One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Big Tech Says Spy Bill Turns Its Workers Into Informants

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Hackers Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities

A cybercriminal gang called RansomHub claims to be selling highly sensitive patient information stolen from Change Healthcare following a ransomware attack by another group in February.

Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.

“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.

The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.

The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.

Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.

The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.

Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.

RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.

Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.

Most firms whose data RansomHub claims to possess did not immediately respond to WIRED's request for comment.

Mike DeAngelis, the executive director of corporate communications for CVS Health says the company is “aware of unsubstantiated claims from threat actors that confidential data, including personal information of patients and members belonging to multiple organizations, was accessed as part of Change Healthcare’s cyber security incident.”

“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”

Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”

Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.

Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.

At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.

A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.

_Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess._

Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse

A controversial bill reauthorizing the Section 702 spy program may force whole new categories of businesses to eavesdrop on the US government’s behalf, including on fellow Americans.

The United States Senate is poised to vote on legislation this week that, for the next two years at least, could dramatically expand the number of businesses that the US government can force to eavesdrop on Americans without a warrant.

Some of the nation’s top legal experts on a controversial US spy program argue that the legislation, known as the Reforming Intelligence and Securing America Act (RISAA), would enhance the US government’s spy powers, forcing a variety of new businesses to secretly eavesdrop on Americans’ overseas calls, texts, and email messages.

Those experts include a handful of attorneys who’ve had the rare opportunity to appear before the US government’s secret surveillance court.

The Section 702 program, authorized under the Foreign Intelligence Surveillance Act, or FISA, was established more than a decade ago to legalize the government’s practice of forcing major telecommunications companies to eavesdrop on overseas calls in the wake of the September 11, 2001, terrorist attacks.

On the one hand, the government claims that the program is designed to exclusively target foreign citizens who are physically located abroad; on the other, the government has fiercely defended its ability to access wiretaps of Americans' emails and phone conversations, often years after the fact and in cases unrelated to the reasons the wiretaps were ordered in the first place.

The 702 program works by compelling the cooperation of US businesses defined by the government as “electronic communications service providers”—traditionally phone and email providers such as AT&T and Google. Members of the House Intelligence Committee, whose leaders today largely serve as lobbyists for the US intelligence community in Congress, have been working to expand the definition of that term, enabling the government to force new categories of businesses to eavesdrop on the government’s behalf.

Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, wrote last week that the RISAA legislation expands the definition of “electronic communications service provider” (ECSR) to include data centers and commercial landlords—businesses, he says, that “merely have access to communications equipment in their physical space.” According to Zwillinger, RISAA may also ensnare anyone “with access to such facilities and equipment, including delivery personnel, cleaning contractors, and utilities providers.”

Zwillinger had earlier criticized the ECSR language this year, leading House lawmakers to amend the text to explicitly exclude certain types of businesses, including hotels.

Zwillinger noted in response that the need for those exclusions is proof enough that the text is overly broad; an exception that merely serves to prove that the rule exists: “The breadth of the new definition is obvious from the fact that the drafters felt compelled to exclude such ordinary places such as senior centers, hotels, and coffee shops,” he wrote. “But for these specific exceptions, the scope of the new definition would cover them—and scores of businesses that did not receive a specific exemption remain within its purview.”

This analysis quickly flooded inboxes on Capitol Hill last week, with some Hill staffers and privacy experts quietly dubbing the ECSR language the “Stasi amendment,” a reference to the East German secret police force notorious for infiltrating industry and forcing German citizens to spy on one another.

Digital rights groups have pointed to Zwillinger’s assessment while lobbying US senators this week to vote against the RISAA. “While the Department of Justice wants us to believe that this is simply about addressing data centers, that is no justification for exposing cleaning crews, security guards, and untold scores of other Americans to secret Section 702 directives,” says Sean Vitka, policy director at Demand Progress, which has taken to calling the ECSR text the “Make Everyone A Spy provision.”

In an interview with _The New York Times_ on Tuesday, Jim Himes, a Democrat from Connecticut, decried comparisons between the ECSR text and the East German secret police, saying critics of the provision were “massively exaggerating” the 702 program's domestic reach.

