Executive Officer Mr. Amit Yoran (watch his opening statement) argued:

§  Government policy should not allow for "learned helplessness" by federal government agencies or private industry. Helplessness allows individuals and organizations to remain negligent and avoid accountability for not taking even the most basic steps to improve cyber posture. Government can surely play a stronger role in deterrence, to include thoughtful consideration of offensive capabilities, attributing attacks and establishing retorts and countermeasures as appropriate; however, those efforts should not replace strong basic cyber hygiene practices.

§  Tenable recommends the following steps that government should implement to enhance the cyber preparedness of U.S. critical infrastructure:

o   Establish baseline cybersecurity standards of care for critical infrastructure that align with international standards and the National Institutes of Standards and Technology (NIST) Cybersecurity Framework, based on effective cyber hygiene practices. Basic cyber hygiene for critical infrastructure operators includes continuous understanding of what assets are on your network, ensuring strong identity and access management, scanning for and patching known vulnerabilities, and implementing incident detection and response capabilities.

o   Finalize and implement the proposed SEC rule that requires public companies to disclose their policies and practices to address their cybersecurity risks. The SEC’s Proposed Rule on Cybersecurity Risk Management, Strategy, Governance and Disclosure would require public companies to disclose their policies and procedures for identifying and managing cybersecurity risks, management’s role in implementing cyber policies and procedures, and the board of directors’ cybersecurity expertise. This is the single action that would most dramatically improve our cybersecurity preparedness as a nation. Requiring greater transparency of cyber risk practices and oversight forces companies to treat cybersecurity risk as a business risk and will lead to stronger cybersecurity governance and accountability among corporate leaders and boards, and ultimately more effective cybersecurity practices. Cybersecurity breaches can damage a company’s financial condition. In addition to the costs of remediation from a cyberattack and loss of customers, revenue and reputation, there are risks of shareholder lawsuits, customer lawsuits, increases in insurance premiums and increased scrutiny from external auditors and the board of directors. There are indirect consequences to cyber failures as well; cyberattacks can distract management, resulting in new problems; they can also trigger customer audits of a company’s cybersecurity defenses, which can lead to the involvement of outside counsel and other third parties, and significant added expenses. In forcing corporate leadership to pay attention, this proposal serves as the most significant driver for companies to establish baseline cybersecurity practices and processes.

o   Implement the cyber incident reporting requirements included in the FY 2022 Omnibus Appropriations bill. CISA must implement these new requirements in a way that will enable actionable incident information to be shared with owners and operators of critical infrastructure systems so that they can take steps to protect themselves and seek to mitigate any ongoing attacks.

o   Support and strengthen value added engagement between the private sector and public sector. The JCDC, of which Tenable is a member, is bringing together representatives from private industry and key government agencies to drive strategic planning and incident response capabilities. This type of operational government-industry engagement has been a positive step forward, and we thank CISA and Director Jen Easterly for their continued support and urge them to continue strengthening the JCDC’s alignment. In response to the ongoing Russia-Ukraine conflict, CISA established its Shields Up initiative to encourage all organizations to adopt a heightened posture of vigilance. Shields Up has developed helpful resources to empower organizations to prepare for and defend against cyberattacks.

§  Protecting Government Networks and Systems

o   Accelerate effective Zero Trust implementation by federal agencies. Congress should provide federal agencies with the resources needed to implement Cyber Executive Order 14028 to modernize and strengthen our collective cyber defenses, recognizing that Zero Trust is a philosophy that dictates systems design and operation, not a singular product.

o   Strengthen government networks by including protection of federal OT and Active Directory services in the Continuous Diagnostics and Mitigation (CDM) Program.

o   OT: Federal civilian agencies own and operate a multitude of OT and ICS, particularly through the Departments of Energy and Commerce. However, the government doesn’t currently have a firm grasp of all the assets it controls. By adding OT/ICS security to the CDM program, government agencies will be required to conduct an inventory of their OT/ICS systems, and to take steps to strengthen their security.

