Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.
“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.
But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.
A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.
BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.
Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between Darkside and BlackMatter.
Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but that the total number of victims is likely to be significantly higher.
Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and touts stolen data, did not have an entry for Olympus at the time of publication.
Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. Until recently, the company built digital cameras and other electronics until it sold its struggling camera division in January.
Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”
Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.
Tech giants Apple, Google and Microsoft have pledged billions to bolster U.S. cybersecurity following a meeting with President Joe Biden at the White House on Wednesday.
The meeting, which also included attendees from the financial and education sectors, was held following months of high-profile cyberattacks against critical infrastructure and several U.S. government agencies, along with a glaring cybersecurity skills gap; according to data from CyberSeek, there are currently almost 500,000 cybersecurity jobs across the U.S that remain unfilled.
“Most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said at the start of the meeting. “I’ve invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”
In order to help the U.S. in its fight against a growing number of cyberattacks, Big Tech pledged to invest billions of dollars to strengthen cybersecurity defenses and to train skilled cybersecurity workers.
Apple has vowed to work with its 9,000-plus suppliers in the U.S. to drive “mass adoption” of multi-factor authentication and security training, according to the White House, as well as to establish a new program to drive continuous security improvements throughout the technology supply chain.
Google said it will invest more than $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and to enhance open source security. The search and ads giant has also pledged to train 100,000 Americans in fields like IT support and data analytics, learning in-demand skills including data privacy and security.
“Robust cybersecurity ultimately depends on having the people to implement it,” said Kent Walker, Google’s global affairs chief. “That includes people with digital skills capable of designing and executing cybersecurity solutions, as well as promoting awareness of cybersecurity risks and protocols among the broader population.”
And, Microsoft said it’s committing $20 billion to integrate cybersecurity by design and deliver “advanced security solutions.” It also announced that it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
Other attendees included Amazon Web Services (AWS), Amazon’s cloud computing arm, and IBM. The former has said it will make its security awareness training available to the public and equip all AWS customers with hardware multi-factor authentication devices, while IBM said it will help to train more than 150,000 people in cybersecurity skills over the next five years.
While many have welcomed Big Tech’s commitments, David Carroll, managing director at Nominet Cyber, told TechCrunch that these latest initiatives set a “powerful precedent” and show “the gloves are well and truly off” — some within the cybersecurity industry remain skeptical.
Following the announcement, some infosec veterans noted that many of the vacant cybersecurity jobs the U.S. is looking to fill fall behind on competitive salaries and few, if any, benefits.
“So 500,000 open cybersecurity jobs and almost that same amount or more looking for jobs,” said Khalilah Scott, founder of TechSecChix, a foundation for supporting women in technology, in a tweet. “Make it make sense.”
Later this year, Apple will roll out a technology that will allow the company to detect and report known child sexual abuse material to law enforcement in a way it says will preserve user privacy.
Apple told TechCrunch that the detection of child sexual abuse material (CSAM) is one of several new features aimed at better protecting the children who use its services from online harm, including filters to block potentially sexually explicit photos sent and received through a child’s iMessage account. Another feature will intervene when a user tries to search for CSAM-related terms through Siri and Search.
Most cloud services — Dropbox, Google, and Microsoft to name a few — already scan user files for content that might violate their terms of service or be potentially illegal, like CSAM. But Apple has long resisted scanning users’ files in the cloud by giving users the option to encrypt their data before it ever reaches Apple’s iCloud servers.
Apple said its new CSAM detection technology — NeuralHash — instead works on a user’s device, and can identify if a user uploads known child abuse imagery to iCloud without decrypting the images until a threshold is met and a sequence of checks to verify the content are cleared.
News of Apple’s effort leaked Wednesday when Matthew Green, a cryptography professor at Johns Hopkins University, revealed the existence of the new technology in a series of tweets. The news was met with some resistance from some security experts and privacy advocates, but also users who are accustomed to Apple’s approach to security and privacy that most other companies don’t have.
Apple is trying to calm fears by baking in privacy through multiple layers of encryption, fashioned in a way that requires multiple steps before it ever makes it into the hands of Apple’s final manual review.
NeuralHash will land in iOS 15 and macOS Monterey, slated to be released in the next month or two, and works by converting the photos on a user’s iPhone or Mac into a unique string of letters and numbers, known as a hash. Any time you modify an image slightly, it changes the hash and can prevent matching. Apple says NeuralHash tries to ensure that identical and visually similar images — such as cropped or edited images — result in the same hash.
Before an image is uploaded to iCloud Photos, those hashes are matched on the device against a database of known hashes of child abuse imagery, provided by child protection organizations like the National Center for Missing & Exploited Children (NCMEC) and others. NeuralHash uses a cryptographic technique called private set intersection to detect a hash match without revealing what the image is or alerting the user.
The results are uploaded to Apple but cannot be read on their own. Apple uses another cryptographic principle called threshold secret sharing that allows it only to decrypt the contents if a user crosses a threshold of known child abuse imagery in their iCloud Photos. Apple would not say what that threshold was, but said — for example — that if a secret is split into a thousand pieces and the threshold is ten images of child abuse content, the secret can be reconstructed from any of those ten images.
It’s at that point Apple can decrypt the matching images, manually verify the contents, disable a user’s account and report the imagery to NCMEC, which is then passed to law enforcement. Apple says this process is more privacy mindful than scanning files in the cloud as NeuralHash only searches for known and not new child abuse imagery. Apple said that there is a one in one trillion chance of a false positive, but there is an appeals process in place in the event an account is mistakenly flagged.
But despite the wide support of efforts to combat child sexual abuse, there is still a component of surveillance that many would feel uncomfortable handing over to an algorithm, and some security experts are calling for more public discussion before Apple rolls the technology out to users.
A big question is why now and not sooner. Apple said its privacy-preserving CSAM detection did not exist until now. But companies like Apple have also faced considerable pressure from the U.S. government and its allies to weaken or backdoor the encryption used to protect their users’ data to allow law enforcement to investigate serious crime.
Tech giants have refused efforts to backdoor their systems, but have faced resistance against efforts to further shut out government access. Although data stored in iCloud is encrypted in a way that even Apple cannot access it, Reuters reported last year that Apple dropped a plan for encrypting users’ full phone backups to iCloud after the FBI complained that it would harm investigations.
The news about Apple’s new CSAM detection tool, without public discussion, also sparked concerns that the technology could be abused to flood victims with child abuse imagery that could result in their account getting flagged and shuttered, but Apple downplayed the concerns and said a manual review would review the evidence for possible misuse.
Apple said NeuralHash will roll out in the U.S. at first, but would not say if, or when, it would be rolled out internationally. Until recently, companies like Facebook were forced to switch off its child abuse detection tools across the bloc after the practice was inadvertently banned. Apple said the feature is technically optional in that you don’t have to use iCloud Photos, but will be a requirement if users do. After all, your device belongs to you but Apple’s cloud does not.
The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.
The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.
Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”
Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization, a program operated by the GSA that ensures cloud services comply with a standardized set of security requirements designed to toughen the service from some of the most common threats. Without this authorization, federal agencies cannot use cloud products or technologies that are not cleared.
Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene since users were still affected by the vulnerabilities even after uninstalling Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company long claimed.
Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.
The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.
But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.
“GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.” Sen. Ron Wyden (D-OR)
“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”
In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.
“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”
Of the people we spoke with who have first-hand knowledge of the FedRAMP process, either as a government employee or as a company going through the certification, FedRAMP was described as a comprehensive but by no means an exhaustive list of checks that companies have to meet in order to meet the security requirements of the federal government.
Others said that the process had its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process was not a complete audit of a product’s source code but akin to a checklist of best practices and meeting compliance requirements. Much of it relies on trusting the vendor, said the person, describing it like ” an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by executive action taken by President Biden this week aimed at modernizing and improving the FedRAMP process.
Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.
The people said that companies going through the certification process have to provide highly technical details about the security of their product, which if exposed would almost certainly be damaging to the company. Knowing where security weaknesses might be could tip off cyber-criminals, one of the people said. Companies often spend millions on improving their security ahead of a FedRAMP audit but companies wouldn’t risk going through the certification if they thought their trade secrets would get leaked, they added.
