STRONG REGULATION NEEDED TO PROTECT US FROM META AND FACEBOOK

The harm that Facebook and other social media do to children and youth, our society and politics, and people and countries around the world is well documented. Clearly, the social media companies are far more committed to maximizing profits than they are to minimizing harm.

The harm that Facebook, Meta’s other platforms, and other social media do to children and youth, our society and politics, as well as to people and countries around the world, is well documented. The evidence continues to mount as new whistleblowers emerge and share inside information. Clearly, Meta (and other social media companies) are far more committed to maximizing profits than they are to minimizing harm.

SPECIAL NOTE: Please plan to participate in the next nationwide No Kings Day protest on Sat., Oct. 18. Find an event near you at https://www.mobilize.us/nokings/map/?tag_ids=27849.

(Note: If you find a post too long to read, please just skim the bolded portions. Thanks for reading my blog!)

(Note: Please follow me and get notices of my blog posts on Bluesky at: @jalippitt.bsky.social. Thanks!)

The harm that Facebook, Meta’s other platforms, and other social media do to children and youth is well documented, as this previous post covered. However, the harm to our society and politics, as well as to people and countries around the world, goes well beyond that and is long-standing. (See previous posts from 2022 and 2020 on Facebook’s knowing spread of divisive disinformation and right-wing content.) It’s clear that Meta and other social media companies are far more interested in maximizing profits than in minimizing harms such as spreading misinformation and fostering social division and conflict that sometimes lead to violence.

Meta has been in the news recently because more whistleblowers and former employees have come forward to report (again) that Meta CEO and owner Mark Zuckerberg and other senior Meta executives have repeatedly lied about the negative effects of their platforms and about their knowledge of the harms caused to children, by spreading misinformation, and by fostering social division.

Coincidentally, I just finished reading a book about Facebook, Careless People: A cautionary tale of power, greed, and lost idealism, by Sarah Wynn-Williams, who worked at Facebook from 2011 – 2018. Perhaps her most poignant revelation is that “most leaders at Facebook … severely limit [their] kids’ access to screens, let alone social media accounts. … which only underscores how well these executives understand the real damage their product inflicts on young minds.” (p. 103-104)

Wynn-Williams reports on sexual harassment in the largely male world of Facebook, which senior management ignores (to say the least). She also documents Facebook’s role in:

  • The 2016 Trump campaign, in which Facebook staff were embedded and which some people credit with Trump’s winning the election. (p. 264)
  • The violence and undermining of democracy in Myanmar from 2014 – 2017 due to Facebook’s failure to monitor and moderate content. This culminated in tens of thousands of deaths, untold atrocities, and the slaughter of Muslims and particularly the Rohingya people. The U.N. report on these human rights violations devotes over twenty pages to the role Facebook played in spreading hate. (p. 357-358)
  • Working with the Chinese government on censorship and surveillance to get it to allow Facebook in China. So desperate was Zuckerberg to get into the Chinese market that he gave the Chinese government access to user data that he had refused to give to other governments and that Facebook “aggressively fought against providing to the US government, even after receiving National Security Letters demanding it in specific cases.” (p. 311) Furthermore, Wynn-Williams notes that “Facebook has said [many things] are simply impossible when Congress and its own government have asked – on content, data sharing, privacy, censorship, and encryption – and yet its leadership are handing them all to China on a silver platter.” (p. 313) Facebook was very concerned about all of this leaking because “if it leaks we [Facebook] won’t be able to keep doing what we’re doing. … [it would] highlight differences in what we say to the public vs what we do.” (p. 313) When preparing Zuckerberg for congressional testimony about Facebook’s plans for China, Wynn-Williams reports that “No one suggests telling the truth … There seems to be no compunction about misleading Congress. Presumably because the team assumes they’ll never be caught …”. (p. 319)
  • Censoring content in Russia, Indonesia, Mexico, and South Korea at the request of senior government officials, largely at Zuckerberg’s sole discretion. (p. 158-164)
  • Selling advertisers on Facebook’s capabilities to target emotionally vulnerable teens while publicly denying that it was doing so. Advertisers know that people buy more when they are feeling insecure, “and it’s seen as an asset that Facebook knows when that is and can target ads.” (p. 334) While “this sort of ad targeting is commonplace at Facebook … it pretends the opposite: ‘We have opened an investigation to understand the process failure and improve our oversight.’” A follow up statement was “a flat-out lie: ‘Facebook does not offer tools to target people based on their emotional state.’” (p. 336-337)

Wynn-Williams documents that time and again Zuckerberg and other Meta senior executives lie about and distort what Meta is doing, the harm it’s causing, and their knowledge of the harm. They lie to the media and the public, they lie in congressional testimony, and they lie internally to their own employees. They also attack government officials and human rights groups that oppose the expansion or advocate regulation of Facebook and Meta’s other platforms. (p. 206-212) She also writes that “Facebook’s leadership could be utterly indifferent to the consequences of their decisions,” hence the book’s title, Careless People. (p. 307) In 2017, one of the findings of worldwide consumer focus groups was that “The idea that Facebook cares about people’s privacy is not believable anywhere.” (p. 315)

In response to the recent murder of Charlie Kirk, Utah Governor Spencer Cox made the point that social media is designed to amplify hate and division. They do this because social media companies know that this is the most effective way to maximize profits. Social media algorithms are designed to feed you stories that alarm and upset you because that results in your spending more time on the social media platform. [1]

I encourage you to contact your Representative and Senators in Congress and ask them to support strong regulation of the social media platforms to stop them from continuing to harm our children and youth, our society, and our politics and elections.

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.


[1]      Hubbell, R., 9/15/25, “Leaning into resistance during troubled times,” Today’s Edition Newsletter (https://roberthubbell.substack.com/p/leaning-into-resistance-during-troubled)

CHILDREN AREN’T SAFE ON META’S VIRTUAL REALITY PLATFORMS

The harm that Meta Platforms’ Facebook and virtual reality programs do to children and youth is well documented. The evidence continues to grow as new whistleblowers come forward and share inside information. Clearly, Meta is far more committed to its profits than it is to protecting children.

The harm that Meta Platforms’ social media platforms, including Facebook and virtual reality programs, do to children and youth is well documented. The evidence continues to grow as new whistleblowers come forward and share inside information. Clearly, Meta (and other social media platforms) are far more committed to their profits than they are to protecting children.

It’s been far too long since I wrote about Meta Platforms and its subsidiaries. Meta’s Facebook and virtual reality platforms are harming children. The harm that Facebook and other social media do to children and youth is well documented. It is equally clear that Meta and other social media companies are far more interested in maximizing profits than protecting children.

Three years ago, I wrote a blog post calling for federal legislation to protect children on social media. No legislation has been passed in those three years and no significant federal legislation regulating social media has been passed since the 1998 Children’s Online Privacy Protection Act (COPPA). A lot has changed since 1998 and new federal legislation is sorely needed. In my September 2022 blog post, I called on Congress to pass two bills to protect children on social media. (Previous posts here and here document the harms to children and beyond of Facebook and other social media platforms, as well as ways to respond.)

The Kids Online Safety and Privacy Act (KOSA) (a combined version of the two previous bills) passed the Senate with a strong, bipartisan vote (91 – 3) in July 2024. Heavy lobbying, led by Mark Zuckerberg, Chairman, Chief Executive Officer, and controlling stockholder of Meta, blocked action on it in the House. By the way, Europe has done a much better job than the U.S. of protecting everyone’s privacy and well-being on social media, including that of children.

The social media platforms’ business model is to hook kids at an early age, feed them addictive content to keep them engaged, amass extensive personal information about them and their online behavior, and then use these data to sell very targeted, personalized, and effective advertising. This is very lucrative for the social media platforms. However, the content and marketing directed at kids are often toxic and harm kids’ well-being and mental health. [1]

Advocates for children, including Fairplay, filed a request in May for the Federal Trade Commission (FTC) to investigate Meta for violating children’s safety and privacy on its virtual reality platform Horizon Worlds. Children, including ones under 13, are at risk for sexual predation, financial harm, bullying, and harassment on Horizon Worlds. Meta knows this, but it fails to protect children while it captures their data, in violation of the Children’s Online Privacy Protection Act, to sell to advertisers and to make their platform as addictive as possible. The FTC complaint was supported by a sworn statement from Kelly Stonelake, the former director of marketing for Horizon Worlds at Meta.

Meta has been in the news this week because six whistleblowers and former employees have come forward to report (again) that Meta has been covering up and ignoring the harm it knows its platforms are doing to children. The focus this week was on the virtual reality platforms that Meta offers. Current and former employees revealed that Meta is suppressing internal research on child and youth safety and is also turning a blind eye to children under 13 illegally using these platforms. Furthermore, Meta’s legal and communications teams work to create plausible deniability for its executives regarding company knowledge of negative effects on children. Zuckerberg and Meta have previously lied about the harmful effects of their platforms and their knowledge of those harmful effects on children. (Meta whistleblowers previously revealed similar misbehavior in congressional testimony in 2023 (Arturo Béjar) and 2021 (Frances Haugen).)

Not surprisingly, therefore, the Kids Online Safety and Privacy Act (KOSA) is again being considered in the U.S. Senate (S.1748) and there’s also a push to pass it in the House. It would:

  • Provide privacy protections for children and youth,
    • Extend to 13 to 16-year-olds the prohibition on social media platforms capturing children’s personal information without their consent and require the platforms to delete any such information they collect if requested to do so,
    • Limit individually targeted advertising (referred to as surveillance advertising),
    • Require the social media platforms to put the interests of young people first,
  • Provide families with the tools and safeguards to protect children’s well-being and mental health,
  • Require transparency from the social media platforms about the data they are capturing and the algorithms they are using for promoting content and advertising, and
  • Establish accountability for harms caused by social media.

I encourage you to contact your Representative and Senators in Congress and ask them to support strong regulation of social media platforms to prevent them from harming our children and youth. Urge them to support the Kids Online Safety Act (KOSA, Senate bill 1748) and similar legislation in the House.

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1]      Corbett, J., 7/27/22. “ ‘Critical’ online privacy protections for children advance to Senate floor,” Common Dreams (https://www.commondreams.org/news/2022/07/27/critical-online-privacy-protections-children-advance-senate-floor-vote)

EXAMPLES OF THE SOCIETAL TOLL OF TRUMP ADMINISTRATION ACTIONS

The actions of the Trump administration and Republicans in Congress are inflicting a serious toll on our society. Examples include their efforts to defund foreign aid and public broadcasting, their weakening of our cybersecurity defenses, and their efforts to eliminate the Consumer Financial Protection Bureau, not to mention all the horrible things in the budget bill.

The actions of the Trump administration and Republicans in Congress are taking a heavy toll on people, on our society, and on our democratic institutions. Here are some examples. (See this previous post for more examples.)

ACTION #1: Republicans in the U.S. House recently passed a bill to rescind $9.4 billion of previously approved funding for foreign aid ($8.3 billion) and public broadcasting ($1.1 billion). The good news is that the Trump administration is tacitly acknowledging that it is illegal for it to cut congressionally approved funding through executive orders or actions by the so-called Department of Government Efficiency (DOGE). The vote to pass the bill was 214 to 212 and occurred only after Republican Speaker Johnson had pressured a few Republican representatives to switch their “no” votes and support the bill. [1] Republicans in both the House and the Senate have expressed concerns about this bill.

