Messaging app Signal's president Meredith Whittaker criticized rival Telegram's security on Friday, saying Telegram founder Pavel Durov is "full of s---" in his claims about Signal. "Telegram is a social media platform, it's not encrypted, it's the least secure of messaging and social media services out there," Whittaker told TechCrunch in an interview. The comments come amid a war of words between Whittaker, Durov and Twitter owner Elon Musk over the security of their respective platforms. Whittaker said Durov's amplification of claims questioning Signal's security was "incredibly reckless" and "actually harms real people."

"Play your games, but don't take them into my court," Whittaker said, accusing Durov of prioritizing being "followed by a professional photographer" over getting facts right about Signal's encryption. Signal uses end-to-end encryption by default, while Telegram only offers it for "secret chats." Whittaker said many in Ukraine and Russia use Signal for "actual serious communications" while relying on Telegram's less-secure social media features. She said the "jury is in" on the platforms' comparative security and that Signal's open source code allows experts to validate its privacy claims, which have the trust of the security community.

Hackers have compromised a popular courtroom recording software, JAVS, gaining full control through a backdoored update. Louisville, Kentucky-based Justice AV Solutions, its maker, pulled the compromised software, reset passwords, and audited its systems. Cybersecurity firm Rapid7 found that the corrupted installer grants attackers full access and transmits host system data to a command-and-control server. The Record adds: In its advisory, Rapid7 stressed the need to reimage all endpoints where the software was installed, and to reset credentials on web browsers and for any accounts logged into affected endpoints, both local and remote. "Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate," they wrote. "Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials."

An anonymous reader quotes a report from NPR: Hospital staff are forced to write notes by hand and deliver orders for tests and prescriptions in person in the ongoing fallout from a recent ransomware attack at the national health system Ascension. Ascension is one of the largest health systems in the United States, with some 140 hospitals located across 19 states and D.C. A spokesperson said in a statement that "unusual activity" was first detected on multiple technology network systems Ascension uses on Wednesday, May 8. Later, representatives confirmed that some of Ascension's electronic health records systems had been affected, along with systems used "to order certain tests, procedures and medications."

Some phone capabilities have also been offline, and patients have been unable to access portals used to view medical records and get in touch with their doctors. Due to these interruptions, hospital staff had to shift to "manual and paper based" processes. "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," an Ascension spokesperson said in a May 8 statement. Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift. "It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary."

Fuentes said orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete. "Medications are taking longer to get to patients, lab results are taking longer to get back," she said. "Doctors need the lab results, often, to decide the next treatment plan, but if there's a delay in access to the labs, there's a delay in access to the care that they order." As of Tuesday, Ascension still had no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation. "While Ascension facilities remain open, a health system representative said on May 9 that in some cases, emergency patients were being triaged to different hospitals, and some non-emergent appointments and procedures were postponed," reports NPR. "Certain Ascension pharmacies are not operational, and patients are being asked to bring in prescription bottles or numbers."

"Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down."

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

A server maintained by Cogent Communications, one of the 13 root servers crucial to the Internet's domain name system, fell out of sync with its peers for over four days due to an unexplained glitch. This issue, which could have caused worldwide stability and security problems, was resolved on Wednesday.

The root servers store cryptographic keys necessary for authenticating intermediate servers under the DNSSEC mechanism. Inconsistencies in these keys across the 13 servers could lead to an increased risk of attacks such as DNS cache poisoning. Engineers postponed planned updates to the .gov and .int domain name servers' DNSSEC to use ECDSA cryptographic keys until the situation stabilized. Cogent stated that it became aware of the issue on Tuesday and resolved it within 25 hours. ArsTechnica, which has a great writeup about the incident, adds: Initially, some people speculated that the depeering of Tata Communications, the c-root site outage, and the update errors to the c-root itself were all connected somehow. Given the vagueness of the statement, the relation of those events still isn't entirely clear.

A hacker claims to have breached a scam call center, stolen the source code for the company's tools, and emailed the company's scam victims, according to multiple screenshots and files provided by the hacker to 404 Media. From the report: The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

"Hello, everyone! If you are seeing this email then you have been targeted by a fake antivirus company known as 'Waredot,'" the hacker wrote in their alleged email to customers, referring to the scam call center. The email goes on to suggest that customers issue a chargeback "as this trash software isn't worth anywhere NEAR $300-$400 per month, and these trash idiots don't deserve your money!"