When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.
GSA puts strict controls on who can access a FedRAMP security package. You need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached a GSA spokesperson would not explain how a member of Congress would obtain a company’s FedRAMP security package
“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:
“GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.”
GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.
Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”
Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.
Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.
Richard Branson’s Virgin Galactic went to space (or the vicinity of space) in a PR-suffused event over the weekend. It was all rather twee, packed with maudlin riffs about childhood dreams and riddled with hero worship. And the stream kept stuttering while some of the planned vehicle-to-Earth communications failed.
But the launch accomplished what it set out to do: A few folks made it to into zero gravity after launching their rocket-powered space plane from a larger aircraft, flipping it around at the top of its arc so that its passengers could get a good view of our home while floating. Then it came back to the surface and, we’re sure, much champagne was consumed.
In the aftermath of the event, lots of folks are pissed. Complaints have rolled in, dissing the event and generally mocking the expense involved when there are other issues to manage. A sampling follows. Note that these are merely illustrative examples of a general vibe. I have precisely zero beef with anyone in the following tweets or articles:
How’s this headline:
Branson, Musk, and Bezos who could tackle child hunger, climate change, racial injustice, health care, the rise of fascism etc and still be richer than 99.9999% of us choose to be narcissistic assholes and shoot their money into space.
The Biden administration is outlining new plans to combat domestic terrorism in light of the January 6 attack on the U.S. Capitol and social media companies have their own part to play.
The White House released a new national strategy on countering domestic terrorism Tuesday. The plan acknowledges the key role that online platforms play in bringing violent ideas into the mainstream, going as far as calling social media sites the “front lines” of the war on domestic terrorism.
“The widespread availability of domestic terrorist recruitment material online is a national security threat whose front lines are overwhelmingly private–sector online platforms, and we are committed to informing more effectively the escalating efforts by those platforms to secure those front lines,” the White House plan states.
The Biden administration committed to more information sharing with the tech sector to fight the tide of online extremism, part of a push to intervene well before extremists can organize violence. According to a fact sheet on the new domestic terror plan, the U.S. government will prioritize “increased information sharing with the technology sector,” specifically online platforms where extremism is incubated and organized.
“Continuing to enhance the domestic terrorism–related information offered to the private sector, especially the technology sector, will facilitate more robust efforts outside the government to counter terrorists’ abuse of Internet–based communications platforms to recruit others to engage in violence,” the White House plan states.
In remarks timed with the release of the domestic terror strategy, Attorney General Merrick Garland asserted that coordinating with the tech sector is “particularly important” for interrupting extremists who organize and recruit on online platforms and emphasized plans to share enhanced information on potential domestic terror threats.
In spite of the new initiatives, the Biden administration admits that that domestic terrorism recruitment material will inevitably remain available online, particularly on platforms that don’t prioritize its removal — like most social media platforms, prior to January 2021 — and on end-to-end encrypted apps, many of which saw an influx of users when social media companies cracked down on extremism in the U.S. earlier this year.
“Dealing with the supply is therefore necessary but not sufficient: we must address the demand too,” the White House plan states. “Today’s digital age requires an American population that can utilize essential aspects of Internet–based communications platforms while avoiding vulnerability to domestic terrorist recruitment and other harmful content.”
The Biden administration will also address vulnerability to online extremism through digital literacy programs, including “educational materials” and “skills–enhancing online games” designed to inoculate Americans against domestic extremism recruitment efforts, and presumably disinformation and misinformation more broadly.
The plan stops short of naming domestic terror elements like QAnon and the “Stop the Steal” movement specifically, though it acknowledges the range of ways domestic terror can manifest, from small informal groups to organized militias.
A report from the Office of the Director of National Intelligence in March observed the elevated threat to the U.S. that domestic terrorism poses in 2021, noting that domestic extremists leverage mainstream social media sites to recruit new members, organize in-person events and share materials that can lead to violence.
Xiaomi, one of China’s high-profile tech firms that fell in the crosshairs of the Trump administration, has been removed from a U.S. government blacklist that designated it as a Communist Chinese Military Company.
The U.S. District Court for the District of Columbia has vacated the Department of Defence’s designation of Xiaomi as a CCMC in January, a document filed on May 25 shows.
In February, Xiaomi sued the U.S. government over its inclusion in the military blacklist. In March, the D.C. court granted Xiaomi a preliminary injunction against the DoD designation, which would have forbidden all U.S. persons from purchasing or possessing Xiaomi’s securities, saying the decision was “arbitrary and capricious.” The ruling was made to prevent “irreparable harm” to the Chinese phone maker.
Xiaomi has this to say about getting off the blacklist:
The Company is grateful for the trust and support of its global users, partners, employees and shareholders. The Company reiterates that it is an open, transparent, publicly traded, independently operated and managed corporation. The Company will continue to provide reliable consumer electronics products and services to users, and to relentlessly build amazing products with honest prices to let everyone in the world enjoy a better life through innovative technology.
Xiaomi’s domestic competitor Huawei is still struggling with its inclusion in the U.S. trade blacklist, which bans it from accessing critical U.S. technologies and has crippled its smartphone sales around the world.
This story was reported in partnership with video surveillance news site IPVM.
At least a hundred U.S. counties, towns, and cities have bought China-made surveillance systems that the U.S. government has linked to human rights abuses, according to contract data seen by TechCrunch.
Some municipalities have spent tens of thousands of dollars or more to buy surveillance equipment made by two Chinese technology companies, Hikvision and Dahua, after the companies were added to the U.S. government’s economic backlist in 2019 after the companies were linked to China’s ongoing efforts to suppress ethnic minorities in Xinjiang, where most Uighur Muslims live. Congress also banned U.S. federal agencies from buying new Hikvision and Dahua technology or renewing contracts over fears that it could help the Chinese government to conduct espionage.
But those federal actions broadly do not apply at the state and city level, allowing local governments to buy these China-made surveillance systems — including video cameras and thermal imaging scanners — largely uninhibited, so long as federal funds are not used to buy the equipment.
Details of the contracts were provided by GovSpend, which tracks federal and state government spending, to TechCrunch via IPVM, a leading news publication on video surveillance, which has followed the Hikvision and Dahua bans closely.
The biggest spender, according to the data and as previously reported by IPVM, showed that the Board of Education in Fayette County, Georgia spent $490,000 in August 2020 on dozens of Hikvision thermal cameras, used for temperature checks at its public schools.
A statement provided by Fayette County Public Schools spokesperson Melinda Berry-Dreisbach said the cameras were purchased from its longtime security vendor, authorized dealer for Hikvision. The statement did not address whether the Board of Education was aware of Hikvision’s links to human rights abuses. Berry-Dreisbach did not respond to our follow-up questions.
IPVM research found many thermal scanners, including Hikvision and Dahua models, produced inaccurate readings, prompting the U.S. Food and Drug Administration to issue a public health alert warning that misreported readings could present “potentially serious public health risks.”
Nash County in North Carolina, which has a population of 95,000 residents, spent more than $45,000 between September and December 2020 to buy Dahua thermal cameras. County Manager Zee Lamb forwarded emails that confirmed the purchases and that the gear was deployed at the county’s public schools, but did not comment.
The data also shows that the Parish of Jefferson in Louisiana, which includes part of the city of New Orleans, spent $35,000 on Hikvision surveillance cameras and video storage between October 2019 and September 2020. A parish spokesperson did not comment.
Only one municipality we contacted addressed the links between the technology they bought and human rights abuses. Kern County in California spent more than $15,000 on Hikvision surveillance cameras and video recording equipment in June 2020 for its probation department offices. The contract data showed a local vendor, Tel Tec Security, supplied the Hikvision technology to the county.
Ryan Alsop, chief administrative officer for Kern County, said he was “not familiar at all with the issues you’re referencing with regard to Hikvision,” when asked about Hikvision’s links to human rights abuses.
“Again, we didn’t contract with Hikvision, we contracted with Tel Tec Security,” said Alsop.