The bill would rescind funding for foreign aid programs that some of them support, such as President George W. Bush’s emergency AIDS program that has saved over 25 million lives around the globe. These cuts will ultimately harm health and result in deaths here in the U.S. as diseases spread across international borders.

It also would rescind funding that supports 1,500 public TV and radio stations, including many in rural, Republican areas where they are a vital, local resource.

ACTION #2: The Trump administration is weakening America’s cybersecurity defenses at a time when the likelihood of cyberattacks is growing. Trump fired the general who led the National Security Agency and other leaders of our cybersecurity agencies. He has cut staffing and funding for cybersecurity agencies. [2]

This makes no sense because the likelihood of cyber warfare is growing as global tensions and conflicts escalate – in Ukraine, the Middle East, and over Taiwan. U.S. adversaries Russia, Iran, China, and North Korea all have significant cyber warfare capabilities, and there are signs of cyber activity cooperation among them. Cyberattacks can be used for espionage – to steal valuable corporate or government information. Or they can be used to disrupt public infrastructure such as electric power supplies, phone and Internet services, hospitals, banks and financial services, and water supply systems. Recently, Russian hackers disabled the automatic control systems at a rural Texas municipal water plant. This was probably just a test of their capabilities or a warning about what they can do.

ACTION #3: The Trump administration, Republicans in Congress, and their wealthy backers in the financial industry are working hard to eliminate or at least emasculate the Consumer Financial Protection Bureau (CFPB). The CFPB was created in response to the financial industry corruption that caused the 2008 financial collapse and resulted in millions of Americans losing their homes due to abusive and fraudulent mortgages. Since its creation, the CFPB has returned more than $21 billion to consumers through enforcement actions on illegal behavior by financial companies. It has also saved consumers untold additional money through its regulation of the financial industry. [3] For example, it has capped exorbitant fees such as credit card late payment penalties and bank account overdraft charges.

The Trump administration and Elon Musk’s so-called Department of Government Efficiency (DOGE) have been trying to cut CFPB funding, fire its employees, and eliminate the agency. On February 14, a federal judge ordered a halt to these actions. The Trump administration responded by placing most of the CFPB staff on administrative leave and preventing them from performing their jobs.

On June 10, the head of enforcement for the CFPB resigned, writing: “It is clear that the bureau’s current leadership has no intention to enforce the law.” [4] (Russell Vought is the Acting Director of the CFPB and the Director of the White House Office of Management and Budget, as well as a key author of Project 2025.)

To benefit the wealthy executives and corporations in the financial industry, the Trump administration is persistently trying to eliminate the only independent agency protecting consumers from predatory and illegal practices of financial industry companies.

YOUR ACTION: Please contact your members of Congress and ask them to oppose these actions of the Trump administration in every way they can. Urge them to speak out against these actions and to explain to their constituents the toll the Trump administration’s actions are taking on them and our society.

You can find contact information for your US Representative at http://www.house.gov/representatives/find/ and for your US Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.


[1]      Edmondson, C., 6/12/25, “House votes to claw back $9 billion for foreign aid and public broadcasting,” The Boston Globe from the New York Times

[2]      Klepper, D., 4/21/25, “Nations ready cybersecurity defenses,” The Boston Globe from the Associated Press

[3]      Economic Policy Institute, 6/12/25, “Trump administration attempts to close the CFPB, block agency’s work,” (https://www.epi.org/policywatch/trump-administration-closes-the-cfpb/)

[4]      Economic Policy Institute, 6/12/25, see above

MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY Part 2

Recent investigative reporting by ProPublica showed that Microsoft has put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very harmful results. [1] Punishments for corporations and their executives need to be increased to deter this type of corrupt extreme capitalism.

(Note: If you find my posts too long to read on occasion, please just skim the bolded portions. Thanks for reading my blog! Special Note: The new, more user-friendly website for my blog is here.)

Microsoft failed for three years to address a known flaw in its software that allowed Russian hackers in the SolarWinds breach to gain access to the data and emails of its customers, including sensitive agencies of the federal government. Moreover, its president lied in testimony to Congress claiming first that Microsoft flaws had not contributed to the breaches and later that he and Microsoft had not been aware of the flaw. (See this previous post for more details.)

In 2016, when the flaw was discovered, Microsoft was in a major industry battle to be a leader in cloud computing services and was vying for a multi-billion-dollar Defense Department cloud computing contract. Admitting to a software vulnerability in a related product would have hurt Microsoft’s chances of winning the contract. The Microsoft employee who discovered and reported the flaw, Andrew Harris, was told the decision not to fix the software flaw was a business decision, not a technical one.

As background, Microsoft’s new CEO in 2014, Satya Nadella, saw cloud computing as the future of the technology industry and staked Microsoft’s future on being a major player in this arena. Under pressure to catch up to industry-leader Amazon, Microsoft focused on new features and functionality for its cloud computing products to generate sales and profits and not on security fixes, which cost money and have no immediately visible benefit.

In 2024, Microsoft President Brad Smith was called back to testify before Congress again (see this previous post for information on his 2021 appearance) after a series of cyberattacks on the federal government linked to flaws in Microsoft products. For example, in 2023, Chinese hackers exploited a Microsoft security flaw to access the email accounts of senior government officials. In addition, ProPublica’s reporting on Microsoft’s culpability in the 2019 SolarWinds breach (see this previous post for more information) had been published the day of Smith’s testimony. ProPublica had contacted Microsoft two weeks before with detailed questions related to its investigation and a request for an interview with Smith. Nonetheless, Smith claimed in his testimony to be unaware of the role of a Microsoft software flaw in the SolarWinds breach. [2]

The Federal Cyber Safety Review Board, in reviewing the Microsoft-related security breaches, found that Microsoft’s “security culture was inadequate and requires an overhaul.”

Microsoft’s ignoring of cybersecurity issues to maximize profits has put its customers at risk. It has allowed Russian, Chinese, and other hackers to steal information and data from government agencies, businesses, and their customers.

Publicly traded corporations, like Microsoft, are beholden to profits, to the price of their stock, and to stockholders, not to customers or any sense of the public good. That’s the reality of the unregulated, extreme capitalism allowed by current U.S. laws. This and the extreme personal wealth accumulation it allows seem to have resulted in greed rising to new heights and ethics falling to new lows.

The frequency, pervasiveness, and repetitiveness of business scandals driven by putting profits first and foremost are astounding. If you want to see how pervasive corporate violations of the law are, look at the Violation Tracker database compiled by Good Jobs First.

An underlying theme of this corrupt corporate behavior is the loss of robust competition in the marketplace due to the emergence of a handful of huge, monopolistic corporations in many industries. This has happened largely through mergers and acquisitions that were allowed because of little or no enforcement of antitrust laws since the 1980s (until very recently).

To stop corporate corruption and bad behavior, there must be more enforcement with greater penalties. Otherwise, corporations just treat the penalties they pay as a cost of doing business. The penalties must be big enough to significantly reduce a corporation’s profits and share price. This would impact stockholders, particularly big ones, including senior executives. The impact should be big enough to put senior executives’ jobs at risk.

For substantial illegal behavior by their corporations, CEOs and other senior executives need to be held personally accountable with criminal charges, the ability to make them return compensation (especially bonuses for generating big profits), and the risk of being fired with no severance package.

The ultimate penalty would be to revoke the corporation’s charter to do business, forcing the liquidation of the corporation. This does not seem likely to happen, so when the illegal or corrupt behavior is serious enough or repetitive enough, the financial penalties must be big enough to potentially put the corporation into bankruptcy and out of business – if the goal is to truly stop corporate corruption and bad behavior. Furthermore, corporations with a track record of serious violations should be banned from doing business with the federal government.

I urge you to contact President Biden to ask him to have the Department of Justice and other agencies investigate and seriously punish Microsoft and its executives for allowing dangerous cybersecurity breaches. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I urge you to contact your U.S. Representative and Senators to ask them to pass laws that place serious penalties and punishments on corporations and their executives when they put profits before the safety and security of their customers and the public. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your US Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1]      ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)

[2]     Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)

MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY

Recent investigative reporting by ProPublica brought to light another example of a corporation putting profit before the well-being of its customers. Microsoft put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very detrimental results.

You may remember the “SolarWinds” cybersecurity breach by Russian hackers that was revealed in 2020. It was one of the largest cyberattacks on U.S. government agencies and private businesses ever. The hackers penetrated the SolarWinds corporation’s software in 2019 and used it to gain access to the computer systems of multiple companies and U.S. government agencies. They got sensitive data from the National Nuclear Security Administration, which oversees U.S. nuclear weapons. They accessed the National Institutes of Health (NIH) as it was working to contain the Covid virus and develop a vaccine for it. They gained access to the email accounts of senior officials at the Treasury Department.

In 2021, Microsoft President Brad Smith testified before Congress that although all the affected companies and government agencies used Microsoft software and cloud computing services, no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach. He said the customers should have done more to protect themselves.

Recent investigative reporting by ProPublica has shown this to be a lie and, moreover, that Microsoft had been warned multiple times, years earlier, about a software flaw that was taken advantage of in the cyberattack. [1] In 2016, Microsoft engineer and cybersecurity expert, Andrew Harris, identified a flaw in a Microsoft software product. The flaw allowed a hacker who had gained access to an individual’s local computer at a Microsoft customer to steal the keys needed to access a broad range of programs and networks. These included Microsoft products that provided remote computing services and data storage to multiple customers, a service called “cloud computing.” Millions of users of these Microsoft products, including federal government agencies and employees, were vulnerable.

In 2016, Harris reported the flaw to Microsoft’s Security Response Center and to the product’s manager, who agreed it was a significant flaw but did not feel it was urgent to address it. Harris suggested a simple fix that would require users of the Microsoft product to log on a second time to access other programs and networks, including cloud computing systems. This was rejected because it would inconvenience customers and hurt marketing of the product, for which the single logon capability was a key selling point.

Harris personally contacted some sensitive Microsoft customers he worked with to inform them of the flaw and their vulnerability. For example, he worked with the New York Police Department to implement the fix he had recommended. [2]

In November 2017, a private cybersecurity firm, CyberArk, identified the same flaw. It reported it publicly after having notified Microsoft about it twice with no response. In 2018, another Microsoft engineer identified a related flaw that made the flaw Harris had identified even more serious.

In 2019, another private cybersecurity firm, Mandiant, after notifying Microsoft but getting no response, publicly demonstrated the use of the flaw to gain access to cloud computing services.

Nonetheless, in 2021, after the SolarWinds cyberattack had given Russian hackers access to Microsoft’s cloud computing services and customers’ data and emails, as noted above, Microsoft President Brad Smith testified (untruthfully) before Congress that no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach.

Harris, frustrated by the failure of Microsoft to address the flaw he’d identified, left Microsoft in August 2020, before the SolarWinds cyberattack became publicly known. He publicly stated that Microsoft’s “decisions [were] not based on what’s best for Microsoft customers but on what’s best for Microsoft.”

Some context for Microsoft’s behavior, as well as steps that should be taken to stop the corporate practice of putting profits before all else, will be in my next post.