The Senate is expected to vote on RISAA on Wednesday, though a few procedural hurdles remain. A two-thirds majority vote will be needed to get the bill to the floor, and another two-thirds majority is required to prevent privacy defenders from filibustering the bill. Once those hurdles are cleared, however, a simple majority is needed to send the FISA reauthorization bill to the White House.

There is almost zero chance of US president Joe Biden rejecting the bill. The administration has spent months sending top lieutenants to the Hill to champion its cause. Biden’s support for the 702 program stands in stark contrast to the views of his campaign rival, former president Donald Trump, who last week commanded his supporters in Congress to “KILL FISA.”

Ron Wyden, the senior US senator from Oregon, argues that RISAA represents “one of the most dramatic and terrifying expansions of government surveillance authority in history.” A leading privacy hawk in Congress, Wyden joined the Senate Intelligence Committee just prior to the 9/11 attacks and has served for more than two decades.

The US House of Representatives passed RISAA last week in a 273–147 vote. An amendment aimed at requiring the Federal Bureau of Investigation to obtain search warrants before accessing wiretaps on US citizens was rejected after a vote on the amendment ended in a tie.

Members of the House Intelligence Community allied with the Biden White House and its spy agencies to defeat the amendment in what multiple House sources referred to as a “campaign of fear.” An hour before the vote on Friday, Himes openly threatened US lawmakers supporting the warrant requirement, claiming that if it passed, he’d ensure those lawmakers face the brunt of the blame in the wake of any future terrorist attacks.

“If we turn off the ability of the government to query US person data, the consequences will be known soon,” Himes said. “And we will audit why what happened happened. And accountability will be visited.”

For years, the US government has claimed that it would be impossible to estimate the number of Americans who are being eavesdropped on under Section 702. While statistics on the program are difficult to come by, it is known to have captured hundreds of millions of individual calls, texts, and emails while in the process of targeting only a few million individuals. (The FBI claims that, following a series of recent internal reforms, the 702 program now targets fewer than 300,000 individuals per year.)

While Section 702 is hailed as a powerful tool against terrorism, cybercrime, and drug trafficking, US spy agencies are likewise authorized to target foreigners on the basis that they’re believed to receive or possess “foreign intelligence information,” an ambiguous term legal experts argue could extend to a virtually unlimited number of activities with any number of tenuous ties to “foreign affairs.”

While attempting to paint the program as merely a threat to Americans who communicate with Hamas, ISIS, or other designated terrorist groups, House Intelligence Committee chairman Mike Turner did little to reject claims last week that the 702 program can also be aimed at foreign dignitaries and politicians of allied European nations. Notably, the US does not recognize any foreign citizen abroad as having privacy rights, and US spy agencies may freely target them without congressional approval. The 702 program exists because the government relies on US businesses to implement its wiretaps and ensnares Americans’ communications in the process.

Much of the criticism aimed at the 702 program stems from revelations in a declassified court filing last year that describes rampant abuse by agents of the FBI, which is known to have scoured the wiretap database for information on tens of thousands of American protesters, journalists, political donors, and at least one sitting member of Congress.

The FBI has implemented a number of internal policies in recent years designed to limit lower-ranking FBI employees from unilaterally authorizing searches that target Americans—reforms that Turner and other spy agency surrogates claim are sufficient to stave off future abuse.

The program’s critics, meanwhile, say relying on the FBI to internally police itself is a mistake, pointing to decades of surveillance abuses and political intelligence gathering carried out in clear violation of US law.

US Senate to Vote on a Wiretap Bill That Critics Call ‘Stasi-Like’

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company.

Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyberdefense.

That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.”

Microsoft’s almost untouchable position is the result of several intermingling factors. It is by far the US government’s most important technology supplier, powering computers, document drafting, and email conversations everywhere from the Pentagon to the State Department to the FBI. It is a critical partner in the government’s cyberdefense initiatives, with almost unparalleled insights about hackers’ activities and sweeping capabilities to disrupt their operations. And its executives and lobbyists have relentlessly marketed the company as a leading force for a digitally safer world.

These enviable advantages help explain why senior government officials have refused to criticize Microsoft even as Russian and Chinese government-linked hackers have repeatedly breached the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors.

