Ctrl + N
The technology industry is all grown up, and Sen. Brian Schatz (D-Hawaii) says it’s time for Silicon Valley to start getting serious about cybersecurity threats.
Schatz is calling on the technology industry to create an Information Sharing and Analysis Center (ISAC) — an independent organization that acts as a clearinghouse where companies can share cybersecurity threats with each other. These organizations have been very popular in other established industries such as financial services, but there is no centralized hub for just technology companies.
“All mature industries that have a broad impact have an ISAC or an equivalent,” Schatz said in an interview. “It’s about time we have it in the tech industry.”
Schatz — who has drafted a privacy bill targeting the technology industry — isn't planning to introduce legislation calling for this right now, because he thinks the companies can accomplish this without a mandate from Congress. He notes that successful ISACs are largely private-sector initiatives, but he wants to help: Schatz has been talking to one of the technology industry’s leading trade groups, the Internet Association, about creating one.
Creating an ISAC, however, would not solve the technology industry's problems with lawmakers. Congress is eager for action -- and reluctant to trust Big Tech to regulate itself -- after high-profile data breaches, bugs and leaks exposed that companies aren’t doing enough to safeguard vast troves of personal data they hold. Members have already introduced bills this year to rein in data tracking and how to empower the Federal Trade Commission.
So Schatz's proposal for a technology industry ISAC would likely come in addition to a national privacy law. However, as companies, privacy advocates and policymakers dig in for what is likely to be a heated and lengthy privacy debate, an ISAC could perhaps come together more quickly than a federal privacy law. Schatz said he wants to see the ISAC launch within the year.
The industry appears open to the proposal. Internet Association General Counsel Jon Berroya tells me in a statement that these organizations can be useful in helping protect privacy, “especially when these organizations prioritize fostering trust among the participants.”
The trade group is “engaged in preliminary conversations with its members” about whether such an organization would be useful, he said.
“[The Internet Association] members share Sen. Schatz's concerns about this important issue and will continue to prioritize exploring this approach — and other approaches — to address threats to their services,” he said.
Creating an ISAC for the technology industry would not be without its challenges — and it’s unclear at this stage how robust and effective such an initiative would be.
I’ve previously reported on hurdles social media companies face to share threat data about disinformation with each other. Priscilla Moriuchi, the director of strategic threat development at Recorded Future, said there’s lots of hype about threat sharing. “It’s one of those things that everyone thinks is a great idea,” she told me last month. “But in practice, it’s more complicated and not as effective as we think.”
In fiercely competitive Silicon Valley, it’s not going to be easy to convince the companies to share sensitive information about cyberthreats with each other — especially when data breaches can inflict serious brand damage on companies. The initiative would have to come up with serious incentives and tough guidelines to ensure companies don’t use the threats as ammunition against one another.
Also, there’s the issue of resources. Any industry initiative will have to take measures to ensure it’s not a drain on already strapped security teams. Some companies within the technology industry participate in other industry ISACs. For example, some members of the Internet Association that build fintech already participate in an ISAC for financial services companies.
Many threats may also not apply across the board. The membership of the Internet Association — which ranges from ride-hailing companies like Uber to social networks like Facebook to dating websites like Match Group — highlights the diversity of the businesses that are considered technology companies. The cybersecurity threats facing Twitter could be pretty different from the potential cyberattacks Lyft worries about.
As the Internet Association talks with its member companies, there has been discussion about how to square this. One option: Creating "working groups" to share threat information between specific kinds of technology companies, according to a person familiar with the deliberations who spoke on the condition of anonymity because they were not authorized to speak on the record. There could, for instance, be one threat-sharing group for marketplace businesses like Uber, Airbnb and Lyft, and another for social networks like Facebook and Twitter.
Sen. Schatz said he thinks the industry can sort out these challenges.
“We’re confident they’re moving expeditiously and will be able to establish an ISAC,” he said.
|You are reading The Technology 202, our guide to the intersection of technology and politics.|
|Not a regular subscriber?|
BITS: Britain-based cybersecurity company Netcraft said the number of expired Web security certificates used by federal agencies has risen to more than 130 from about 80 in the past week as the government shutdown continues, The Washington Post's Brian Fung reported. That includes Web pages that are managed by the White House, the Federal Aviation Administration and other federal agencies. Paul Mutton, security consultant for Netcraft, said there could actually be more than 130 federal websites affected by this issue because some expired certificates could have applied to several Web pages.