Kern County spent more than $15,000 on Hikvision equipment at its county probation service offices. (Data: GovSpend/supplied)
A spokesperson for the City of Hollywood in Florida, which spent close to $30,000 on Hikvision thermal cameras, said the Chinese technology maker “was the only major manufacturer with a viable solution that was ready for delivery; would serve the defined project scope; and was within the project budget.” The cameras were used to take employees’ body temperatures to curb the spread of COVID-19. The spokesperson did not address the links to human rights abuses but noted that the federal ban did not apply to the city.
Maya Wang, a senior researcher at Human Rights Watch, said a lack of privacy regulations at the local level contributed to municipalities buying this technology.
“One of the problems is that these kinds of cameras, regardless of the country of origin and regardless of whether or not they’re even linked to human rights abuses, have been introduced to various parts of the country — especially at state and city levels — without any kind of regulation to ensure that they comply with privacy standards,” said Wang in a call. “There is, again, no kind of regulatory framework to vet the companies based on their track record, whether or not they have abused human rights in their practices, such that we can evaluate or choose better companies, and encourage the ones with better privacy protections to win, essentially.”
Chief among the U.S. government’s allegations are that Beijing has relied heavily on Hikvision, Dahua, and others to supply the surveillance technology it uses to monitor the Uighur population as part of the government’s ongoing efforts to suppress the ethnic group, which it has repeatedly denied.
United Nations watchdogs say Beijing has detained more than a million Uighurs in internment camps in recent years as part of these efforts, which led to the U.S. blacklisting of the two surveillance technology makers.
In adding the companies to the government’s economic blacklist, the Commerce Department said Hikvision and Dahua “have been implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uighurs, Kazakhs, and other members of Muslim minority groups.” The Biden administration called the human rights abuses a “genocide.”
IPVM has also reported extensively on how the companies’ surveillance technology has been used to suppress the Uighurs. Dahua was found to have race detection in its code for providing “real-time Uighur warnings” to police.
Earlier this year, the Thomson Reuters Foundation found half of London’s councils and the largest 20 U.K. cities were using the technology linked to Uighur abuses. The Guardian also found that Hikvision surveillance technology was used in U.K. schools.
When reached, Dahua pointed to a blog post with a statement, and claimed that “contrary to some reporting in the media, our company has never developed any technology or solution that seeks to target a specific ethnic group.” The statement added: “Claims to the contrary are simply false and we are aware of no evidence that has ever been put forward to support such claims.”
Hikvision did not respond to a request for comment.
Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.
The UK government has intervened to trigger public interest scrutiny of chipmaker’s Nvidia’s planned to buy Arm Holdings.
The secretary of state for digital issues, Oliver Dowden, said today that the government wants to ensure that any national security implications of the semiconductor deal are explored.
Nvidia’s $40BN acquisition of UK-based Arm was announced last September but remains to be cleared by regulators.
The UK’s Competition and Markets Authority (CMA) began to solicit views on the proposed deal in January.
Domestic opposition to Nvidia’s plan has been swift, with one of the original Arm co-founders kicking off a campaign to ‘save Arm’ last year. Hermann Hauser warned that Arm’s acquisition by a U.S. entity would end its position as a company independent of U.S. interests — risking the U.K.’s economic sovereignty by surrendering its most powerful trade weapon.
The intervention by Department of Digital, Media, Culture and Sport (DCMS) — using statutory powers set out in the Enterprise Act 2002 — means the competition regulator has been instructed to begin a phase 1 investigation.
The CMA has a deadline of July 30 to submit its report to the secretary of state.
Commenting in a statement, Dowden said: “Following careful consideration of the proposed takeover of ARM, I have today issued an intervention notice on national security grounds. As a next step and to help me gather the relevant information, the UK’s independent competition authority will now prepare a report on the implications of the transaction, which will help inform any further decisions.”
“We want to support our thriving UK tech industry and welcome foreign investment but it is appropriate that we properly consider the national security implications of a transaction like this,” he added.
At the completion of the CMA’s phase 1 investigation Dowden will have an option to clear the deal, i.e. if no national security or competition concerns have been identified; or to clear it with remedies to address any identified concerns.
He could also refer the transaction for further scrutiny by instructing the CMA to carry out an in-depth phase 2 investigation.
After the phase 1 report has been submitted there is no set period when the secretary of state must make a decision on next steps — but DCMS notes that a decision should be made as soon as “reasonably practicable” to reduce uncertainty.
While Dowden’s intervention has been made on national security grounds, additional concerns have been raised about impact of an Nvidia take-over of Arm — specifically on U.K. jobs and on Arm’s open licensing model.
Nvidia sought to address those concerns last year, claiming it’s committed to Arm’s licensing model and pledging to expand the Cambridge, UK offices of Arm — saying it would create “a new global center of excellence in AI research” at the UK campus.
However it’s hard to see what commercial concessions could be offered to assuage concern over the ramifications of an Nvidia-owed Arm on the UK’s economic sovereignty. That’s because it’s a political risk, which would require a political solution to allay, such as at a treaty level — something which isn’t in Nvidia’s gift (alone) to give.
National security concerns are a rising operational risk for tech companies involved in the supply of cutting edge infrastructure, such as semiconductor design and next-gen networks — where a relative paucity of competitors not only limits market choice but amps up the political calculations.
Proposed mergers are one key flash point as market consolidation takes on an acute politico-economic dimension.
However tech companies’ operations are being more widely squeezed in the name of national security — such as, in recent years, the U.S. government’s attacks on China-based 5G infrastructure suppliers like Huawei, with former president Trump seeking to have the company barred from supplying next-gen networks not only within the U.S. but to national networks of Western allies.
Nor has (geo)political pressure been applied purely over key infrastructure companies in recent years; with Trump claiming a national security justification to try and shake down the Chinese-owned social networking company, TikTok — in another example that speaks to how tech tools are being coopted into wider geopolitical power-plays, fuelled by countries’ economic and political self-interest.
Elon Musk famously said any company relying on lidar is “doomed.” Tesla instead believes automated driving functions are built on visual recognition and is even working to remove the radar. China’s Xpeng begs to differ.
Founded in 2014, Xpeng is one of China’s most celebrated electric vehicle startups and went public when it was just six years old. Like Tesla, Xpeng sees automation as an integral part of its strategy; unlike the American giant, Xpeng uses a combination of radar, cameras, high-precision maps powered by Alibaba, localization systems developed in-house, and most recently, lidar to detect and predict road conditions.
“Lidar will provide the 3D drivable space and precise depth estimation to small moving obstacles even like kids and pets, and obviously, other pedestrians and the motorbikes which are a nightmare for anybody who’s working on driving,” Xinzhou Wu, who oversees Xpeng’s autonomous driving R&D center, said in an interview with TechCrunch.
“On top of that, we have the usual radar which gives you location and speed. Then you have the camera which has very rich, basic semantic information.”
Xpeng is adding lidar to its mass-produced EV model P5, which will begin delivering in the second half of this year. The car, a family sedan, will later be able to drive from point A to B based on a navigation route set by the driver on highways and certain urban roads in China that are covered by Alibaba’s maps. An older model without lidar already enables assisted driving on highways.
The system, called Navigation Guided Pilot, is benchmarked against Tesla’s Navigate On Autopilot, said Wu. It can, for example, automatically change lanes, enter or exit ramps, overtake other vehicles, and maneuver another car’s sudden cut-in, a common sight in China’s complex road conditions.
“The city is super hard compared to the highway but with lidar and precise perception capability, we will have essentially three layers of redundancy for sensing,” said Wu.
By definition, NGP is an advanced driver-assistance system (ADAS) as drivers still need to keep their hands on the wheel and take control at any time (Chinese laws don’t allow drivers to be hands-off on the road). The carmaker’s ambition is to remove the driver, that is, reach Level 4 autonomy two to four years from now, but real-life implementation will hinge on regulations, said Wu.
“But I’m not worried about that too much. I understand the Chinese government is actually the most flexible in terms of technology regulation.”
The lidar camp
Musk’s disdain for lidar stems from the high costs of the remote sensing method that uses lasers. In the early days, a lidar unit spinning on top of a robotaxi could cost as much as $100,000, said Wu.
