What a new ruling in a social media case means for cyber agencies

Welcome to The Cybersecurity 202! This is my current favorite internet video. I’ve watched it a double-digit number of times, and I still laugh out loud every single time.


Below: A coalition urges the intelligence community to support surveillance reforms, and a foreign student in Norway faces espionage allegations. First:

Court ruling frees CISA, but leaves FBI with restrictions on countering misinformation and disinformation

An appeals court ruling on whether federal agencies violated the First Amendment in their battle against misinformation and disinformation offers a mixed outcome for agencies with major cybersecurity responsibilities.

On Friday, the U.S. Court of Appeals for the 5th Circuit partially overturned a district court injunction limiting communication with social media platforms for some agencies, such as the Cybersecurity and Infrastructure Security Agency, but not others, namely the FBI. And it rolled back some of the injunction’s restrictions for all of the agencies that were the subject of the lawsuit.

Chris Krebs, the first CISA director who initiated some of the agency’s efforts to counter misinformation and disinformation during the 2020 election and its aftermath, said in a story by my colleagues Cat Zakrzewski and Joseph Menn that he found the ruling “reassuring.”

“As it relates to CISA, this ruling eviscerated the district court decision,” Krebs said.

The difference for the judges, all three appointed by Republicans, was whether the conduct of the agencies (which extend to others beyond cybersecurity-oriented ones) fell under “attempts to coerce” or “attempts to convince.”

The FBI, White House, surgeon general’s office and Centers for Disease Control — as well as some named officials — remain subject to some of the restrictions of the injunction. All of the others are free of those limits.

Previously, a federal judge’s injunction had prohibited contacts between a longer list of defendants and social media companies for 10 specific purposes. The appeals court revoked all of those prohibitions except one, which it altered. 

The original injunction had barred “threatening, pressuring, or coercing social-media companies in any manner to remove, delete, suppress, or reduce posted content of postings containing protected free speech.” But the appeals court wrote that “those terms could also capture otherwise legal speech. So, the injunction’s language must be further tailored to exclusively target illegal conduct and provide the officials with additional guidance or instruction on what behavior is prohibited.”

The modification now prohibits efforts to “coerce or significantly encourage social-media companies to remove, delete, suppress, or reduce, including through altering their algorithms, posted social-media content containing protected free speech.”

Among agencies with major cyber responsibilities, the court reversed the district court’s decision for both CISA and its parent department, Homeland Security — the latter without commentary. That reversal includes some named officials from the injunction, such as CISA Director Jen Easterly.

The judges wrote that CISA flagged content, including “switchboarding” operations where the agency acted as an intermediary for other groups to forward flagged content. And those actions “apparently” led to removal or demotion on social media platforms.

But, the judges said, for CISA and some other defendants, the evidence of coercion wasn’t ample enough.

“Although CISA flagged content for social-media platforms as part of its switchboarding operations, based on this record, its conduct falls on the ‘attempts to convince,’ not ‘attempts to coerce,’ side of the line,” the ruling states. Its further reasoning:

  • “There is not sufficient evidence that CISA made threats of adverse consequences — explicit or implicit — to the platforms for refusing to act on the content it flagged,” it continued. “Nor is there any indication CISA had power over the platforms in any capacity, or that their requests were threatening in tone or manner.”
  • “Similarly, on this record, their requests — although certainly amounting to a non-trivial level of involvement — do not equate to meaningful control,” the ruling reads. “There is no plain evidence that content was actually moderated per CISA’s requests or that any such moderation was done subject to non-independent standards.”

The FBI and some of its officials are still subject to the modified injunction, however. 

“Similar to the White House, Surgeon General, and CDC officials, the FBI regularly met with the platforms, shared ‘strategic information,’ frequently alerted the social media companies to misinformation spreading on their platforms, and monitored their content moderation policies. But, the FBI went beyond that — they urged the platforms to take down content,” it wrote. “In short, when the platforms acted, they did so in response to the FBI’s inherent authority and based on internal policies influenced by FBI officials.”

The court’s reasoning for the FBI was that, although there was no indication of overt threats for failing to comply with takedown requests, a past legal ruling it cited held that a request from a law enforcement officer can be inherently coercive.

More reaction (or the lack thereof)

The FBI declined to comment for Cat and Joseph’s story. CISA declined to comment.