Matthew Prince, chief executive of Cloudflare, said he contacted the Justice Department and NASA to pitch his company's services including automatic renewal for certificates, but the offer went nowhere. “They’ve said, ‘Thanks for the offer to help, but we don’t actually have anyone who is able to sign a new contract,’ " Prince told Brian. “Even agreeing to the terms of service is a contract. So they can’t even sign up for the free version of the service that would solve this problem.” Also, TechCrunch's Zack Whittaker has a list of federal HTTPS sites that are set to expire soon, which you can read here.
NIBBLES: Sophie Alpert, an engineering manager at Facebook who identifies as transgender, said she left the company after being “harassed” by employees for her views on diversity, CNBC's Salvador Rodriguez reported. The departure also highlights the lack of diversity at Facebook and more generally in Silicon Valley companies. Alpert, who left the social network to join a company named Humu, said she faced criticism on the anonymous workplace app Blind.
“Facebook is good for many people, but it's not the right place for me right now,” Alpert wrote in a post on Workplace, Facebook's internal social network, according to Rodriguez. “I want to spend my time at a place willing to push further on diversity and inclusion. One where it's not okay to write on Workplace that white privilege doesn't exist. One where if I call out that our board has too many white men, I don't get harassed by other employees on Blind with transphobic messages saying I should be fired.”
BYTES: The Trump administration used Excel spreadsheets as well as more than 60 other databases and files that made it “nearly impossible” track the thousands of children separated from their families at the border, according to Wired’s Issie Lapowsky.
A Health and Human Service’s Office of Inspector General report found that since 2017, “the Trump administration has separated thousands more children from their parents than it previously disclosed and that it tracked these kids in ad hoc, disparate databases, including Excel spreadsheets and Microsoft Sharepoint accounts, further complicating the already tortured process of figuring out where those children are today,” she reported.
The report said the number and status of the children separated from their parents under the Trump administration policy is unknown. . It lists the “lack of an existing, integrated data system to track separated families” as a key obstacle to reunification, Lapowsky reported.
-- The talk about safety and revised ambitions for autonomous vehicles at the CES technology show in Las Vegas and the Detroit auto show this year underscores how “cautious optimism” in the driverless car industry has replaced the hype of previous years, according to the Wall Street Journal's Tim Higgins. “What was underappreciated by the industry is how long and how difficult it would be to industrialize the technology,” Karl Iagnemma, president of automotive supplier Aptiv’s autonomous mobility, told the Journal. “Industrywide that recognition has dawned.”
A fatal crash involving an Uber test autonomous vehicle ushered in this more cautious approach. Moreover, developers of autonomous vehicles still face difficulties in addressing simple road scenarios — such as unprotected left turns. “The immediate future of autonomous vehicles is more subdued: plodding shuttles that drive around the block and cars that travel in confined, well-practiced routes with not one but two safety operators inside,” according to Higgins.
— As some companies such as Netflix move to stop sharing a portion of subscription or sales revenue with Apple, consumers find themselves “trapped” in a war that's being fought on Apple's App Store, Bloomberg Opinion columnist Shira Ovide wrote. “The reason for this mess is that companies have a binary choice: give Apple up to 30 percent of each sale, or elect not to sell digital goods from their iOS apps,” Ovide wrote. “Apple takes a cut of purchases made in iOS apps that use the company’s iTunes payments system if people are buying digital items to use in the app.” She added: “It’s Apple’s way or no in-app purchases.”
— Twitter chief executive Jack Dorsey wouldn't say whether President Trump's account would be removed from the platform if he were to tweet explicit calls for the murder of journalists, according to HuffPost's Ashley Feinberg. Dorsey said in an interview with Feinberg that it is “important that the world sees how global leaders think and how they act” in response to a question about whether Trump could do anything that would be considered as a misuse of Twitter and result in ban from the social network.
