FBI Data and Threat Website Hacked 

Hello and happy Thursday! This will be the last newsletter of 2022 as I prepare to take some time off with the family. I hope the holidays will be a special and restful time for you too! 

The FBI’s Information Sharing Portal Has Been Hacked 

Hackers have breached the FBI’s InfraGard website and are offering to sell the contact information of the site’s 80,000 members, according to journalist Brian Krebs. Adding insult to injury, the hackers have used a fake account of a real CEO to communicate directly with other users. 

InfraGard is a public-private partnership between the bureau and American business that allows participants to share cyber and physical threat information. It’s billed as a vetted “who’s who” of private sector leaders across industries, but particularly those who manage risk to the nation’s critical infrastructure. “InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads. 

The exposure was publicly disclosed in the cybercrime forum Breached in early December. The FBI confirms it is aware of the report but is saying only, “This is an ongoing situation, and we are not able to provide any additional information at this time.”  

Krebs contacted the hackers and got them to talk, and you can read their explanation of how they popped the website here. 

Here’s What I’m Thinking (HWIT): 

While it’s embarrassing, this isn’t a surprise. Anytime you have this many senior executives gathering in one place—especially those involved in critical infrastructure—it’s going to attract attention. Make it an FBI-run website and it becomes a target too sweet for some hackers to pass up. The leaked contact data itself is interesting, but the hackers in this circumstance also seem to be enjoying the sport of it all.  

Nevertheless, these partnerships are important. More than 75 percent of industrial control devices are vulnerable and unpatched, according to a new Microsoft study shared with the Washington Post. The devices are used to manage everything from energy grids to water treatment systems to telecommunications infrastructure. Because most of these systems are privately owned, the U.S. government cannot, and should not, unilaterally secure or manage them. But, if the private sector owners of these systems are going to manage their risk effectively, they need to receive and share threat information with each other and with the government quickly. So, we have systems like InfraGard. While sharing portals like this are far from perfect, they are essential. That’s why it’s best if the FBI dusts itself off, keeps InfraGard online, and, if it can, makes an example of the hackers who breached the site. 

New Rules on Former Intelligence Pros  

Earlier this year, Congress included an important provision in its 2022 Consolidated Appropriations Act, placing new restrictions on jobs former members of the U.S. intelligence community can pursue. These “Section 308” restrictions place a five-year ban on any former intelligence community personnel working for a foreign government or a private entity under the influence of a foreign government. 

HWIT: 

Section 308 is too broad. The new rules not only prohibit “direct or indirect employment,” but also “any provision of advice or service relating to national security, intelligence, the military, or internal security.” Even more, not only are foreign governments covered, but so is any private company whose efforts are “directly or indirectly supervised, directed, controlled, financed, or subsidized, in whole or in major part” by a foreign government. On their face both provisions make sense, but practically they place a huge burden on job seekers to gain a deep understanding of the ownership and financial structures of would-be employers. Commenting on this, Stewart Baker—a longtime national security official and the current chairman of the board for the Association of Foreign Intelligence Officers (AFIO)—asks the following: 

What does it mean, one might ask, for a company to be “indirectly … financed, or subsidized” by a foreign government? Does that include Airbus, notoriously subsidized by European governments? What about the Atlantic Council, also dependent on the donations of numerous governments? What about working for the independent subsidiaries created under Defense Department auspices to insulate U.S. defense contractors from the influence of foreign owners? Indeed, in many cases, it may not be possible to know whether a company is indirectly financed or supervised by a foreign government, at least not before taking the job. 

Don’t get me wrong, I’m all about protecting our nation’s secrets. But a 308 violation isn’t just a bureaucratic infraction, it’s a federal crime, and one that can be committed only by a former member of the IC. Which brings me to my other critique. 

Section 308 is also too narrow. These employment restrictions apply only to intelligence producers and not to intelligence consumers (policymakers, lawmakers, etc., in the legislative and executive branches). But many of these consumers have access to some of our nation’s most valuable secrets and, if the whole point is to protect intelligence sources and methods, they should be equally constrained by these rules. But they’re not. For example, ByteDance and TikTok have hired an army of former congressional members and staffers, including former Sens. Trent Lott and John Breaux, former Reps. Jeffrey Dunham and Barton Gordon, as well as at least 31 former staffers who, among others, worked for House Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, and Senate Majority Leader Chuck Schumer. You’re telling me there’s no national security or foreign policy risk here? Please. 

Three Encouragements 

It’s been a crazy year, and because this newsletter is all about technology and national security, things can get heavy sometimes. But as we close out the year, here are three brief encouragements to help us go into 2023 with some momentum. 

Pressure is mounting on TikTok. As of this writing, seven states have banned the Chinese-owned social media on government phones (Nebraska did this in 2020), 15 attorneys general are calling on Apple and Google to age-restrict TikTok because of the prevalence of mature content it serves up, and the state of Indiana is suing the company over the same data and mature content concerns. Also, Sen. Marco Rubio and Rep. Mike Gallagher have introduced a bill that would ban TikTok completely from the United States, saying, “This is about an app that is collecting data on tens of millions of American children and adults every day. We know it’s used to manipulate feeds and influence elections. We know it answers to the People’s Republic of China. There is no more time to waste on meaningless negotiations with a CCP-puppet company. It is time to ban Beijing-controlled TikTok for good.” Giddy-up. 

YMTC is going on the Entities List. You’ll remember that in October I explained how the Biden administration was adding several Chinese companies to the “unverified list” and that this was likely to result in these companies ending up on the U.S. Entities List. Well guess what? It’s happening and, according to the Financial Times, Chinese chipmaker YMTC is among the new inductees. In September I explained how Apple was planning to use YMTC as its main provider for Flash NAND memory chips and why I thought this was a bad idea. Well, not long after the White House added YMTC to the unverified list, Apple (to its credit) changed course and, with the chipmaker becoming an “entity,” we can all breathe a sigh of relief.  

Congress is passing a serious defense budget. My AEI colleague Mackenzie Eaglen explains in this post how Congress came through this year when it comes to building out our nation’s military capacity. First, she argues, by getting the authorization done before the end of the year, we avoided another “sequestration-like disaster.” The defense budget also expands shipbuilding, backfills munition stocks across the board, makes essential improvements to military facilities, and keeps essential manufacturing lines humming so that our defense industrial base can get back into fighting shape. While there’s always room for improvement, Congress and the administration have served the nation well with this latest budget for the Pentagon, and that’s something we can all be cheery about. 

Thanks again for a great 2022 and I hope you have a merry Christmas, happy holidays, and wonderful new year! 

That’s it for this edition of The Current. Be sure to comment on this post and to share this newsletter with your family, friends, and followers. You can also follow me on Twitter (@KlonKitchen). Thanks for taking the time!!