In a statement, a White House spokesperson said the Justice Department was “reviewing” the decision and its options.

  • “This Administration has promoted responsible actions to protect public health, safety, and security when confronted by challenges like a deadly pandemic and foreign attacks on our elections,” the White House official said. “Our consistent view remains that social media platforms have a critical responsibility to take account of the effects their platforms are having on the American people, but make independent choices about the information they present.”

The Justice Department didn’t respond to requests for comment, and it’s not clear whether it plans to appeal the ruling.

Evelyn Douek, assistant professor at Stanford Law, said in Cat and Joseph’s story that the case was a “strong candidate for the Supreme Court to weigh in, given the law isn’t clear, the issues are so important, and courts have come to different conclusions.”

Also in their story, Missouri Attorney General Andrew Bailey hailed the decision as a win.

“The first brick was laid in the wall of separation between tech and state on July 4,” he said in a statement. “Today’s ruling is yet another brick.”

Coalition urges intelligence community to consider surveillance power reforms

A coalition of civil liberties groups met with Avril Haines, the director of national intelligence, and other intelligence officials last week, urging them to support reforms to contentious U.S. surveillance powers that are set to expire at the end of the year.

  • Representatives from Demand Progress, the American Civil Liberties Union, the Project on Government Oversight, the Electronic Privacy Information Center and the Center for Democracy and Technology were among those that attended the meeting.

The spying authority — Section 702 of the Foreign Intelligence Surveillance Act — allows the FBI and National Security Agency to gather electronic data without a traditional warrant based on probable cause when the target is a foreigner overseas and it’s for foreign intelligence purposes. But those intercepted exchanges sometimes include conversations with Americans, raising skeptics’ fears that American communications are warrantlessly swept up in the process.

  • Civil rights groups have also cited legal complaints that allege the intelligence community has misused the spying power in domestic incidents.
  • Intelligence and national security representatives argue the tool is vital to U.S. operations and that information sourced from Section 702 makes up a large chunk of President Biden’s daily briefings.

In a letter, the groups had urged Haines’s agency and other federal intelligence entities to advocate for reforming legal components of the tool as Congress considers whether to reauthorize it before Dec. 31. Those requests include requiring the United States to obtain a warrant before searching contents of Americans’ communications collected by intelligence authorities and increasing government obligations to notify when information collected from the tool is used against a person accused of committing a crime.

  • A White House advisory board in July recommended new restrictions be placed on 702, but argued against the long-standing demand from critics that authorities must seek a warrant before probing certain electronic communications. Meanwhile, key members of Congress say they will not support reauthorization unless significant changes are put in place.

After the meeting, the groups said they “appreciate DNI Haines taking time to hear our serious concerns with warrantless FISA 702 surveillance, but remain deeply distressed that the intelligence community will not commit to any of the meaningful reforms that are critical to protect Americans’ privacy.” They added that there “simply isn’t a path to reauthorization built on half-measures, window dressing, and codification of internal procedures that have repeatedly failed to protect Americans’ civil rights and civil liberties.”

The Office of the Director of National Intelligence confirmed the meeting and said in a statement to The Cybersecurity 202 that it “appreciated the opportunity to listen to the meaningful perspectives of representatives from non-governmental organizations and looks forward to continued engagement with interested parties on key civil liberties and privacy topics related to national security.”

Foreign student in Norway arrested for alleged espionage, eavesdropping

A 25-year-old foreign student in Norway was arrested late last week on suspicion of espionage and eavesdropping through various devices, the Associated Press reports. 

  • “Norway’s domestic security agency, known by its acronym PST, told Norwegian media that the man, who was arrested on Friday, was charged in court on Sunday with espionage and intelligence operations against the Nordic country,” according to the report.
  • The man pleaded not guilty, and authorities have not disclosed his nationality, the report adds. He is a student but is “not enrolled at any educational institution in Norway,” according to the AP, which adds he has been living in the country for only a short amount of time. PST is also investigating several of the man’s electronic devices.
  • “Citing the arrest order, [Norwegian public broadcaster] NRK said the suspect had allegedly been caught conducting illegal signal surveillance in a rental car near the Norwegian prime minister’s office and the defense ministry,” the AP reported.

“We don’t quite know what we’re facing. We are in a critical, initial and vulnerable phase of the investigation,” PST lawyer Thomas Blom told NRK. “[The suspect] is charged with using technical installations for illegal signal intelligence,” Blom added.