[1]      ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)

[2]     Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)

FEDERAL LEGISLATION NEEDED TO PROTECT CHILDREN ON SOCIAL MEDIA

The harm that social media can do to children and youth is well documented. (See this previous post for more detail.) Clearly, the social media platforms are not going to do what’s necessary to keep our kids safe online on their own. No significant relevant federal legislation has been passed since the 1998 Children’s Online Privacy Protection Act (COPPA). A lot has changed since then and new federal legislation is needed.

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

Europe has done a better job than the U.S. of protecting everyone’s privacy and well-being on social media, including that of children. Its General Data Protection Regulation (GDPR) is four years old and provides greater protections than U.S. laws. Meta (formerly Facebook) was recently fined $400 million because its Instagram subsidiary violated European regulations on the protection of children’s data. [1]

The social media platforms’ business model is to hook kids at a young age, amass extensive personal information about them and their online and consumer behavior, and then use these to engage in lucrative (for them) marketing to the kids in ways that too often promote toxic content and harm kids’ well-being and mental health. [2]

Two pieces of relevant federal legislation are being considered in the U.S. Senate:

  • Kids Online Safety Act (KOSA, Senate bill 3663) and
  • Children and Teens’ Online Privacy Protection Act (COPPA 2.0, Senate bill 1628)

These bills seek to provide privacy protections for children and youth, limit individually targeted advertising (referred to as surveillance advertising), and require the social media platforms to put the interests of young people first. For example, KOSA would:

  • Provide families with the tools and safeguards to protect children’s well-being and health,
  • Require transparency from the social media platforms about the data they are capturing and the algorithms they are using for promoting content and advertising, and
  • Establish accountability for harms caused by social media.

COPPA 2.0 would, for example:

  • Extend to 13 to 16-year-olds the prohibition on social media platforms capturing children’s personal information without their consent and require the platforms to delete any such information they collect if requested to do so,
  • Ban individually targeted marketing to children,
  • Establish a “Digital Marketing Bill of Rights for Minors,” and
  • Create a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC) to monitor and regulate data privacy for and marketing to minors.

Some concerns have been raised, particularly about KOSA. Some privacy advocates have raised concerns that it would allow parents to spy on and control children’s activities online. They worry about unsupportive parents spying on LGBTQ+ youth. They worry that politicians could force the social media platforms to block information on topics the politicians dislike, such as abortion information. And they worry that the social media platforms will block broad arenas of information to avoid liability for possible harm to children.

Trying to regulate social media platforms to keep children safe is complicated, but it’s clear that steps need to be taken to reduce the significant harm that’s occurring. The first laws and sets of regulations won’t be perfect, but we need to act. Then, we can figure out what is and isn’t working and make improvements.

I encourage you to contact your Representative and Senators in Congress and to tell them you support regulation of the social media platforms to prevent them from harming our children and youth. Urge them to support the Kids Online Safety Act (KOSA, Senate bill 3663) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0, Senate bill 1628).

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

If you’re interested, you can sign up here for an online information session and Rally for Kids’ Online Safety next Tuesday, September 13, from 6:30 – 7:00 p.m. Eastern time. You’ll learn more about how you can support the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0). Senators Ed Markey and Richard Blumenthal will discuss how these bills would revolutionize social media platforms’ treatment of kids and teens, requiring them to put young users’ wellbeing ahead of their profits. If passed, the bills would ban surveillance advertising to minors, extend privacy protections to teens, and set the stage for a safer internet for children and youth. They would also hold the platforms accountable for exploiting kids’ vulnerabilities. Advocates, including Fairplay and members of its Screen Time Action Network, will discuss how you can take action to help get these bills passed.

[1] Business Talking Points, 9/6/22, “Instagram fined over protection of teenagers’ information,” The Boston Globe from the New York Times

[2] Corbett, J., 7/27/22, “‘Critical’ online privacy protections for children advance to Senate floor,” Common Dreams (https://www.commondreams.org/news/2022/07/27/critical-online-privacy-protections-children-advance-senate-floor-vote)

FACEBOOK KNOWS IT PROMOTES MISINFORMATION AND WILL CONTINUE TO DO SO WITHOUT GOVERNMENT REGULATION

Facebook’s promotion of low-quality, right-wing content and disinformation has been clearly documented. For example, in April 2021, The Daily Wire, a bigoted, sexist, anti-immigrant, far-right website that produces no original reporting and a low volume of articles, had by far the highest distribution / engagement on Facebook. Second highest was the British tabloid, the Daily Mail, followed by Fox News. Four of the top six sources of content engagement on Facebook were right-wing publishers of disinformation. Credible media got much less engagement due to Facebook’s content promotion algorithm. For example, for April 2021: [1]

  • The Daily Wire (1st): 74.9 million Facebook engagements based on 1,385 articles
  • CNN (4th): 23.1 million Facebook engagements based on 4,765 articles
  • NBC (7th): 18.7 million Facebook engagements based on 2,596 articles
  • New York Times (8th): 18.6 million Facebook engagements based on 6,326 articles
  • Washington Post (14th): 12.3 million Facebook engagements based on 6,228 articles

Facebook’s reality, driven by its content promotion algorithm, is NOT the reality outside of Facebook. The Daily Wire is NOT more popular than CNN, NBC, the New York Times, and the Washington Post in the world outside of Facebook, let alone more popular than all four of them combined – and the almost 20,000 articles they publish per month compared to the fewer than 1,400 articles of The Daily Wire, none of which contain original reporting. Facebook promotes this alternative reality because it maximizes its profits. (See this previous post for more detail.)

The election-related disinformation that flourishes on Facebook is a global crisis. There are 36 national elections in countries around the globe in 2022 and many of them will be affected by disinformation on Facebook. Some may be affected to an even greater degree than what has occurred in the U.S., where a strong case can be made that disinformation on social media (with Facebook as a major if not the major player) led to the election of Trump in 2016.

Facebook (and its parent Meta) know how to stop the proliferation of disinformation and have done so for short periods of time at least twice. Meta refers to these instances as “break the glass” emergencies, but the emergency is not short-term and tied to a specific incident; it’s long-term and endemic.

For five days after the 2020 U.S. national election, Facebook’s News Feed and other features operated very differently. Facebook adjusted its content promotion calculations, i.e., its algorithm, to more strongly promote credible news sources. By implication, it deprioritized or down ranked sources publishing disinformation and divisive or hateful content. Facebook did this to slow the spread of disinformation about election fraud and the presidential election being stolen. However, it was too little and too late, lasting only five days in the face of many months of spreading lies about the election. Nonetheless, during the life of the adjusted algorithm, Facebook engagement for credible sources such as the New York Times, CNN, and NPR spiked up and the engagement dropped for the extreme right-wing sources, as well as for hyper-partisan left-wing sources.

Some Facebook staff pushed to make the algorithm change permanent, but were overruled by Facebook’s senior management, including Joel Kaplan, a Republican operative who had previously intervened on behalf of right-wing sources and the Facebook algorithm that promotes them. Moreover, as Facebook returned to “normal” operation, Facebook also eliminated its civic-integrity unit.

After the January 6, 2021, insurrection at the U.S. Capitol, Meta and Facebook again “broke the glass” and instituted more preferential promotion for credible news sources, but again, only for a few days.

Many concerned people from across the globe and from all walks of life – from policy makers to advocates to marginalized people – are calling on Facebook (and other social media platforms, including Instagram [also owned by Facebook’s parent Meta]) to take three steps: [2]

  1. Be transparent: disclose business models, algorithms, and content moderation practices; and release internal data on the effects and harms of the current mode of operation. This would allow independent verification of whether content amplification and moderation are effectively combatting disinformation, protecting elections and democracy, and keeping people, especially young people and children, safe.
  2. Change content promotion algorithms: stop preferential promotion of the most incendiary, hateful, and harmful content to the most vulnerable audiences.
  3. Protect all people equally: bolster content moderation to protect all people, especially marginalized and vulnerable groups, in all countries and all languages.

Facebook and the other social media companies won’t do this on their own. Without government regulation, they will continue to put profits before social responsibility. We must take steps to reduce the disinformation and divisiveness spread by Facebook and other social media platforms. Doing so is critical to the well-being of all of us, especially our children, and to the well-being of society and democracy. Government regulation clearly has to be an important part of the answer.

I encourage you to contact President Biden and your Congresspeople. Tell them you want strong regulation of Facebook and other social media platforms, including requirements to implement the three steps outlined above. (See this previous post for more on fixes for the harmful behavior of Facebook and other social media platforms.)

You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1] Legum, J., 5/6/21, “Facebook’s problem isn’t Trump – it’s the algorithm,” Popular Information (https://popular.info/p/facebooks-problem-isnt-trump-its)

[2] Change the Terms Coalition, retrieved from the Internet 5/2/22, https://www.changetheterms.org/

FACEBOOK KNOWS IT PROMOTES MISINFORMATION AND DOES SO TO MAXIMIZE PROFITS

Facebook promotes misinformation. It knows this is harmful, it knows how to fix it, but it does it anyway – for the sake of profits. This is true across the full range of content from racist and misogynistic disinformation to Russian propaganda. It is true globally and across languages with the worst abuses probably occurring outside the U.S. and in languages other than English.

Facebook undermines democracy and promotes divisiveness and hate (as do other social media platforms such as Instagram, TikTok, Twitter, and YouTube) based on conscious decisions by senior management. (See this previous post on the harm being done by Facebook and other social media platforms.)

The reason that Facebook (and other social media platforms) refuse to effectively control (i.e., “moderate”) content is that profits come first. In 2021, Facebook made $39.4 billion in profits primarily from advertising exquisitely targeted to its almost three billion users.

Perhaps the ultimate confirmation of this is that Facebook and Instagram (both owned by Meta) have been blocked in Russia after the invasion of Ukraine, but Facebook and Instagram are still publishing and promoting Russian propaganda around the world. Although they claim to be moderating disinformation from Russia, 80% of disinformation about U.S. biological weapons has been posted without being flagged or blocked. [1]

Currently, Facebook’s only incentives to moderate the content it allows and promotes are to avoid government regulation and to not be so offensive that advertisers pull their ads. In an effort to address concerns about content moderation – which admittedly sometimes requires making difficult, judgmental decisions that will be unpopular with some people – Facebook created an “Oversight Board” in 2019 to review its moderation decisions. Facebook claims the Board is independent and recruited an impressive set of individuals to serve on it. [2]

Roughly a year ago, the Board issued its first major report, a 12,000-word review of Facebook’s decision to indefinitely suspend Donald Trump from Facebook. The Board affirmed the decision to suspend Trump, but stated that it was inappropriate to make the suspension indefinite.

The Board said Facebook should either make the suspension permanent or set a specific length of time for it. The Board noted that Facebook management was seeking to dodge responsibility and that it should impose and justify a specific penalty.

The Board also posed questions to Facebook management whose answers it felt were essential to enabling it to do its oversight job. However, Facebook management refused to answer questions and failed to provide information on:

  • The extent to which Facebook’s design decisions, including algorithms, policies, procedures, and technical features, amplified Trump’s posts.
  • Whether an internal analysis had been done of whether such design decisions might have contributed to the insurrection at the Capitol on January 6, 2021.
  • Content violations by followers of Trump’s accounts.

The Board noted that without this information it was difficult for it to assess whether less severe measures, taken sooner, might have been effective in solving the problem of Trump’s violations of Facebook’s standards.