Michael Larabel reports via Phoronix: The latest RISC-V port updates have been merged for the in-development Linux 6.10 kernel. Most notable with today's RISC-V merge to Linux 6.10 is now supporting the Rust programming language within the Linux kernel. RISC-V joins the likes of x86_64, LoongArch, and ARM64 already supporting the use of the in-kernel Rust language support. The use of Rust within the mainline Linux kernel is still rather limited with just a few basic drivers so far and a lot of infrastructure work taking place, but there are a number of new drivers and other subsystem support on the horizon. RISC-V now supporting Rust within the Linux kernel will become more important moving forward.

The RISC-V updates for Linux 6.10 also add byte/half-word compare-and-exchange, support for Zihintpause within hwprobe, a PR_RISCV_SET_ICACHE_FLUSH_CTX prctl(), and support for lockless lockrefs. More details on these RISC-V updates for Linux 6.10 via this Git merge.

An anonymous reader quotes a report from The Guardian: Hopes that replacement fuels for airplanes will slash carbon pollution are misguided and support for these alternatives could even worsen the climate crisis, a new report has warned. There is currently "no realistic or scalable alternative" to standard kerosene-based jet fuels, and touted "sustainable aviation fuels" are well off track to replace them in a timeframe needed to avert dangerous climate change, despite public subsidies, the report by the Institute for Policy Studies, a progressive thinktank, found. "While there are kernels of possibility, we should bring a high level of skepticism to the claims that alternative fuels will be a timely substitute for kerosene-based jet fuels," the report said. [...]

In the U.S., Joe Biden's administration has set a goal for 3 billion gallons of sustainable aviation fuel, which is made from non-petroleum sources such as food waste, woody biomass and other feedstocks, to be produced by 2030, which it said will cut aviation's planet-heating emissions by 20%. [...] Burning sustainable aviation fuels still emits some carbon dioxide, while the land use changes needed to produce the fuels can also lead to increased pollution. Ethanol biofuel, made from corn, is used in these fuels, and meeting the Biden administration's production goal, the report found, would require 114m acres of corn in the U.S., about a 20% increase in current land area given over to to the crop. In the UK, meanwhile, 50% of all agricultural land will have to be given up to sustain current flight passenger levels if jet fuel was entirely replaced. "Agricultural land use changes could threaten global food security as well as nature-based carbon sequestration solutions such as the preservation of forests and wetlands," the report states. "As such, SAF production may actively undermine the Paris agreement goal of achieving greatly reduced emissions by 2050." Chuck Collins, co-author of the report, said: "To bring these fuels to the scale needed would require massive subsidies, the trade-offs would be unacceptable and would take resources aware from more urgent decarbonization priorities."

"It's a huge greenwashing exercise by the aviation industry. It's magical thinking that they will be able to do this."

Phil Ansell, director of the Center for Sustainable Aviation at the University of Illinois, added: "There's an underappreciation of how big the energy problem is for aviation. We are still many years away from zero pollution flights. But it's true that the industry has been slow to pick things up. We are now trying to find solutions, but we are working at this problem and realizing it's a lot harder than we thought. We are late to the game. We are in the dark ages in terms of sustainability, compared to other sectors."

The House Foreign Affairs Committee on Wednesday voted overwhelmingly to advance a bill that would make it easier for the Biden administration to restrict the export of AI systems, citing concerns China could exploit them to bolster its military capabilities. From a report: The bill, sponsored by House Republicans Michael McCaul and John Molenaar and Democrats Raja Krishnamoorthi and Susan Wild, also would give the Commerce Department express authority to bar Americans from working with foreigners to develop AI systems that pose risks to U.S. national security. Without this legislation "our top AI companies could inadvertently fuel China's technological ascent, empowering their military and malign ambitions," McCaul, who chairs the committee, warned on Wednesday.

"As the (Chinese Communist Party) looks to expand their technological advancements to enhance their surveillance state and war machine, it is critical we protect our sensitive technology from falling into their hands," McCaul added. The Chinese Embassy in Washington did not immediately respond to a request for comment. The bill is the latest sign Washington is gearing up to beat back China's AI ambitions over fears Beijing could harness the technology to meddle in other countries' elections, create bioweapons or launch cyberattacks.

An anonymous reader quotes a report from Krebs On Security: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops. At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID. Periodically, Apple and Google mobile devices will forward their locations -- by querying GPS and/or by using cellular towers as landmarks -- along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.

