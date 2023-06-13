

Welcome to The Cybersecurity 202!

Below: An Illinois hospital is the first health-care establishment to close in part due to a ransomware attack, and India is denying a mass data breach of a coronavirus vaccination website. First:

The give and take on Section 702 surveillance

Civil liberties groups on Monday laid down a marker about the changes they want Congress to make to expiring surveillance powers that they say threaten Americans’ privacy rights.

The groups, 21 in all, released a joint statement calling on Congress to impose warrant requirements for spying on Americans, strengthen judicial review, establish protections for other kinds of surveillance and put in place some safeguards for foreign targets who are unlikely to be involved in threats to the United States.

The surveillance powers, also known as Section 702, are scheduled to expire at the end of 2023.

“Although purportedly targeted at foreigners, Section 702 has become a rich source of warrantless government access to Americans’ phone calls, texts, and emails,” the groups wrote. “This has turned Section 702 into something Congress never intended: a domestic spying tool.”

The groups’ proposals came in advance of a hearing this morning where top Biden administration spy agency officials are expected to make their case to the Senate Judiciary Committee that those same powers are an essential safeguard against cyber and other threats to the United States.

Here are the biggest things the groups are calling for. Senior administration officials who spoke with me about the proposals spoke on the condition of anonymity to speak more freely.

Warrant requirement

The groups say their biggest suggestion, a warrant requirement for agencies to search Americans’ communications, is necessary because existing agency measures to prevent abuses have proven ineffective.

Even though Section 702 targets foreigners, those targets might be communicating with Americans. And the FBI and National Security Agency can query the database of collected intelligence information using U.S. person identifiers, such as name or phone number.

While the administration says it has put in place measures to reduce the number of U.S. person queries by 93 to 94 percent, civil liberties groups say it still happens a ton. And the evidence of abuses — the FBI can only search the database for foreign intelligence purposes or with evidence of a crime — is legion, including a recently unsealed court document that found improper use against Jan. 6 participants and Black Lives Matter protesters.

“These represent just a small portion of the FBI’s misuse of Section 702,” the letter states. “Based on the 4 percent noncompliance rate reported in its most recent audit, which reflects compliance rates after the FBI implemented new training and oversight requirements and made changes to its data systems, the FBI conducted over 8,000 U.S. person queries that violated rules in 2022 alone, an average of over 20 improper queries every day.”

What the administration refers to as “incidental collection” of Americans’ communications isn’t unique to Section 702, a senior administration official told me.

“It’s inherent to the nature of collecting communications,” the official said. A warrant requirement would hamper the feasibility of quickly and widely searching for hack victims or someone that foreign intelligence agencies are trying to recruit to be a spy, the official said.

Further, another official noted that the courts have found the program and all of its parts to be “Fourth Amendment-reasonable.”

Judicial review

A court created under the Foreign Intelligence Surveillance Act (FISA) has some oversight of Section 702 of that law but it’s not enough, the groups argued. The court “operates in secret and often hears only from the government,” they wrote.

One of the mechanisms Congress established to bolster that oversight last time it reauthorized Section 702 in 2018 was meant to increase the use of amici curiae — outside experts who can offer different perspectives. But the groups said those experts are still sometimes out of the loop.

“Congress should strengthen FISA’s amici provisions by giving amici better access to relevant information and by encouraging appointment of amici in cases involving sensitive targets such as religious or political organizations, candidates for public office, and the media,” the groups said.

A senior administration official told me the process is working here.

“The FISA program is subject to pretty robust oversight and court review appropriate for an intelligence collection program,” a senior administration official said. Compliance problems have “come to light precisely because of the judicial review,” the official said.

Other protections

Some other types of surveillance fall under an executive order signed in 1981 and amended multiple times since. Even though those don’t fall under the FISA, any update to Section 702 should include protections for those types of surveillance, the groups said.

“The government conducts sweeping surveillance overseas, and collects geolocation data and other sensitive information inside the United States (often purchasing it from data brokers),” the groups wrote.

U.S. intelligence agencies are increasingly relying on commercially available data; the Wall Street Journal’s Byron Tau and Dustin Volz have more details.

The groups’ complaint is a “Catch-22,” a senior administration official said.

“On one hand, there’s a critique that we have 702 in place, which in fact has all these protections,” the official said. “And in this case, there’s a complaint that it’s not broad enough, that there’s gaps and there’s no 702 in place.”

