Cyber Week in Review: April 26, 2024
from Net Politics and Digital and Cyberspace Policy Program

Biden signs FISA reforms; House passes bill to ban government from buying bulk data; Biden signs TikTok ban; Chinese government orders Meta-owned apps removed from App Store; UnitedHealth Group provides update on ransomware attack.
TikTok logo is placed on the U.S. and Chinese flags in this illustration. Dado Ruvic/Reuters

President Biden signs “Reforming Intelligence and Securing America Act” into law

On Saturday, President Biden signed H.R.7888, the “Reforming Intelligence and Securing America Act,” into law, modifying Title VII of the Foreign Intelligence Surveillance Act and extending it by two years. President Biden signed it shortly after the Senate passed it with a vote of sixty to thirty-four. The law allows intelligence agencies to collect “targeted surveillance” data without a warrant on non-U.S. citizens abroad communicating with U.S. citizens in the United States. Supporters argue that the bill is critical to protecting national security, with National Security Advisor Jake Sullivan stating that the act would enhance “safeguards for privacy and civil liberties through the most robust set of reforms ever included in legislation to reauthorize Section 702.” However, critics of the bill have alleged that it is misused to conduct surveillance on American citizens through so-called “backdoor” searches. A 2023 report from the Foreign Intelligence Surveillance Court found that the FBI “used the tool nearly 300,000 times between 2020 and early 2021,” including by collecting information on Jan. 6 rioters and Black Lives Matter protesters. Some lawmakers have been reluctant to pass the bill without significant reforms; both conservative and progressive senators were defeated in a last-minute attempt to add six amendments to the bill, which, had they passed, would have sent the bill back to the House for further consideration.

House of Representatives passes the Fourth Amendment Is Not For Sale Act

The House of Representatives voted 219 to 199 to pass the Fourth Amendment Is Not For Sale Act, which would prohibit government agencies from accessing or purchasing American data collected from data brokers. The bill–first introduced in 2021–would require agencies to obtain a warrant to search data they buy. The law would restrict federal agencies’ capacity to buy and evaluate bulk data on Americans, including agencies such as the Internal Revenue Service, the Department of Defense, and the Centers for Disease Control and Prevention (CDC). The CDC had previously paid $420,000 to track millions of Americans’ cellphone data to monitor compliance with COVID-19 lockdown regulations, and then-National Security Agency Director Paul Nakasone admitted in January that the NSA has purchased bulk data on Americans as well. This bill follows a November 2023 Duke report that outlined how data brokers sold sensitive health and financial data on U.S. military members, and how that information could be used to identify and potentially coerce service members. The Biden administration has staunchly opposed the bill’s passage, indicating that President Biden has serious concerns about the law’s effect on national security, and would not sign it into law if it passes the Senate.

President Biden passes defense bill that requires TikTok to divest from ByteDance

President Biden signed a $95 billion foreign aid bill into law on Wednesday, allocating aid to Ukraine, Israel, and Taiwan and also codifying the Protecting Americans’ Data from Foreign Adversaries Act, banning data brokers from transferring certain kinds of sensitive data on United States individuals to foreign adversaries. The bill also incorporates a standalone bill that passed the House in March, which would force TikTok owner ByteDance to divest its ownership from TikTok within 270 days or see the app banned in the United States. The United States has not publicly released evidence that the Chinese government has manipulated TikTok’s algorithms or gathered data from the app; however, proponents of the bill claim that without ByteDance’s divestment from TikTok, Chinese authorities could access Americans’ personal data or manipulate Americans by suppressing specific content on the platform. Critics of the bill believe that banning TikTok would curb youth voter outreach in the upcoming November presidential election and that it infringes on free speech by limiting information accessibility. TikTok said on X that the bill’s passage will “trample the free speech rights of 170 million Americans, devastate 7 million businesses, and shutter a platform that contributes $24 billion to the U.S. economy annually.” TikTok also said it intends to sue over the potential ban, citing First Amendment violations and claiming the ban creates a precedent for government control over digital platforms in the United States. Additionally, critics of the bill’s passage argue that it is hypocritical for the Biden campaign to continue to utilize the app to campaign in the 2024 presidential election while the administration signed a bill banning it.

Chinese Government Orders Apple to remove Meta-owned apps from its App Store

Apple has removed Meta platforms WhatsApp and Threads from its App Store in China to comply with an earlier order from the Cyberspace Administration of China that mandated their removal. Though the government claimed that the apps’ services pose national security threats, it remains unclear why the government is taking action at this moment. Telegram and Signal, both end-to-end encrypted messaging apps, were also removed from the App Store in China alongside Meta’s apps, although Signal was already blocked in China by the country’s Great Firewall. In response to the removals, Apple stated that it is “obligated to follow the laws in the countries where we operate, even when we disagree.”

UnitedHealth Group announces updates on February ALPHV cyberattack

UnitedHealth Group announced updates on the February ransomware attack by the Russian-backed ransomware group ALPHV, also known as BlackCat, on its subsidiary, Change Healthcare. Change Healthcare processes about fifty percent of U.S. medical claims. In the recent update, the company found twenty-two screenshots of compromised files on the dark web posted by a hacking group called Ransomhub, which revealed that BlackCat had given them at least some of the hacked data containing personal health and personally identifiable information. UnitedHealth CEO Andrew Witty also stated that the company paid a ransom as “part of the company's commitment to do all it could to protect patient data from disclosure.” Though UnitedHealth Group did not say how much it paid in ransom, multiple media sources have stated that UnitedHealth paid $22 million in Bitcoin to BlackCat. The company has stated that there is no evidence hackers stole doctors’ charts or full medical histories, but BlackCat announced that it obtained eight terabytes of stolen data, including patients’ medical histories. Change Healthcare acknowledged the size of the breach, and said it was likely that a “substantial portion” of the U.S. population had their health data stolen.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.