These people—some of whom requested anonymity to candidly discuss the US government and their industry’s undisputed behemoth—argue that the government’s relationship with Microsoft is crippling Washington’s ability to fend off major cyberattacks that jeopardize sensitive data and threaten vital services. To hear them tell it, Microsoft is overdue for oversight.

**A History of Breaches and Controversy**

Microsoft has a long track record of security breaches, but the past few years have been particularly bad for the company.

In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to hack the company’s customers, later releasing the flaws publicly to spark a feeding frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some Microsoft senior executives, cyber experts, and lawyers. Last month, the company said that attack also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies, and issued an emergency directive warning agencies whose emails were exposed to look for signs that the Russian hackers were attempting to use login credentials contained in those emails.

These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. As by far the biggest technology provider for the US government, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep up with evolving challenges.

Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.”

The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.

The recent breaches reveal Microsoft’s failure to implement basic security defenses, according to multiple experts.

Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russians’ ability to jump from a testing environment to a production environment. “That should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to snoop on multiple agencies’ communications through one intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single sign-in key.

“You don't hear about these types of breaches coming out of other cloud service providers,” Meyers says.

According to the CSRB report, Microsoft has “not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape.”

In response to written questions, Microsoft tells WIRED that it’s aggressively improving its security to address recent incidents.

“We are committed to adapting to the evolving threat landscape and partnering across industry and government to defend against these growing and sophisticated global threats,” says Steve Faehl, chief technology officer for Microsoft’s federal security business.

As part of its Secure Future Initiative launched in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuses of employee accounts, begun scanning for more types of sensitive information in network traffic, reduced the access granted by individual authentication keys, and created new authorization requirements for employees seeking to create company accounts.

Microsoft has also redeployed “thousands of engineers” to improve its products and has begun convening senior executives for status updates at least twice weekly, Faehl says.

The new initiative represents Microsoft’s “roadmap and commitments to answer much of what the CSRB report called out as priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We very much disagree with this characterization,” Faehl says, “though we do agree that we haven’t been perfect and have work to do.”

**A Security Revenue ‘Addiction’**

Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.

“Microsoft has shifted to looking at cybersecurity as something that's meant to generate revenue for them,” says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to this revenue “has seriously warped their product design decisions.”

These tensions exploded into the open in early 2021, as Congress and the new Biden administration scrambled to understand Russia’s far-reaching SolarWinds hacking campaign.

After breaching government networks through SolarWinds software, Moscow’s operatives fooled Microsoft’s cloud platform into granting them expansive access. Because most agencies weren’t paying for Microsoft’s premium service tier, they didn’t have the network activity logs necessary to detect these intrusions. Lawmakers were outraged that Microsoft was charging the government extra for such a basic feature, and Biden administration officials spent the next two and a half years privately urging Microsoft to make log data free for all customers. Microsoft finally agreed to do so last July—eight days after announcing yet another major hack, this one discovered by an agency paying for log data.

Microsoft won’t say if it plans to make other premium security features free for all of its customers. “We continue to raise the built-in security of our products and services to benefit customers,” Faehl says.

Asked about experts’ arguments that Microsoft’s strategy of profiting off of cybersecurity is incompatible with a security-first mindset, Faehl says, “We would disagree with that characterization.”

**A System That’s Everywhere**

Microsoft’s dominance has prompted concerns that it represents a single point of failure, concentrating America’s technology dependence in such a way that hackers could easily sabotage essential services by targeting one company’s products.

Few services better illustrate the government’s overwhelming dependence on Microsoft—and an area where some experts say a more diversified approach would be safer—than email. A former US cybersecurity official who works at one of Microsoft’s competitors predicts that an attack crippling Microsoft’s email platform would significantly reduce the government’s ability to operate.

Warnings about a Microsoft “monoculture” date back two decades, but the idea is now attracting new attention from policymakers.

“The US government’s dependence on Microsoft poses a serious threat to US national security,” says US senator Ron Wyden. “The government is effectively stuck with the company’s products, despite multiple serious breaches of US government systems by foreign hackers caused by the company’s negligence.”

Last Monday, Wyden announced draft legislation that would set a four-year deadline for the federal government to stop buying collaboration technology like Microsoft Office that critics say doesn’t integrate well with competing services.