With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position. Apple's WPS also accepts a list of nearby BSSIDs, but instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user's location based on known landmarks.

In essence, Google's WPS computes the user's location and shares it with the device. Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own. That's according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They learned that while only about three million of those randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups. "Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds. "The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."

The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."

A copy of the UMD research is available here (PDF).

Microsoft is adding screenshot prevention controls in Edge to block you from taking screenshots at work. "It's all designed to prevent you from sharing screenshots with competitors, relatives, and journalists using Microsoft Edge for Business," reports PCWorld. From the report: Specifically, IT managers at corporations will be able to tag web pages as protected, as defined in various Microsoft policy engines in Microsoft 365, Microsoft Defender for Cloud Apps, Microsoft Intune Mobile Application Management and Microsoft Purview, Microsoft said. The screenshot prevention feature will be available to customers in the "coming months," Microsoft said. It's also unclear whether third-party tools will be somehow blocked from taking screenshots or recording video, too.

Microsoft will also roll out a way to force Edge for Business users to automatically update their browsers. The feature will enter a preview phase over the next few weeks, Microsoft said. "The Edge management service will enable IT admins to see which devices have Edge instances that are out of date and at risk," Microsoft said. "It will also provide mitigating controls, such as forcing a browser restart to install updates, enabling automatic browser updates or enabling enhanced security mode for added protections."

A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch reported Wednesday. From the report: The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware's intended users.

This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It's also the second known time that pcTattletale has exposed screenshots of the devices that the app is installed on. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators. pcTattletale allows whomever controls it to remotely view the target's Android or Windows device and its data, from anywhere in the world. pcTattletale's website says the app "runs invisibly in the background on their workstations and can not be detected."

WhatsApp's security team warned that despite the app's encryption, users are vulnerable to government surveillance through traffic analysis, according to an internal threat assessment obtained by The Intercept. The document suggests that governments can monitor when and where encrypted communications occur, potentially allowing powerful inferences about who is conversing with whom. The report adds: Even though the contents of WhatsApp communications are unreadable, the assessment shows how governments can use their access to internet infrastructure to monitor when and where encrypted communications are occurring, like observing a mail carrier ferrying a sealed envelope. This view into national internet traffic is enough to make powerful inferences about which individuals are conversing with each other, even if the subjects of their conversations remain a mystery. "Even assuming WhatsApp's encryption is unbreakable," the assessment reads, "ongoing 'collect and correlate' attacks would still break our intended privacy model."

The WhatsApp threat assessment does not describe specific instances in which it knows this method has been deployed by state actors. But it cites extensive reporting by the New York Times and Amnesty International showing how countries around the world spy on dissident encrypted chat app usage, including WhatsApp, using the very same techniques. As war has grown increasingly computerized, metadata -- information about the who, when, and where of conversations -- has come to hold immense value to intelligence, military, and police agencies around the world. "We kill people based on metadata," former National Security Agency chief Michael Hayden once infamously quipped. Meta said "WhatsApp has no backdoors and we have no evidence of vulnerabilities in how WhatsApp works." Though the assessment describes the "vulnerabilities" as "ongoing," and specifically mentions WhatsApp 17 times, a Meta spokesperson said the document is "not a reflection of a vulnerability in WhatsApp," only "theoretical," and not unique to WhatsApp.

Companies working with the US government may be required to start protecting their data and technology from attacks by quantum computers as soon as July. From a report: The National Institute for Standards and Technology, part of the Department of Commerce, will in July stipulate three types of encryption algorithms the agency deems sufficient for protecting data from quantum computers, setting an internationally-recognized standard aimed at helping organizations manage evolving cybersecurity threats. The rollout of the standards will kick off "the transition to the next generation of cryptography," White House deputy national security adviser Anne Neuberger told Bloomberg in Cambridge, England on Tuesday. Breaking encryption not only threatens "national security secrets" but also the the way we secure the internet, online payments and bank transactions, she added.

Neuberger was speaking at an event organized by the University of Cambridge and Vanderbilt University, hosting academics, industry professionals and government officials to discuss the threats posed to cybersecurity by quantum computing, which vastly accelerates processing power by performing calculations in parallel rather than sequentially and will make existing encryption systems obsolete.

