The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Surveillance program needs new protections, oversight board member says

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Winter, I can sense your slow death, and I relish it. Shhh. Just go to sleep. Go … to … sleep. (Don’t worry, no cat was hurt in that GIF.)

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The Environmental Protection Agency announced new cybersecurity rules, and hackers are using artificial intelligence to mimic voices of loved ones and scam people out of thousands of dollars. First:

Spying program needs more safeguards for Americans, privacy board member says

As the battle over renewal of a controversial surveillance program heats up, a member of an executive branch board that oversees it says it should only be reauthorized with additional safeguards for Americans.

The Privacy and Civil Liberties Oversight Board held a meeting in January to scrutinize expiring surveillance powers known as Section 702, and plans a full-board report later this year. In an exclusive interview, Travis LeBlanc — one of the board’s five members — explained his view of the program.

“I do have concerns with a clean reauthorization,” he said, and he believes the program needs “common-sense protections that could be put in place to balance privacy and civil liberties with the national security interest.”

The Section 702 program collects communications of foreign targets without warrants, but much of the controversy begins with what U.S. spy agencies refer to as “incidental collection” — when the U.S. intelligence community simultaneously collects the communications of Americans interacting with those foreign targets.

Many Republicans in Congress have grown increasingly skeptical of the U.S. national security apparatus, finding some common cause with privacy advocates. 

Last week, executive branch national security officials pressed their case on numerous fronts for renewal of the program, which is set to expire at the end of the year. The officials said the program is a vital tool for protecting the nation, including against cyberthreats — and the reauthorization debate is likely to come up again at a Senate Intelligence Committee hearing this week.

LeBlanc’s view

LeBlanc served in the Obama administration and as an adviser to Vice President Harris when she was California attorney general. He was first nominated to the board by President Donald Trump. He leads the cyber, data and privacy practice at Cooley, a law firm.

Beyond “incidental collection,” intelligence agencies can search the program’s query system using identifiers of Americans, like phone numbers.

“It is apparent now, as it has been for many years, that the 702 program collects the communications of untargeted U.S. persons in large numbers, although that number has never been detailed,” LeBlanc said.

  • “We also note from the transparency reports that have come out that there have been massive queries of U.S. persons” under Section 702 — 3.4 million as of 2021 in the last such report made public, LeBlanc noted. (Charlie Savage of the New York Times reported that while the FBI’s 3.4 million number was an increase from the estimated 1.9 million the previous year, the “value of those numbers is not clear for multiple reasons.” The numbers have apparently dropped since then, per a previously undisclosed report Savage cited.)
  • “Thus far, there isn’t a lot that anyone in the administration has said about the massive value of querying for U.S. persons,” LeBlanc said. The value of the program for foreign targets is more clear, he said. The Biden administration has cited Section 702 as contributing to the takedown of al-Qaeda leader Ayman al-Zawahiri, who was killed in a CIA drone strike last year.
  • “Where are all the crimes being committed allegedly by U.S. persons that we need to query Section 702 collections as the basis for it?” he asked. “Not only do we need to see the value of that, but what is the necessity to do that without a warrant?”
  • LeBlanc also said that “it is apparent we have reached a point where the massive number of U.S. queries, in particular, warrant the use of a prior court order before allowing any search of a Section 702 collection for U.S. persons information.”

LeBlanc said several additional safeguards could make Section 702 more defensible. Those changes are largely in Congress’ hands. One of his suggestions for Congress is putting some kind of tag or other technical flag on communications that involve Americans. The intelligence community needs to better estimate how many Americans’ communications are being collected, he said.

Next, Congress needs to codify the end of the practice of the National Security Agency searching through internet traffic for mentions of the surveillance target to collect those communications as well, LeBlanc said. The intelligence community said it would end this so-called “about” collection, and Congress in 2018 passed legislation saying that it must notify lawmakers within 30 days if it restarts it. LeBlanc said Congress should formally end such collection.

And he said Congress needs to address “batch queries,” where the FBI queries thousands of Americans’ communications at a time.

Why now?

LeBlanc will discuss his views on Section 702 reauthorization at the 2023 State of the Net Conference today, as well as his views on an E.U.-U.S. data privacy pact.