As the Board suggests, the central issue is not simply Trump’s posts, but Facebook’s amplification of those posts and others like them. In other words, the real issue is the nature of Facebook’s content promotion algorithm and whether it promotes posts from Trump and from people expressing views like or in support of Trump’s posts. However, the Board’s jurisdiction, as defined by Facebook management, excludes oversight of Facebook’s algorithm and business practices. Furthermore, the Board has no power to compel Facebook management to abide by its decisions and recommendations – or even to simply answer its questions. It will be effective only to the extent that Facebook management voluntarily cooperates, which would mean reducing profits – not something they will do voluntarily.

Although Facebook founder and now chief executive of its parent Meta, Mark Zuckerberg, once stated, “At the heart of these accusations is this idea that we prioritize profit over safety and well-being. That’s just not true,” the data clearly show that this is true – and hardly anyone believed Zuckerberg when he said it wasn’t.

My next post will provide documentation of Facebook’s promotion of disinformation and divisiveness, as well as its conscious decision to do this and its ability – and occasional willingness – to change this. The post will also include steps that can and should be taken to force Facebook and other social media platforms to change their behavior.

[1] Benavidez, N., & Coyer, K., 4/17/22, “Facebook ought to be protecting democracy worldwide every day,” The Boston Globe

[2] Legum, J., 5/6/21, “Facebook’s problem isn’t Trump – it’s the algorithm,” Popular Information (https://popular.info/p/facebooks-problem-isnt-trump-its)

FIXES FOR INSTAGRAM AND FACEBOOK

The evidence that Facebook and Instagram are harmful, especially to teens and young people, goes back to 2006 and has been growing consistently more definitive over the last fifteen years. (See my previous post for more detail.) The pressure from the public, especially parents, and most recently from Congress to address this problem is mounting.

In response, in mid-March, Meta Platforms (the new parent corporation for Facebook and Instagram) made an announcement of some new and coming parental supervision tools for Instagram. Note that teens will have to consent to their parents’ use of supervision tools! Furthermore, teens will know what their parents are seeing about their account and activity. Rather than building in universal safety controls, Meta claims it wants to enable parents to control teens’ social media activity because parents know their teens best and teens have different maturity levels. This sounds to me like a classic blame the victim – and the victim’s parents – strategy.

Moreover, Meta knows that many parents aren’t tech savvy and/or won’t have the time and energy to effectively control teens’ social media activity. It also knows that teens tend to be far more tech savvy than their parents and will often be able to evade parental controls. It could easily institute universal strategies to eliminate or greatly reduce the potential for harm from its platforms. Finally, it knows that teens’ vulnerability changes over time and that having harm protections in place by default would be much more effective than relying on parents to recognize and quickly react to teens’ changing vulnerability.

Here’s what Meta announced about new parental supervision tools for Instagram: [1]

  • A Family Center providing information to teach parents how to talk about social media with teens.
  • An ability for teens to invite a parent to supervise their social media account.
  • Parental ability to see how much time their teens are spending on Instagram, whom they are following, who is following them, and when they complain to Instagram about another user. However, a parent will have to have an Instagram account themselves to do so.
  • Future plans for:
    • Parental ability to limit when teens can use Instagram (e.g., not during school or after bedtime),
    • Blocking of access to inappropriate content by parents and/or based on ratings by the International Age Rating Coalition, and
    • Parental supervision tools for its Oculus Quest virtual reality program, where parents, experts, and the British government have raised concerns about exposure to violence and harassment.

Meta acknowledged in its statement that many parents are not on social media and are not tech savvy – meaning that these parental controls are often meaningless. Furthermore, many of these controls, including the future plans, seem like controls that should have been put in place years ago and before these products ever went on the market, i.e., they’re too little too late.

A bipartisan bill has been introduced in Congress, the Kids’ Online Safety Act (KOSA), requiring Facebook, Instagram, and other social media platforms to provide parents with more control over their children’s online interactions. The bill reflects months of congressional investigations and a history of failures by the social media platforms to respond to their documented harmful effects on young users. [2] Congress last passed legislation to protect children when they’re online, including their privacy, 24 years ago. [3] Needless to say, much has changed since then and the current business model of Facebook, Instagram, and the Internet as a whole is simply not healthy for kids and teens.

KOSA would require social media platforms to provide “easy-to-use” tools to limit screen time, protect personal data, and keep kids under 16 safe. It holds the online platforms accountable by establishing an obligation for them to put the interests of children first and to make safety the default. It requires them to prevent the promotion of bullying, sexually abusive behavior, eating disorders, self-harm, and other harmful content. The bill mandates an annual independent audit of risks to minors, steps taken to prevent harm, and compliance with KOSA. [4]

The bill would require the social media platforms to be transparent about how they operate. It would require giving parents the ability to disable addictive product features and modify content recommendation algorithms to limit or ban certain types of content. It would require the social media platforms to provide researchers and regulators with access to company data to monitor and investigate actual and potential harm to teens and children. This would allow parents and policymakers to assess whether the online platforms are actually taking effective steps to protect children.

The root of the problems with social media platforms is that there is greater profit in promoting unsafe behaviors, creating animosity, encouraging extremism, and fueling pseudo-science than there is in creating a safe place for civil discourse based on facts. Our system of capitalism and the deference to and alignment of our policymakers with large corporations have allowed this business model that commodifies and exploits human attention to explode unchecked. In the world of social media, you, your time and attention span, and your clicks are the products that are being sold – to advertisers. This means the social media business is a race to the bottom; an enterprise based on stimulating, titillating, and capturing our most base emotional and subconscious responses. Social media’s ability to do harm to individuals, our society, and our democracy is well-documented and endemic to the current business model. Without strong and effective public oversight and control, the social media platforms will continue to inflict substantial harms.

I urge you to contact President Biden, as well as your U.S. Representative and Senators, to let them know that you support the Kids’ Online Safety Act and additional actions to regulate social media platforms.

You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1] Peng, I., 3/17/22, “Meta adds parental tools to Instagram,” The Boston Globe from Bloomberg News

[2] Zakrzewski, C., 2/17/22, “Senators introduce children’s online safety bill after months of hearings,” The Boston Globe from the Washington Post

[3] Monahan, D., 3/22/22, “Diverse coalition of advocates urges Congress to pass legislation to protect kids and teens online,” Fairplay (https://fairplayforkids.org/march-22-2022-diverse-coalition-of-advocates-urges-congress-to-pass-legislation-to-protect-kids-and-teens-online/)

[4] Blumenthal, Senator R., retrieved 2/16/22 from the Internet, “Blumenthal & Blackburn introduce comprehensive Kids’ Online Safety legislation” (https://www.blumenthal.senate.gov/newsroom/press/release/blumenthal-and-blackburn-introduce-comprehensive-kids-online-safety-legislation)

THE HARMS OF INSTAGRAM, FACEBOOK, AND SOCIAL MEDIA

The news that Facebook and Instagram are harmful, especially to teens and young people, is not new. In 2006, a college professor, Joni Siani, whose class on Interpersonal Communications had access to Facebook a year before the public, found almost immediately that the Facebook experience was stressful and depressing for her students. Her class effectively became a Facebook group therapy session. That’s the beginning of a story I’ll come back to in a minute. [1] (By the way, Facebook and Instagram are now part of a new corporate entity, Meta Platforms. This name change seems to me to be an effort to obfuscate responsibility and accountability for the harms caused by Facebook and Instagram.)

In 2019, the docudrama The Social Dilemma came out, which highlights the manipulation and harms of social media. I encourage you to watch the film (on Netflix) or at least watch the 2½-minute trailer that’s available on the website. I urge you to explore the website; there’s a wealth of information under the button “The Dilemma” and a variety of ways to push back under the “Take Action” button.

The Social Dilemma was created by the Center for Humane Technology, which was founded in 2013 by a Google design ethicist. The Center’s website provides terrific resources for understanding the effects of social media platforms and how to use them intelligently. It has modules for parents and educators on how to help teens be safe, smart users of social media.

Last fall, a former Facebook employee, Frances Haugen, blew the whistle on Facebook’s practices with testimony to Congress, an appearance on 60 Minutes, and a trove of inside documents that the Wall Street Journal reported on extensively. (Blogger Whitney Tilson in one of her posts provides links to Haugen’s interview on 60 Minutes and to the Wall St. Journal’s investigative articles based on documents provided by Haugen. Tilson also wrote a letter to Facebook COO Sheryl Sandberg that’s part of her blog post.)

Haugen documented that Facebook is a threat to our children and our democracy. Furthermore, she made it clear that Facebook knows this but fails to take steps to reduce the harm because doing so would hurt profits. I previously wrote about the threats of Facebook to our children and our democracy here and what can be done about them here.

Instagram, a Facebook partner under the Meta Platforms umbrella, says it only allows users on its platform who are 13 or older, but its age verification tools are weak. Its algorithm (i.e., its decision-making processes) for what information to direct to individual users has been shown to promote harmful content to youth who are particularly susceptible to such messages, such as material promoting eating disorders. Instagram was developing a separate product targeting children under 13 until criticism and pushback from parents and child advocacy organizations caused it to announce that it had paused (but not terminated) development.

A resource for responding to social media’s threats to children is an organization called Fairplay and its website. Formerly the Campaign for a Commercial Free Childhood, Fairplay has been fighting for years to protect kids from the manipulation and harm from commercial advertising and social media platforms. If you want to get updates from Fairplay, click on “Connect” under the “About” button to sign up. Fairplay helps parents manage kids’ screen time and provides alternatives to screen time. It sponsors a Screen-free Week every spring. It has established the Screen Time Action Network to support parents concerned about the effects of screen time and social media platforms on their children.

Returning to the story of that college professor, Joni Siani, who in 2006 saw the harm that Facebook did to her college students: in 2013, she wrote a book about the love-hate relationship between users and their digital devices titled Celling your soul: no app for life. She also started an organization called No App for Life.

In 2021, Siani and No App for Life partnered with Fairplay and its Screen Time Action Network to create three podcasts titled The Harms. They present three stories of parents who lost a child due to social media platforms’ harmful impacts on their children. One describes the ruthless assaults of social media “friends” that led to a suicide. One describes how “fun” online challenges can lead to horrible results. And one describes how drug dealers sell their products on social media, even posting ads amongst all the other ads seen on social media constantly. These horrific examples are from strong families who were trying to do everything right in managing their children’s social media activities but were overwhelmed by the power of social media.

My next post will summarize Meta Platforms’ recent announcement of new and planned parental supervision tools, as well as the bipartisan Kids Online Safety Act, which has been introduced in Congress.

[1] Rogers, J., & Siani, J., 3/6/22, “What do I do now? Unthinkable stories Big Tech doesn’t want to tell,” Fairplay’s Screen Time Action Network and No App for Life Podcasts (https://fairplayforkids.org/harms-podcast/)

STOPPING CYBERCRIME AND CIVILIAN HARM FROM CYBERWARFARE

This is the final post of my nine-part series on computer hacking and cyberwarfare based on New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] These posts have summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; and have shared a number of examples. The previous post provided an overview of steps that can be taken to counter cybercrime at the personal, organizational, and governmental levels. This post discusses steps that are being taken to counter ransomware and to stop cyberwarfare from harming civilians.