“Right now, [the cost] is at least two orders low,” said Wu. After 13 years with Qualcomm in the U.S., Wu joined Xpeng in late 2018 to work on automating the company’s electric cars. He currently leads a core autonomous driving R&D team of 500 staff and said the force will double in headcount by the end of this year.
“Our next vehicle is targeting the economy class. I would say it’s mid-range in terms of price,” he said, referring to the firm’s new lidar-powered sedan.
The lidar sensors powering Xpeng come from Livox, a firm touting more affordable lidar and an affiliate of DJI, the Shenzhen-based drone giant. Xpeng’s headquarters is in the adjacent city of Guangzhou about 1.5 hours’ drive away.
Xpeng isn’t the only one embracing lidar. Nio, a Chinese rival to Xpeng targeting a more premium market, unveiled a lidar-powered car in January but the model won’t start production until 2022. Arcfox, a new EV brand of Chinese state-owned carmaker BAIC, recently said it would be launching an electric car equipped with Huawei’s lidar.
Musk recently hinted that Tesla may remove radar from production outright as it inches closer to pure vision based on camera and machine learning. The billionaire founder isn’t particularly a fan of Xpeng, which he alleged owned a copy of Tesla’s old source code.
In 2019, Tesla filed a lawsuit against Cao Guangzhi alleging that the former Tesla engineer stole trade secrets and brought them to Xpeng. XPeng has repeatedly denied any wrongdoing. Cao no longer works at Xpeng.
While Livox claims to be an independent entity “incubated” by DJI, a source told TechCrunch previously that it is just a “team within DJI” positioned as a separate company. The intention to distance from DJI comes as no one’s surprise as the drone maker is on the U.S. government’s Entity List, which has cut key suppliers off from a multitude of Chinese tech firms including Huawei.
Other critical parts that Xpeng uses include NVIDIA’s Xavier system-on-the-chip computing platform and Bosch’s iBooster brake system. Globally, the ongoing semiconductor shortage is pushing auto executives to ponder over future scenarios where self-driving cars become even more dependent on chips.
Xpeng is well aware of supply chain risks. “Basically, safety is very important,” said Wu. “It’s more than the tension between countries around the world right now. Covid-19 is also creating a lot of issues for some of the suppliers, so having redundancy in the suppliers is some strategy we are looking very closely at.”
Xpeng could have easily tapped the flurry of autonomous driving solution providers in China, including Pony.ai and WeRide in its backyard Guangzhou. Instead, Xpeng becomes their competitor, working on automation in-house and pledges to outrival the artificial intelligence startups.
“The availability of massive computing for cars at affordable costs and the fast dropping price of lidar is making the two camps really the same,” Wu said of the dynamics between EV makers and robotaxi startups.
“[The robotaxi companies] have to work very hard to find a path to a mass-production vehicle. If they don’t do that, two years from now, they will find the technology is already available in mass production and their value become will become much less than today’s,” he added.
“We know how to mass-produce a technology up to the safety requirement and the quarantine required of the auto industry. This is a super high bar for anybody wanting to survive.”
Xpeng has no plans of going visual-only. Options of automotive technologies like lidar are becoming cheaper and more abundant, so “why do we have to bind our hands right now and say camera only?” Wu asked.
“We have a lot of respect for Elon and his company. We wish them all the best. But we will, as Xiaopeng [founder of Xpeng] said in one of his famous speeches, compete in China and hopefully in the rest of the world as well with different technologies.”
5G, coupled with cloud computing and cabin intelligence, will accelerate Xpeng’s path to achieve full automation, though Wu couldn’t share much detail on how 5G is used. When unmanned driving is viable, Xpeng will explore “a lot of exciting features” that go into a car when the driver’s hands are freed. Xpeng’s electric SUV is already available in Norway, and the company is looking to further expand globally.
The U.S. government has cut trade ties to Myanmar, two months after the country’s military staged a coup overthrowing the country’s president and also its de-facto leader, Aung San Suu Kyi, and killed at least 200 protesters resulting from its offensive.
In a statement, U.S. Trade Representative Katherine Tai said the trade suspension would be “effective immediately” and will remain in place “until the return of a democratically elected government.”
“The United States supports the people of Burma in their efforts to restore a democratically elected government, which has been the foundation of Burma’s economic growth and reform,” said Tai. “The United States strongly condemns the Burmese security forces’ brutal violence against civilians. The killing of peaceful protestors, students, workers, labor leaders, medics, and children has shocked the conscience of the international community. These actions are a direct assault on the country’s transition to democracy and the efforts of the Burmese people to achieve a peaceful and prosperous future,” the statement read.
The trade suspension is designed to target the ruling military junta, but leaves millions of internet users across Myanmar in uncertainty as U.S. cloud and internet companies wrangle with the U.S. government order, at a time where protesters are struggling to stay online amid government-ordered internet shutdowns across the country.
Myanmar already blocked Facebook, Twitter, and Instagram “until further notice.”
Sanctions are designed to prevent the shipping of goods, money and certain services to other countries. Companies operating in the U.S. have to follow U.S. sanctions or face heavy financial penalties. ZTE pleaded guilty in 2017 to violating U.S. sanctions against Iran by knowingly shipping products to the country, and agreed to pay a near-$1 billion fine.
But cloud companies fall into a gray area and have different interpretations of the rules. Quartz reported in 2016 that internet users across Syria, Cuba, and Iran — all subject to U.S. trade sanctions — couldn’t access sites hosted by IBM, because the U.S. cloud host blocked visitors from those countries from accessing its services. Rackspace and Linode, two other large cloud providers, do not block internet traffic to users in embargoed countries but instead prevented users from those countries from signing up for their service.
Myamnar has about 17 million internet users, some 30% of the wider population. A spokesperson for the Office of the U.S. Trade Representative did not immediately return a request for comment.
Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.
The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.
Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, granting the attackers to steal data from a victim’s organization — such as email accounts and address books — and the ability to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable servers running on-premise Exchange 2013 and later.
Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.
Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”
Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.
The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”
The SPAC run is on for space startups, which have been relatively slow in their overall exit pace before the current special purpose acquisitions company merger craze got underway. Rocket Lab is the latest, and likely the most notable to jump on the trend, with a deal that will see it combine with a SPAC called Vector and subsequently list on the NASDAQ under the ticker RKLB, with the transaction expected to close in the second quarter of this year.
Rocket Lab, which got its start in New Zealand, and which still launches rockets there with its HQ now shifted to LA, will have a pro forma enterprise value of $4.1 billion via the transaction, with a total cash balance of $750 million once the deal goes through thanks to a PIPE of $470 million with funds invested via Vector, BlackRock and others. At close, existing Rocket Lab shareholders will retain 82% of the total equity in the combined company.
The launch company was founded in 2006, and is led by founder Peter Beck. In 2013, it opened its California headquarters, and it has already completed its first U.S. launch facility at Wallops Island, Virginia. The company’s Electron launch vehicle can carry small payloads to orbit, and is designed to cater to the growing small satellite market, with a focus on responsive and flexible launch options.
Rocket Lab has performed launches on behalf of the U.S. government, including national security payloads, and that’s a key revenue opportunity for it gown forward. Currently, it says it has a backlog of customers, with a projection that it will be ‘EBITDA positive’ in 2023 after adjustments, and fully cash-flow positive by 2024, with a projected run rate of over $1 billion in revenue by 2026.
The company has focused on increasing its ability to launch more frequently in a number of ways. It’s been steadily improving its production capacity, with a focus on its large automated carbon fiber production capabilities. It has also established its U.S. launch site, as mentioned, and will soon open its second launch pad at its existing New Zealand launch site, which is fully privately-owned by Rocket Lab itself. It’s also working on making its Electron vehicle partially reusable, which founder Beck says will help it turn around launches more quickly.
Finally, it has just announced a new heavier-lift launch vehicle called Neutron, with a launch payload capacity of 8 tons – around 16,000 lbs.
Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies.
Spokespeople for the agencies did not immediately respond to a request for comment, but did not deny the breach in remarks to the Post.
It’s believed NASA and the FAA are the two remaining unnamed agencies of the nine government agencies confirmed to have been breached by the attack. The other seven include the Departments of Commerce, Energy, Homeland Security, Justice, and State, the Treasury, and the National Institutes of Health, though it’s not believed the attackers breached their classified networks.
FireEye, Microsoft, and Malwarebytes were among a number of cybersecurity companies also breached as part of the attacks.
The Biden administration is reportedly preparing sanctions against Russia, in large part because of the hacking campaign, the Post also reported.
The attacks were discovered last year after FireEye raised the alarm about the hacking campaign after its own network was breached. Each victim was a customer of the U.S. software firm SolarWinds, whose network management tools are used across the federal government and Fortune 500 companies. The hackers broke into SolarWinds’ network, planted a backdoor in its software, and pushed the backdoor to customer networks with a tainted software update.
It wasn’t the only way in. The hackers are also said to have targeted other companies by breaking into other devices and appliances on their victims’ networks, as well as targeting Microsoft vendors to breach other customers’ networks.
Last week, Anne Neuberger, the former NSA cybersecurity director who last month was elevated to the White House’s National Security Council to serve as the deputy national security adviser for cyber and emerging technology, said that the attack took “months to plan and execute,” and will “take us some time to uncover this layer by layer.”
The insane saga of a potential forced sale of TikTok’s US operations is reportedly ending — another victim of the transition to methodical and rational policymaking that appears to be the boring new normal under the Presidency of Joe Biden.
Last fall, the U.S. government under President Donald Trump took a stab at “gangster capitalism” by trying to force the sale of TikTok to a group of buyers including Oracle and Walmart.
While the effort was doomed from the start, with TikTok’s parent company ByteDance winning most of the legal challenges to the government effort, a Rubicon had effectively been crossed where the U.S. government appeared willing to spend political capital to stymie the growth of a successful foreign business on its shores for the flimsiest of security reasons.
Now, The Wall Street Journal is reporting that the efforts by the U.S. government to push the deal forward “have been shelved indefinitely”, citing sources familiar with the process.
However, discussions between TikTok and U.S. national security officials are continuing because there are valid concerns around TikTok’s data collection and the potential for manipulation and censorship of content on the app.
In the meantime, the U.S. is taking a look at all of the potential threats to data privacy and security from intrusions by foreign governments or using tech developed overseas, according to Emily Horne, the spokeswoman for the National Security Council.
“We plan to develop a comprehensive approach to securing U.S. data that addresses the full range of threats we face,” Horne told the WSJ. “This includes the risk posed by Chinese apps and other software that operate in the U.S. In the coming months, we expect to review specific cases in light of a comprehensive understanding of the risks we face.”
Batteries are the latest landing pad for investors.
In the past week alone, two companies have announced plans to become publicly traded companies by merging with special purpose acquisition companies. European battery manufacturer FREYR said Friday it would become a publicly traded company through a special purpose acquisition vehicle with a valuation at $1.4 billion. Houston area startup Microvast announced Monday its own SPAC, at a $3 billion valuation.
A $4.4 billion combined valuation for two companies with a little over $100 million in revenue (FREYR has yet to manufacture a battery) would seem absurd were it not for the incredible demand for batteries that’s coming.
Legacy automakers like GM and Ford have committed billions of dollars to shifting their portfolios to electric models. GM said last year it will spend $27 billion over the next five years on the development of electric vehicles and automated technology. Meanwhile, a number of newer entrants are either preparing to begin production of their electric vehicles or scaling up. Rivian, for instance, will begin delivering its electric pickup truck this summer. The company has also been tapped by Amazon to build thousands of electric vans.
Meanwhile, some of the largest cities in the world are planning their own electrification initiatives. Shanghai is hoping to have electric vehicles represent roughly half of all new vehicle purchases by 2025 and all public buses, taxis, delivery trucks, and government vehicles will be zero-emission by the same period, according to research from the Royal Bank of Canada.
A potential windfall from China’s EV market is likely one reason for the significant investment into Microvast by investors including the Oshkosh Corp., a 100 year-old industrial vehicles manufacturer; the $8.67 trillion money management firm, BlackRock; Koch Strategic Platforms; and InterPrivate, a private equity fund manager. That’s because Microvast’s previous backers include CDH Investments and CITIC Securities, two of the most well-connected private equity and financial services firms in China.
So is the company’s focus on commercial and industrial vehicles. Microvast believes that the market for commercial electric vehicles could be $30 billion in the near term. Currently, commercial EV sales represent just 1.5% of the market, but that penetration is supposed to climb to 9% by 2025, according to the company.
“In 2008, we set out to power a mobility revolution by building disruptive battery technologies that would allow electric vehicles to compete with internal combustion engine vehicles,” said Microvast chief executive Yang Wu, in a statement. “Since that time we have launched three generations of battery technologies that have provided our customers with battery performance far superior to our competitors and that successfully satisfy, over many years of operation, the stringent requirements of commercial vehicle operators.”
Roughly 30,000 vehicles are using Microvast’s batteries and the investment in Microvast includes about $822 million in cash that will finance the expansion of its manufacturing capacity to hit 9 gigawatt hours by 2022. The money should help Microvast meet its contractual obligations which account for about $1.5 billion in total value, according to the company.
If Chinese investors stand to win big in the upcoming Microvast public offering, a clutch of American investors and one giant Japanese corporation are waiting expectantly for FREYR’s public offering. Northbridge Venture Partners, CRV, and Itochu Corp. are all going to see gains from FREYR’s exit — even if they’re not backers of the European company.
Those three firms, along with the International Finance Corp. are investors in 24m, the Boston-based startup licensing its technology to FREYR to make its batteries.
FREYR’s public offering will also be another win for Yet-Ming Chiang, a serial entrepreneur and professor who has a long and storied history of developing innovations in the battery and materials science industry.
The MIT professor has been working on sustainable technologies for the last two decades, first at the now-defunct battery startup A123 Systems and then with a slew of startups like the 3D printing company Desktop Metal; lithium-ion battery technology developer, 24m; the energy storage system designer, Form Energy; and Baseload Renewables, another early-stage energy storage startup.
Desktop Metal went public last year after it was acquired by a Special Purpose Acquisition Company, and now 24m is getting a potential boost from a big cash infusion into one of its European manufacturing partners, FREYR.
The Norwegian company, which has plans to build five modular battery manufacturing facilities around a site in its home country intends to develop up to 43 gigawatt hours of clean batteries over the next four years.
For FREYR chief executive Tom Jensen there were two main draws for the 24m technology. “It’s the production process itself,” said Jensen. “What they basically do is they mix the electrolyte with the active material, which allows them to make thicker electrodes and reduce the inactive materials in the battery. Beyond that, when you actually do that you remove the need fo a number of traditional production steps… Compared to conventional lithium battery production it reduces production from 15 steps to 5 steps.”
Those process efficiencies combined with the higher volumes of energy bearing material in the cell leads to a fundamental disruption in the battery production process.
Jensen said the company would need $2.5 billion to fully realize its plans, but that the float should get FREYR there. The company is merging with Alussa Energy Acquisition Corp. in a SPAC backed by investors including Koch Strategic Platforms, Glencore, Fidelity Management & Research Company LLC, Franklin Templeton, Sylebra Capital and Van Eck Associates.
All of these investments are necessary if the world is to meet targets for vehicle electrification on the timelines that have been established.
As the Royal Bank of Canada noted in a December report on the electric vehicle industry. “We estimate that globally, battery electric vehicles (BEVs) will represent ~3% of 2020 global demand, while plug-in hybrid-electric vehicles (PHEVs) will represent another ~1.3%,” according to RBC’s figures. “But we see robust growth off these low figures. By 2025, when growth is still primarily regulatory driven, we see ~11% BEV global penetration of new demand representing a ~40% CAGR from 2020’s levels and ~5% PHEV penetration representing a ~35% CAGR. By 2025, we see BEV penetration in Western Europe at ~20%, China at ~17.5%, and the US at 7%. Comparatively, we expect internal combustion engine (ICE) vehicles to grow (cyclically) at a 2% CAGR through 2025. On a pure unit basis, we see “peak ICE” in 2024.”
Instead it was a move to get to the basics of monitoring and accounting, of metrics and dashboards. While companies track their revenues and expenses and monitor for all sorts of risks, impacts from climate change and emissions aren’t tracked in the same way. Now, in the same way there are general principals for accounting for finance, there will be principals for accounting for the impact of climate through what’s called the social cost of carbon.
Among the flurry of paperwork coming from Biden’s desk were Executive Orders calling for a review of Trump era rule-making around the environment and the reinstitution of strict standards for fuel economy, methane emissions, appliance and building efficiency, and overall emissions. But even these steps are likely to pale in significance to the fifth section of the ninth executive order to be announced by the new White House.
That’s the section addressing the accounting for the benefits of reducing climate pollution. Until now, the U.S. government hasn’t had a framework for accounting for what it calls the “full costs of greenhouse gas emissions” by taking “global damages into account”.
All of this is part of a broad commitment to let data and science inform policymaking across government, according to the Biden Administration.
“It is, therefore, the policy of my Administration to listen to the science; to improve public health and protect our environment; to ensure access to clean air and water; to limit exposure to dangerous chemicals and pesticides; to hold polluters accountable, including those who disproportionately harm communities of color and low-income communities; to reduce greenhouse gas emissions; to bolster resilience to the impacts of climate change; to restore and expand our national treasures and monuments; and to prioritize both environmental justice and the creation of the well-paying union jobs necessary to deliver on these goals.”
The specific section of the order addressing accounting and accountability calls for a working group to come up with three metrics: the social cost of carbon (SCC), the social cost of nitrous oxide (SCN) and the social cost of methane (SCM) that will be used to estimate the monetized damages associated with increases in greenhouse gas emissions.
As the executive order notes, “[an] accurate social cost is essential for agencies to accurately determine the social benefits of reducing greenhouse gas emissions when conducting cost-benefit analyses of regulatory and other actions.” What the Administration is doing is attempting to provide a financial figure for the damages wrought by greenhouse gas emissions in terms of rising interest rates, and the destroyed farmland and infrastructure caused by natural disasters linked to global climate change.
These kinds of benchmarks aren’t flashy, but they are concrete ways to determine accountability. That accountability will become critical as the country takes steps to meet the targets set in the Paris Agreement. It also gives companies looking to address their emissions footprints an economic framework to point to as they talk to their investors and the public.
The initiative will include top leadership like the Chair of the Council of Economic Advisers, the director of the Office of Management and Budget and the Director of the Office of Science and Technology Policy (a position that Biden elevated to a cabinet level post).
Representatives from each of the major federal agencies overseeing the economy, national health, and the environment will be members of the working group along with the representatives or the National Climate Advisor and the Director of the National Economic Council.
While the rule-making is proceeding at the federal level, some startups are already developing services to help businesses monitor their emissions output.
Biden’s plan will have the various agencies and departments working quickly. The administration expects an interim SCC, SCN, and SCM within the next 30 days, which agencies will use when monetizing the value of changes in greenhouse gas emissions resulting from regulations and agency actions. The President wants final metrics will be published by January of next year.
The executive order also restored protections to national parks and lands that had been opened to oil and gas exploration and commercial activity under the Trump Administration and blocked the development of the Keystone Pipeline, which would have brought oil from Canadian tar sands into and through the U.S.
“The Keystone XL pipeline disserves the U.S. national interest. The United States and the world face a climate crisis. That crisis must be met with action on a scale and at a speed commensurate with the need to avoid setting the world on a dangerous, potentially catastrophic, climate trajectory. At home, we will combat the crisis with an ambitious plan to build back better, designed to both reduce harmful emissions and create good clean-energy jobs,” according to the text of the Executive Order. “The United States must be in a position to exercise vigorous climate leadership in order to achieve a significant increase in global climate action and put the world on a sustainable climate pathway. Leaving the Key`12stone XL pipeline permit in place would not be consistent with my Administration’s economic and climate imperatives.”
Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds .
The two have been hired as consultants to help the Texas-based software maker recover from a devastating breach by suspected Russian hackers, which used the company’s software to set backdoors in thousands of organizations and to infiltrate at least 10 U.S. federal agencies and several Fortune 500 businesses.
At least the Treasury, State and the Department of Energy have been confirmed breached, in what has been described as likely the most significant espionage campaign against the U.S. government in years. And while the U.S. government has already pinned the blame on Russia, the scale of the intrusions are not likely to be known for some time.
Krebs was one of the most senior cybersecurity officials in the U.S. government, most recently serving as the director of Homeland Security’s CISA cybersecurity advisory agency from 2018, until he was fired by President Trump for his efforts to debunk false election claims — many of which came from the president himself. Stamos, meanwhile, joined the Stanford Internet Observatory after holding senior cybersecurity positions at Facebook and Yahoo. He also consulted for Zoom amid a spate of security problems.
In an interview with the Financial Times, which broke the story, Krebs said it could take years before the hackers are ejected from infiltrated systems.
SolarWinds chief executive Sudhakar Ramakrishna acknowledged in a blog post that it had brought on the consultants to help the embattled company to be “transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements.”
The U.S. government says hackers “likely Russian in origin” are responsible for breaching the networks of at least 10 U.S. federal agencies and several major tech companies, including FireEye and Microsoft.
In a joint statement published Tuesday, the FBI, the NSA, and Homeland Security’s cybersecurity advisory unit, CISA, said that the government was “still working to understand the scope” of the breach, but that the breaches are likely an “intelligence gathering effort.”
The compromises are “ongoing,” the statement said.
The statement didn’t name the breached agencies, but the Treasury, State, and the Department of Energy are among those reported to be affected.
“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement said. “The [joint agency effort] will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people,”
News of the widespread espionage campaign emerged in early December after cybersecurity giant FireEye, normally the first company that cyberattack victims will call, discovered its own network had been breached. Soon after, it was reported that several government agencies had also been infiltrated.
All of the victims are customers of U.S. software firm SolarWinds, whose Orion network management tools are used across the U.S. government and Fortune 500 companies. FireEye said that hackers broke into SolarWinds’ network and pushed a tainted software update to its customers, allowing the hackers to easily break into any one of thousands of companies and agencies that installed the backdoored update.
Some 18,000 customers downloaded the backdoored software update, but the government’s joint statement said that it believes only a “much smaller number have been compromised by follow-on activity on their systems.”
Several news outlets have previously reported that the hacks were carried out by a Russian intelligence group known as APT 29, or Cozy Bear, which has been linked to several espionage-driven attacks, including attempting to steal coronavirus vaccine research.
Tuesday’s joint statement would be the first time the government acknowledged the likely culprit behind the campaign.
Russia had previously denied involvement with the hacks.
The U.S. government is one of the biggest spenders in the nascent space industry and the man who handles the money for the Air Force’s $16 billion checkbook wants startups to know that his door is open for them.
In all, Will Roper, the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, handles about $60 billion worth of budget for the Air Force — a mandate that includes spending money on the new tech initiatives the Air Force deems important.
Historically, the Department of Defense hasn’t been the greatest at working with startups — and many tech companies have been loath to work with the DoD. However, since much of modern civilian infrastructure is based on global positioning systems and other satellite technologies that fall under the Defense Department’s purview, those views on cooperation are changing on both sides.
“Space isn’t a quiet domain of communication and navigation and exploration anymore,” Roper told the audience at TechCrunch’s latest Sessions event, TC Sessions: Space 2020. “It’s increasingly becoming a hostile place… So we’re gearing up a new kind of competition the military side that could extend to space and that’s creating a lot of new space programs.”
Roper emphasized that the interest from the Air Force and the government more broadly extends well beyond offensive capabilities and military priorities. As space becomes an economic opportunity, Roper sees the Air Force as an engine for driving technology development forward in ways that have commercial benefits.
“It’s a great, great time for innovation in new technologies that could help the military, but we want to do more than just help the military. That’s the old thinking in the Pentagon . That’s all that would help us win the Cold War in the 20th Century, but it’s not going to help us in the 21st, where technology is globalized and accelerating,” Roper said.
“We want to find ways where our military mission and our funding can help accelerate commercial markets to so it’s competing on a much bigger stage. But we think it’s where we need to aspire to be, so that we’re playing the right catalyst role in this nation and with our partners around the world,” Roper said.