Reducing the government’s reliance on a single vendor wouldn’t just benefit the government, experts say. It would also spread the attack risk across more companies, taking some of the pressure off of Microsoft to protect such a vast portfolio of systems. The giant target on Microsoft’s back makes it a magnet for cybercriminals and government hackers, which helps explain its outsize number of breaches.

The government’s reliance on Microsoft also entrenches a sense of familiarity with its products that cements its places in federal networks. While some agencies are exploring alternatives to Microsoft, most of them are sticking with what they know—largely because it’s easier than switching to an alternative platform, the former cyber official says.

Microsoft denies making it difficult for customers to switch to or incorporate competitors’ products. “Our competitors often stoke subjective complaints about ‘compatibility,’” Faehl says, but “we hear this more from the vendors of some third-party products” than from customers trying to use them.

Regardless, experts say, the upshot is clear: The government is dependent on Microsoft, robbing it of the leverage needed to push back on the company’s practices.

**Working the Refs**

Microsoft isn’t counting on its market dominance alone to defang government oversight. Since its antitrust battles with the government in the 1990s, the company has crafted a sophisticated public policy strategy that combines earnest calls to protect cyberspace with omnipresent participation in government initiatives.

“Microsoft is by far the slickest operation out there in tech when it comes to these issues,” says Andrew Grotto, a former senior White House cyber official who now leads Stanford University’s Program on Geopolitics, Technology, and Governance and consults for some of Microsoft’s competitors. “They learned this lesson 25 years ago and have been applying it ever since.”

Microsoft’s threat intelligence team, which knows more about malicious cyber activity than virtually any other company and most governments, regularly publishes research about cyber threats and collaborates with law enforcement on operations to dismantle hackers’ infrastructure. The company also helps fund groups like the CyberPeace Institute, which advocates for a safer internet and helps defend nongovernment organizations from hackers. And it has positioned itself as a helpful partner to policymakers who want to take on cyber issues but don’t know where to start, sometimes providing lawmakers with draft legislative language.

With its market dominance and political savvy, Microsoft has ensured that officials almost never publicly criticize it, experts say.

“The government's uncomfortable saying bad things about Microsoft because they're fully committed to them,” says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank.

The Biden administration has spoken grandly about wielding the government’s formidable contracting power to force companies to improve their security. But with Microsoft, that leverage is nonexistent, experts say. “There is no realistic chance that the government will wholesale cancel its contracts with Microsoft,” Paul Rosenzweig, a cyber consultant and former DHS policy official, says in an email.

Microsoft disputes this argument. “The idea that the government is too dependent on Microsoft is at odds with reality,” Faehl says.

The government’s lack of leverage means federal officials never use the kind of blunt language found in the CSRB report when discussing Microsoft, even when they insist on speaking to reporters anonymously. The result is a remarkable display of government deference to Microsoft.

After Chinese hackers broke into government email systems and eluded agencies not paying for Microsoft’s premium security features, a senior official at CISA acknowledged that Microsoft’s business model was “not yielding the sort of security outcomes that we seek,” but they declined to directly rebuke Microsoft, instead sticking to talking points about productive conversations with the company.

In fact, despite Microsoft’s yearslong defiance of CISA’s high-profile push for companies to be “secure by design,” CISA has steadfastly refused to criticize Microsoft’s failures. When Microsoft finally bowed to pressure and made logs free last July, CISA director Jen Easterly said she was “extremely pleased with Microsoft’s decision.”

The former cyber official finds the government’s meekness remarkable. “When their own emails are stolen, they don’t seem to push back on the vendor who is the cause of that.”

The White House’s National Security Council declined to comment for this story. In a statement, Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency “has a robust partnership with Microsoft and will continue to collaborate in many areas,” while also continuing to “impress upon all technology companies the urgency of developing products that are secure by design so that consumers can trust the safety and integrity of the technology that they use every day.”

Microsoft’s Faehl says his company is “committed to secure by design and secure by default.”

**Forcing Change**

The CSRB report on Microsoft’s cloud breach calls for dramatic changes to the company’s security culture. According to many experts, it’s time for the government to find its spine and compel those changes.

“Big, powerful companies in general don’t change their behavior unless they’re incentivized to do so,” Stanford University’s Grotto says.