Feinberg then followed up: “OK, but if Trump tweeted out asking each of his followers to murder one journalist, would you remove him?” Dorsey replied: “That would be a violent threat. We’d definitely . . . You know we’re in constant communication with all governments around the world. So we’d certainly talk about it.”
Doing this interview was my push, not our Comms team. I knew it would be tough. I don’t care about looking bad. I care about being open about how we’re thinking about what we see. These answers represent our current state. What we know, what we don’t, and what we need to improve.— jackie no edits (@jack) January 17, 2019
— More tech news from the private sector:
— More than a dozen privacy groups called for the creation of a new federal data privacy agency that would be tasked with regulating how companies and other organizations gather personal data, the Associated Press's Rachel Lerman and Tali Arbel reported. The plan would also impose limits on data collection by companies and would set the Federal Trade Commission aside when it comes to privacy protection. “Privacy advocates are fed up with the FTC and with Washington failing to [rein] in the immense power the big data giants hold,” said Jeffrey Chester, executive director of the Center for Digital Democracy, one of the groups that helped draft the plan, according to the AP.
— The American Civil Liberties Union and the ACLU of Northern California sued the federal government to obtain information about federal authorities' alleged “social media surveillance activities,” according to an ACLU news release. The suit, which was filed in the U.S. District Court for the Northern District of California, targets the Justice, Homeland Security and State departments as well as the FBI, U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection and U.S. Citizenship and Immigration Services.
“The ACLU’s lawsuit seeks the release of each agency’s guidelines and policies governing the use of social media surveillance, communications with private businesses or social media platforms, and materials related to purchasing or building social media monitoring tools, among other records,” the ACLU said.
— As the shutdown continues, a website built by the companies Moxit and BLEN Corp. seeks to connect furloughed workers with freelance jobs via Unfurlough.us. A version of the site had previously been used during the 2013 shutdown.
— More technology news from the public sector:
— Apple chief executive Tim Cook's call for Congress to focus on the “shadow economy” of data brokers in a Time magazine op-ed elicited numerous reactions from Democratic lawmakers, tech experts and journalists. (I wrote about Cook's proposal in yesterday's Technology 202.)
From. Sen. Edward J. Markey (D-Mass.):
.@tim_cook is right. It’s time for Congress to pass comprehensive privacy legislation and put rules on the books for data brokers who traffic our info in the shadows. I will reintroduce the Data Broker Accountability and Transparency Act to do just that.https://t.co/XZlegNYOjz— Ed Markey (@SenMarkey) January 17, 2019
From Sen. Ron Wyden (D-Ore.):
From Nuala O'Connor, president and chief executive of the Center for Democracy and Technology:
From Shira Ovide:
Your periodic reminder that Apple gets billions of dollars a year from Google -- to enable Google's data harvesting/tracking/online advertising.— Shira Ovide (@ShiraOvide) January 17, 2019
Tim Cook strangely doesn't mention this here: https://t.co/if7xihno46
From Wired's Antonio García Martínez:
Cook's proposal is a good one, and future privacy regulation should keep the first/third party distinction in mind, along with the incentives that distinction creates. Note: regulations like the GDPR and CCPA, though aimed at FB, really hit the third-party data people. Good.— Antonio García Martínez (@antoniogm) January 17, 2019
From Nilay Patel, editor-in-chief of the Verge:
— News about tech culture and workforce:
— Tech news generating buzz around the Web:
— David Canellos, a former Symantec executive, joined Ericom Software as chief executive, Reuters's Angela Moon reported.
— April Underwood, chief product officer at Slack, is leaving the company, TechCrunch's Kate Clark reported. Underwood will be replaced by Tamar Yehoshua, a longtime vice president at Google.
— News about tech incidents and blunders:
— Today in funding news:
- The Brookings Institution holds a discussion titled “Enabling opportunities: 5G, the internet of things, and communities of color” on Jan. 23.
- RE•WORK Deep Learning Summit in San Francisco on Jan. 24 through Jan. 25.
Schiff compares Trump to 5th grader after cancelling congressional trip:
How popular is the border wall?
A short history of Donald Trump and Steve King: