Cyber Week in Review: March 29, 2024
OMB issues new draft guidance on AI for federal agencies
The U.S. Office of Management and Budget (OMB) issued new guidance on mitigating the risks posed by artificial intelligence on Thursday; the regulations will require all federal agencies to address the risks posed by algorithmic discrimination, test and report AI’s impact on the public, and support transparency, including by publishing a list of use cases for AI. The guidance will also require agencies to make model code and data publicly available, unless doing so would pose an undue risk to national security. If an AI system does not meet the standards set by OMB, it cannot be used unless the head of the respective agency applies for an exemption that describes why not implementing, or removing, such a system would “increase risks to safety or rights overall or would create an unacceptable impediment to critical agency operations.” All federal agencies will also be required to designate a Chief AI Officer and an AI Governance Board, which will be responsible for coordinating and governing the use of AI across their agencies. OMB was directed to create its guidance under Executive Order 14110, issued on October 30, 2023.
The United Kingdom and the United States accuse China of cyberattacks
The United Kingdom accused Chinese hackers of cyberattacks against both the Electoral Commission, the U.K. watchdog that oversees Britain's election integrity, and at least forty-three Members of Parliament. The Electoral Commission said that the names and addresses of 40 million registered voters, including overseas voters, were stolen between 2014 and 2022. Though the U.K. believes the hackers did not change any registration data and did not pose an imminent security threat, the Commission warned that the hackers could combine the stolen data with other public data to profile individuals. The deputy prime minister, Oliver Dowden, announced sanctions against two Chinese nationals and APT31, a Chinese hacking group believed to be behind the hack and known for targeting and spying on foreign government officials. The U.K. sanctions coincide with the U.S. Department of Justice's indictment against seven individuals involved in APT31, alleging that the company sent over 10,000 malicious emails to high-ranking U.S. government officials, targeted U.S. elections, and attempted to steal trade secrets. The United States also alleged that the spy company placed malware in America’s electrical grids and other pieces of critical infrastructure. The seven individuals indicted had previously been identified in a series of leaks by Intrusion Truth, a group known for doxing Chinese cyber espionage operators.
Meta created program to spy on Snapchat analytics in 2016
Facebook (now known as Meta) executives signed off on a program, dubbed Project Ghostbusters and later In-App Action Panel (IAAP), to break Snapchat’s encryption and gain access to its analytics. The program ran from 2016 to 2019 and used a virtual private network product, Onavo, to launch “man in the middle” attacks that bypassed Snapchat’s encryption and gave Facebook engineers access to Snapchat’s analytics. The project was approved at Facebook’s highest levels, although the level of involvement among senior executives beyond approving the project is unclear, with Facebook CEO Mark Zuckerberg writing in a 2016 email, “It seems important to figure out a new way to get reliable analytics about [Snapchat]… You should figure out how to do this.” The evidence of Project Ghostbusters came to light as part of a separate lawsuit, Klein v. Facebook Inc, over whether Facebook used its user data to illegally maintain its market dominance. The plaintiff attorneys in the Klein case argued that Facebook’s actions could amount to a violation of the federal Wiretap Act.
Apple, Meta, and Alphabet under investigation by European Commission for DMA non-compliance
The European Commission has announced a Digital Markets Act (DMA) non-compliance investigation against four companies classified as “gatekeepers,” meaning they provide a core internet platform or service that most consumers use: Amazon, Apple, Google's parent company Alphabet, and Meta. The investigation primarily examines: Apple’s anti-steering rules, which prevent app developers from linking to their own payment options; Alphabet’s steering in its Google Play store and its measures to prevent self-preferencing for results on Google Search; and Amazon’s possible preferencing of its products on the Amazon Store. Additionally, the investigation will examine Meta’s “pay or consent” model, which requires users to pay €9.99 a month to avoid ads. Executive Vice President of the European Commission for A Europe Fit for the Digital Age, Margrethe Vestager, stated that “Gatekeepers can no longer prevent their business users from informing their users within the app about cheaper options outside the gatekeeper's ecosystem.” The Commission will investigate within 12 months, and if any of the companies are found to have violated the DMA, the Commission can impose fines up to 10 percent of the company’s total worldwide turnover. This investigation follows the European Commission's recent $1.8 billion antitrust fine against Apple, the European Commission’s third biggest antitrust penalty.
Taiwan declares TikTok a national security threat
The Taiwanese government has classified TikTok as a national security threat, with Minister of Digital Affairs Audrey Tang calling it a “dangerous product.” During a legislative hearing, Tang stated that foreign adversaries, largely China, could influence and control the data collected from TikTok users in a way that posed a risk to Taiwan. Taiwan already banned TikTok from government agency devices and networks in December 2022, but Tang proposed additional amendments to the Cyber Security Management Act, the main cybersecurity legislation in Taiwan, that would allow the government to ban TikTok more widely, and stated that “the final decision will be made by the Cabinet after extensive consideration of opinions in the various sectors.” Taiwan’s Cabinet will consider a national ban on TikTok in the coming months. The Taiwanese government’s statement reflects concerns similar to those of the United States government regarding the dangers of TikTok’s algorithms; last week, the U.S. House of Representatives passed the Protecting Americans from Foreign Adversary Controlled Applications Act, which would require TikTok’s Chinese parent company ByteDance to divest from the company or face a ban on TikTok within the United States.
Cecilia Marrinan is the intern for the Digital and Cyberspace Policy Program.