The Biden Administration is working to reduce the frequency and profitability of ransomware attacks. It is disrupting the infrastructure ransomware hackers use to collect their ransom. It has put sanctions on cryptocurrency exchanges that are frequently used for ransomware payments and warned U.S. companies not to pay ransoms. In June, it was able to recover over half of the $4.4 million in cryptocurrency that Colonial Pipeline had paid to its ransomware attacker. [2] The U.S. Department of Justice (DOJ) reports that ransomware attacks cost the U.S. almost $600 million in the first six months of 2021.

In November, the DOJ announced that a Ukrainian hacker had been arrested and charged in connection with a group of ransomware attacks. It also announced the recovery of $6.1 million from ransomware attacks by a Russian who was charged separately and is listed as wanted by law enforcement. In December, the head of the U.S. Cyber Command and the Director of the National Security Agency announced that the military had taken offensive actions against ransomware attackers who had targeted critical infrastructure. [3] These actions represent the strongest U.S. government response to ransomware attacks to date and reflect a marshalling of resources across multiple agencies. European law enforcement officials also announced that seven ransomware hackers have been arrested in Europe since February. [4] Recently, a multi-national effort succeeded in shutting down, at least temporarily, a major Russian ransomware entity. In October, the Biden Administration convened over 30 countries to develop plans to combat ransomware attacks around the globe. [5]

Back in April, the Biden Administration announced tough sanctions on Russia for previous cyberattacks and, in June, President Biden warned Russian President Putin that future Russian cyberattacks would be grounds for additional retaliation.

Three former U.S. cyber intelligence agency employees, who had been hired by the United Arab Emirates (UAE) to conduct cyberespionage, pleaded guilty in September to cyber hacking and violating export laws by transferring military cyber technology to a foreign government. The DOJ is deferring criminal prosecutions of them if they pay hundreds of thousands of dollars in fines and abide by the terms of a three-year settlement agreement. They are also prohibited from ever receiving a U.S. security clearance. [6] Numerous former U.S. cyber intelligence employees have been lured to work for private companies and foreign governments to do cybersecurity or cyberespionage. Many do legitimate cybersecurity work but more than a few have done illegal or at least unethical work for their new employers.

In October, Biden’s Commerce Department announced a rule that limits the export and sale of hacking software to authoritarian and repressive governments. This effort is difficult for many reasons, in part because it needs to avoid inhibiting cybersecurity collaboration among countries and among companies located in different countries. Furthermore, some private companies and some other countries don’t share this goal of keeping hacking tools out of the hands of such governments. For example, the Israeli company NSO Group (with suspected but unproven connections to the Israeli government) sells spyware that can be covertly installed on an individual’s phone, allowing the hacker to track the person’s location and monitor their communications. Governments and others have used it to track dissidents, activists, lawyers, politicians, and journalists. Saudi Arabia used it to track associates of Jamal Khashoggi, the journalist that it murdered. Most recently, it was identified as being used to spy on Palestinians. [7]

For 25 years, the U.S. and 42 other countries have blocked the sale of weapons and military technology to authoritarian and repressive governments. The Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, originally signed in 1996, sets voluntary export controls on a list of weaponry. The list of controlled products is updated every December and cyber hacking and surveillance products were added to the list in 2013. However, the U.S. did not adopt controls on these products until now. This new Commerce Department rule will allow the U.S. to coordinate efforts to control the export of hacking tools with the 42 other countries that are part of the Wassenaar Agreement. [8]

Also on the international front, there have been calls for a treaty banning cyberwarfare from targeting civilians and civilian infrastructure, similar to the Geneva Convention for traditional warfare. Brad Smith, Microsoft’s president, called for such a treaty in 2017 after vulnerabilities in Microsoft software had been the vehicle for Russia’s devastating cyberattack on Ukraine’s civilian infrastructure and for North Korea’s worldwide ransomware attacks. Noting that the 1949 Geneva Convention protects civilians during traditional warfare, he called for a new convention to protect civilians from cyberwarfare – from attacks on hospitals, electric power grids, elections, and the intellectual property of private parties. Previously, after the 2010 U.S. attack on Iran’s uranium enrichment facility, European, Russian, and some U.S. officials had also called for such a treaty.

However, the U.S. has not pursued such a treaty, at least in part because it has been the world’s dominant cyber superpower. Nonetheless, U.S. businesses and civilians, as the most Internet-dependent ones in the world, are bearing the brunt of escalating cybercrime and cyberwarfare. Furthermore, the U.S. has continued to engage in its own cyberwarfare, including building its capacity to attack civilian infrastructure such as the Russian electric power grid.

I urge you to contact President Biden and thank him for his efforts to stop ransomware attacks and to keep cyber hacking tools out of the hands of authoritarian and repressive governments. Ask him to continue this work and to do more to protect civilians from cyberwarfare. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I also urge you to let your U.S. Representative and Senators know that you support strong steps to reduce ransomware attacks and the potential harm to civilians from cyberwarfare. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., 10/25/21, “A rare win for the good guys in cat-and-mouse game of ransomware,” The Boston Globe from the New York Times

[3]      Barnes, J. E., 12/6/21, “US military has acted against ransomware groups, NSA chief says,” The Boston Globe from the New York Times

[4]      Tucker, E., & Suderman, A., 11/9/21, “US charges 2 suspected ransomware operators,” The Boston Globe from the Associated Press

[5]      McLaughlin, J., 10/13/21, “White House brings together 30 nations to combat ransomware,” National Public Radio (https://www.npr.org/2021/10/13/1045248842/white-house-brings-together-30-nations-to-combat-ransomware)

[6]      Mazzetti, M., & Goldman, A., 9/15/21, “Former intelligence officers admit crimes,” The Boston Globe from the New York Times

[7]      Kingsley, P., & Bergman, R., 11/9/21, “Spyware aimed at activists, group says,” The Boston Globe from the New York Times

[8]      Nakashima, E., 10/21/21, “US aims to limit sale of hack tools to dictators,” The Boston Globe from the Washington Post

STOPPING CYBERCRIME AT THE PERSONAL, ORGANIZATIONAL, AND GOVERNMENTAL LEVELS

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

This is the first of my final two posts (out of nine total) on computer hacking and cyberwarfare. These two posts discuss steps that can be taken to counter cybercrime at the personal, organizational, and governmental levels, as well as efforts to stop cyberwarfare from harming civilians. This series of posts presents my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] These posts have summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; shared a number of examples; and the previous post provided an overview of Russia’s continuing attacks on the U.S., including on the 2018 and 2020 elections.

It is clear today that passwords, antivirus software, and firewalls will not protect a computer from reasonably sophisticated cyber hacking. With entities willing to pay over a million dollars for a vulnerability in a widespread piece of basic software, such as Microsoft Windows, Apple operating systems, Adobe, Java, and countless others, cybersecurity needs to be designed into these basic pieces of software and to have many layers of protection. Traditionally, basic software has only been tested to make sure it works, not to identify and eliminate vulnerabilities that hackers could use. This needs to change. When complex software is everywhere, even in cars, software vulnerabilities are ubiquitous and our whole mindset about cybersecurity must change to include preventing vulnerabilities, as well as protecting computers when they are attacked.

Individuals and businesses should assume that passwords alone are no longer effective protection from serious hackers because passwords are likely to have been stolen in one of the hacks of a large customer database or some other way. Two-factor or multi-factor authentication (2FA or MFA) is the best basic defense against cyber hacking and cybercrime. With 2FA, when one logs into a system, a one-time code is sent by phone text or email and has to be entered to gain access. Turn on 2FA wherever it’s available and for any function where security is important, such as banking and financial transactions.

Voting simply cannot be safely conducted on-line, according to Perlroth. She notes that as of the date of her book, there was not a single on-line voting system that hackers had not been able to penetrate – often quite quickly and easily. [2] Voter registration databases and other election support systems need to be rigorously protected and audited to ensure their security.

While the Trump Administration largely ignored cybercrime and civilian harm from cyberwarfare, the Biden Administration has already been aggressive in tackling them. The U.S. Cybersecurity and Infrastructure Security Agency has recently announced that it is working to develop a national cybersecurity strategy. It noted that public-private collaboration will be essential as critical infrastructure must be secured whether it is in private or public hands.

The U.S. needs to establish strong mandates for cybersecurity for public entities and private companies that are part of critical infrastructure. The U.S. lags far behind other countries in doing this. Norway in 2003 and Japan in 2005, for example, implemented national cybersecurity strategies that have made them among the safest countries in the world in terms of cyberattacks. [3]

However, Congress has repeatedly failed to pass legislation that would establish even basic standards for companies operating critical infrastructure such as hospitals, fuel pipelines, the electric power grid, dams, and nuclear power plants. Such standards would, for instance, require operators of critical infrastructure to use up-to-date, well-maintained software; to change passwords regularly; to use two-factor authentication for system access; and to conduct regular, sophisticated tests of their protections against hackers.

The U.S. Chamber of Commerce and other business leaders have argued against even voluntary standards, claiming they are too onerous. Current events are proving that NOT having such standards and NOT having solid cybersecurity in place are far too dangerous and too costly for businesses and customers.

The Biden Administration is urging all companies to enhance their cybersecurity practices, including requiring two-factor authentication for employees to log in to computer systems. [4] It also needs to educate the American public about cybersecurity and about on-line disinformation campaigns; these need to be part of our national consciousness.

Public and private entities should be required to report and make public successful cyberattacks so:

  • Customers and the public can be appropriately warned and protected,
  • The entities have an incentive to fix problems and prevent successful future attacks, and
  • Appropriate law enforcement and national security responses can occur.

On the flip side, when U.S. intelligence agencies become aware of a vulnerability in computer software or hardware, they should be required to inform the product’s vendor and work with it to eliminate the vulnerability.

The private sector is not only stepping up its defensive measures against hacking but also going after hackers directly, rather than leaving this work to law enforcement as has been the practice. Google is suing two Russia-based individuals for using a massive network of hacked computers for a range of criminal activity. It is also working with other private companies to disable the computers used by the hackers. The hacked network has been tracked by law enforcement and cybersecurity experts for years and is estimated to include about a million Microsoft Windows-based computers around the globe. In cleaning up the damage that has been done and the vehicles the hackers used to spread their harmful software, Google has removed from the Internet about 63 million Google Docs, more than 1,000 Google accounts, and over 900 Google Cloud projects. Microsoft has also been active in this direct action, deleting from the Internet websites used by a China-based hacking group. [5]

I urge you to contact President Biden and thank him for his work to improve cybersecurity, including his efforts to create and implement a national cybersecurity plan. Ask him to continue this work and to do more to require private entities operating critical infrastructure to strengthen their cybersecurity. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I also urge you to let your U.S. Representative and Senators know that you support strong steps to improve cybersecurity, including requiring private businesses, especially those operating critical infrastructure or large aggregations of consumer data, to take meaningful steps to improve their cybersecurity. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

My next post will provide an overview of the Biden Administration’s efforts to combat ransomware attacks, address cybersecurity internationally, and protect civilians from harm from cyberwarfare.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., 2021, see above, page 397

[3]      Perlroth, N., 2021, see above, page 398-399

[4]      De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post

[5]      De Vynck, G., 12/8/21, “Google sues hackers tied to vast ring of infected devices,” The Boston Globe from the Washington Post

CYBERWARFARE: RUSSIA’S ATTACKS ON THE 2018 AND 2020 ELECTIONS AND THE TRUMP ADMINISTRATION’S RESPONSE

This is my seventh post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response. The sixth post described Russia’s cyberattack on the 2016 U.S. election.

