Sept. 11’s imprint on the U.S. surveillance apparatus
With help from Eric Geller, Benjamin Din and John Hendel
Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— The United States dove head-first into surveillance following the Sept. 11 attacks. Two decades later, there are few signs of reeling it in.
— A proposal to establish a data privacy and security bureau at the Federal Trade Commission will be front and center at a House markup today.
— And that’s not all on Congress' plate: With the Senate returning to Washington, lawmakers have a long list of cyber priorities to work through
HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin, and I’m accepting tips on how to manifest fall energy this week as the high temperatures return to Washington. What activities help you get into the autumn spirit? (And if you tell me to order a Starbucks PSL, you’re canceled. Sorry, I don’t make the rules.)
Send your thoughts, feedback and — especially — tips to [email protected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.
A WATCHFUL EYE — When three planes crashed into the World Trade Center towers and the Pentagon on Sept. 11, 2001, the United States government’s views on surveillance changed forever. The federal government took over passenger screening at airports. Cities stepped up their investments in surveillance cameras for public spaces. And the Pentagon and intelligence community mounted an aggressive monitoring of Americans' everyday communications for signs of sleeper cells.
Twenty years later, the United States’ decision to surveil its citizens has left a watermark on everything from international data privacy negotiations to public safety. And experts say it’s unlikely the repercussions will spur meaningful relaxation of surveillance anytime soon.
“The new Biden administration and the leaders in both parties in Congress right now do not seem to have as a priority the dismantlement of these post-9/11 surveillance programs from the NSA on down,” said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation.
— Part of the U.S. response to the Sept. 11 attacks was a huge investment in surveillance, such as the NSA’s program allowing agents to gain access to Americans’ domestic call logs and texts. While the NSA has shut down its phone surveillance program, and Congress has placed limits on the agency's data collection over the years, the question of how far government surveillance should be allowed to go still causes headaches on the Hill.
Those surveillance programs still raise objections from allied countries, some U.S. lawmakers,human rights advocates — and the country’s cybersecurity workers.
“There is a non-insignificant percentage of the cybersecurity community whose views of the U.S. government have for a long time been defined by their feelings — good or bad, mostly bad — about those programs,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.
— The programs also have a lingering impact on U.S. international negotiations: The United States and Europe have long struggled to establish a data transfer agreement that doesn’t get overturned by a European court because of concerns about how extensive the U.S. surveillance programs are.
— Still an uphill battle: Similar to efforts to establish a national privacy law, Congress has struggled to gain momentum for limiting government surveillance. Sen. Ron Wyden (D-Ore.), a longtime advocate for ending mass surveillance, told Fast Company recently that “it’s still a small group of us” who are working on these issues in Congress.
While the NSA dismantling its touchstone surveillance program would be a good step, Schwartz would still like to see Congress change the aid it provides for state and local governments to purchase surveillance technologies, like cameras and facial recognition tools.
“America is a more surveilled society now than we were before the 9/11 attacks,” Schwartz told MC. “But a lot of communities are more organized now than ever.”
BEEFING UP THE FTC — An unexpected policy idea has made it onto the House Energy and Commerce Committee’s laundry list of items to debate during its budget markup this morning: creating a privacy and data security bureau at the Federal Trade Commission.
— Setting the stage: Democratic members have proposed giving the agency $1 billion to create the new bureau, which privacy and data security advocates have long argued is needed for the agency to effectively police data security abuses.
But Republicans aren’t huge fans of the price tag, which is more than three times the FTC’s entire annual budget. One GOP committee aide told my colleague John Hendel that the funding boost is effectively a “$1 billion war chest to advance [Democrats’] political agenda instead of passing actual legislation with real privacy protections for all Americans.”
— Long-time coming: FTC officials, lawmakers and privacy and digital security advocates have been pushing for years for more funding to strengthen the agency’s ability to regulate data breaches and privacy matters. In June 2020, the then-Republican-led FTC said in a report that while it believes it’s effectively dividing the workload among its roughly 40-45 privacy division employees, “with additional resources, we could better ensure that American consumers’ privacy is adequately protected.”