The U.S. Environmental Protection Agency on Monday urged water utilities to take action to improve their digital defenses, following a spate of recent cyberattacks. From a report: The agency's "enforcement alert" said that recent inspections of water systems found that more than 70 percent fail to meet basic cybersecurity standards, including some with "critical" vulnerabilities, such as relying on default passwords that haven't been updated and single logins that "can easily be compromised." The notice comes after a Russian hacktivist group claimed credit for digital assaults on water sites in Texas and Indiana. Late last year, Iran-linked Cyber Av3ngers group took responsibility for striking a water authority in Pennsylvania.

An anonymous reader shares a report: Google is pouncing on Microsoft's weathered enterprise security reputation by pitching its services to government institutions. Pointing to a recent report from the US Cyber Safety Review Board (CSRB) that found that Microsoft's security woes are the result of the company "deprioritizing" enterprise security, Google says it can help. The company's pitch isn't quite as direct as Microsoft CEO Satya Nadella saying he made Google dance, but it's spicy all the same. Repeatedly referring to Microsoft as "the vendor" throughout its blog post on Monday, Google says the CSRB "showed that lack of a strong commitment to security creates preventable errors and serious breaches." Platforms, it added, "have a responsibility" to hold to strong security practices. And of course, who is more responsible than Google?

Microsoft today unveiled Recall, a new AI-powered feature for Windows 11 PCs, at its Build 2024 conference. Recall aims to improve local searches by making them as efficient as web searches, allowing users to quickly retrieve anything they've seen on their PC. Using voice commands and contextual clues, Recall can find specific emails, documents, chat threads, and even PowerPoint slides.

The feature uses semantic associations to make connections, as demonstrated by Microsoft Product Manager Caroline Hernandez, who searched for a blue dress and refined the query with specific details. Microsoft said that Recall's processing is done locally, ensuring data privacy and security. The feature utilizes over 40 local multi-modal small language models to recognize text, images, and video.

"$5,000 in cash had been withdrawn from my checking account — but not by me," writes journalist Linda Matchan in the Boston Globe. A police station manager reviewed footage from the bank — which was 200 miles away — and deduced that "someone had actually come into the bank and spoken to a teller, presented a driver's license, and then correctly answered some authentication questions to validate the account..." "You're pitting a teller against a national crime syndicate with massive resources behind them," says Paul Benda, executive vice president for risk, fraud, and cybersecurity at the American Bankers Association. "They're very well-funded, well-resourced criminal gangs doing this at an industrial scale."
The reporter writes that "For the past two years, I've worked to determine exactly who and what lay behind this crime..." [N]ow I had something new to worry about: Fraudsters apparently had a driver's license with my name on it... "Forget the fake IDs adolescents used to get into bars," says Georgia State's David Maimon, who is also head of fraud insights at SentiLink, a company that works with institutions across the United States to support and solve their fraud and risk issues. "Nowadays fraudsters are using sophisticated software and capable printers to create virtually impossible-to-detect fake IDs." They're able to create synthetic identities, combining legitimate personal information, such as a name and date of birth, with a nine-digit number that either looks like a Social Security number or is a real, stolen one. That ID can then be used to open financial accounts, apply for a bank or car loan, or for some other dodgy purpose that could devastate their victims' financial lives.



And there's a complex supply chain underpinning it all — "a whole industry on the dark web," says Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit that helps victims undo the damage wrought by identity crime. It starts with the suppliers, Maimon told me — "the people who steal IDs, bring them into the market, and manufacture them. There's the producers who take the ID and fake driver's licenses and build the facade to make it look like they own the identity — trying to create credit reports for the synthetic identities, for example, or printing fake utility bills." Then there are the distributors who sell them in the dark corners of the web or the street or through text messaging apps, and finally the customers who use them and come from all walks of life. "We're seeing females and males and people with families and a lot of adolescents, because social media plays a very important role in introducing them to this world," says Maimon, whose team does surveillance of criminals' activities and interactions on the dark web. "In this ecosystem, folks disclose everything they do."
The reporter writes that "It's horrifying to discover, as I have recently, that someone has set up a tech company that might not even be real, listing my home as its principal address."

Two and a half months after the theft the stolen $5,000 was back in their bank account — but it wasn't until a year later that the thief was identified. "The security video had been shared with New York's Capital Region Crime Analysis Center, where analysts have access to facial recognition technology, and was run through a database of booking photos. A possible match resulted.... She was already in custody elsewhere in New York... Evidently, Deborah was being sought by law enforcement in at least three New York counties. [All three cases involved bank-related identity fraud.]"