This post summarizes Russia’s attacks on the 2018 and 2020 U.S. elections and the responses of the Trump and Biden administrations.

Under the Trump Administration, concern for cyberwarfare and cybercrime seemed absent. For example, the Obama Administration had reached an agreement with China to stop its industrial espionage; however, this ended when Trump began his very public trade war with China. Similarly, the Iran nuclear agreement worked to keep Iranian hackers at bay. Trump’s voiding of the nuclear deal resulted in levels of Iranian cyberattacks that were unprecedented. Furthermore, as Trump backed off both sanctions and rhetoric against Russia for its hacking and election interference, Russia continued to hack our election systems and infrastructure, as well as to spread division, distrust, and chaos through social and other media. Even Saudi Arabia, with no sanctions from the Trump Administration for its murder of Washington Post journalist Khashoggi, was emboldened to engage in cyber espionage targeting the U.S. Cybercriminals engaged in ransomware attacks on cities, towns, and other infrastructure with regularity – and with little response from the Trump Administration.

By 2018, Trump had eliminated the position of White House cybersecurity coordinator and had made it clear that he never wanted to hear anyone in his administration, including the director of Homeland Security, mention election interference or election security. As the 2018 elections approached, the Russian social media propaganda agency, the Internet Research Agency (IRA), was engaging in sophisticated election disinformation on social media. In the six months before the elections, it spent at least $10 million on its efforts to influence the U.S. elections and to sow division, distrust, and chaos.

Fortunately, in September 2018, Trump had ceded decision-making for offensive cyberattacks to the new director of the NSA, General Paul Nakasone, who also served as the head of the Pentagon’s Cyber Command. John Bolton, in his brief tenure as Trump’s national security advisor, had developed a new cyber strategy that gave the Cyber Command increased flexibility. So, in October, the Cyber Command posted warnings directly to the IRA’s computers threatening indictments and sanctions if Russia continued to meddle in the 2018 elections. Then, on Election Day, the Cyber Command shut down the Russian hackers’ computer servers and kept them offline for several days as votes were tabulated and certified. No one knows what might have happened if the Cyber Command had not done this, but the 2018 election results were processed without any serious glitches.

“By 2020, the U.S. was in the most precarious position it had ever been in the digital realm,” according to Perlroth. [2] More than 1,000 local governments had been hit with ransomware attacks over the previous year. Russian cybercriminals were getting billions of dollars because local governments and their insurers calculated that it was cheaper to pay the ransom than to have to recreate computer systems and data. Cybersecurity experts worried that the ransomware attacks were a smokescreen to probe municipal computers and develop the capability to disrupt voter and election related systems during the 2020 election. Some of these experts also thought the election hacking and interference in 2016 and 2018 might be trial runs for more extensive efforts planned for the 2020 elections. Apart from the elections, in September 2020, over 400 hospitals were the subject of ransomware attacks, coming, of course, at the worst possible time – in the middle of the pandemic.

In Congress, a number of efforts were made to address concerns about election security, including bills requiring paper trails for every ballot and rigorous post-election audits, banning voting machines from being connected to the Internet, and mandating that campaigns report contacts with foreign entities. These were largely uncontroversial security measures that generally had bipartisan support and were deemed critical by election integrity experts. However, Senator Mitch McConnell, the Republican Majority Leader, refused to let any election security bill move forward toward passage. Only after critics took to calling him “Moscow Mitch” did he relent and begrudgingly allow approval of $250 million to help states protect election infrastructure – a tiny amount of money when split among the 50 states (only $5 million each on average), especially given the seriousness of the threats their election systems were facing.

In early 2020, U.S. intelligence officials warned the White House and Congress that Russian hacking and election interference efforts were working hard to promote Trump’s re-election. Trump was so incensed that this information had been shared with Democrats that he fired his acting director of national intelligence and publicly dismissed the intelligence findings as misinformation. Beginning in August, Trump’s new head of intelligence refused to provide in-person briefings on election interference to Congress. The U.S. intelligence agencies had always been non-partisan, but the Trump administration increasingly manipulated the agencies’ actions and statements to serve its own political interests. Meanwhile, Microsoft revealed that in one two-week period Russian hackers had attempted to access 6,900 personal email accounts of politicians, campaign workers, and consultants of both parties.

During the 2020 election cycle, the Russians didn’t have to create “fake news” to foster distrust, division, and chaos; Americans, including President Trump, were providing plenty of such content on a daily basis. The Russian trolls simply worked to amplify, among other things, the vaccination debate, the lockdown protests, the misinformation about the benefits of mask wearing, and the blaming of the racial justice protests and any violence that occurred on violent, left-wing radicals.

As the 2020 election approached, the Cyber Command, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security, the NSA, and the FBI worked diligently to protect election infrastructure in the states and nationally, as well as to actively counterattack. Many of the officials involved figured it was likely that Trump would fire them for their hard work as soon as the election was over, but they persisted in doing their jobs. On Election Day, CISA officials briefed reporters every three hours and, in the end, Election Day came and went with no evidence of fraud, outside efforts to alter vote tallies, or even a ransomware attack.

Perlroth notes that while she would like to credit the work of our cybersecurity agencies for the uneventful Election Day, she feels that the 2020 election went as smoothly as it did, not because the Russians were deterred, but because they (and specifically Russian President Putin) concluded that their work here was done and had been successful. Discord, distrust, and chaos were being created by American actors without the need for Russian interference. If Putin’s goal, in the U.S. elections and otherwise, was to undermine American democracy and American influence in world diplomacy, he had probably succeeded beyond his wildest dreams.

Nonetheless, Russian cyber hacking continues. In 2020, Russia’s premier intelligence agency, the SVR, was responsible for the cyberattack via the SolarWinds security software, a highly sophisticated attack that affected many government agencies and large companies. It gave the Russians access to tens of thousands of users’ computer systems. (By the way, the SVR was also the first hacker to gain access to the Democratic National Committee’s computers in 2016.)

In October 2021, the Russians engaged in another massive campaign to hack into computer networks in the U.S. Microsoft announced that it had notified 600 organizations that they had been targeted by SVR with about 23,000 attempts to illegally access their computer systems in October alone. It noted that the attacks were relatively unsophisticated and were or could have been blocked by basic cybersecurity practices. It also stated that, for comparison, there had been only 20,500 such attempts by all other international governmental actors over the past three years. [3]

This Russian cyberattack occurred only six months after President Biden imposed sanctions on Russian financial and technology companies in April 2021 as punishment for previous cyberattacks. At the time, he noted that the sanctions could have been more severe but that he was trying to de-escalate confrontation between the two superpowers.

My next post will review things that can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021. page 347

[3]      Sanger, D.E., 10/26/21, “Russia tests US again with broad cybersurveillance,” The Boston Globe from The New York Times

CYBERWARFARE: RUSSIA’S ATTACK ON THE 2016 ELECTION

This is my sixth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response.

This post summarizes Russia’s attack on the 2016 U.S. election, which began in June 2014 when Russia sent two agents to the U.S. for a three-week reconnaissance tour to gather intelligence on U.S. politics and elections. Their report became the field guide for Russia’s interference in the 2016 election. Starting in 2014, the Russians tried to hack into voter registration and election systems in all 50 states. They are known to have succeeded in accessing Arizona’s and Illinois’s voter databases. In 2015 (and probably before then), the Russians aggressively hacked into computer networks at the State Department, White House, and Joint Chiefs of Staff of the Defense Department, although this was probably unrelated to the election and was just “routine” espionage. Occurring in the midst of the unprecedented and mind-boggling presidential campaign that was ongoing at the time, these cyberattacks got little coverage in the mainstream media.

Russia’s social media propaganda agency, known as the Internet Research Agency (IRA), had as its goal for the U.S. election in 2016 to “spread distrust toward the candidates and the political system in general. … [to create] division, distrust, and mayhem.” [2] In September 2014, the IRA created a Facebook group, Heart of Texas, focused on right-wing Texans that generated 5.5 million likes within a year. It also created another Facebook group, United Muslims of America. Then, among other things, it used these two Facebook groups to promote rallies and counter-rallies at the Islamic Center in Houston that led to real-world confrontations. The IRA used the stolen identities of Americans to make their work more credible, but nonetheless its cyber manipulators were surprised at how gullible and susceptible the Americans were to their Facebook disinformation.

Based on its success in Texas, the IRA began replicating this approach across the country, focusing on purple states. Its staffing grew to more than 80 people who were directed to “Use any opportunity to criticize Hillary and the rest (except Sanders and Trump – we support them)” according to leaked memos. [3] The IRA:

  • Communicated with Trump campaign volunteers.
  • Bought Facebook ads promoting Trump and attacking Clinton.
  • Promoted race-baiting and xenophobic messages.
  • Worked to suppress minority voter turnout and to encourage voting for third party candidates instead of for Clinton.
  • Paid an unwitting Florida Trump supporter to put a cage on a flatbed truck and paid an actress to dress up as Clinton and sit in the cage as Trump rally goers chanted “Lock her up!” Based on this success, they promoted similar rallies in other states.
  • Reached 126 million Facebook users and generated 288 million Twitter actions, which are staggering numbers given that 139 million people voted in the 2016 election.

In June 2016, it was discovered that two other Russian groups had hacked into the Democratic National Committee’s computer network months earlier, extracting and releasing embarrassing emails, among other things.

The Obama Administration, facing multi-faceted and snowballing Russian interference in the election, finally decided in the fall of 2016 that a strong bipartisan statement (so it wouldn’t appear political) was necessary. Top Homeland Security and FBI officials were sent to brief Congress. But the response from the Republicans was completely partisan. Republican Senate Majority Leader Mitch McConnell refused to warn Americans about Russia’s efforts to influence and undermine the 2016 elections. He refused to sign any bipartisan statement, argued (falsely) that the intelligence on the cyberattacks was wrong, and claimed (falsely) that this was all just Democratic partisan politics.

After the election, the Obama Administration imposed significant sanctions on the Russians, but they were too little and too late. Although there’s some argument over the ultimate impact of the Russians’ efforts, Perlroth concludes that the Russian actions may well have tipped the election to Trump. Black voter turnout declined sharply in 2016 for the first time in 20 years; Black voters were a constituency, and lower turnout an outcome, that the Russians had aggressively targeted. Black voter turnout fell from 66.6% in 2012 to 59.6% in 2016, its lowest level since 2000. This represented a decline of 765,000 votes when less than 80,000 votes in three key states determined the outcome of the election. Furthermore, Trump’s margin in each of these three key states – Wisconsin (22,800 votes, a 0.8% margin), Pennsylvania (44,300 votes, a 0.7% margin), and Michigan (10,700 votes, a 0.2% margin) – was less in each state than the vote for the Green Party candidate. This voting for third party candidates instead of Clinton was another outcome that the Russians had aggressively targeted. Given the closeness of the election, a relatively small change in either (let alone both) of Black voter turnout or the number of votes for the Green Party instead of for Clinton would have changed the outcome of the election – and both of these were factors that the Russians specifically worked to influence.