There are several programs that startups can tap to get those Federal dollars. Two of the easiest points of entry are through the AFWERX and its recently announced SpaceWERX arm focused entirely on space technology.
“These look like any tech company,” Roper told the audience at the TechCrunch event. “They’re outside our fence lines. They’re easy to walk into… Now you don’t have to know the mission, we will help you find the mission and the customer — the warfighter associated with it. It’s a great model because it keeps the company focuse don what they know best, which is their tech.”
Over the last three years, Roper estimated that the AFWERX program had brought 2300 companies into the Air Force and Space Force programs and most of them had never worked with the military before, he said.
Within AFWERX there are three programs that particularly relate to integrating startups into the procurement process, Roper said. One is the Spark program, which pairs military with private industry; one is the AFVentures program, which is designed to finance new innovations coming from private industry; and finally there’s the Prime program, which helps commercialize and certify technologies.
Roper pointed to the recent certification the Air Force gave to Joby Aviation for its flying cars. “So there’s a new military market that will hopefully generate a new commercial market,” Roper said.
In 2021, the Prime program will expand to space technologies, according to Roper.
As the demand for new tech grows, there’s no shortage of innovations Roper would like to see from private industry. From new autonomous innovations that could help co-pilot spacecraft to technology for refueling and in-space maneuverability, and reusable equipment from boosters to other components that can bring costs down.
Roper also acknowledged that the Pentagon has a long way to go to “hack the acquisition system” when it comes to dual use technologies.
Roper hopes to change that. “We want to use our military dollars, our mission, and potentially our certifications to help get you there without changing your core product,” he said. “If you succeed as a commercial success, then then we succeed as well, because now we’ve got a great tech partner, that hopefully we can continue to come to to solve problems in future. The thing that we’ll want to understand early on is how our military market and all those benefits I just mentioned, how can they help you get to commercial success? And what is it that we not need to do to pull you off that trajectory?”
Contracts with AFWERX are fixed price and progress as companies hit certain milestones on the product roadmap. These orders increase incrementally as the technology proves itself, so a contract could start with the delivery of a prototype, then experimental usage, then a commercial contract, then broad adoption. “What we’re looking to do is see if you can move the ball forward on your technology, and if you do, then we do another contract. We step you up our process,” Roper said.
Roper sees the project as nothing less than the evolution of the aerospace and defense industry.
“We have a lot of amazing companies today that helped build stealth bombers and space planes and all sorts of awesome stuff. They’re defense companies and we still need them,” Roper said. “What we’re hoping to help build in this century is a set fo new companies that are just tech companies. They’re not defense, purely, and they’re not commercial purely. They’re just technology companies and they do a bit of business on both sides.”
Lockheed Martin (LM), the US’s largest defence contractor will acquire Aerojet Rocketdyne (AR), a rocket engine and missile manufacturer, for $4.4 billion including debt and net cash, giving the company a larger stake in space and hypersonic technology. The move comes amid the context of increasing competition in the Space and Defence industries.
In a news release, the company said the proposed acquisition adds substantial expertise in propulsion to Lockheed Martin’s portfolio and that Aerojet Rocketdyne’s technologies were already ‘key components’ of Lockheed’s supply chain. It already uses Aerojet Rocketdyne’s propulsion systems in its aeronautics, missiles and fire control offerings.
Aerojet Rocketdyne’s 2019 revenues were approximately $2 billion. The company, headquartered in El Segundo, California, has nearly 5,000 employees and was formed in 2013 when GenCorp’s Aerojet and Pratt & Whitney Rocketdyne were merged. The company produces solid rocket motors as well as tactical and strategic missiles for the Defense Department.
AR makes the RL10 rocket engine that powers the upper stage of United Launch Alliance’s Delta 4 and Atlas 5 launch vehicles, and also produces the RS-25 engines for NASA’s Space Launch System.
The company’s move comes as it attempts to increase its propulsion capabilities to compete with new entrants such as SpaceX and Blue Origin for space contracts with the U.S. government. Meanwhile, rival Raytheon Co. is preparing to combine with United Technologies Corp to create an aerospace-and-defense giant.
Lockheed CEO James Taiclet said in a statement: “Acquiring Aerojet Rocketdyne will preserve and strengthen an essential component of the domestic defense industrial base and reduce costs for our customers and the American taxpayer.”
Aerojet’s CEO Eileen Drake said: “As part of Lockheed Martin, we will bring our advanced technologies together with their substantial expertise and resources to accelerate our shared purpose: enabling the defense of our nation and space exploration.”
The acquisition is expected to close in the second half of 2021 but will be subject to the usual requirement for approvals by regulators and Aerojet Rocketdyne’s stockholders.
Let’s preface this year’s predictions by acknowledging and admitting how hilariously wrong we were when this time last year we said that 2020 “showed promise.”
In fairness (almost) nobody saw a pandemic coming.
With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year.
The pandemic is, and remains, a global disaster of epic proportions that’s forced billions of people into lockdown, left economies in tatters with companies (including startups) struggling to stay afloat. The mass shifting of people working from home brought security challenges with it, like how to protect your workforce when employees are working outside the security perimeter of their offices. But it’s forced us to find and solve solutions to some of the most complex challenges, like pulling off a secure election and securing the supply chain for the vaccines that will bring our lives back to some semblance of normality.
With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year. This is what to expect.
Working from home has given hackers new avenues for attacks
The sudden lockdowns in March drove millions to work from home. But hackers quickly found new and interesting ways to target big companies by targeting the employees themselves. VPNs were a big target because of outstanding vulnerabilities that many companies didn’t bother to fix. Bugs in enterprise software left corporate networks open to attack. The flood of personal devices logging onto the network — and the influx of malware with it — introduced fresh havoc.
Sophos says that this mass decentralizing of the workforce has turned us all into our own IT departments. We have to patch our own computers, install security updates, and there’s no IT just down the hallway to ask if that’s a phishing email.
Companies are having to adjust to the cybersecurity challenges, since working from home is probably here to stay. Managed service providers, or outsourced IT departments, have a “huge opportunity to benefit from the work-from-home shift,” said Grayson Milbourne, security intelligence director at cybersecurity firm Webroot.
Ransomware has become more targeted and more difficult to escape
File-encrypting malware, or ransomware, is getting craftier and sneakier. Where traditional ransomware would encrypt and hold a victim’s files hostage in exchange for a ransom payout, the newer and more advanced strains first steal a victim’s files, encrypt the network and then threaten to publish the stolen files if the ransom isn’t paid.
This data-stealing ransomware makes escaping an attack far more difficult because a victim can’t just restore their systems from a backup (if there is one). CrowdStrike’s chief technology officer Michael Sentonas calls this new wave of ransomware “double extortion” because victims are forced to respond to the data breach as well.
The healthcare sector is under the closest guard because of the pandemic. Despite promises from some (but not all) ransomware groups that hospitals would not be deliberately targeted during the pandemic, medical practices were far from immune. 2020 saw several high profile attacks. A ransomware attack at Universal Health Services, one of the largest healthcare providers in the U.S., caused widespread disruption to its systems. Just last month U.S. Fertility confirmed a ransomware attack on its network.
These high-profile incidents are becoming more common because hackers are targeting their victims very carefully. These hyperfocused attacks require a lot more skill and effort but improve the hackers’ odds of landing a larger ransom — in some cases earning the hackers millions of dollars from a single attack.
“This coming year, these sophisticated cyberattacks will put enormous stress on the availability of services — in everything from rerouted healthcare services impacting patient care, to availability of online and mobile banking and finance platforms,” said Sentonas.
The FTC is ordering the companies behind many of the largest social and video platforms to explain how they use the treasure troves of data they harvest from users. Amazon, TikTok owner ByteDance, Facebook, WhatsApp, Discord, Reddit, Snap, Twitter and YouTube were all sent the order, with a deadline set 45 days from now.
The FTC’s focus is on how these companies “collect, use, and present personal information, their advertising and user engagement practices, and how their practices affect children and teens.” Four of the FTC’s commissioners voted in favor of the order, with Commissioner Noah Joshua Phillips dissenting.
“Despite their central role in our daily lives, the decisions that prominent online platforms make regarding consumers and consumer data remain shrouded in secrecy,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter and Christine S. Wilson said in a joint statement.