The CSRB report recommends tough new requirements for cloud providers like Microsoft, including periodic security reviews after they receive federal contracts. Experts say those requirements could shift corporate incentives in favor of better security.

Microsoft seems to realize that its recent breaches have sparked a public relations crisis. “We expect and welcome fair scrutiny,” says Faehl. “As an industry leader we must be accountable for the security of our products and services.”

At the same time, he says, Microsoft “wouldn’t mind seeing some scrutiny” of its competitors who “seek to sow fear, uncertainty and doubt about our position as a way to seek advantage for their own products.”

Taking on Microsoft would also be a way for the Biden administration to live up to the principles in its National Cybersecurity Strategy, which prioritizes shifting the burden of cybersecurity onto large, well-resourced tech vendors. “They make the point … that this balance needs to shift,” Grotto says. “The question now is, ‘Okay, what does administration do with that diagnosis?’”

There are signs that the administration is heeding this advice. During a briefing with reporters on Thursday about the possibility that Russian operatives stole government secrets through their latest Microsoft hack, Goldstein said that CISA and other agencies are “are working closely with Microsoft, in alignment with the recommendations of the Cyber Safety Review Board, to drive further progress in Microsoft’s improvement plans with their broader security culture and enterprise.”

In the meantime, experts say, the status quo allows Microsoft to shirk responsibility for problems that it is uniquely capable of resolving.

“No harm comes from doing nothing, at least not to these companies,” Guerrero-Saade of SentinelOne says. “And that’s what’s going to destroy us.”

The US Government Has a Microsoft Problem

The Iron Dome, US allies, and long-range interceptor missiles all came into play.

On Saturday, Iran launched more than 300 drones and cruise missiles at Israel, a response to a strike earlier this month against Iran's embassy in Syria. As they made their way to their target, Israel invoked a number of defense systems to impede their progress. That starts with the Iron Dome.

The Iron Dome, operational for well over a decade, comprises at least 10 missile-defense batteries strategically distributed around the country. When radar detects incoming objects, it sends that information back to a command-and-control center, which will track the threat to assess whether it’s a false alarm, and where it might hit if it’s not. The system then fires interceptor missiles at the incoming rockets that seem most likely to hit an inhabited area.

“All of that process was designed for defense against low-flying, fast-moving missiles,” says Iain Boyd, director of the Center for National Security Initiatives at the University of Colorado. Which also makes it well prepared for an onslaught of drones. “A drone is going to be flying probably slower than these rockets,” Boyd says, “so in some ways it’s an easier threat to address.”

Things get more complicated if the drones are flying so low that the radar can’t detect them. The biggest challenge to the Iron Dome, though, is sheer quantity. Israel has hundreds of interceptor missiles at its disposal, but it’s still possible for the Iron Dome to get overwhelmed, as it did on October 7 when Hamas attacked Israel with a barrage of thousands of missiles.

Israel officials say that the Iron Dome and other systems successfully defended against 99 percent of the Iranian drones and missiles, although a 10-year-old boy was reportedly injured by shrapnel from an interceptor.

While the Iron Dome is Israel’s last line of defense, it’s not the only factor that came into play. The UAVs in question are likely Iran-made Shahed-136 drones, which have played a prominent role in Russia’s war against Ukraine. These so-called suicide drones—it has a built-in warhead and is designed to crash into targets—are relatively cheap to produce, which is why Iran was able to send them in such quantity.

“At one level they’re not difficult to take down. They’re not stealthy, they don’t fly very fast, and they don’t maneuver,” says David Ochmanek, senior defense analyst at the nonprofit RAND Corporation. “In some way, they're like airborne targets.”

That slowness and fixed flight path in particular mean the unmanned aerial systems (UAS) had to travel for several hours before they reached their intended destination, leaving ample opportunities to intercept them.

“Because there’s so much indication of warning in advance of the UAS, presumably there’s going to be a lot of fixed-wing, manned aircraft that are looking at these things, tracking these things, and presumably trying to engage these things,” says Tom Karako, director of the Missile Defense Project at the Center for Strategic and International Studies, a policy think tank.

Some of that work fell to the US military; CNN reports that forces in the region intercepted more than 70 drones and “at least three” ballistic missiles. The UK said it also provided backup for US planes that had been diverted from their existing missions, and that it would intercept UAVs as well.