Overseas questions

Lastly, the groups wrote, there need to be protections for some foreign targets.

“Although the purpose of Section 702 is to prevent terrorism and head off other foreign threats, the law allows surveillance of an extremely broad class of foreigners abroad, including law-abiding private citizens,” the groups argued. “This jeopardizes the privacy of foreigners who pose no threat to the United States as well as the Americans with whom they communicate.”

The lack of such protections has led to regulatory problems for U.S. companies trying to do business overseas in places like the European Union, they said.

The president is already working on this issue, a senior administration official said, including with an executive order last year.

It’s been the subject of a steady dialogue between the United States and E.U., the official said: “There’s ongoing discussions between the United States and the E.U. in order to put mechanisms in place that will ensure the continued transfer of data from the U.S. to the E.U.”

The keys

Illinois hospital is first hospital to close as result of ransomware attack, experts say

Illinois-based St. Margaret’s Health in Spring Valley will close on Friday in part due to a devastating ransomware attack, Kevin Collier reports for NBC News.

According to experts who spoke with Collier, that “makes it the first hospital to publicly link criminal hackers to its closure.” A 2021 ransomware attack slowed computers for months and burdened the hospital with hefty costs.

“Due to a number of factors, such as the covid-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health, and a shortage of staff, it has become impossible to sustain our ministry,” Stahl said in a Facebook video.

The closure is set to have a “profound impact” on residents seeking medical care, said Spring Valley Mayor Melanie Malooley-Thompson. It means that some will have to travel 30 minutes to seek care, she said.

“Multiple studies have shown a correlation between hospital downtime because of ransomware attacks and increased mortality rates,” the NBC report says.

Brian Mazanec, the Department of Health and Human Services deputy director of the office of preparedness, told a House panel last month that the agency found nearly all hospitals it surveyed had some devices running operating systems that are no longer supported or software with known vulnerabilities. Stricter cybersecurity rules for medical device manufacturers are also now in play, The Cybersecurity 202 previously reported.

U.K. communications regulator latest in long list of MOVEit victims

Ofcom, the U.K. communications regulatory agency, is the latest victim to be revealed to be subject to a Russia-linked ransomware attack on secure file transfer software MOVEit, Chris Vallance reports for BBC News.

“Ofcom said it had ‘swiftly’ alerted all the companies that it regulates and referred the matter to the data and privacy watchdog, the Information Commissioners Office (ICO),” Vallance writes, adding that payroll data was not affected, nor were core systems compromised.

“A limited amount of information about certain companies we regulate — some of it confidential — along with personal data of 412 Ofcom employees, was downloaded during the attack,” the agency said.

The hackers are linked to the Clop ransomware group, a “repeat player” that has claimed credit for the attack, as reported last week by your newsletter host.

British Airways, the government of Nova Scotia, accounting firm Ernst and Young and Transport for London (TfL), which operates London’s public transportation system, are among several victims affected by the attack (around a dozen U.S. federal agencies also appear to have active contracts that mention MOVEit).

The incident was first disclosed by MOVEit owner Progress Software.

The Cybersecurity and Infrastructure Security Agency and National Institute of Standards have told agencies to patch their MOVEit software by June 23.

Meanwhile, Clop has reportedly given victims until Wednesday to “get in touch in order to prevent data stolen from their systems from getting leaked,” Eduard Kovacs writes for SecurityWeek.

Indian government denies massive data breach of coronavirus vaccination website

The Indian government has denied reports that its CoWin coronavirus vaccination portal was breached following reports that a Telegram bot was spreading data from the site online, Arpan Rai reports for the Independent.

The CoWin portal was required for people to book their first, second and booster shots against coronavirus. If the breach did indeed happen, some 1 billion people including foreign nationals could be affected, according to the report.

“Multiple news outlets reported on Monday that sensitive personal information such as private contact numbers, passport numbers, dates of birth and national ID numbers known as Aadhaar were available on the Telegram channel if a user typed in a phone number registered with CoWin,” Rai writes.

Electronics and technology official Rajeev Chandrasekhar tweeted Monday that “it does not appear that CoWin app or database has been directly breached” and that the data in question seems to be affiliated with “previously breached/stolen data stolen from the past.”

“Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc.,” the Indian Health Ministry said in a statement.

Thanks for reading. See you tomorrow.

