The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cyber officials may have to testify about alleged social media collusion

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Here’s a periodic reminder to send scoops to tim.starks@washpost.com. Everyone benefits when you do.

Below: Chinese spies are accused of trying to obstruct a U.S. investigation of Huawei, and the FTC singles out a Drizly executive over a data breach. First:

A Louisiana judge orders some cyber feds to be dragged in to testify

Two Republican attorneys general have won an initial hand in their effort to force feds to hand over information about alleged attempts to silence voices on the right on social media.

Last week Judge Terry Doughty ordered the deposition of a number of high-ranking federal government officials, something judges are usually loath to do. They include some cyber officials: Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly; a member of a CISA team that fights influence operations; a State Department official who does the same; and an assistant special agent in charge assigned to FBI San Francisco who’s recognized as a cyber and election security expert.

Case basics

Conservatives have long been frustrated by a perceived bias among social media companies in deciding which kinds of comments to allow on their platforms, pointing to examples like Twitter’s ban of the New York Post after it ran a story a few weeks before the 2020 election about alleged contents of Hunter Biden’s laptop (Twitter’s then-CEO has since said banning the newspaper was a mistake).

But in this lawsuit, First Amendment experts say evidence that government officials colluded with social media organizations to censor information is thin or nonexistent and the deposition ruling troubled them.

Missouri Attorney General Eric Schmitt (R) and his Louisiana counterpart Jeff Landry (R) filed their suit in May. Schmitt is running for the Senate this year and Landry plans to run for governor next year.

The thrust of their suit is that people within the Biden administration (some of whom served under Trump, including  Anthony Fauci) allegedly colluded with social media companies to violate the First Amendment rights of some prominent conservative activists and also regular citizens in the name of countering disinformation and misinformation on subjects like the coronavirus pandemic and election integrity. 

  • “The potential burden” for each of the high-ranking officials whom the court ordered to be deposed “is outweighed by the need to determine whether First Amendment rights of free speech have been suppressed,” wrote judge of the U.S. District Court for the Western District of Louisiana Terry Doughty.
Who’s affected

Besides Easterly, other cyber-related officials who could be deposed under the suit are:

  • Lauren Protentis with CISA’s Mis-, Dis- and Malinformation team. However, Doughty said the plaintiffs must pick Easterly or Protentis to depose, but not both. Younes said they chose Easterly.
  • Elvis Chan with the FBI’s San Francisco office.
  • Daniel Kimmage, the State Department Global Engagement Center’s acting coordinator.

In Easterly’s case, the alleged evidence includes a text exchange about a since-abandoned Disinformation Governance Board with a former CISA official. “The conversations ultimately describe how Easterly seeks greater censorship and that this would be done by federal pressure on social media platforms to increase censorship,” Doughty wrote, summarizing the plaintiffs’ claims.

According to a text message from Easterly, filed as discovery, her remarks were about “trying to get us in a place where Fed can work with platforms to better understand the mis/dis trends so relevant agencies can try to prebunk/debunk as useful.” The plaintiffs deem that censorship.

Reactions

Plaintiffs hailed the decision from Doughty, who was nominated by Trump, as a victory that demonstrated the importance of their case. “I’m very pleased with it,” Jenin Younes, litigation counsel at the nonprofit New Civil Liberties Alliance that joined the case, told me. “High-ranking federal officials are  generally shielded from having to give depositions. But exceptions are made for circumstances like these where nobody else would have the information.”

Some outside legal minds who work on First Amendment cases were less enthused.

  • George Freeman, executive director of the Media Law Resource Center, called the lawsuit “outlandish,” saying it “doesn’t even make sense” in situations like where then-White House press secretary Jen Psaki openly said things like, “Facebook needs to move more quickly to remove harmful, violative posts.”
  • “When the press secretary says she’s against information, that really hardly seems enough of anything much less a threat to be actionable in some way counter to the First Amendment,” Freeman said.
  • “The fact that this is moving forward, and they’ve gotten such a broad-based order for deposition of such high-ranking officials, it’s a bit of surprise,” Evelyn Douek, a Stanford law professor, told me. “The reaction to when the suit was first filed was very much that this was just political grandstanding around social media platforms.”
The depositions

Younes said that if the defendants want to fight the deposition ruling, it would be “relatively soon.” Under federal rules, the depositions could last up to seven hours, she said.

The Justice Department didn’t answer requests for comment about its plans. A spokesperson for CISA, Michael Feldman, said the agency wouldn’t comment on litigation.