That doesn't mean, though, that these drones should be taken lightly. “They have high-explosive warheads of several hundred pounds. If one hits a building, it'll destroy that building,” says Ochmanek. “The other thing is, they fly low. If you have a ground-based radar, they don't break the horizon until they're fairly close to the target, so the engagement time is limited.”

Israel’s further-reaching defense systems also came into play. The country’s Arrow 3 antiballistic missiles can intercept exo-atmospheric targets—that is to say, in space—while Arrow 2 systems have less range but are still considered extremely effective. Israeli military spokesperson Daniel Hagari credited the Arrow system with taking out most of Iran’s ballistic missiles. There’s also the “David’s Sling” system, which has a much shorter range than Arrow but should prove effective against drone attacks.

Hagari also said that the country would scramble GPS signals as a further effort to disrupt the incoming UAVs.

The question now is whether the tensions will escalate from here, and how Israel’s air defense resources hold up after October 7 and months of sustained attacks on Gaza. “I think that’s probably part of the strategy on the part of Iran, is that the last six months has probably depleted the number of interceptors available to the Iron Dome systems,” says Boyd. “They saw for themselves the effectiveness of the Hamas attack. I think they’re trying to use the same approach.”

In an update Sunday morning local time, Hagari said Israel had intercepted most of the dozens of surface-to-surface missiles Iran had launched thus far, along with more than 10 cruise missiles and dozens of UAVs, all outside of Israel’s territory. Iran has indicated that the attack is over and that it considers the matter settled, but warned against retaliation from Israel.

“Should the Israeli regime commit any military aggression again, Iran's response will assuredly and decisively be stronger, and more resolute,” said Iranian ambassador Amir-Saeid Iravani in a letter to the United Nations.

“What I would be concerned about,” says Karako, “is what we haven’t yet seen.”

_Update 4/13/2024, 9:33 pm ET: Added comment from RAND Corporation's David Ochmanek._

_Update 4/14/2024, 9:00 am ET: Added latest details from the attack and a statement from Iran's UN ambassador._

How Israel Defended Against Iran's Drone and Missile Attack

Two satellites will engage in a “realistic threat response scenario” when Victus Haze gets underway.

The Victus Haze mission is more complicated than Victus Nox, involving two prime contractors, two spacecraft, and two rocket launches from different spaceports, all timed to occur with short timelines "to keep the demonstration as realistic as possible," a Space Force spokesperson told Ars.

"This demonstration will ultimately prepare the United States Space Force to provide future forces to combatant commands to conduct rapid operations in response to adversary on-orbit aggression," Space Systems Command said in a statement.

**Faith in Commercial Space**

"This is a really significant operational demonstration that is really pushing the envelope on technology and demonstrates a lot of faith in the US industrial base," Rogers said.

"Fundamentally, this is about characterizing an unknown capability for the first time in low-Earth orbit," Rogers said in an interview with Ars. "There are a whole host of challenges that come with that, consistent coverage with communications, how do you track a maneuvering object in low-Earth orbit with limited space domain awareness capabilities, what’s the right level of autonomy and human interaction?"

True Anomaly's first two Jackal satellites launched on a SpaceX rideshare mission last month, but the company announced a few weeks later that the two satellites would be unable to complete their planned rendezvous demonstration. This would have been a precursor to the type of activity True Anomaly and Rocket Lab will demonstrate on Victus Haze.

Rogers said his company is working on two more demonstration missions that will fly before Victus Haze.

The military's Defense Innovation Unit awarded $32 million to Rocket Lab for its part of the Victus Haze mission. True Anomaly's contract with SpaceWERX, the innovation arm of the Space Force, is valued at $30 million. True Anomaly is contributing $30 million in private capital to help pay for the mission, bringing the total cost of Victus Haze to approximately $92 million. Space Safari, a division of Space Systems Command, oversees the entire project.

"We recognize the significant opportunity to leverage the commercial space industry’s innovations to counter China as America’s pacing threat," said Colonel Bryon McClain, Space Systems Command's program executive officer for space domain awareness and combat power. "The United States has the most innovative space industry in the world. Victus Haze will demonstrate, under operationally realistic conditions, our ability to respond to irresponsible behavior on orbit."