o   Active Directory. Active Directory is one of, if not the most highly targeted and compromised pieces of infrastructure. These systems provide access control across the network and persistence should attacks be detected. As highlighted by the Mandiant breach disclosures, Russian and other foreign intelligence services are actively targeting Active Directory when going after US Government systems. All government systems must incorporate Active Directory security to ensure least privileges for user identities, and to scan for misconfigurations that can be exploited to gain access to Active Directory and monitor for ongoing suspicious and high-risk activities within Active Directory.

o   Implement Section 1505 of the FY 2022 National Defense Authorization Act. This provision requires the Department of Defense to conduct an inventory of OT assets and update its policies to establish baseline cybersecurity requirements for operational technology.

o   Establish metrics for transparency and accountability. Congress should update its oversight of agency cybersecurity by using the Federal Information Technology Acquisition Reform Act as a model to replace existing unstructured agency reporting. A cybersecurity scorecard would provide improved transparency metrics and milestones against which all agencies measure and report their progress.

o   Ensure sufficient funding for CISA and the Office of the National Cyber Director to ensure they can meet mission requirements. I supported the creation of the Office of the National Cyber Director and applaud Director Chris Inglis’ efforts to stand up and staff the new office. The threats to federal networks and critical infrastructure are growing at a significant rate, and CISA must serve as an effective coordinator to strengthen security in these environments. Congress should see the FY 2022 appropriations for CISA as a new baseline number, which should grow at a rate commensurate with the needs of the mission.

Hearing Roadmap

§ Torres asked whether Russia is a cyber superpower, whether the U.S. has more cyber vulnerabilities, whether it is reasonable for an American business to defend itself against a nation-state cyber attack, whether the U.S. should assume a greater role, whether the U.S. government should mandate standards and best practices like multi-factor authentication, and whether the U.S. water system can be protected from cyber threats.

§ Katko asked where U.S. wastewater and water systems fall within the realm of cyber defenses and how to help CISA partner better with the private sector.

§ Representative James Langevin (D-RI) inquired how language in the “America COMPETES Act” establishing critical technology security centers would help U.S. cybersecurity and about the SEC’s proposed rules on cybersecurity risk and incident reporting.

§ Representative Dan Bishop (R-NC) asked whether Crowdstrike was contacted by the Office of Special Counsel regarding the hacking of the Democratic National Committee in 2016 and if the company could release the report on this incident. He yielded back his time after these two brief questions.

§ Representative Kathleen Rice (D-NY) asked how FS-ISAC pushes out CISA warnings and information to members and whether members report the same to the organization and whether CISA’s communications and warnings are intelligible and helpful to the smallest operators.

§ Representative Clay Higgins (R-LA) asked about state and local entities developing “off the grid” capability and about hacking back.

§ Representative Sheila Jackson Lee (D-TX) asked which entities should consider evacuation as part of their cyber response plans, whether the financial services sector is prepared for potential Russian intrusions, and whether Colonial Pipeline paying a ransom was the best outcome.

§ Representative Jeff Van Drew (R-NJ) asked about the proliferation of ransomware attacks and how Congress can better address them and if the U.S. government has the smartest, most knowledgeable people working on this issue.

§ Representative Lou Correa (D-CA) asked how CISA can talk to state and local agencies on a daily basis.

§ Representative Mariannette Miller-Meeks asked about the line between knowing who is behind attacks and what the attack is and the White House’s decision to put the Department of Energy in charge of the Colonial Pipeline hack.

§ Representative Yvette Clarke (D-NY) asked if FS-ISAC and Water-ISAC are doing anything to have their members voluntarily report threat information to CISA and whether companies are planning on participating in CISA’s rulemaking on cyber incident reporting.

§ Representative Carlos Gimenez (R-FL) asked if Russian ransomware proceeds make it back to the Russian government.

§ Representative Tom Malinowski (D-NJ) asked how the U.S. government can address disparities in cyber resources that leave smaller critical infrastructure entities more exposed.

§ Representative August Pfluger (R-TX) asked if a clarification of U.S. intent to respond to cyber attacks would deter attacks.

§ Representative Jake LaTurner (R-KS) asked if CISA is helping large and small entities equally.

