Further Reading, Other Developments, and Coming Events (28 August)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Members of the British Parliament have written the United Kingdom’s (UK) Information Commissioner’s Office (ICO) “about the Government’s approach to data protection and privacy during the COVID-19 pandemic, and also the ICO’s approach to ensuring the Government is held to account.” The MPs argued in the letter addressed to UK ICO Commissioner Elizabeth Denham
    • During the crisis, the Government has paid scant regard to both privacy concerns and data protection duties. It has engaged private contractors with problematic reputations to process personal data, as highlighted by Open Democracy and Foxglove. It has built a data store of unproven benefit. It chose to build a contact tracing proximity App that centralised and stored more data than was necessary, without sufficient safeguards, as highlighted by the Human Rights Committee. On releasing the App for trial, it failed to notify yourselves in advance of its Data Protection Impact Assessment – a fact you highlighted to the Human Rights Committee.
    • Most recently, the Government has admitted breaching their data protection obligations by failing to conduct an impact assessment prior to the launch of their Test and Trace programme. They have only acknowledged this failing in the face of a threat of legal action by Open Rights Group. The Government have highlighted your role at every turn, citing you as an advisor looking at the detail of their work, and using you to justify their actions.
    • The MPs added:
      • In this context, Parliamentarians and the public need to be able to rely on the Regulator. However, the Government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism.
      • Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health. The ICO has powers to compel documents to understand data processing, contractual relations and the like (Information Notices). The ICO has powers to assess what needs to change (Assessment Notices). The ICO can demand particular changes are made (Enforcement notices). Ultimately the ICO has powers to fine Government, if it fails to adhere to the standards which the ICO is responsible for upholding.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released a 5G strategy that flows from a Trump Administration strategy released earlier this year. CISA is not asserting it has much authority in how the private sector will build, roll out, source, and secure 5G and is instead looking to capitalize on its role as the United States government’s cybersecurity agency for the civilian part of the government. As such, CISA is proposing to advise private sector stakeholders and provide its expertise so that the next generation of wireless communications in the U.S. is safe, stable, and secure. CISA is putting forth five initiatives that seeks to position CISA as a key stakeholder in assisting the larger U.S. efforts and individual companies and entities.
    • In the “National Strategy To Secure 5G,” the Trump Administration tied its overarching effort to foster 5G development and to cement the U.S.’s role as the preeminent technological power in the world to its 2018 United States National Cyber Strategy.
    • The Administration asserted
      • This National Strategy to Secure 5G expands on how the United States Government will secure 5G infrastructure domestically and abroad. 5G infrastructure will be an attractive target for criminals and foreign adversaries due to the large volume of data it transmits and processes as well as the support that 5G will provide to critical infrastructure. Criminals and foreign adversaries will seek to steal information transiting the networks for monetary gain and exploit these systems and devices for intelligence collection and surveillance. Adversaries may also disrupt or maliciously modify the public and private services that rely on communications infrastructure. Given these threats, 5G infrastructure must be secure and reliable to maintain information security and address risks to critical infrastructure, public health and safety, and economic and national security.
    • CISA noted the four lines of efforts from the “National Strategy To Secure 5G” are:
      • Facilitating domestic 5G rollout;
      • Assessing the risks and identifying core security principles for 5G infrastructure;
      • Managing the risks to our economic and national security from the use of 5G infrastructure; and
      • Promoting responsible global development and deployment of 5G infrastructure.
    • CISA stated
      • [it] leads 5G risk management efforts so the United States can fully benefit from all the advantages 5G connectivity promises to bring. In support of CISA’s operational priority to secure 5G, as outlined in the CISA Strategic Intent, the CISA 5G Strategy establishes five strategic initiatives that stem from the four lines of effort defined in the National Strategy to Secure 5G. Guided by three core competencies: Risk Management, Stakeholder Engagement, and Technical Assistance, these initiatives include associated objectives to ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks. With the support of CISA and its partners, the CISA 5G Strategy seeks to advance the development and deployment of a secure and resilient 5G infrastructure, one that enables enhanced national security, technological innovation, and economic opportunity for the United States and its allied partners.
    • CISA laid out the five initiatives:
      • Strategic Initiative 1: Support 5G policy and standards development by emphasizing security and resilience
        • The development of 5G policies and standards serve as the foundation for securing 5G’s future communications infrastructure. Those entities that shape the future of these policies and standards position themselves as global leaders and help facilitate secure deployment and commercialization of 5G technologies. To prevent attempts by threat actors to influence the design and architecture of 5G networks, it is critical that these foundational elements be designed and implemented with security and resilience from the start.
        • DESIRED OUTCOME: Threat actors are unable to maliciously influence the design and architecture of 5G networks.
      • Strategic Initiative 2: Expand situational awareness of 5G supply chain risks and promote security measures
        • Between untrusted components, vendors, equipment, and networks, 5G supply chain security is under constant threat. For example, while certain 5G equipment may be from a trusted vendor, supporting components manufactured or handled by untrusted partners or malicious actors could negate any security measures in place. These compromised components have the potential to affect the connectivity and security of transmitted data and information.
        • DESIRED OUTCOME: Malicious or inadvertent vulnerabilities within the 5G supply chain are successfully prevented or mitigated.
      • Strategic Initiative 3: Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments
        • Before moving to a standalone infrastructure, the first iterations of 5G deployment will work alongside existing 4G LTE infrastructure and core networks. While 5G architecture is designed to be more secure, 5G’s specifications and protocols stem from previous networks, which contain legacy vulnerabilities. For example, the overlay of 4G and 5G networks has the potential for a malicious actor to carry out a downgrade attack, where they could force a user on a 5G network to use 4G in order to exploit known vulnerabilities against them. These inherent vulnerabilities, along with new and unidentified risks, will require the collaboration of industry and government to develop and communicate security enhancements to support secure 5G deployments.