“… Policymakers and the public are in the dark about what social media and video streaming services do to capture and sell users’ data and attention. It is alarming that we still know so little about companies that know so much about us.”
The FTC’s new fact-finding mission is the latest federal action to put tech in its crosshairs, following last week’s news that the agency would sue Facebook over antitrust violations. The new order was issued under Section 6(b) of the FTC Act as a study of tech industry practices. It isn’t coupled with any law enforcement action, but that doesn’t preclude the agency from pursuing enforcement options with what it finds.
Last year the FTC signaled a deeper interest in tech, particularly on antitrust issues. The agency launched a purpose-built tech task force to monitor acquisitions and other potential competition-crushing behavior that raises red flags. In early 2020, the FTC launched an extensive separate study examining nearly a decade’s worth of acquisitions made by Alphabet, Amazon, Apple, Facebook and Microsoft.
Google researcher finds a major iPhone security bug, now fixed
What happens when you leave one of the best security researchers alone for six months? You get one of the most devastating vulnerabilities ever found in an iPhone — a bug so damaging that it can be exploited over-the-air and requires no interaction on the user’s part.
The AWDL bug under attack using a proof-of-concept exploit developed by a Google researcher. Image Credits: Ian Beer/Google Project Zero
The vulnerability was found in Apple Wireless Direct Link (AWDL), an important part of the iPhone’s software that among other things allows users to share files and photos over Wi-Fi through Apple’s AirDrop feature.
“AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity,” wrote Google’s Ian Beer in a tweet, who found the vulnerability in November and disclosed it to Apple, which pushed out a fix for iPhones and Macs in January.
But exploiting the bug allowed Beer to gain access to the underlying iPhone software using Wi-Fi to gain control of a vulnerable device — including the messages, emails and photos — as well as the camera and microphone — without alerting the user. Beer said that the bug could be exploited over “hundreds of meters or more,” depending on the hardware used to carry out the attack. But the good news is that there’s no evidence that malicious hackers have actively tried to exploit the bug.
News of the bug drew immediate attention, though Apple didn’t comment. NSA’s Rob Joyce said the bug find is “quite an accomplishment,” given that most iOS bugs require chaining multiple vulnerabilities together in order to get access to the underlying software.
Wow. An iOS exploit that doesn’t involve chaining multiple vulnerabilities together is quite an accomplishment. https://t.co/ZccMcVTIch
Another federal judge has issued a preliminary injunction against U.S. government restrictions that would have effectively banned TikTok from operating in the United States.
The ruling (embedded below) was made by U.S. District Court Judge Carl Nichols in a lawsuit filed by TikTok and ByteDance against President Donald Trump, Secretary of Commerce Wilbur Ross and the Commerce Department. Judge Nichols wrote the government “likely exceeded IEEPA’s [the International Emergency Economic Powers Act] express limitations as part of an agency action that was arbitrary and capricious.”
This is the second time a federal judge has issued an injunction against Trump administration restrictions that would have prevented U.S. companies, including internet hosting services, from transactions with TikTok and ByteDance. The first injunction was granted in October by U.S. District Court Judge Wendy Beetlestone, in a separate lawsuit brought against the President Trump and the U.S. Commerce Department by three TikTok creators.
In today’s ruling, Judge Nichols wrote TikTok and ByteDance are likely to succeed in their claims that Secretary Ross’ prohibitions against TikTok and ByteDance, which were originally supposed to go into effect on November 12, violated limits in the IEEPA and the Administrative Procedures Act.
ByteDance is also facing a divestiture order that would force it to sell TikTok’s U.S. operations. While it has reached a proposed agreement with Oracle and Walmart, ByteDance also asked the federal appeals court to vacate the order last month. On November 26, the Trump administration extended the order’s deadline to December 4, but allowed it to lapse without setting a new one.
In an email to TechCrunch, a TikTok spokesperson said, “We’re pleased that the court agreed with us and granted a preliminary injunction against all the prohibitions of the Executive Order. We’re focused on continuing to build TikTok as the home that 100 million Americans, including families and small businesses, rely upon for expression, connection, economic livelihood, and true joy.”
TechCrunch has also contacted the Commerce Department for comment.
To keep track of the often overlapping developments in ByteDance and TikTok’s fight with the U.S. government, we have compiled a comprehensive timeline and will keep it updated.
Launching things to space doesn’t have to mean firing a large rocket vertically using massive amounts of rocket-fuel powered thrust – startup Aevum breaks the mould in multiple ways, with an innovative launch vehicle design that combines uncrewed aircraft with horizontal take-off and landing capabilities, with a secondary stage that deploys at high altitude and can take small payloads the rest of the way to space.
Aevum’s model actually isn’t breaking much new ground in terms of its foundational technology, according to founder and CEO Jay Skylus, who I spoke to prior to today’s official unveiling of the startup’s Ravn X launch vehicle. Skylus, who previously worked for a range of space industry household names and startups including NASA, Boeing, Moon Express and Firefly, told me that the startup has focused primarily on making the most of existing available technologies to create a mostly reusable, fully automated small payload orbital delivery system.
To his point, Ravn X doesn’t look too dissimilar from existing jet aircraft, and bears obvious resemblance to the Predator line of UAVs already in use for terrestrial uncrewed flight. The vehicle is 80 feet long, and has a 60-foot wingspan, with a total max weight of 55,000 lbs including payload. 70% of the system is fully reusable today, and Skylus says that the goal is to iterate on that to the point where 95% of the launch system will be reusable in the relatively near future.
Image Credits: Aevum
Ravn X’s delivery system is design for rapid response delivery, and is able to get small satellites to orbit in as little as 180 minutes – with the capability of having it ready to fly and deliver another again fairly shortly after that. It uses traditional jet fuel, the same kind used on commercial airliners, and it can take off and land in “virtually any weather,” according to Skylus. It also takes off and lands on any 1-mile stretch of traditional aircraft runway, meaning it can theoretically use just about any active airport in the world as a launch and landing site.
One of they key defining differences of Aevum relative to other space launch startups is that what they’re presenting isn’t theoretical, or in development – the Ravn X already has paying customers, including over $1 billion in U.S. government contracts. It’s first mission is with the U.S. Space Force, the ASLON-45 small satellite launch mission (set for late 2021), and it also has a contract for 20 missions spanning 9 years with the U.S. Air Force Space and Missile Systems Center. Deliveries of Aevum’s production launch vehicles to its customers have already begun, in fact, Skylus says.
The U.S. Department of Defense has been actively pursuing space launch options that provide it with responsive, short turnaround launch capabilities for quite some time now. That’s the same goal that companies like Astra, which was originally looking to win the DARPA challenge for such systems (since expired) with its Rocket small launcher. Aevum’s system has the added advantage of being essentially fully compatible with existing airfield infrastructure – and also of not requiring that human pilots be involved or at risk at all, as they are with the superficially similar launch model espoused by Virgin Orbit.
Aevum isn’t just providing the Ravn X launcher, either; its goal is to handle end-to-end logistics for launch services, including payload transportation and integration, which are parts of the process that Skylus says are often overlooked or underserved by existing launch providers, and that many companies creating payloads also don’t realize are costly, complicated and time-consuming parts of actually delivering a working small satellite to orbit. The startup also isn’t “re-inventing the wheel” when it comes to its integration services – Skylus says they’re working with a range of existing partners who all already have proven experience doing this work but who haven’t previously had the motivation or the need to provide these kinds of services to the customers that Skylum sees coming online, both in the public and private sector.
The need isn’t for another SpaceX, Skylus says; rather, thanks to SpaceX, there’s a wealth of aerospace companies who previously worked almost exclusively with large government contracts and the one or two massive legacy rocket companies to put missions together. They’re now open to working with the greatly expanded market for orbital payloads, including small satellites that aim to provide cost-effective solutions in communications, environmental monitor, shipping and defense.
Aevum’s solution definitely sounds like it addresses a clear and present need, in a way that offers benefits in terms of risk profile, reusability, cost and flexibility. The company’s first active missions will obviously be watched closely, by potential customers and competitors alike.