Subsequent posts will outline the Perlroth book’s reporting on:

  • Russia’s continuing cyberattacks on the 2018 and 2020 U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., see above, page 310

[3]      Perlroth, N., see above, page 311

CYBERWARFARE: GOOGLE’S RESPONSE TO CHINA’S ATTACK

This is my fifth post on computer hacking and cyberwarfare, all of which are part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine and the fourth post described China’s cyberattack on Google.

Google had begun doing business in China in 2006, agreeing to the censorship of search results that the government demanded. In 2009, it was still struggling to accommodate China’s increasingly draconian censorship rules. Nonetheless, China waged a cyberattack on Google in 2009 in an effort to make Google an unwitting accomplice in Chinese surveillance of dissidents. (See my previous post for more details about this cyberattack.)

In response, on January 12, 2010, Google publicly revealed the Chinese cyberattack and its decision to pull out of China, despite its being the largest and most sought-after market in the world. Fearing for its employees’ safety, it had briefed the State Department, and the U.S. embassy in Beijing was prepared to undertake a mass evacuation of Google’s Chinese employees and their families. Google shut down its Chinese operation and routed all Chinese Internet traffic to Hong Kong. In response, the Chinese government scrambled to censor and block Internet content flowing from Hong Kong, lambasted Google, denied involvement in the cyberattack, and accused the U.S. government of conducting an anti-China propaganda campaign. It permanently blocked Internet access to Google and three years later, under new President Xi Jinping, took over total control of the Internet in China.

The Chinese hackers who had executed the attack, having been outed, unplugged their Internet computer servers and abandoned their hacking tools. They abstained from hacking in the U.S. for a number of months, but one year later engaged in a sophisticated attack on RSA, the cybersecurity company that sold security services to, among others, high-profile defense contractors. Based on this successful attack, the Chinese hackers were able to infiltrate Lockheed Martin and thousands of other western companies including banks, automakers, chemical companies, law firms, non-profit organizations, and more. They stole billions of dollars’ worth of proprietary information, including military and trade secrets.

Back at Google, less than a year after the 2010 pullout, some executives began pushing to go back to doing business in China. As Google diversified its businesses and re-organized under the over-arching corporation Alphabet in 2015, re-entry into the Chinese market, with its 750 million Internet users, became a hot topic of debate. Ultimately, human rights, ethical considerations, and Google’s motto of “Don’t be evil” were overwhelmed by a focus on profits.

In 2016, Google established a new, artificial intelligence research center in Beijing and released some small-scale products, e.g., an app and a mobile game, into the Chinese market. Simultaneously, it was working on a search engine for the Chinese market, code-named Dragonfly, that met government censorship requirements. In August 2018, an employee leaked information about the work on Dragonfly. After protests by Google employees and others, the Dragonfly project was terminated in July 2019. Google does not offer a search engine in China at this time.

Google’s business ethics have been questioned not just for doing business in China, but for its behavior in the U.S. and elsewhere. It profits off sites that spread disinformation and conspiracy theories, and its YouTube subsidiary allows the spread of videos that harm the well-being of children. In Saudi Arabia, it hosted an app that allowed men to track and, thereby, control the movements of female family members.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CYBERWARFARE: CHINA’S ATTACK ON GOOGLE

This is my fourth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the U.S. National Security Agency (NSA) on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine.

This post summarizes China’s cyberwarfare and, in particular, its attack on Google. The Chinese government’s cyberwarfare initiatives use both army personnel and contracts with non-government hackers at Chinese universities and technology companies. This contracting with private hackers is similar to President Putin’s strategy in Russia, where cyberattacks had been outsourced to cybercriminals for years to give the government some marginally credible deniability of responsibility. As in Russia, many of the private hackers in China are likely to have been conscripted, rather than hired in the private market.

For years, the Chinese have been hacking into defense companies where they focus on stealing aerospace, missile, space, and satellite technologies, as well as nuclear propulsion and weapon information. They have also been hacking into a broad range of U.S. businesses and stealing intellectual property. A former Director of the NSA, Keith Alexander, called Chinese cyber theft the “greatest transfer of wealth in history.” [2]

In December 2009, now ancient history in the annals of cyber hacking, Google’s digital security team noticed an electronic intruder in their computer network. It was moving from computer to computer in what they called the fastest cyberattack they had ever seen. It had managed to breach what was one of the toughest digital security systems in existence at the time and was conducting a very sophisticated search across Google’s extensive computer network. As is often the case, the intruder’s access had been initiated by unsuspecting Google employees who had clicked on a link in a hacker’s phishing message. The link went to a website in Taiwan that put the hacker’s computer program, i.e., malware, onto the employee’s computer via a vulnerability in Microsoft’s Internet Explorer browser. The malware allowed the hacker to access the employee’s computer and Google’s network.

The attack was very sophisticated – the work of highly skilled, well-resourced hackers, not a small-time, individual cybercriminal. This was made clear by the hackers’ encrypting of their attacking computer program and obfuscating of their tracks, along with the expertise needed to use the Internet Explorer vulnerability.

Over a couple of weeks, Google assembled a team of 250 inside and outside security experts to counter the attack, and then determine who had attacked and what they were trying to accomplish. Team members worked 24/7 and December holiday vacations were canceled.

Eventually, the team’s work identified the attacker as a group under contract to the Chinese government. It was being monitored by the NSA, which had code-named it “Legion Yankee.” It was one of the most active of the more than two dozen Chinese hacking groups that the NSA monitored. These groups had attacked U.S. government agencies, technology companies, think tanks, and universities in attempts to steal intellectual property, military secrets, and correspondence.

As Google and outside security experts dug into the attack, they traced it back to Legion Yankee’s computer server and discovered that dozens of other U.S. companies had been attacked as well, including Adobe, Intel, Northrop Grumman, Dow Chemical, and Morgan Stanley. As Google tried to warn these other companies, they found it was hard to reach someone who would take their warning seriously and understand its implications. Many of the companies refused to acknowledge that their computer systems had been breached – not wanting the bad publicity.

Google and its outside experts also eventually figured out what the attacker was after: Google’s source code. This is the computer programming that runs the Google application – it’s what displays its screens when you access Google, it’s what runs the search engine and displays the results, it’s what determines what ads to show you and what to do when you click on an ad or search result, etc. Microsoft’s Windows computer operating system, which runs many of our computers, is probably the best-known example of source code, along with Apple’s Operating System (OS) or the Android software that runs your phone.

This kind of attack wasn’t about short-term gain, e.g., theft of money or information; this was a long-term strategy that could bear fruit immediately but also for years to come. The hackers would insert code into or change the programming of Google’s source code to allow them access to the information that was flowing through Google, to Gmail accounts, and also to the computers and networks that were using Google.

Ultimately, Google determined that the Chinese government wanted to change Google’s source code so it would have long-term access to any Gmail account and that its interest was in accessing the Gmail accounts of Chinese dissidents, including pro-democracy activists in Hong Kong, Tibetan and Uighur Muslim dissidents, pro-independence Taiwanese, the Dalai Lama, and others. In other words, China’s goal for its most sophisticated cyberattack capabilities was to be able to monitor, threaten, and thereby control its own people.

U.S. State Department officials would eventually connect Legion Yankee and the Google attack to the Chinese government’s top security official, Zhou Yongkang, and to Li Changchun, a member of China’s top ruling body (the Politburo Standing Committee) and China’s top propaganda official. Li had reportedly googled himself and was not happy with what he found and, therefore, ordered the attack on Google.

My next post will summarize Google’s response to the Chinese attack: it made a big splash by publicizing China’s attack and pulling out of the Chinese market completely in 2010 – only to re-enter the Chinese market in 2016. Subsequent posts will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021. page xix

CYBERWARFARE: RUSSIA’S ATTACKS ON UKRAINE AND USE OF NSA’S CYBER WEAPONS

This is my third post on computer hacking and cyberwarfare, part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on:

  • The scale of computer hacking, cybercrime, and cyberwarfare,
  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

My second post provided an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare weapons.

This post provides an overview of Russia’s cyberattacks on Ukraine. Russia is and has been a formidable and active player in espionage and international warfare since the 1950s Cold War, which Perlroth touches on as background for her reporting on cyberwarfare.

Not surprisingly then, Russia has been an early, active, and formidable participant in cyberwarfare. It has attacked Ukraine both to demonstrate its capabilities to the world and to display its ongoing displeasure with independence in Ukraine, which threw out the Russian puppet government in 2014. Russia’s cyberwarfare has interfered with Ukraine’s elections and its everyday life. In 2014, Russia planted disinformation during Ukraine’s election and engaged in serious cyber hacking of its election infrastructure. Ukrainian election officials discovered the hacking just before manipulated results would have been announced to the media. It was the most brazen cyberattack on a national election ever at the time.

For its next attack, on Christmas Eve in 2015, Russia’s cyber warriors flipped off circuit breakers in the Ukrainian power grid, turning off electricity for hundreds of thousands of people. They also shut off backup power in many locations and shut down emergency phone lines. Things were turned back on roughly six hours later, but the message and the capabilities were clear. This represented an escalation of cyberwarfare; no country had ever shut down another country’s civilian power grid before. A year later, Russia did it again, this time shutting down the power and heat in the Ukrainian capital of Kyiv.

On June 27, 2017, Russia launched another, much more devastating cyberattack on Ukraine, this time using weapons from the U.S. National Security Agency (NSA) that had been stolen and leaked in 2016 and 2017. (See my previous post for more details on this leak.) Russia specifically timed its attack to occur on Ukraine’s independence day to underscore its political message. The attack shut down government offices, trains, ATMs, the postal service, and almost all financial systems, so people couldn’t get paid, and electronic cash registers didn’t work, so people couldn’t buy anything, even food and gas. Even the radiation monitors at the Chernobyl nuclear disaster site were shut down. The attack destroyed the data on 80% of the computers in Ukraine. The damage was so severe that it took over two years for Ukraine to recover from this Russian cyberattack.

Not unexpectedly, the cyberweapons (i.e., malicious computer programming) that Russia used in the attack on Ukraine self-propagated through the Internet and other computer networks so that any company doing business in Ukraine was vulnerable. The cyberweapons shut down factories in Tasmania, destroyed vaccines at pharmaceutical companies Pfizer and Merck, infected FedEx’s computer systems, and brought the world’s biggest shipping company, Maersk, to a halt. The cyberweapons even spread back to Russia, destroying data at the giant, Russian government-owned oil company, Rosneft, and at the Russian steelmaker, Evraz.

When author Perlroth visited Ukraine in the winter of 2019, a year and a half after the attack, the damage estimate there was $10 billion and climbing, and significant disruption of daily life was still evident. Railroad and shipping systems were still not back to normal, pension checks still hadn’t been received, and people were still trying to find packages that had gone missing when shipment tracking data was lost, for example. It was also estimated that the attack cost just Merck, FedEx, and all the other companies that were affected billions of dollars. Some insurers refused to pay for damages from this cyberattack, claiming it was an act of war and therefore fell under a war exemption clause in their policies.

This Russian cyberattack made it clear that cyberweapons are weapons of mass destruction. Russia could have done much worse. It could have crashed trains and planes instead of just disabling scheduling, ticketing, and payment systems. It could have created explosions or toxic incidents at manufacturing plants or nuclear power plants.

