Cybersecurity Weakness at U.S. Water Facilities Raises Concerns

[00:00:23] [SPEAKER_02]: Welcome to Tech News Briefing. It's Wednesday, October 2nd. I'm Zoe Thomas for The Wall Street Journal.

[00:00:30] [SPEAKER_02]: Epic Games claims that Google and Samsung colluded to keep third-party app stores off new phones. This is the latest antitrust lawsuit Epic has brought over app store issues. We'll tell you what's behind the allegations.

[00:00:46] [SPEAKER_02]: And then, the White House wants to boost cybersecurity for water facilities around the U.S. Our reporter James Rundle will tell us about a recent incident and why there are growing concerns about the need to act.

[00:01:03] [SPEAKER_02]: But first, Fortnite maker Epic Games says it filed an antitrust lawsuit against Google and Samsung, claiming the two tech giants secretly colluded and imposed quote,

[00:01:15] [SPEAKER_02]: onerous restrictions on new third-party app stores. Users of Samsung's newest smartphones have to take 21 steps to download a new app store, according to Epic, which has its own app marketplace.

[00:01:29] [SPEAKER_02]: This isn't the first battle Epic has had over app accessibility. Here to tell us more about this lawsuit and its possible impact is our reporter Sarah Needleman.

[00:01:39] [SPEAKER_02]: Sarah, what restrictions does Epic say Google and Samsung put in place?

[00:01:43] [SPEAKER_00]: They claim that the two companies colluded to make it so that when you buy one of Samsung's new phones, a feature is automatically turned on by default called auto blocker. And this feature prevents users from downloading alternative app stores.

[00:02:04] [SPEAKER_00]: So if you want to go ahead and download Epic's game store, for example, you would have to take a number of steps to find out where you can turn off that feature. Epic claims that there are a lot of warnings that try to scare people not to do it about potential malware.

[00:02:23] [SPEAKER_00]: And altogether, they claim it takes about 21 steps to turn the feature off and install a third party app, which they say is way too onerous for the average consumer. And that most people when they try even just installing a third party app, regardless of that blocker being on, it's a lot of friction. So people give up and therefore it's not really effective.

[00:02:44] [SPEAKER_00]: The other point I'd say is that Google Play comes preloaded on all Android smartphones outside of the US and Samsung is the world's largest Android smartphone maker. So we're talking about a very large market here.

[00:02:56] [SPEAKER_00]: How have Samsung and Google responded to the lawsuit?

[00:02:59] [SPEAKER_00]: We'll start with Samsung. They said that the company conducts its operations fairly and that they put something like auto blocker in place as part of its principles of security, privacy and user control, and also point out that users do have the option to disable the auto blocker at any time.

[00:03:17] [SPEAKER_00]: Google said that they think the lawsuit is meritless. And in the past, Google said that the protections it has in place are meant to safeguard users from malicious apps.

[00:03:26] [SPEAKER_00]: Epic's argued that malware isn't the issue here and that consumers should have the ability to make that choice of whether or not they think it's safe to download a third party app store.

[00:03:36] [SPEAKER_00]: And certainly Epic has argued that their app store is perfectly safe. So they don't believe the malware argument that both Samsung and Google have made. Google said that auto blocker is a Samsung product.

[00:03:48] [SPEAKER_02]: For listeners who don't remember, in 2020, Epic's game Fortnite was kicked off of Google's and Apple's app stores after Epic encouraged players to pay it directly for in-game purchases rather than using systems developed by the tech giants.

[00:04:04] [SPEAKER_02]: And that prompted Epic to file antitrust lawsuits against Google and Apple. What groundwork did those cases lay for this one and the situation that exists now?

[00:04:16] [SPEAKER_00]: In both of those cases, Epic alleged that the companies, both Google and Apple, use their dominant positions in the app store market to squeeze excess profits from app developers.

[00:04:26] [SPEAKER_00]: But Epic has a mixed success on that front. It did win its case against Google, but it mostly lost its case against Apple. And Apple has said that it plans to appeal that verdict. So basically, Epic is still in a pickle here because neither of them are really kind of backing down from keeping their app stores as the dominant place for people to go to download apps to their devices.

[00:04:51] [SPEAKER_02]: And Google is also appealing that ruling. All right, that was our reporter Sarah Needleman.

[00:04:58] [SPEAKER_02]: Coming up, fears about cybersecurity weakness at water facilities in the U.S. are growing. How prepared are the country's water plants? We'll tell you after the break.

[00:05:15] [SPEAKER_03]: Robert Half research indicates nine out of 10 hiring managers are having difficulty hiring. Robert Half is here to help. Our recruiting professionals utilize our proprietary AI to connect businesses with highly skilled talent. At Robert Half, we know talent. Visit roberthalf.com today.

[00:05:39] [SPEAKER_02]: Late last month, a water plant in Arkansas City, Kansas, switched its facility to manual operations after detecting what it called a quote, cybersecurity issue. The incident follows multiple cyber attacks on water facilities across the country.

[00:05:57] [SPEAKER_02]: And now the Biden administration is working on a new attempt to put in place cybersecurity standards for water systems after earlier efforts were met with pushback. Here to tell us more is James Rundle, a reporter for WSJ Pro Cybersecurity. So James, tell us more about this event in Arkansas City. What do we know?