GROWING TO-DO LIST — With the Senate back in full swing this week, Congress is officially back from its summer vacations. Along with the lingering questions about the Democrats' $3.5 trillion budget reconciliation bill, here’s what cybersecurity policy debates lawmakers are returning to:
— Infrastructure talks: Cyber policy onlookers are still watching to see whether the House changes key cyber provisions in the Senate-passed infrastructure package. Marjorie Dickman, chief government affairs and public policy officer at BlackBerry, told MC she’s specifically watching to see how funding for the Cyber Response and Recovery Fund, the national cyber director’s office and state and local cybersecurity grants, fare.
— Incident reporting bills: The Senate Intelligence Committee and both of Congress’ Homeland Security committees are working on their own draft bills that would require certain companies and contractors to report cybersecurity incidents to the federal government within a specified timeframe. As Eric pointed out last week, ironing out those details among panels will be an uphill battle — especially as options for passing such legislation this year start to dry up.
SPEAKING OF RECONCILIATION— The top election officials in 14 states sent a letter Friday to lawmakers demanding that the Democrats' $3.5 trillion reconciliation package include $20 billion to fund election security in the next decade.
The letter, addressed to House Speaker Nancy Pelosi, Senate Majority Leader Chuck Schumer and leaders on the appropriations and budget committees, argues the money is needed to help replace outdated voting equipment, upgrade voter registration and election management systems and make investments in security infrastructure.
— Election officials on the letter represent the states of Arizona, California, Colorado, Connecticut, Maine, Michigan, Minnesota, New Jersey, New Mexico, New York, Oregon, Pennsylvania, Rhode Island and Vermont.
PROTESTING APPLE — A group of civil rights and anti-surveillance groups is taking its actions against Apple’s plans to scan photos and messages for child abuse materials one step further today with protests planned in 11 cities across the United States.
The in-person protests will take place in cities like Washington, San Francisco and Chicago, and they come a day before Apple’s event Tuesday where the company is expected to unveil a new phone and other devices.
— Last week, a group of anti-surveillance and civil rights groups delivered a petition with more than 59,000 signatures to Apple demanding the company completely abandon its photo-scanning plans.
UNDERSEAS HACKING — Private companies’ problems with sharing security threat information with the U.S. government and others in their sector aren't limited to land. An Atlantic Council report released this morning warns that U.S. submarine cable operators also lack tools to share such information with one another — making it more difficult for them to identify and address possible security vulnerabilities.
— More attractive hacking target: As undersea cable systems become more key vessels in transmitting government documents, scientific research and other valuable information between officials, these systems have become more valuable hacking targets, the report warns.
— One recommendation: To help quickly identify threats, the report recommends that owners of these systems, including Google and Facebook, should form their own public-private Information Sharing and Analysis Center, which sectors set up to help share threat information with one another and the government.
Rafi Martina, a longtime tech and cybersecurity adviser to Sen. Mark Warner (D-Va.), is moving to the Senate Intelligence Committee’s staff to work on emerging tech issues, according to our friends at Morning Tech.
From Kat Sweet, a security awareness program manager at HubSpot: “If a piece of security guidance is hard for employees to follow, get curious about why. Often the blockers lie in usability, not awareness. Identify barriers and look for ways to meet them where they’re at.”
— The SEC is asking all companies affected by the SolarWinds hack to turn over documents about all other cyber incidents since October 2019. (Reuters)
— The Pentagon has reclaimed 175 million IP addresses that were handed over to a Florida company in January as part of an obscure cybersecurity measure. (The Washington Post)
— The U.S. and Europe are making progress in talks for a replacement Privacy Shield agreement, which has been held up over concerns about U.S. surveillance measures. (The Wall Street Journal)
— As the number of ransomware attacks targeting K-12 schools grows, so does the amount of sensitive data about students on the dark web. (NBC News)
— Here we go again: Ransomware gang REvil is attacking new victims after coming back online last week. (Bleeping Computer)
— Op-ed: “CISA can’t succeed in the Pentagon’s shadow” (README)
Chat soon.
Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).
Gloss