Some experts believe Russia used the NSA’s tools in this attack to discredit and expose the NSA and the U.S. government. Others believe Russia was just using this attack, and the earlier ones in Ukraine, to test its capabilities and prepare or signal its capability to execute even more devastating attacks in the future. By the way, Russia has continued to harass Ukraine. For example, in 2019, it inundated Ukrainian Facebook accounts with anti-vaccination propaganda as the worst measles outbreak of recent times spread there.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CYBERSECURITY AND THE DEVASTATING LEAK OF THE NSA’S CYBER TOOLS

My previous post on computer hacking and cyberwarfare began my overview of New York Times cybersecurity reporter Nicole Perlroth’s book, This Is How They Tell Me the World Ends. [1] My post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare, while also outlining two examples from the book:

  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

This post provides an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare tools.

After the September 11, 2001, attacks, the U.S. greatly expanded its electronic surveillance within the U.S. In 2013, Edward Snowden, a consultant for the NSA and a former CIA employee, released thousands of classified NSA documents. They described activities the NSA was engaged in, including mass surveillance of Americans. Among many other things, the documents revealed that the NSA was secretly surveilling users of Microsoft, Facebook, Google, and Yahoo and that in a single day it had collected roughly 445,000 Yahoo email address books, 105,000 from Hotmail, 83,000 from Facebook, 34,000 from Gmail, and 23,000 from other providers.

Snowden was charged with espionage. He left the country prior to releasing the NSA documents and is living in Russia under a grant of asylum. In 2020, a U.S. federal court ruled that the NSA’s mass surveillance program exposed by Snowden was illegal and possibly unconstitutional.

As a response to U.S. government surveillance and cyber hacking, software and hardware providers started offering users the ability to encrypt their data. Initially, intelligence agencies and law enforcement had ways to overcome the encryption and access the data, typically with the assistance of the product’s provider. Then in 2014, in the wake of the Snowden revelations, Apple announced that the iPhone 6 would automatically encrypt everything on the phone using the phone user’s unique password, making the data impossible to unencrypt by anyone else. Previously, Apple had a key that could unencrypt a user’s data when requested by law enforcement. The FBI and those running government surveillance programs were upset and concerned about this truly secure encryption, but there was strong support from users because they valued their privacy.

A year later, two terrorists, who had sworn allegiance to ISIS, shot and killed 14 people and injured 22 at the San Bernardino, CA, health department. The terrorists fled and were killed in a shootout within hours. One piece of evidence recovered was an encrypted iPhone. The FBI demanded that Apple unencrypt the phone, which apparently it could not, and also demanded that Apple change its software to allow the FBI to unencrypt data in the future. Apple refused, pointing out that if there was such a capability others would want access to it too and that hackers would be able to find it as well.

The FBI initiated a court case to force Apple to allow it access to iPhone data, but four months after the shooting it abruptly dropped the case. It turned out that an unidentified hacker had sold the FBI a way to overcome the encryption. Surprisingly, the FBI Director, Comey, admitted that it had paid the hacker at least $1.3 million for this capability. This was the first time the U.S. government had admitted to paying a hacker a large sum to give it access to a vulnerability in a widely used electronic device or piece of software. The FBI claimed that it did not know what the underlying flaw was and that it had no intention of letting Apple know so it could fix it.

Apple was correct, of course, in stating that any ability of the FBI or U.S. intelligence agencies to circumvent the encryption of users’ data would eventually be available to others, including those with less scrupulous intentions (assuming you believe U.S. intelligence agencies and the FBI always have scrupulous intentions). International adversaries and individual computer hackers are constantly uncovering computer software and hardware vulnerabilities. They use or sell these vulnerabilities to obtain unauthorized access to data, for use in international cyberwarfare, or for use for private gain through theft of money, trade secrets, or other valuable information. These computer vulnerabilities can also be used in ransomware attacks, where computer systems are disabled or data stolen for nefarious use unless a ransom is paid.

Probably the worst piece of news for the U.S. intelligence agencies in the history of cyberwarfare was the leak of the NSA’s tools and techniques in 2016 and 2017. While Snowden’s leaks revealed what the NSA was doing, these leaks revealed, in detail, specifically how it was doing its cyber espionage and cyberwarfare.

Over a nine-month period, an unknown individual or individuals leaked specific software vulnerabilities and the computer code the NSA was using to exploit them. These NSA hacking tools had been stolen and were now being released publicly on the Internet, sharing the world’s most powerful cyber arsenal with anyone and everyone who might want to use it. These NSA cyber weapons were used, for example, by North Korea in its global ransomware attack (described in my previous post) and by Russia in its devastating attack on Ukraine in 2017 (to be described in my next post).

The leak of the NSA’s cyber weapons exposed what was probably the biggest federal program the public had never heard of, a cyber espionage and warfare effort so classified it was invisible: hidden through blacked out budgets, large cash transactions, shell companies, contractors, and nondisclosure agreements required of everyone involved in it.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

THE COST, DAMAGE, AND THREAT OF CYBERCRIME AND WARFARE

The lines between computer hacking, cybercrime, and cyberwarfare are blurry. They are threats to our national security and also to you. At risk is not only your financial welfare and identity, but also your health and well-being. Cyberwarfare is at a level of threat that has similarities to nuclear weapons in that it can inflict major societal harm and is restrained or deterred only by the threat of retaliatory harm and damage, similar to the mutual assured destruction that deters nuclear war.

This is not an exaggeration, as the book by New York Times cybersecurity reporter, Nicole Perlroth, This Is How They Tell Me the World Ends, [1] makes clear in great detail. She presents the development and evolution of cyber hacking, crime, and warfare since she began reporting on it for the Times in 2013. She also puts it in an historical context of espionage going back to the Cold War and the 1950s and then outlines its transition from human agents to cyber capabilities over the last 40 years. I encourage you to read her 406-page, revealing, convincing, and downright scary book if you are so motivated. I will attempt to summarize it in this and subsequent blog posts.

The scale of computer hacking, cybercrime, and cyberwarfare is much greater than I had any idea it was. The costs to individuals, businesses, governments, and other organizations (such as hospitals) are enormous. A 2018 RAND Corporation report, the most comprehensive study of cyberattacks at the time, estimated that the worldwide losses for the year from cyberattacks were hundreds of billions of dollars. By comparison, the estimated cost of terrorist attacks in 2018 was just $33 billion. Some current estimates put the costs of cyberattacks at over $2 trillion a year and growing.

The number of ransomware attacks, where hackers prevent an organization from accessing its computer systems and data until a ransom is paid, more than doubled from 2019 to 2020, for example. [2] Much of this is done by cyber criminals looking to make money. However, back in May 2017, one of the cyber hacking tools stolen from the U.S. National Security Agency (NSA) (more on this in a subsequent post) was put to use by North Korea in ransomware attacks all around the globe. Within 24 hours, 200,000 organizations in 150 countries were attacked. For example, nearly 50 British hospitals were incapacitated as were Russian railroads and banks, Indian airlines, Germany’s railroads, Spain’s largest telecommunications company, Japanese police, South Korean movie theaters, many gas stations and universities in China, and small electric utilities and FedEx in the U.S. Russia and China suffered the most, partially because vulnerable, pirated software was widely used there.

The attack used a vulnerability in Microsoft’s Windows operating system that the NSA had discovered and exploited for years. When knowledge of it was stolen from the NSA and released publicly, the NSA notified Microsoft, but, needless to say, there was not enough time to fix the vulnerability (aka bug) and get the fix onto millions of customers’ computers before the vulnerability was exploited by North Korea and others. Exacerbating the problem, many customers are not always quick to install Microsoft’s Windows updates, particularly at companies using it on computers performing critical functions where software updates must be closely managed to minimize downtime. Making matters worse, many computers, including ones controlling critical infrastructure, were running an old version of Windows that Microsoft had stopped updating three years earlier. Now, Microsoft had to go back and update this software so its users wouldn’t be held hostage by cyberattacks from North Korea or run-of-the-mill cyber criminals.

Microsoft’s President, Brad Smith, was angry; this was not the first time the NSA had put Microsoft in this position. He publicly criticized the NSA for withholding the Windows vulnerability from Microsoft and then, when it became a problem, dumping it in Microsoft’s lap to fix on short notice. At the time, this story got short shrift in the U.S. media because of all the focus on the new Trump administration and the controversies it was generating. The administration was, however, quick to identify North Korea as the culprit, in stark contrast to its failure to out Russia for its cyberattacks, including its meddling in the 2016 U.S. election. (More on this in a subsequent post.)

Initially, government-sponsored cyber hacking, with the U.S. leading the pack, was used for espionage and surveillance of foreign governments and agents. The U.S. has multiple agencies spending billions of dollars developing and using cyber hacking capabilities. It has large teams of computer experts identifying vulnerabilities in computer software. Rather than alerting companies to the vulnerabilities in their products, U.S. intelligence agencies developed the software vulnerabilities into weapons for spying on adversaries (e.g., by stealing data from their computers). This use of cyber hacking is considered defensive as it is used to protect the U.S. and not to harm others.

The U.S. government also bought software vulnerabilities from private hackers who had discovered them, sometimes paying millions of dollars for them. Private computer hackers’ uncovering and selling of software vulnerabilities is a worldwide entrepreneurial business, given that any computer-savvy individual with a computer can do this.

However, as was probably inevitable, computer hacking shifted to being used offensively, to harm adversaries, given that it has the inherent capability to disrupt computer-controlled equipment and communications. In 2008 and 2009, the U.S. government, led by the NSA, probably with Israel’s participation, successfully executed a cyberwarfare attack on Iran’s nuclear enrichment plant. It damaged the centrifuges used to enrich uranium in order to delay Iran’s ability to generate enough, sufficiently enriched uranium to build an atomic bomb. Many experts view this attack as marking the shift of cyberwarfare from espionage and defensive uses to offensive uses.

After a cyberattack, given time, effort, and expertise, the target can almost always identify the source of the attack. So, when U.S. intelligence agencies say they “think” a cyberattack came from, say, Russia, they know that it came from Russia. Furthermore, they usually know what organization was behind the attack, although sometimes it can be difficult to ascertain whether it was a government-sponsored attack or private hackers physically located, say, in Russia (or China, Iran, or North Korea, etc.).

After the successful attack on its nuclear enrichment plant, Iran, not surprisingly, was looking for revenge. When it discovered the cyberattack, it also then had possession of the weapon – the software that had been used – and could turn it back on the attacker.

Furthermore, the weapon, as cyber weapons often do, spread itself out from the Iranian centrifuge plant over the Internet and around the globe, eventually reaching the U.S. and infecting computers at Chevron. Fortunately, because it was designed to specifically attack the Iranian centrifuges, it didn’t do a lot of damage at Chevron or at other sites it infected.

Despite this experience, the U.S. government continued to focus on its offensive cyberwarfare programs and largely ignored building cyber defenses. Surprisingly, it ignored the clear vulnerability of U.S. computers and systems to the types of attacks it was undertaking, despite the fact that the U.S. is more dependent on computers and the Internet than other countries, making the U.S. more vulnerable to a cyberattack than anyone else.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy,
  • Leaks from the NSA, including of its cyberwarfare tools,
  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post