[00:06:17] [SPEAKER_01]: Not very much, frankly. So there was a cyber incident at the city of Arkansas, which is in Kansas, water treatment facility, and it forced the plants to go into manual operations. I mean, they disconnected the systems and everything had to be done by hand out of an abundance of caution. The city manager said that the drinking supply is safe and nothing else is affected. But it's another warning shot across the bow for the water sector in general, which has been the target of attacks quite frequently over the last few years.

[00:06:42] [SPEAKER_02]: This isn't the first kind of attack like this. Can you tell us a little bit about why this is such a longstanding concern?

[00:06:48] [SPEAKER_01]: It's a real problem across the US and part of it is due to the way in which water systems are set up across the country, which is a mix of public ownership, private ownership, a lot of very large systems that serve big municipal areas such as New York City, a lot of very small ones that serve rural communities and such. Over 150,000 drinking water systems in the US alone, around 15,000 wastewater management systems. And the problem is that people just don't know who is operating what half the time.

[00:07:15] [SPEAKER_01]: When you talk to the Water Information Sharing and Analysis Center, which is designed to share threat intelligence among water facilities, they readily admit that they don't know. The federal government doesn't always know. The people who do know are at the state level, but it's very, very difficult to reach these people.

[00:07:30] [SPEAKER_01]: And then secondly, the problem is also that a lot of these places are critically under-resourced. Their job is to maintain pipes and provide water. It's not necessarily to invest in cybersecurity. They often think that they're too small to be a target of Iran or Russia or North Korea, but recent events have proved otherwise.

[00:07:45] [SPEAKER_01]: We don't know who targeted the facility in the city of Arkansas, but we do know from previous attacks in a suburb just outside of Pittsburgh, for instance, last year called Alequipa, which was targeted by an Iranian-backed group. Also in North Texas as well that these systems are the targets of nation state-backed actors.

[00:08:03] [SPEAKER_02]: What have the White House and the EPA done to get a handle on this and make sure that these water systems are safe?

[00:08:10] [SPEAKER_01]: So to their credit, they have tried. A couple years back, the EPA did try to introduce cybersecurity assessments as part of the annual mandatory sanitary audits that water systems have to perform every year. But that meant with a pretty significant opposition from this Attorney's General of states such as Iowa, Missouri, who said it would be onerous that the EPA overstepped their authority, that it would cost too much, and the EPA withdrew the rule as a result.

[00:08:34] [SPEAKER_01]: The White House hasn't quite let it go, though. They did send a letter out earlier this year to all 50 states asking the governors to perform risk assessments on their cybersecurity, their water systems. And Neuberger, the National Security Advisor for Cyber Emergency Technology, did say that she had around 40 responses back and they are working now to kind of look through them and see where they can perhaps take a second stab at introducing standards in the sector.

[00:08:57] [SPEAKER_02]: So are there any security standards right now?

[00:08:59] [SPEAKER_01]: Not really. A lot of these systems don't have dedicated IT staff either. The guy who runs the computers will be the guy who cuts the lawn on a Wednesday. And for them, they often use outsourced technology providers or just try and hope for the best, really.

[00:09:14] [SPEAKER_02]: Are attacks on water systems or water waste systems common, though?

[00:09:18] [SPEAKER_01]: Common in the sense that there have been some recently and probably enough to raise eyebrows, and potentially dangerous ones as well. There was an attempted breach at a water plant in Oldsmar in Florida back in 2021 where an engineer saw someone change the levels of lye in the drinking water to potentially lethal levels and then immediately corrected it. Thankfully, no one was hurt. But it does go to show that if you let your guard down, this could have potentially catastrophic consequences.

[00:09:41] [SPEAKER_02]: James, we talked about how the White House is planning a second attempt at cyber regulations for water systems. But zooming out, what are the challenges when it comes to regulating critical infrastructure like water?

[00:09:54] [SPEAKER_01]: The problem with instituting regulations for critical infrastructure sectors is that there are 16 of them. And they all have their own regulators, they all have their own stakeholders, they all have their own powerful lobby groups and political allies, some of whom don't necessarily want to see minimum standards in place. And you see the same thing happening in healthcare, you see the same thing happening in financial services, in other sectors as well.

[00:10:14] [SPEAKER_01]: It's just a very difficult, very complicated system that we have. And it takes a lot of diplomacy, a lot of time and a lot of efforts to convince people to get on board with it. But unfortunately, all it takes is one big breach to really convince everyone, but by then it's too late.

[00:10:27] [SPEAKER_02]: All right, that was our reporter James Rundle. And that's it for Tech News Briefing. Today's show was produced by Julie Chang with supervising producer Kathryn Millsop. I'm Zoe Thomas for The Wall Street Journal. We'll be back this afternoon with TNB Tech Minute. Thanks for listening.

[00:11:03] [SPEAKER_03]: OCI is the single platform for your infrastructure, database, application development and AI needs. Do more and spend less like Uber, 8x8 and Databricks Mosaic. Take a free test drive of OCI at oracle.com slash wallstreet. oracle.com slash wallstreet.