First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.
Other Developments
- The Commodity Futures Trading Commission released a final rule earlier this month “to restore the inadvertently deleted Detailed Requirements” to its Gramm-Leach-Bliley Act rules “for the establishment of appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical and physical safeguards” that were removed in 2011.
- The National Institute of Standards and Technology (NIST) asked “organizations to provide products and technical expertise to support and demonstrate security platforms for the 5G Cybersecurity: Preparing a Secure Evolution to 5G project” by 19 June.
- The Federal Communications Commission (FCC) proposed
- to expand its video description regulations by phasing them in for an additional 10 designated market areas (DMAs) each year for four years, beginning on January 1, 2021.
- to modernize the terminology in our regulations to use the term “audio description” rather than “video description.”
- to make a non-substantive edit to the video description rules, to delete outdated references to compliance deadlines that have passed.
- The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy, and the United Kingdom’s Government Communications Headquarters’ (GCHQ) National Cyber Security Centre (NCSC) released an infographic on best practices for Industrial Control Systems (ICS). The agencies stated ICS “are important to supporting US critical infrastructure and maintaining national security…[and] ICS owners and operators face threats from a variety of adversaries whose intentions include gathering intelligence and disrupting National Critical Functions.” The agencies stated that “[a]s ICS owners and operators adopt new technologies to improve operational efficiencies, they should be aware of the additional cybersecurity risk of connecting operational technology (OT) to enterprise information technology (IT) systems and Internet of Things (IoT) devices.”
- The Government Accountability Office’s priority recommendations to the General Services Administration (GSA) reiterated two from last year related to cybersecurity:
- One priority recommendation, from July 2019, would help ensure consistent cybersecurity risk management and oversight across the agency. We recommended that GSA designate and document a risk executive function with responsibilities for organization-wide cybersecurity risk management. To implement this recommendation, GSA needs to update its policies and procedures to document GSA’s designated cybersecurity-risk executive function, including a description of the risk executive’s responsibility for organization-wide cybersecurity risk management.
- Another priority recommendation, also from July 2019, would help GSA consider the totality of risk derived from the operation and use of its information systems and from information exchanges and connections with other internally and externally owned systems. We recommended that GSA establish a process for conducting an organization-wide cybersecurity risk assessment. To implement this recommendation, GSA needs to ensure that its process provides for aggregating information from system-level risk assessment results, continuous monitoring, and any relevant strategic risk considerations.
- The Election Assistance Commission (EAC) “determined that HAVA Election Security funds are available to the states until they are expended…[and] [p]revious guidance requiring 2018 and 2020 HAVA Election Security funds to be expended within a five-year period no longer applies.” Consequently, states may feel no need to rush these funds out the door, unless of course the Government Accountability Office’s review is contrary to the EAC’s, which said it relied on an Office of Management and Budget legal opinion.
- The National Security Agency (NSA) warned in a Cybersecurity Advisory that “Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.”
- Amnesty International’s (AI) Security Lab “discovered the critical weakness in the configuration of Qatar’s EHTERAZ contact tracing app.” The international organization stated “[n]ow fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.” AI informed Qatari authorities last week, who had the weakness fixed a day later. Qatar is mandating that all citizens download the app or face the possibility of a three-year prison sentence and fines of up to $55,000 USD.
Further Reading
- “Right to Privacy Extends to Foreign Internet Users, German Court Rules” – The New York Times. Germany’s top court, the Bundesverfassungsgericht, ruled that the country’s foreign intelligence agency, the Bundesnachrichtendienst (BND), cannot engage in unlimited, indiscriminate electronic surveillance of non-Germans outside of Germany, for the privacy rights that apply inside of Germany are also binding on the BND’s surveillance outside the country. The court found “the BND is bound by the fundamental rights of the Basic Law when conducting telecommunications surveillance of foreigners in other countries, and that the statutory bases in their current design violate the fundamental right to privacy of telecommunications (Art. 10(1) of the Basic Law, Grundgesetz – GG) and the freedom of the press (Art. 5(1) second sentence GG)…[and] [t]his applies to the collection and processing of data, the transfer of data thus obtained to other entities and the cooperation with foreign intelligence services.” However, the court will allow surveillance to continue as is until the end of 2021 to give the Bundestag time to craft a constitutional statute, which would allow for “strategic telecommunications surveillance of strangers” in harmony with German law.
- “American nationalists’ European vacation” – Politico. Right-wing, white supremacist, Neo-Nazi, and Trump activists have been road-testing social media strategies to sway people in Europe, often to negligible effect, with an eye to honing their skills for this year’s presidential election in the United States. In Ireland, the use of social media platforms became so pronounced that a month before a referendum on abortion, both Facebook and Google banned political ads bought by foreign nationals. It is possible these platforms will take similar steps in the U.S., as was seen this week when Twitter fact-checked claims made by President Donald Trump regarding mail-in voting.
- “Tech’s long hot summer of antitrust” – Axios. This overview of the various federal and state antitrust investigations of big tech companies argues the first action could occur this summer, with possible lawsuits being filed against the companies.
- “DHS’s cyber division has stepped up protections for coronavirus research, official says” – CyberScoop. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bryan Ware assured entities in the health care and COVID-19-related fields that CISA has reoriented to help them stave off the barrage of attacks they are facing. CISA is also concerned about ransomware, which has been a problem in the Czech Republic and Germany.
- “German intelligence agencies warn of Russian hacking threats to critical infrastructure” – CyberScoop. Three German agencies advised German entities in the energy, water, and power sectors that a Russian hacking group is trying to utilize supply chain weaknesses to establish beachheads on their systems. The Bundesnachrichtendienst (BND), Bundesamt für Verfassungsschutz (BfV), and Bundesamt für Sicherheit in der Informationstechnik (BSI) warned that Berserk Bear, a hacking group reputedly associated with Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii (FSB), Russia’s main security agency, is targeting those sectors through a combination of various types of attacks. The warnings come a few weeks after Chancellor Angela Merkel confirmed that Russian hackers penetrated her office. Russia’s cyber onslaught against Germany is not likely to cease anytime soon.
- “Israel thwarted attack on water systems: cyber chief” – Deutsche Welle. The head of Israel’s Cyber Directorate confirmed what was reported last month: Iran attacked part of Israel’s water systems. However, while Iran was not named, Yigal Unna claimed this was the first cyber attack with so-called real world consequences, in that the attack would have resulted in chemicals being mixed in the wrong levels in the nation’s water supply, causing chaos and possibly shutting down Israel’s water systems. The article also revealed that Israel struck back against an Iranian port, as rumored earlier in the month. A former head of the Israel Defense Forces Military Intelligence Directorate claimed the attack was waged by Israelis in retaliation and to warn Iran against future action.
- “Are AI-Powered Killer Robots Inevitable?” – WIRED. The Center for a New American Security’s Senior Fellow Paul Scharre provides a survey of the current state of autonomous weapons systems in current use. He spins a few different future scenarios under which a nation’s military systems become completely autonomous, and the implications are terrifying and seemingly science fiction. By the way, is it possible to write an article on the military, AI, and robots without invoking the Terminator?
- “Calls grow for European regulators to investigate Apple, accused of bullying smaller rivals” – The Washington Post. A firm that makes Bluetooth trackers is asking the European Union to investigate Apple for anticompetitive practices. Tile sent a letter last week to EU Commissioner Margrethe Vestager, claiming “Apple has taken several steps to competitively disadvantage Tile, including by making it more difficult for consumers to use our products and services.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.