He said he wanted to make his opinion known now, before the Privacy and Civil Liberties Oversight Board puts together its report later this year, because the congressional renewal debate has already begun.

“The Congress, the administration and the public benefit from a diversity of bipartisan views in approaching reauthorization and informed views,” he said. “Those who have had the ability to review the record of classified materials will be of critical value.”

And he thinks he’s not alone in his views. “By and large, I think the recommendations I'm making are consistent with the concerns you're hearing from Democrats, Republicans, civil society, even the administration,” LeBlanc said.

How might his suggestions affect cyber investigations? He said it was difficult to answer that question because of classified issues, but “it is a challenge for me to understand why a warrant requirement would preclude the bureau from conducting those investigations.” 

We’ll close on this, from our colleague Ellen Nakashima, who reported last week on national security officials’ push for Congress to reauthorize the program:

The keys

They thought loved ones were calling for help. It was an AI scam.

Scammers are using artificial intelligence to impersonate people’s loved ones in distress and in need of thousands of dollars — and people, often the elderly, are falling for it, our colleague Pranshu Verma reports.

Such schemes are becoming more common across the country, with technology making it easier for hackers to replicate voices based on an audio sample of just a few sentences. In 2022 alone, swindlers were able to obtain more than $11 million in over the phone impostor scams pretending to be friends and family, making it the second most popular racket in America, according to data from the Federal Trade Commission. 

However, “experts say federal regulators, law enforcement and the courts are ill-equipped to rein in the burgeoning scam,” Pranshu writes. “Most victims have few leads to identify the perpetrator and it’s difficult for the police to trace calls and funds from scammers operating across the world. And there’s little legal precedent for courts to hold the companies that make the tools accountable for their use.” 

The uptick in generated voice technology, which is making the ruse more convincing, shows how the growing field of artificial intelligence software is being manipulated by bad actors.

EPA announces new cybersecurity rules

The Environmental Protection Agency on Friday issued new water sector cybersecurity standards that require state public water systems to “evaluate the adequacy” of any digital defenses through sanitation surveys, CyberScoop’s Christian Vasquez reports.

During a call with reporters Thursday, EPA Assistant Administrator Radhika Fox said that the mandates are meant to close cybersecurity gaps in fields that Americans rely on each day. 

“Many [facilities] don’t even have basic cybersecurity practices in place. As a result the water sector, a critical infrastructure sector to the United States, is at risk of cyberattacks,” Fox said. “As we issue this implementation memorandum, we are committed to partnering with states in exercising their authority,” and creating a scaled-up cybersecurity action program. 

However, some industry experts have raised alarm that sanitation surveyors might not have the expertise to confidently protect their systems from the various forms of cyberthreats. Plus, such surveys only occur every three to five years, which is not compatible with the rapid pace that hacks evolve. 

In a joint letter sent to the EPA on Jan. 25, water industry groups said the plan’s parameters were “ill-advised, impractical, and are not designed to meaningfully improve system resiliency.” The groups added that the EPA’s interpretation of its authorities under the Safe Drinking Water Act does not make the rule “legally justifiable, as interpretive rules must not set new legal standards or impose new requirements.” 

Global cyberspace

European police, FBI bust international cybercrime gang (Associated Press)

Huawei fights for role as Malaysia reviews 5G tender (Financial Times)

Securing the ballot

SNP leadership contest at risk of being hacked as cyber chiefs issue warning (Scottish Daily Express )

Government scan

FBI, CISA warn organizations of royal ransomware attacks (Security Week)

Cyber insecurity

Ransomware hackers release some stolen Oakland data (CBS News)

TPM 2.0 library vulnerabilities may affect billions of IoT devices (InfoSecurity Magazine)


  • Travis LeBlanc, of the Privacy and Civil Liberties Oversight Board, will discuss FISA Section 702 and the E.U.-U.S. data privacy framework today at 3:45 p.m. during the State of the Net Conference. 
  • Acting National Cyber Director Kemba Walden will deliver the keynote address at the State of the Net Conference today at 4 p.m.
  • Former deputy national security adviser Matthew Pottinger speaks at a Washington Post Live event today at 11 a.m. on U.S.-China tensions.

Correction: A previous version of this newsletter incorrectly spelled Kemba Walden’s name. This version has been corrected.

Secure log off

Thanks for reading. See you tomorrow.