Hillicon Valley — US blacklists groups tied to cybersurveillance
Today is Wednesday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley.
The Commerce Department took steps Wednesday to crack down on a major Israeli surveillance group whose tools have been used by foreign governments to target dissidents, with the agency blacklisting NSO Group and three other companies.
Meanwhile, federal agencies were ordered to patch almost 300 vulnerabilities within the next six months, and Google is eying a cloud computing contract at the Defense Department.
Let’s jump in.
Commerce cracks down on spyware
The Commerce Department on Wednesday added four organizations linked to cyber surveillance operations, including the Israeli company NSO Group, to its “entity list,” effectively blacklisting them.
Also listed were the Israeli group Candiru, Russian group Positive Technologies and Singapore’s Computer Security Initiative Consultancy, all due to concerns around malicious cyber activity.
Major surveillance group: NSO Group and Candiru are alleged by the Commerce Department to have developed spyware programs and sold them to foreign governments to enable surveillance of dissidents, journalists, academics and others.
Positive Technologies and the Computer Security Initiative Consultancy are alleged to have sold cyber tools that enabled systems to be compromised without the victim’s permission, further enabling surveillance.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” Commerce Secretary Gina Raimondo said in a statement Wednesday.
Long history of allegations: NSO Group has been a key focus of concerns. The company was accused by WhatsApp in 2019 of allowing its spyware to be used to target government officials, and Reuters reported last year that the FBI was investigating the use of the group’s spyware against U.S. companies and officials.
Time to pay government IT workers overtime
The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday ordered all federal agencies to immediately begin work on patching hundreds of cyber vulnerabilities, warning that malicious actors are continuing to target U.S. critical infrastructure.
The new binding operational directive outlines almost 300 vulnerabilities — 200 from between 2017 and 2020 and 90 from 2021 — that federal agencies must work to patch. They are included in a catalog that will be updated as more critical vulnerabilities are discovered.
Agencies have six months to patch vulnerabilities discovered prior to 2021, and two weeks to patch those discovered this year, though the order noted that these timelines could be sped up “in the case of grave risk to the Federal Enterprise.”
The order also requires that federal agencies update and establish a process for addressing the vulnerabilities, and that they submit reports on the status of patching.
(MORE) WORKPLACE ALLEGATIONS AT APPLE
A former Apple employee filed a charge with the National Labor Relations Board (NLRB) alleging that she was retaliated against for advocating for better workplace conditions.
Janneke Parrish, who was a product manager on Apple Maps, alleged in her complaint that Apple fired her “in attempt to nip-in-the-bud the successful organizing campaign that Parrish and her coworkers established to address and redress employees’ workplace concerns,” The Washington Post reported.
“No one is above the law. Not individuals. Not giant tech companies,” Parrish said on Twitter about the complaint. “We need to hold companies accountable for their actions.”
MORE SHAKEUPS AT BLIZZARD
A co-leader of gaming company Blizzard Entertainment, Jen Oneal, will be stepping down after just three months in the top position, the company said Tuesday.
The shakeup comes as Blizzard, the company behind popular games such as World of Warcraft and Overwatch, grapples with ongoing fallout over allegations that it fostered a workplace culture that subjected women to sexual harassment and lower pay than male peers.
“Jen Oneal will be stepping away from her leadership duties at Blizzard to dedicate her time to one of her greatest passions — bringing greater diversity and equity to the gaming industry,” Blizzard President and COO Daniel Alegre said in a statement.
Blizzard announced that in Oneal’s honor it will be making a $1 million grant to Women in Games International, an organization where Oneal sits on the board.
Mike Ybarra, who became co-lead at the same time as Oneal, will take over Oneal’s responsibilities, according to the announcement.
Pursuing the Pentagon
Google is reportedly pursuing a cloud computing contract with the Defense Department after the Pentagon and Microsoft severed ties over the summer.
The New York Times reported on Wednesday that the Pentagon is looking to resurrect its cloud computing project, which is posing an opportunity for Google to enter the bidding war to work with the military. Four people familiar with the matter told the newspaper that Google is now working to create a proposal to pitch to Defense officials.
Google’s cloud unit announced an emergency “Code Yellow” in September for the Pentagon proposal, two sources told the Times, which allows the company to transfer engineers from other assignments to the military endeavor.
A DASH MORE SECURITY
DoorDash announced on Wednesday it is adding new security features in an effort to protect drivers, who have been targeted in multiple violent attacks this year.
The San Francisco-based company said on Wednesday it is partnering with security company ADT on the new features, which will be available to drivers by the end of 2021.
Using the new system, drivers who feel unsafe can contact an ADT agent using a button on the company’s app. The agent will stay on the line until the driver feels comfortable. If the driver drops the connection, ADT will then call 911.
BITS AND PIECES
An op-ed to chew on: Remote control: Who’s in charge of your media life?
Lighter click: Works every time
Notable links from around the web:
Satellites Could Help Track if Nations Keep Their Carbon Pledges (The New York Times / Henry Fountain)
Facebook skirts Apple’s App Store fees with custom subscription links for creators (The Verge / Alex Heath)
New NYC Mayor Eric Adams Wants the City to Have Its Own Cryptocurrency (Motherboard / Edward Ongweso Jr)
One last thing: Small steps from Russia
White House National Cyber Director Chris Inglis testified on Capitol Hill Wednesday that there had been a “decrease” in the number of cyberattacks against U.S. companies traced back to Russia, but stressed that the reason was not clear.
“We have seen a discernible decrease. It’s too soon to tell whether that is because of the material efforts undertaken by the Russians or the Russian leadership,” Inglis said during a House Homeland Security Committee hearing. “It may well be that the transgressors in this space have simply lain low in understanding that this is for the moment a very hot time for them, and we need to ensure that that continues to be the case.”
Inglis, the nation’s first national cyber director, said that while this is encouraging progress, more work is needed to help cut down on malicious Russian-linked attacks.
“I think in the longer term, we will be able to measure in a qualitative and a quantitative fashion what the diminishment of those efforts are,” Inglis testified. “For the moment, I think it’s too soon to tell, we therefore need to ensure that our strategy is solidified and brought to bear.”