Deborah was finally charged with two separate felonies: grand larceny in the third degree for stealing property over $3,000, and identity theft. But Deborah missed her next two court dates, and disappeared. "She never came back to court, and now there were warrants for her arrest out of two separate courts."

After speaking to police officials the reporter concludes "There was a good chance she was only doing the grunt work for someone else, maybe even a domestic or foreign-organized crime syndicate, and then suffering all the consequences."

The UK minister of state for security even says that "in some places people are literally captured and used as unwilling operators for fraudsters."

An anonymous reader shared this report from the blog OMG Ubuntu: Ubuntu first switched to using Wayland as its default display server in 2017 before reverting the following year. It tried again in 2021 and has stuck with it since. But while Wayland is what most of us now log into after installing Ubuntu, anyone doing so on a PC or laptop with an NVIDIA graphics card present instead logs into an Xorg/X11 session.

This is because NVIDIA's proprietary graphics drivers (which many, especially gamers, opt for to get the best performance, access to full hardware capabilities, etc) have not supported Wayland as well as as they could've. Past tense as, thankfully, things have changed in the past few years. NVIDIA's warmed up to Wayland (partly as it has no choice given that Wayland is now standard and a 'maybe one day' solution, and partly because it wants to: opportunities/benefits/security).

With the NVIDIA + Wayland sitch' now in a better state than before — but not perfect — Canonical's engineers say they feel confident enough in the experience to make the Ubuntu Wayland session default for NVIDIA graphics card users in Ubuntu 24.10.

Earlier this week the Washington Post reported that America's Defense department "is growing concerned that the United Launch Alliance, one of its key partners in launching national security satellites to space, will not be able to meet its needs to counter China and build its arsenal in orbit with a new rocket that ULA has been developing for years." In a letter sent Friday to the heads of Boeing's and Lockheed Martin's space divisions, Air Force Assistant Secretary Frank Calvelli used unusually blunt terms to say he was growing "concerned" with the development of the Vulcan rocket, which the Pentagon intends to use to launch critical national security payloads but which has been delayed for years. ULA, a joint venture of Boeing and Lockheed Martin, was formed nearly 20 years ago to provide the Defense Department with "assured access" to space. "I am growing concerned with ULA's ability to scale manufacturing of its Vulcan rocket and scale its launch cadence to meet our needs," he wrote in the letter, a copy of which was obtained by The Washington Post. "Currently there is military satellite capability sitting on the ground due to Vulcan delays...."

ULA originally won 60 percent of the Pentagon's national security payloads under the current contract, known as Phase 2. SpaceX won an award for the remaining 40 percent, but it has been flying its reusable Falcon 9 rocket at a much higher rate. ULA launched only three rockets last year, as it transitions to Vulcan; SpaceX launched nearly 100, mostly to put up its Starlink internet satellite constellation. Both are now competing for the next round of Pentagon contracts, a highly competitive procurement worth billions of dollars over several years. ULA is reportedly up for sale; Blue Origin is said to be one of the suitors...

In a statement to The Post, ULA said that its "factory and launch site expansions have been completed or are on track to support our customers' needs with nearly 30 launch vehicles in flow at the rocket factory in Decatur, Alabama." Last year, ULA CEO Tory Bruno said in an interview that the deal with Amazon would allow the company to increase its flight rate to 20 to 25 a year and that to meet that cadence it was hiring "several hundred" more employees. The more often Vulcan flies, he said, the more efficient the company would become. "Vulcan is much less expensive" than the Atlas V rocket that the ULA currently flies, Bruno said, adding that ULA intends to eventually reuse the engines. "As the flight rate goes up, there's economies of scale, so it gets cheaper over time. And of course, you're introducing reusability, so it's cheaper. It's just getting more and more competitive."
The article also notes that years ago ULA "decided to eventually retire its workhorse Atlas V rocket after concerns within the Pentagon and Congress that it relied on a Russian-made engine, the RD-180. In 2014, the company entered into a partnership with Jeff Bezos' Blue Origin to provide its BE-4 engines for use on Vulcan. However, the delivery of those engines was delayed for years — one of the reasons Vulcan's first flight didn't take place until earlier this year."

The article says Cavelli's letter cited the Pentagon's need to move quickly as adversaries build capabilities in space, noting "counterspace threats" and adding that "our adversaries would seek to deny us the advantage we get from space during a potential conflict."

"The United States continues to face an unprecedented strategic competitor in China, and our space environment continues to become more contested, congested and competitive."