AI

California's Governor Just Vetoed Its Controversial AI Bill (techcrunch.com)

"California Governor Gavin Newsom has vetoed SB 1047, a high-profile bill that would have regulated the development of AI," reports TechCrunch. The bill "would have made companies that develop AI models liable for implementing safety protocols to prevent 'critical harms'." The rules would only have applied to models that cost at least $100 million and use 10^26 FLOPS (floating point operations, a measure of computation) during training.

SB 1047 was opposed by many in Silicon Valley, including companies like OpenAI, high-profile technologists like Meta's chief AI scientist Yann LeCun, and even Democratic politicians such as U.S. Congressman Ro Khanna. That said, the bill had also been amended based on suggestions by AI company Anthropic and other opponents.

In a statement about today's veto, Newsom said, "While well-intentioned, SB 1047 does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data. Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."

"Over the past 30 days, Governor Newsom signed 17 bills covering the deployment and regulation of GenAI technology..." according to a statement from the governor's office, "cracking down on deepfakes, requiring AI watermarking, protecting children and workers, and combating AI-generated misinformation... The Newsom Administration will also immediately engage academia to convene labor stakeholders and the private sector to explore approaches to use GenAI technology in the workplace."

In a separate statement the governor pointed out California "is home to 32 of the world's 50 leading AI companies," and warned that the bill "could give the public a false sense of security about controlling this fast-moving technology. Smaller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 — at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good..."

Interestingly, the Los Angeles Times reported that the vetoed bill had been supported by Mark Hamill, J.J. Abrams, and "more than 125 Hollywood actors, directors, producers, music artists and entertainment industry leaders" who signed a letter of support. (And that bill also cited the support of "over a hundred current and former employees of OpenAI, Google DeepMind, Anthropic, Meta, and xAI...")
Government

White House Agonizes Over UN Cybercrime Treaty (politico.com)

The United Nations is set to vote on a treaty later this year intended to create norms for fighting cybercrime -- and the Biden administration is fretting over whether to sign on. Politico: The uncertainty over the treaty stems from fears that countries including Russia, Iran and China could use the text as a guise for U.N. approval of their widespread surveillance measures and suppression of the digital rights of their citizens. If the United States chooses not to vote in favor of the treaty, it could become easier for these adversarial nations -- named by the Cybersecurity and Infrastructure Security Agency as the biggest state sponsors of cybercrime -- to take the lead on cyber issues in the future. And if the U.S. walks away from the negotiating table now, it could upset other nations that spent several years trying to nail down the global treaty with competing interests in mind.

While the treaty is not set for a vote during the U.N. General Assembly this week, it's a key topic of debate on the sidelines, following meetings in New York City last week, and committee meetings set for next month once the world's leaders depart. The treaty was troubled from its inception. A cybercrime convention was originally proposed by Russia, and the U.N. voted in late 2019 to start the process to draft it -- overruling objections by the U.S. and other Western nations. Those countries were worried Russia would use the agreement as an alternative to the Budapest Convention -- an existing accord on cybercrime administered by the Council of Europe, which Russia, China and Iran have not joined.

United States

Iranian Operatives Charged in the US With Hacking Donald Trump's Presidential Campaign (apnews.com)

The Justice Department unsealed criminal charges Friday against three Iranian operatives suspected of hacking Donald Trump's presidential campaign and disseminating stolen information to media organizations. From a report: The three accused hackers were employed by Iran's paramilitary Revolutionary Guard and their operation also targeted a broad swath of targets, including government officials, members of the media and non-governmental organizations, the Justice Department said.

The Trump campaign disclosed on Aug. 10 that it had been hacked and said Iranian actors had stolen and distributed sensitive internal documents. Multiple major news organizations that said they were leaked confidential information from inside the Trump campaign, including Politico, The New York Times and The Washington Post, declined to publish it.

Privacy

NIST Proposes Barring Some of the Most Nonsensical Password Rules (arstechnica.com)

Ars Technica's Dan Goodin reports: Last week, NIST released its second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully. It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance. A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember. Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there's no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.

The latest NIST guidelines now state that:
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

("Verifiers" is bureaucrat-speak for the entity that verifies an account holder's identity by corroborating the holder's authentication credentials. "CSPs," short for credential service providers, are trusted entities that assign or register authenticators to the account holder.) In previous versions of the guidelines, some of the rules used the words "should not," which means the practice is not recommended as a best practice. "Shall not," by contrast, means the practice must be barred for an organization to be in compliance.

Several other common sense practices mentioned in the document include:
1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
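As an added illustration (not code from the NIST draft or from Ars Technica), the following Python checker encodes the quoted SHALL/SHOULD statements as a policy object and contrasts it with a legacy policy of the kind the draft bars, including the truncation and scheduled-expiry behaviours the rules forbid. The policy field names, the sample passwords, the treatment of Unicode control code points as non-printing, and the PBKDF2 storage format are assumptions of this example.

```python
"""Password-acceptance and verification checks modelled on the SP 800-63-4
second-public-draft rules quoted above.  Added example; not NIST's or Ars
Technica's code.  Policy field names, the two sample policies and the test
passwords are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import unicodedata


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 15              # SHALL require >= 8, SHOULD require >= 15
    max_length: int = 64              # SHOULD permit at least 64
    allow_unicode: bool = True        # SHOULD accept Unicode, counted per code point
    composition_rules: bool = False   # SHALL NOT demand mixtures of character types
    rotation_days: Optional[int] = None  # SHALL NOT expire passwords on a schedule
    truncate_at: Optional[int] = None    # SHALL verify the entire password


NIST_DRAFT = PasswordPolicy()
# A legacy policy of the kind the draft bars, kept here only for contrast.
LEGACY = PasswordPolicy(min_length=8, max_length=16, allow_unicode=False,
                        composition_rules=True, rotation_days=90, truncate_at=8)


def policy_findings(policy: PasswordPolicy) -> List[str]:
    """Which of the quoted SHALL / SHOULD statements does this policy breach?"""
    findings = []
    if policy.min_length < 8:
        findings.append("SHALL require at least 8 characters")
    elif policy.min_length < 15:
        findings.append("SHOULD require at least 15 characters")
    if policy.max_length < 64:
        findings.append("SHOULD permit at least 64 characters")
    if not policy.allow_unicode:
        findings.append("SHOULD accept Unicode characters")
    if policy.composition_rules:
        findings.append("SHALL NOT impose composition rules")
    if policy.rotation_days is not None:
        findings.append("SHALL NOT require periodic changes")
    if policy.truncate_at is not None:
        findings.append("SHALL verify the entire password (no truncation)")
    return findings


def _is_printable(ch: str) -> bool:
    # All printing ASCII plus the space character; for non-ASCII, reject only
    # control code points (category Cc).  Treating controls as non-printing is
    # an assumption of this example, not wording from the draft.
    if ch.isascii():
        return " " <= ch <= "~"
    return unicodedata.category(ch) != "Cc"


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    length = len(password)  # str length counts code points, as the draft requires
    if length < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if length > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")
    if not policy.allow_unicode and not password.isascii():
        reasons.append("non-ASCII characters not accepted")
    if not all(_is_printable(ch) for ch in password):
        reasons.append("contains non-printing characters")
    if policy.composition_rules:  # the legacy "one of each class" demand
        classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
        if not all(classes):
            reasons.append("missing a required character class")
    return reasons


def change_required(days_since_change: int, compromise_evidence: bool,
                    policy: PasswordPolicy) -> bool:
    """Evidence of compromise always forces a change; the calendar alone never
    does under the draft, and does only under a legacy rotation policy."""
    if compromise_evidence:
        return True
    return policy.rotation_days is not None and days_since_change >= policy.rotation_days


def _digest(password: str, salt: bytes, policy: PasswordPolicy) -> bytes:
    # A truncating policy silently discards everything past truncate_at.
    material = password if policy.truncate_at is None else password[: policy.truncate_at]
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)


def enroll(password: str, policy: PasswordPolicy) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _digest(password, salt, policy)


def verify(submitted: str, salt: bytes, stored: bytes, policy: PasswordPolicy) -> bool:
    return hmac.compare_digest(_digest(submitted, salt, policy), stored)
```

Under LEGACY, a wrong password that shares its first eight characters with the enrolled one verifies successfully, which is exactly the failure rule 9 exists to prevent.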

Businesses

Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers (therecord.media)

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S.-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas.
Further reading: How Not To Hire a North Korean IT Spy
Government

US Justice Department Probes Super Micro Computer (yahoo.com)

According to the Wall Street Journal, the U.S. Department of Justice is investigating Super Micro Computer after short-seller Hindenburg Research alleged "accounting manipulation" at the AI server maker. Super Micro's shares fell about 12% following the report. Reuters reports: The WSJ report, which cited people familiar with the matter, said the probe was at an early stage and that a prosecutor at a U.S. attorney's office recently contacted people who may be holding relevant information. The prosecutor has asked for information that appeared to be connected to a former employee who accused the company of accounting violations, the report added.

Super Micro had late last month delayed filing its annual report, citing a need to assess "its internal controls over financial reporting," a day after Hindenburg disclosed a short position and made claims of "accounting manipulation." The short-seller had cited a three-month investigation that included interviews with former senior employees of Super Micro and litigation records. Hindenburg's allegations included evidence of undisclosed related-party transactions, failure to abide by export controls, among other issues. The company had denied Hindenburg's claims.

Security

Kaspersky Defends Stealth Swap of Antivirus Software on US Computers (techcrunch.com)

Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software.

Kaspersky spokesperson Francesco Tius told TechCrunch that the company informed eligible U.S. customers via email about the migration, which began in early September. Windows users experienced an automatic transition to ensure continuous protection, while Mac and mobile users were instructed to manually install UltraAV. Some customers expressed alarm at the unannounced software swap. Kaspersky blamed missed notifications on unregistered email addresses, directing users to in-app messages and an online FAQ. The abrupt change raises concerns about user autonomy and privacy in software updates, particularly as UltraAV lacks an established security track record.
Government

OpenAI Pitched White House On Unprecedented Data Center Buildout (yahoo.com)

An anonymous reader quotes a report from Bloomberg: OpenAI has pitched the Biden administration on the need for massive data centers that could each use as much power as entire cities, framing the unprecedented expansion as necessary to develop more advanced artificial intelligence models and compete with China. Following a recent meeting at the White House, which was attended by OpenAI Chief Executive Officer Sam Altman and other tech leaders, the startup shared a document with government officials outlining the economic and national security benefits of building 5-gigawatt data centers in various US states, based on an analysis the company engaged with outside experts on. To put that in context, 5 gigawatts is roughly the equivalent of five nuclear reactors, or enough to power almost 3 million homes. OpenAI said investing in these facilities would result in tens of thousands of new jobs, boost the gross domestic product and ensure the US can maintain its lead in AI development, according to the document, which was viewed by Bloomberg News. To achieve that, however, the US needs policies that support greater data center capacity, the document said. "Whatever we're talking about is not only something that's never been done, but I don't believe it's feasible as an engineer, as somebody who grew up in this," said Joe Dominguez, CEO of Constellation Energy Corp. "It's certainly not possible under a timeframe that's going to address national security and timing."
China

China-Linked Hackers Breach US Internet Providers in New 'Salt Typhoon' Cyberattack (msn.com)

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, WSJ reported Wednesday, citing people familiar with the matter. From the report: The hacking campaign, called Salt Typhoon by investigators, hasn't previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing's massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America's broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack. Last week, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure.

"The cyber threat posed by the Chinese government is massive," said Christopher Wray, the Federal Bureau of Investigation's director, speaking earlier this year at a security conference in Germany. "China's hacking program is larger than that of every other major nation, combined." U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China's actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.'s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

United States

Ancient US Air Traffic Control Systems Won't Get a Tech Refresh Before 2030 (theregister.com)

The FAA's air traffic control systems are significantly out of date and won't be updated until the 2030s, according to a report from the U.S. Government Accountability Office (GAO). The Register reports: In a report released Monday, the GAO said that 51 of the FAA's 138 ATC systems -- more than a third -- were unsustainable due to a lack of parts, shortfalls in funding to sustain them, or a lack of technology refresh funding to replace them. A further 54 systems were described as "potentially unsustainable" for similar reasons, with the added caveat that tech refresh funding was available to them. "FAA has 64 ongoing investments aimed at modernizing 90 of the 105 unsustainable and potentially unsustainable systems," the GAO said in its report. "However, the agency has been slow to modernize the most critical and at-risk systems."

The report said the seemingly perilous status of 17 systems was "especially concerning" as these are deemed to have critical operational impact at the same time as being unsustainable and having extended completion dates -- the first of them won't be modernized until 2030 at the earliest. Others aren't planned to be complete until 2035, and four of the 17 "most critical and at-risk FAA ATC systems" have no modernization plans at all. Of the systems on the list, two are more than 40 years old, and a further seven have been in service for more than 30 years.

Bitcoin

Caroline Ellison Sentenced To Two Years In Jail For Role In FTX Fraud, Must Forfeit $11 Billion (theverge.com)

Caroline Ellison, the former CEO of Alameda Research, must serve 24 months in prison and forfeit $11 billion. "I've seen a lot of cooperators in 30 years. I've never seen one quite like Ms. Ellison," said Judge Lewis Kaplan during the sentencing hearing today. The Verge reports: Ellison pleaded guilty to two counts of wire fraud and five conspiracy counts in December 2022 as part of a cooperation agreement with the government. Prosecutors had recommended a lenient sentence because of Ellison's "extraordinary" and "very timely" cooperation. Her own lawyers asked for no jail time, as did the federal Probation Department.

Ellison was the key witness at the trial of FTX cofounder Sam Bankman-Fried, where she testified for three days. A statement submitted by the prosecution before Ellison's sentencing said the speed at which she came clean made it possible to indict her ex-boyfriend Bankman-Fried quickly, "ensuring that he did not flee the Bahamas or further obstruct the government's investigation." The document also noted that Ellison was completely and immediately forthcoming in her meetings with the government.

Ellison was also prompt in assisting John J. Ray, the new CEO charged with cleaning up the FTX mess, in locating and recovering customer assets, according to a statement written by Ray submitted by the defense. Her "early cooperation" was "valuable" in recovering debtors' assets, he wrote. Ellison is working on a deal where she will turn over "substantially all of her remaining assets after satisfying her forfeiture obligations" to the FTX debtors.

Government

California Governor Vetoes Bill Requiring Opt-Out Signals For Sale of User Data (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: California Gov. Gavin Newsom vetoed a bill that would have required makers of web browsers and mobile operating systems to let consumers send opt-out preference signals that could limit businesses' use of personal information. The bill approved by the State Legislature last month would have required an opt-out signal "that communicates the consumer's choice to opt out of the sale and sharing of the consumer's personal information or to limit the use of the consumer's sensitive personal information." It would have made it illegal for a business to offer a web browser or mobile operating system without a setting that lets consumers "send an opt-out preference signal to businesses with which the consumer interacts."

In a veto message (PDF) sent to the Legislature Friday, Newsom said he would not sign the bill. Newsom wrote that he shares the "desire to enhance consumer privacy," noting that he previously signed a bill "requir[ing] the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to request that data brokers delete all of their personal information." But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill." Vetoes can be overridden with a two-thirds vote in each chamber. The bill was approved 59-12 in the Assembly and 31-7 in the Senate. But the State Legislature hasn't overridden a veto in decades.
"It's troubling the power that companies such as Google appear to have over the governor's office," said Justin Kloczko, tech and privacy advocate for Consumer Watchdog, a nonprofit group in California. "What the governor didn't mention is that Google Chrome, Apple Safari and Microsoft Edge don't offer a global opt-out and they make up nearly 90 percent of the browser market share. That's what matters. And people don't want to install plug-ins. Safari, which is the default browser on iPhones, doesn't even accept a plug-in."
United States

DOJ Sues Visa For Locking Out Rival Payment Platforms (theverge.com)

The Department of Justice has filed an antitrust lawsuit against Visa, alleging that the financial services firm has an illegal monopoly over debit network markets and has attempted to unlawfully crush competitors, including fintech companies like PayPal and Square. From a report: The lawsuit follows a multiyear investigation of Visa which the company disclosed in 2021. "We allege that Visa has unlawfully amassed the power to extract fees that far exceed what it could charge in a competitive market," Attorney General Merrick Garland said in a statement. "Merchants and banks pass along those costs to consumers, either by raising prices or reducing quality or service. As a result, Visa's unlawful conduct affects not just the price of one thing -- but the price of nearly everything."

Visa makes more than $7 billion a year in payment processing fees alone, and more than 60 percent of debit transactions in the United States run on Visa's network, the complaint claims. The government alleges that Visa's market dominance is partly due to the "web of exclusionary agreements" it imposes on businesses and banks. Visa has also attempted to "smother" competitors -- including smaller debit networks and newer fintech companies -- the complaint alleges. Visa executives allegedly feel particularly threatened by Apple, which the company has described as an "existential threat," the DOJ claims.

Government

California Bans All Plastic Bags (nytimes.com)

An anonymous reader quotes a report from the New York Times: Paper or paper? In California, shoppers will have only one bag option at the checkout line starting in 2026. A decade ago, California became the first U.S. state to ban single-use plastic bags, the flimsy sacks that regularly blew into waterways, littered streets and collected in landfills. The prohibition, in the nation's most populous state, was considered a turning point in the effort to reduce plastic waste. But the move backfired in a way that few supporters expected. Californians in 2021 actually tossed nearly 50 percent more plastic bags, by weight, than when the law first passed in 2014, according to data from CalRecycle, California's recycling agency. A loophole in the initial ban allowed retailers to provide thick-walled plastic bags and charge 10 cents apiece for them. Though technically reusable and recyclable, the heavier-duty sacks still ended up in many trash cans after a shopping trip.

Gov. Gavin Newsom signed legislation on Sunday banning the sale at grocery checkouts of all plastic bags, regardless of thickness. The only option for customers who lack their own reusable shopping bags will be buying paper bags for 10 cents each. "We deserve a cleaner future for our communities, our children and our earth," said Rebecca Bauer-Kahan, a Democratic assemblywoman and co-author of the bill, in a statement. "It's time for us to get rid of these plastic bags and continue to move forward with a more pollution-free environment." Plastic bags are typically used for 12 minutes before being discarded, according to the California Public Interest Research Group, a consumer advocacy group. But those bags live in oceans and landfills for hundreds of years, and can contaminate drinking water and food in the form of microplastics.
SB 1053 will go into effect on January 1st, 2026. It also changes the definition of a "recycled paper bag," requiring all bags with that label to be made of at least 50% post-consumer recycled materials starting January 1st, 2028.
IT

Some Kaspersky Customers Receive Surprise Forced-Update To New Antivirus Software

Customers of Kaspersky antivirus in the United States found out in the last few days that their cybersecurity software was automatically replaced with a new one called UltraAV, according to several customers. And while Kaspersky said earlier this month that its U.S. customers would be transitioned to UltraAV, many of its customers said they had no idea this was going to happen and that it would automatically be forced upon them. From a report: "Woke up to Kasperky [sic] completely gone from my system with Ultra AV and Ultra VPN freshly installed (not by me, just automatically while I slept)," a user on Reddit wrote. Others reported having the same experience in the same Reddit thread, as well as in other threads. A reseller, who until recently sold Kaspersky products prior to the recent sales ban, told TechCrunch that he was left "annoyed" by the move to automatically remove Kaspersky software and replace it with an entirely different antivirus. A former senior U.S. government cybersecurity official said that this was an example of the "huge risk" posed by the access granted by Kaspersky software. It's worth noting that, on the other hand, other customers did report receiving an email from Kaspersky about the transition to UltraAV.
Bitcoin

Government of Bhutan Holds Over $825 Million, or Nearly a Third of Its GDP, in Bitcoin, Arkham Data Shows

The government of Bhutan is currently holding over $828 million in bitcoin, according to onchain data by Arkham Intelligence. From a report: "Unlike most governments, Bhutan's BTC does not come from law enforcement asset seizures, but from bitcoin mining operations, which have ramped up dramatically since early 2023," the crypto intelligence firm explained. Crypto intelligence firm Arkham highlighted the Kingdom of Bhutan's bitcoin holdings on social media platform X last week. Bhutan is a small, landlocked kingdom located in the eastern Himalayas, bordered by China to the north and India to the south. The country currently has a population of less than 800,000 people. We learned last year that Bhutan had been secretly mining bitcoin using its abundant hydroelectric resources since around 2019. The operation, which began when bitcoin was priced at approximately $5,000, aims to harness the country's vast renewable energy reserves to power mining rigs.

Hydroelectricity already accounts for 30% of Bhutan's GDP and powers nearly all of its 800,000 residents. The government claimed last year that mining profits are used to subsidize power and hardware costs. This revelation makes Bhutan one of the few countries globally to run a state-owned bitcoin mine, alongside El Salvador.

At over $800 million in Bitcoin holdings, the reserve accounts for nearly a third of Bhutan's 2022-calculated GDP.
Microsoft

Microsoft Tightens Digital Defenses with Sweeping Security Overhaul (geekwire.com)

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft's security culture "inadequate."

Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging.

Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.

Businesses

Telegram CEO Durov Says App To Provide More Data To Governments (bloomberg.com) 26

Messaging app Telegram will provide users' IP addresses and phone numbers to relevant authorities in response to valid legal requests, according to Chief Executive Officer Pavel Durov. From a report: The platform changed its terms of service to deter criminals from abusing it, Durov said in a post on Telegram Monday. The move comes less than a month after his arrest in France, where he faces charges of alleged complicity in the spread of child sexual abuse materials.

The move represents a marked difference from Telegram's approach to government requests for data and its reputation for lax moderation. The United Arab Emirates-based platform has been notoriously non-responsive to takedown requests from governments around the world, and often ignored requests for information about suspected criminals.

China

US Proposes Ban on Smart Cars With Chinese and Russian Tech (cnn.com) 94

The US Commerce Department on Monday will propose a ban on the sale or import of smart vehicles that use specific Chinese or Russian technology because of national security concerns, according to US officials. From a report: A US government investigation that began in February found a range of national security risks from embedded software and hardware from China and Russia in US vehicles, including the possibility of remote sabotage by hacking and the collection of personal data on drivers, Secretary of Commerce Gina Raimondo told reporters Sunday in a conference call.

"In extreme situations, a foreign adversary could shut down or take control of all their vehicles operating in the United States, all at the same time, causing crashes (or) blocking roads," she said. The rule would not apply to cars already on the road in the US that already have Chinese software installed, a senior administration official told CNN. The software ban would take effect for vehicles for "model year" 2027 and the hardware ban for "model year" 2030, according to the Commerce Department. The proposed regulatory action is part of a much broader struggle between the United States and China, the world's two biggest economies, to secure the supply chains of the key computing technology of the future, from semiconductors to AI software. China, in particular, has invested heavily in the connected car market, and inroads made by Chinese manufacturers in Europe have worried US officials.

Power

How California Cuts Greenhouse Gas Emissions - While Its Economy Grows (ca.gov) 197

In 2022 about 346,000 electric cars were reportedly sold in California. But the same year its greenhouse gas emissions dropped a whopping 9.3 million metric tons — the amount produced by 2.2 million gas-powered cars — lowering emissions 2.4% from the year before. "The biggest drop came from transportation, due largely to the increased use of renewable fuels," according to the state's Air Resources Board, touting a newly released report. (And electricity sector emissions also fell by 2.6 million metric tons, or 4.1%, "even as electricity usage rose," according to The Hill — "a dichotomy that the regulators attributed to an increase in solar and wind power generation.")

So despite a growing economy, "the latest data underscores a continued trend of steady emissions decline..." according to a statement from the Board. "Between 2000 to 2022, emissions fell by 20% while California's gross domestic product increased by 78%, pointing to the effectiveness of the state's climate change and air quality programs." And the amount of carbon dioxide equivalent emitted per unit of economic output ("carbon intensity") has also dropped 55% in the last 20 years: [In 2022] the electricity sector had its lowest carbon intensity since 2000. Wind and solar now represent 30% of generation and in-state solar increased by 15% from 2021, driven by requirements under the state's Cap-and-Trade Program and Renewables Portfolio Standard. Furthermore, California increased its battery storage by 757% from 2019 through 2023, bolstering its renewable energy efforts. The storage capacity is enough to power 6.6 million homes for up to four hours.

Industrial emissions declined by 2%, also falling to the lowest level in 22 years. While refinery emissions remained essentially flat, emissions from oil and gas extraction declined, as did emissions from other fuel use, cement manufacturing, and cogeneration facilities. [The Hill says 2022's industrial emissions were 21.7% below year-2000 levels, according to the report.]

Livestock emissions, which are responsible for 70% of agriculture's greenhouse gas emissions, peaked in 2012 and once again saw reductions in 2022. The decrease is driven by the use of methane digesters funded by the California Climate Investments and incentivized by the Low Carbon Fuel Standard, which capture emissions at the source and convert them to clean fuel.

Landfill methane emissions also continued to decline in 2022. This decline can be attributed in part to the state's efforts to reduce disposal of organic waste, as well as the California Landfill Methane Regulation, which requires landfill operators to monitor and capture emissions escaping from their facilities.

One local news site calls the drop in emissions "shocking," but adds that "the trend is expected to continue. In the second quarter of 2024, 118,181 zero-emission vehicles were purchased in the state, good for about one-quarter of all new car sales."

California governor Gavin Newsom said his state "is proving that climate action goes hand-in-hand with economic growth. We've slashed carbon pollution by a whopping 20% since the turn of the century all while building the world's fifth largest economy. Cleaner air, more good jobs — that's the California way."