"Once the build phase is completed the mission will enter several successive phases to include hot standby, activation, alert, and launch phases," the Space Force said. "While this is a coordinated demonstration, each vendor will be given unique launch and mission profiles."

True Anomaly's Jackal satellite, nearly as large as a refrigerator, will launch on a "rapid rideshare" mission from Cape Canaveral Space Force Station in Florida or Vandenberg Space Force Base in California, Space Systems command said. This will most likely be a rideshare launch aboard a SpaceX Falcon 9 rocket. Launching on a rideshare flight comes with different challenges than launching on a dedicated rocket, as the Victus Nox mission did last year.

True Anomaly says it could get its satellite out of storage and integrate it with a rocket in 12 to 84 hours, depending on the flight cadence of the launch provider. After the launch of True Anomaly's Jackal, the Space Force will give Rocket Lab a 24-hour call-up to launch its satellite, similar in size to True Anomaly's spacecraft, on an Electron rocket from New Zealand or from Virginia. Rocket Lab's launch must be precisely timed to allow its satellite to rendezvous with True Anomaly's spacecraft in orbit.

Space Force Is Planning a Military Exercise in Orbit

Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.

A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.

Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.

Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.

That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.

**Apple Notifies Users of Mercenary Spyware Infections**

Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.

**CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails**

April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.

**When a Ransomware Hacker Calls a Victim Company’s Front Desk**

As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of _The Office_.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”

Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”

Roku Breach Hits 567,000 Users

The US House of Representatives voted on Friday to extend the Section 702 spy program. It passed without an amendment that would have required the FBI to obtain a warrant to access Americans’ information.

A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized.

After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community’s spy powers, the House of Representatives voted on Friday to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two years.

Legislation extending the program—controversial for being abused by the government—passed in the House in a 273–147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each with the “compelled assistance” of US communications providers.

The government may strictly target foreigners believed to possess “foreign intelligence information,” but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge’s permission.

The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger—one of the few people to advise the Foreign Intelligence Surveillance Court (FISC)—have publicly warned against.

“Anti-reformers not only are refusing common-sense reforms to FISA, they’re pushing for a major expansion of warrantless spying on Americans,” US senator Ron Wyden tells WIRED. “Their amendment would force your cable guy to be a government spy and assist in monitoring Americans’ communications without a warrant.”

The FBI’s track record of abusing the program kicked off a rare détente last fall between progressive Democrats and pro-Trump Republicans—both bothered equally by the FBI’s targeting of activists, journalists, and a sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would’ve imposed new warrant requirements on federal agencies accessing Americans’ 702 data.

“Many members who tanked this vote have long histories of voting for this specific privacy protection,” says Sean Vitka, policy director at the civil-liberties-focused nonprofit Demand Progress, “including former speaker Pelosi, Representative Lieu, and Representative Neguse.”

The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

“Three million Americans' data was searched in this database of information,” says Representative Jim Jordan, chair of the House Judiciary Committee. “The FBI wasn't even following its own rules when they conducted those searches. That's why we need a warrant.”

Representative Mike Turner, who chairs the House Intelligence Committee, campaigned alongside top spy agency officials for months to defeat the warrant amendment, arguing they’d cost the bureau precious time and impede national security investigations. The communications are legally collected and already in the government's possession, Turner argued; no further approval should be required to inspect them.

“The United States is at its greatest risk of terrorism in more than a decade following the horrific October 7th attack on Israel, and the \[intelligence community\] must focus attention and resources on that threat while continuing to stay ahead of China,” Turner and Jim Himes, the top Democrat on the House Intelligence Committee, said in a joint statement after the vote, adding that 702 remains one of the country's most effective national security tools.

“It allows the United States to counter our adversaries, like China and Russia, thwart potential terrorist attacks from ISIS, Al-Qaeda, Hamas, and Hezbollah, and disrupt international drug cartels who are looking to smuggle fentanyl into our nation,” they said.

The FBI introduced a slate of new internal policies to clamp down on the abuse itself, changes that the Biden administration argues are sufficient to ward off future abuse. Knowingly searching the database for information about Americans requires analysts—who must now submit to annual training sessions—to seek approval from higher up the chain of command than before. Running batch queries targeting Americans’ communications now requires a consultation with a government attorney.