§ Representative Kat Cammack (R-FL) asked how the intent of a threat actor can be determined.

§ Representative Andrew Clyde (R-GA) asked if Russia had a role in the Colonial Pipeline attack.

Other Developments


The European Parliament passed the “Data Governance Act” that “aims to increase trust in data sharing, create new EU rules on the neutrality of data marketplaces…facilitate the reuse of certain data held by the public sector…[and] will set up common European data spaces in strategic domains such as health, the environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills.”

Britain’s government “announced moves that will see stablecoins recognised as a valid form of payment as part of wider plans to make Britain a global hub for cryptoasset technology and investment.”

The United States (U.S.) Senate Homeland Security and Governmental Affairs Committee marked up a number of bills, including: the “Healthcare Cybersecurity Act of 2022” (S.3904), the “Satellite Cybersecurity Act” (S.3511), and the “Legacy IT Reduction Act of 2022” (S.3897).

France’s Commission Nationale de l'Informatique et des Libertés (CNIL) issued guidance on the use of artificial intelligence in the context of the General Data Protection Regulation.

The United States (U.S.) Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released a “Request for Information (RFI) to solicit public comment on certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, namely: The consideration of recognized security practices of covered entities and business associates when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule; and the distribution to harmed individuals of a percentage of civil money penalties (CMPs) or monetary settlements collected pursuant to the HITECH Act, which requires the Secretary of HHS (Secretary) to establish by regulation, and based upon recommendations from the Government Accountability Office (GAO), a methodology under which an individual who is harmed by an act that constitutes an offense under certain provisions of the HITECH Act or the Social Security Act relating to privacy or security may receive a percentage of any CMP or monetary settlement collected by OCR with respect to such offense.”

The United Kingdom’s Foreign, Commonwealth & Development Office published a fact sheet on “Russia's FSB malign activity.”

The European Data Protection Board (EDPB) met and adopted the following documents: EDPB letter on the draft national legislation impacting the Belgian Supervisory Authority, Rules of Procedure, version 8, and Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework.

United States (U.S.) Federal Trade Commission Chair Lina Khan made remarks at a conference in Brussels, Belgium on how “[t]he growing adoption of a newer set of technologies—including voice assistants, cloud computing, and virtual reality—impel us to learn from past missteps and prevent incumbents from unlawfully capturing control over emerging markets.”

Australia’s government “released draft legislation and explanatory material to implement a new Digital Games Tax Offset (DGTO).”

The United States Government Accountability Office (GAO) published a report titled “Critical Infrastructure Protection: DHS Actions Urgently Needed to Better Protect the Nation's Critical Infrastructure.”

The United Kingdom’s Department for Digital, Culture, Media & Sport released its “Cyber security breaches survey 2022.”

The United Kingdom’s (UK) Information Commissioner’s Office (ICO) has opened a consultation on “data security incident trends.”

The United States (U.S.) Government Accountability Office’s Office of the Inspector General found that privacy program improvements could enhance the agency’s efforts to protect data and systems.

United States President Joe Biden renominated Travis LeBlanc to serve on the Privacy and Civil Liberties Oversight Board.


Further Reading


“Ukraine Crisis Tests Cyber Warfare’s Red Lines, Bitdefender Says” By Andra Timu and Irina Vilcu — Bloomberg

“Tech workers describe detentions and interrogations as they flee Russia” By Vadim Smyslov — Bloomberg

“Facebook restores banned ad promoting renters rights after tweet goes viral” By Alex Hern — The Guardian

“Am I being tracked? Anti-stalking tech from Apple, Tile falls short.” By Geoffrey Fowler — Washington Post

“Musk's stake in Twitter isn't good news for users” By Michael Hiltzik — Los Angeles Times

“Border Patrol's use of Amazon's Wickr messaging app draws scrutiny” By Ben Goggin and Louise Matsakis — NBC News

“How to document war crimes in the digital age” By Caitlin Thompson — coda

“Russia’s slow cyberwar in Ukraine begins to escalate, experts say” By Kari Paul — The Guardian