 Mark S. Zaid, a D.C. attorney who frequently litigates against the U.S. government, told me via email he wouldn’t be surprised if DOJ appealed the ruling, given that it authorized the deposition of a long list of officials.

Whether the depositions might substantially help the plaintiffs build their case is a separate question.

“Even with the depositions, the burden that they have to prove their case here is extraordinarily high,” and “there’s nothing on the record that suggests they have a chance,” Douek said. “So the idea that this is going to be a big ‘gotcha’ moment, it’s very unlikely.” 

For now, the plaintiffs are emboldened.

“It is high time we shine a light on this censorship enterprise and force these officials to come clean to the American people, and this ruling will allow us to do just that,” Schmitt said. “We’ll keep pressing for the truth.”

The keys

Chinese spies accused of trying to obstruct Huawei investigation

The Justice Department said two men working on behalf of Beijing bribed a U.S. law enforcement official to share secrets about the prosecution of a major Chinese firm that people familiar with the matter said was Huawei, Devlin Barrett, Perry Stein and Ellen Nakashima report. But the official was actually a double agent working for the U.S. government who was gathering evidence against the suspects and feeding them fake documents and information.

“The U.S. Justice Department indicted Huawei Technologies in 2019, accusing the world’s largest communications equipment manufacturer and some of its executives of violating U.S. sanctions on Iran and conspiring to obstruct justice related to the investigation — prompting furious condemnations from both the company and the country,” Devlin, Perry and Ellen write. “The new charges suggest that the Chinese government went to great lengths to try to defeat the U.S. case against the company, assigning alleged Chinese intelligence officers to obtain information about witnesses and evidence. Huawei has long insisted it operates independently of the Chinese government.” 

A Huawei representative didn’t respond to a request for comment. 

FTC singles out Drizly executive over data privacy abuses

The Federal Trade Commission’s proposed order will follow Drizly CEO Cory Rellas to his future businesses, forcing him to implement security programs at any companies he leads that collect data from at least 25,000 people, Cat Zakrzewski reports.  The punishment came after alleged security failures under Rellas’s watch that exposed around 2.5 million customers’ personal information.

It also comes after Democrats pushed for more aggressive penalties for individual executives involved in major data breaches. “There are only a handful of examples of the FTC pursuing such individual liability in past cases involving online data,” Cat writes. “In 2019, the agency reached a settlement with the operator of an online rewards website, ClixSense, that will follow [the executive] to future companies. That same year, the agency also named executives in an order it brought against a dress-up games website, which allegedly violated a law that protects children under the age of 13 online.”

Under the order, Rellas and Drizly, which is owned by Uber, will also have to destroy unnecessary data, put new data controls in place and train their employees about cybersecurity. The FTC will decide on finalizing the order after getting public comments for 30 days.

Securing the ballot

Biden admin set to warn about threats to nation’s election infrastructure (Politico)

Global cyberspace

Medibank reveals hack has affected more customers than first thought (The Guardian)

When would a cyberattack trigger a NATO response? It’s a mystery (The Hill)

Cyber insecurity

Apple fixes new zero-day used in attacks against iPhones, iPads (Bleeping Computer)

Industry report

British company Interserve fined £4.4 million over ransomware attack (The Record)

Cyber unicorn Snyk to sack 198 employees, 14 percent of workforce (CTech)

Daybook

  • CISA chief of staff Kiersten Todt speaks at an event hosted by the Virginia Academy of Science, Engineering, and Medicine today.
  • The Small Business Administration hosts its cyber summit on Wednesday. 
  • Rep. Tony Gonzales (R-Tex.), Col. Jennifer Krolikowski, the chief information officer at U.S. Space Systems Command, and other speakers attend the BlackBerry Security Summit 2022 on Wednesday.
  • The Information Security and Privacy Advisory Board meets on Wednesday and Thursday.
  • The R Street Institute holds an event on school cybersecurity on Wednesday at 10 a.m.
  • The Aspen Institute hosts an event on Wednesday at 1 p.m. on election security, audits, influence operations and other things to know ahead of the midterm elections.
  • The Atlantic Council hosts an event on supply chain cybersecurity on Wednesday at 10 a.m.
  • National Cyber Director Chris Inglis and Anne Neuberger, the deputy national security adviser, speak at a Center for Strategic and International Studies event on Thursday at 10 a.m.
  • Rob Silvers, the undersecretary for policy at DHS, discusses cybersecurity initiatives at a Center for Strategic and International Studies event on Friday at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.

Loading...