Officials have suggested he was not operating alone. He is being held in custody for four weeks and is not permitted to receive mail or visits. 

PST in previous assessments has “singled out” North Korea, Russia and China as nations that pose a significant intelligence threat to Norway, according to the outlet. 

White House rejects congressional request for post-cyberattack economic plan

The Biden administration found that a plan sought by Congress for preventing economic catastrophe caused by a major cyberattack or other disasters could be duplicative and cause confusion, the Messenger’s Eric Geller reports.

The Cybersecurity and Infrastructure Security Agency report said “lawmakers’ requirements for a ‘continuity of the economy’ (COTE) plan ‘are addressed through existing authorities, policies, plans, and frameworks,’ and if the government created a new plan focused just on economic resilience, it might ‘create confusion and duplicate existing response and recovery mechanisms,’” Geller writes.

  • The report could upset lawmakers who have begged the executive branch to craft a national economic strategy in the event of a crippling cyberattack.

Congress had previously given the administration a two-year window to develop the plan, which was inspired by a 2020 report from the first iteration of the Cyberspace Solarium Commission. The fiscal 2021 national defense bill baked that continuity plan into its directives, granting CISA $200,000 to put the crisis blueprint together.

  • “The Biden Administration did not create this problem, but after 30 months in office they own it, and in this report they have missed a great opportunity to address the economic resilience and recovery challenge,” Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and former executive of CSC, told the outlet.
  • The White House “has no plan for how to work with the private sector” on economic resilience planning, Montgomery added. 

The Messenger adds that the CISA report “also looks at each of the specific elements of the COTE plan that Congress wanted and recommends steps that agencies should take to incorporate those elements into existing work. These include developing plans for the ‘methods and timing’ of the restoration of specific industrial equipment after an incident, as well as identifying backup sources of critical raw materials should a crisis disrupt U.S. supply chains.”

Cybersecurity consultant John Breth asked the cyber community for unpopular opinions about their industry. The original newsletter embedded responses from Google security executive Heather Adkins, CrowdStrike R&D consultant Jack Halon and privacy lawyer Whitney Merrill.

State Department looks to satellite communications for emergencies in embassies around the world (FedScoop)

Amid shutdown anxiety, federal agencies are running up against an IT security deadline (Nextgov/FCW)

Pretrial-palooza underway for Trump (Perry Stein and Devlin Barrett)

Elon Musk’s X Corp sues California to undo content moderation law (Reuters)

Blinken says Musk’s Starlink should keep giving Ukraine full use (Bloomberg News)

Influx of Russian fraudsters gives Turkish cyber crime hub new lease of life (Financial Times)

Who pulled off a $41M online casino heist? North Korea, FBI says. (Motherboard)

Polish Senate says use of government spyware is illegal in the country (TechCrunch)

How Saudis quietly built influence at Spain’s Telefonica (Reuters)

G-20 broadens debate on AI risks and mulls global oversight (Bloomberg News)

Associated Press warns that AP Stylebook data breach led to phishing attack (Bleeping Computer)

U.S. org worker infected with new Pegasus vector; Apple releases security patch (Haaretz)

Massive DDoS attack on U.S. financial company thwarted by cyber firm (The Record)

VPNs, Verizon, and Instagram Reels: how students are getting around the TikTok ban (The Verge)

Chrome has new privacy settings. Here’s what to change now (Heather Kelly)

Your Gmail and Instagram are training AI. There’s little you can do about it. (Geoffrey A. Fowler)

Meta Platforms must face medical privacy class action (Reuters)

Carmakers can collect — and sell — too much data about you, watchdog says (Andrew Jeong)

  • The House Homeland Security Committee holds a field hearing on emerging national security threats in New York City tomorrow at 9:15 a.m.
  • Our Early 202 colleague Leigh Ann Caldwell interviews Senate AI Caucus leaders Martin Heinrich (D-N.M.) and Mike Rounds (R-S.D.) for a Washington Post Live event on congressional AI regulation efforts tomorrow at noon.
  • The Center for Strategic and International Studies convenes a discussion on cybersecurity preparedness exercises tomorrow at 1 p.m.
  • The Hudson Institute holds a discussion on quantum computing and U.S.-Japan relations tomorrow at 3 p.m.

Thanks for reading. See you tomorrow.