“The FBI is spending millions on social media tracking software” By Aaron Schaeffer — Washington Post

“Exclusive: U.S. probe of Google Maps picks up speed” By Diane Bartz and Paresh Dave — Reuters

“Release of Ukraine Intelligence Represents New Front in U.S. Information War With Russia” By Warren Strobel — Wall Street Journal

“Google unrolls search features to tackle misinformation” By Brandon Vigliarolo — The Register

“Meta’s encryption plan has human rights benefits, report says” By Joseph Menn — Washington Post

“Inside Cyber Front Z, the ‘People’s Movement’ Spreading Russian Propaganda” By David Gilbert — Vice

“Antitrust Bill Targeting Amazon, Google, Apple Gets Support From DOJ” By Ryan Tracy — Wall Street Journal

“House Oversight panel launches investigation into Amazon's labor practices” By Zoë Richards and Haley Talbot — NBC News

“TikTok Has a Problem” By Kaitlyn Tiffany — The Atlantic

“Senate’s Wyden Probes Use of Forged Legal Requests by Hackers” By William Turton — Bloomberg

“Attacking rival, Google says Microsoft’s hold on government security is a problem” By Kevin Collier — NBC News

“Writer named in controversial ‘media men’ list wins round in court” By Josh Gerstein — Politico

“The chip challenge: Keeping Western semiconductors out of Russian weapons” By Jane Lanhee Lee — Reuters

“Google Found to Unfairly Block Rival Payments on India Store” By Sankalp Phartiyal — Bloomberg

“As right to repair legislation looms, Samsung introduces ‘self-service’ for Galaxy devices” By Brian Heater — TechCrunch

“Ex-Google CEO promotes digital West Point” By Margaret Harding McGill — Axios

“Apple Backed by Koch Group in App Store Antitrust Fight” By Peter Blumberg and Malathi Nayak — Bloomberg

“Former top national security officials side with Apple in app store antitrust case” By Brian Fung — CNN

“Sanders looks to shoot down Bezos’ moon plans” By Bryan Bender — Politico

“From Russia with money: Silicon Valley distances itself from oligarchs” By Joseph Menn, Elizabeth Dwoskin, Douglas MacMillan and Cat Zakrzewski — Washington Post

“Adults or Sexually Abused Minors? Getting It Right Vexes Facebook” By Michael H. Keller — New York Times

“Twitter change leaves huge gaps in websites” By Jon Porter — The Verge

“In Brazil, Firms Sought Black Workers. Then LinkedIn Got Involved.” By Jack Nicas and Flávia Milhorance — New York Times

“Internet communities are battling over pixels” By Taylor Lorenz — Washington Post

Coming Events

20 April

- The United Kingdom’s House of Commons Science and Technology Committee will hold a formal meeting (oral evidence session) as part of its inquiry on “The right to privacy: digital data.”

21 April

- The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:

  - Improving Receiver Performance. The Commission will consider a Notice of Inquiry to promote more efficient use of spectrum through improved receiver interference immunity performance, thereby facilitating the introduction of new and innovative services. (ET Docket No. 22-137)

  - Wireless Emergency Alerts. The Commission will consider a Further Notice of Proposed Rulemaking seeking comment on proposals to strengthen the effectiveness of Wireless Emergency Alerts, including through public reporting on the reliability, speed, and accuracy of these alerts. (PS Docket Nos. 15-91, 15-94)

  - Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.

  - Restricted Adjudicatory Matter. The Commission will consider a restricted adjudicatory matter.

  - Enforcement Bureau. The Commission will consider an enforcement action.

27 April

- The United States (U.S.) Federal Trade Commission (FTC) and U.S. Department of Justice will hold a listening forum on firsthand effects of mergers and acquisitions: media and entertainment.

12 May

- The United States (U.S.) Federal Trade Commission (FTC) and U.S. Department of Justice will hold a listening forum on firsthand effects of mergers and acquisitions: technology.

15-16 May

- The United States-European Union Trade and Technology Council will reportedly meet in France.

16-17 June

- The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”