While opposing the search warrants, Turner backed a ban on searches of 702 data for criminal cases that lack any foreign element. While that amendment has been welcomed by members on both sides of the issue, privacy hawks say the ban is not quite the major reform that Turner has proclaimed. Data on the program made public by the FISC suggests the ban will in reality affect less than a handful of cases each year.

Critics of the program say that relying on the FBI to internally police against its own constitutional violations is a tactic that has failed in the past, and that the bureau can no longer be trusted not to spy on Americans without cause.

“Section 702 has been abused under presidents from both political parties, and it has been used to unlawfully surveil the communications of Americans across the political spectrum,” says Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union. “The Senate must add a warrant requirement and rein in this out-of-control government spying.”

Judiciary members had also sought to include an amendment banning the government from buying Americans' geolocation data from private companies. At Turner’s behest, House speaker Mike Johnson killed the amendment earlier in the week.

The US Supreme Court has recognized geolocation data as protected from seizure by the “probable cause” standard. Rather than begin applying for warrants, the government has circumvented the ruling in many cases, buying up GPS data from companies that consumers largely believe are tracking them purely for advertising purposes.

“They’re buying data. That’s what they’re doing,” says Warren Davidson, a Republican congressperson from Ohio. “They’re structuring markets to collect the data and they’re circumventing the Fourth Amendment. We need to turn that off.”

House Votes to Extend—and Expand—a Major US Spy Program

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company's stolen data.

For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a _different_ ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

Change Healthcare didn’t immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don't know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

Notchy’s post suggested that Change Healthcare faced an unprecedented situation: It had allegedly already paid a ransom, yet jilted partners of the gang extorting it still felt they were owed money—and still possessed Change Healthcare’s stolen data. RansomHub tells WIRED it is associated with notchy.

Now, RansomHub has claimed “the data remains with the affiliate,” and AlphV did not directly have the data originally. WIRED could not verify these claims. “For everyone speculating and theorizing on the situation, AlphV stole our share of the payment and performed an exit scam,” a RansomHub representative wrote to WIRED. “AlphV performed the exit scam before we get to the data deletion part.”

Callow says the incident reinforces that cybercriminals can’t be trusted to delete data, even when they are paid. For example, when a global law enforcement operation disrupted the notorious LockBit ransomware group, in February, police said they discovered that the cybercriminals still had data that investigators had paid to be deleted.

“Sometimes they use the undeleted data to extort victims for a second time, and the risk of re-extortion will only increase as law enforcement up their disruption efforts and throw the ransomware ecosystem into chaos,” Callow says. “What were always unpredictable outcomes will now be even more unpredictable.”

Similarly, DiMaggio says victims of ransomware attacks need to learn they can’t trust cybercriminals. “Victims need to understand that paying a criminal who promises to delete their data permanently is a myth,” DiMaggio says. “They are paying to have their data taken off the public side of the ransomware attackers data leak site. They should assume it is never actually deleted.”

UnitedHealth Group’s website says it is continuing to “make progress in mitigating the impact” of the attack and expanding financial assistance to health care providers that have been impacted. However, the attack has sent long-lasting ripples across medical facilities in the United States, demonstrating how disruptive ransomware attacks can be and the difficulties in restoring services. Clinicians and patients alike have been impacted, with extra strain being placed upon medical business owners.

On Wednesday, the American Medical Association said “serious disruptions continue” across physician practices. A survey of AMA members, conducted between March 26 and April 3, found 80 percent of clinicians had lost revenue and many are using their own personal finances to cover a practice’s expenses. Medical practitioners responding to the survey said they were heading toward bankruptcy, were struggling to “manage pain care” for cancer patients, and that procedures had been delayed. “Practices will close because of this incident,” Jesse M. Ehrenfeld, the president of the AMA said in a statement, “and patients will lose access to their physicians.”

In a message to WIRED, the RansomHub contact claims—for whatever the word of a ransomware gang is worth—that they are different from other cybercriminals, and if Change Healthcare pays them, they wouldn’t try to extort it again. “We will delete the data,” they write. “This data is a bomb for us. If we can't get payment, we have no choice but to sell it. Of course, if we can reach an agreement, it will be better to delete the data and throw the bomb away.”

Source

Wired