        • DESIRED OUTCOME: Secure 5G deployment, void of legacy vulnerabilities and untrusted components.
      • Strategic Initiative 4: Encourage innovation in the 5G marketplace to foster trusted 5G vendors
        • As 5G is deployed, there is an emphasis on ensuring that state-influenced entities do not dominate the 5G marketplace. To address this concern, CISA will work with its partners to support R&D initiatives and prize programs that result in secure and resilient 5G technologies and capabilities. By supporting these types of efforts, CISA will help drive innovation and establish a trusted vendor community for the future of 5G.
        • DESIRED OUTCOME: Increased number of trusted vendors in the 5G marketplace to address risks posed by limited competition and proprietary solutions.
      • Strategic Initiative 5: Analyze potential 5G use cases and share information on identified risk management strategies
        • The enhanced capabilities of 5G technologies will support an array of new functions and devices, introducing a plethora of potential use cases. With the potential for the connection of billions of devices on a network, also known as massive Machine-Type Communication (mMTC), applications like smart cities will require increased security to safeguard connected devices from potential threats and vulnerabilities. To ensure the security and integrity of these devices, CISA will communicate known vulnerabilities and risk management strategies for use cases associated with securing the Nation’s critical functions.
        • DESIRED OUTCOME: New vulnerabilities introduced by deployments of 5G technology are clearly understood and managed.
  • The Office of Management and Budget (OMB) released new guidance on grants and agreements federal agencies must generally follow that further implements a ban on using United States (U,S.) government funds on buying services or equipment from Huawei, ZTE, and other companies from the People’s Republic of China (PRC). Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) bars federal agencies, federal contractors, and recipients of federal funds from buying or using these services. Two regulations have been issued previously pertaining to agencies and contractors, and this notice governs the recipients of federal funding. However, the explanatory portion of the notice that discusses Section 889 differs from the actual regulatory text, giving rise to possible confusion over the scope and extent of the ban on the recipients of federal funding from buying or paying for banned services and equipment.
    • In the body of the notice, OMB stated:
      • OMB revised 2 CFR to align with section 889 of the NDAA for FY 2019 (NDAA 2019). The NDAA 2019 prohibits the head of an executive agency from obligating or expending loan or grant funds to procure or obtain, extend or renew a contract to procure or obtain, or enter into a contract (or extend or renew a contract) to procure or obtain the equipment, services, or systems prohibited systems as identified in NDAA 2019. To implement this requirement, OMB is adding a new section, 2 CFR 200.216 Prohibition on certain telecommunication and video surveillance services or equipment, which prohibit Federal award recipients from using government funds to enter into contracts (or extend or renew contracts) with entities that use covered telecommunications equipment or services. This prohibition applies even if the contract is not intended to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services. As described in section 889 of the NDAA 2019, covered telecommunications equipment or services includes:
        • Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
      • For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
      • Telecommunications or video surveillance services provided by such entities or using such equipment.
      • Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of the National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
    • In the rule itself, it is provided that the ban extends to the recipients and subrecipients themselves and not contractors using the banned services or equipment:
      • (a) Recipients and subrecipients are prohibited from obligating or expending loan or grant funds to:
        • (1) Procure or obtain;
        • (2) Extend or renew a contract to procure or obtain; or
        • (3) Enter into a contract (or extend or renew a contract) to procure or obtain equipment, services, or systems that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
  • The United States (U.S.) Department of Justice (DOJ) announced a major reorganization of its Antitrust Division through the creation of “the Office of Decree Enforcement and Compliance and a Civil Conduct Task Force” and a shuffling of subject area matters “among its six civil sections in order to build expertise based on current trends in the economy.”
    • The DOJ explained
      • The Office of Decree Enforcement and Compliance will have primary responsibility for enforcing judgments and consent decrees in civil matters.  It will also advise the Antitrust Division’s criminal sections when parties seek credit at the charging stage for their corporate compliance programs.  The office will work closely with division attorneys, monitors, and compliance officers to ensure the effective implementation of and compliance with antitrust judgments.  Additionally, the office will be the Antitrust Division’s primary contact for complainants who have information regarding potential violations of those final judgments.
      • The second change to the Antitrust Division’s civil enforcement program is the creation of the Civil Conduct Task Force.  This dedicated group of Division attorneys will work across the civil sections and field offices to identify conduct investigations that require additional focus and resources.  As an independent group, the task force will have the dedicated resources and a consistent mandate to investigate and, ultimately, prosecute civil conduct violations of the antitrust laws.
      • The third change announced today is the realignment of certain responsibilities within the Antitrust Division’s six civil sections. The allocation of commodities among sections has evolved over the years, and today’s announcement is a recognition that technology has reshaped the competitive dynamics in several industries that the Antitrust Division analyzes on a regular basis.
      • Specifically, the currently named Media, Entertainment, and Professional Services Section will shift attention to financial services, fintech, and banking.  Those commodities were previously divided across three other civil sections.  The currently named Telecommunications and Broadband Section will expand its portfolio to concentrate on media, entertainment, and telecommunications industries. Lastly, the currently named Technology and Financial Services section will focus full time on technology markets and the competitive characteristics of platform business models.
  • A class action was filed in British court against Marriott for data breaches between 2014 and 2018 exposed the personal data of people worldwide. This action follows the United Kingdom’s (UK) Information Commissioner’s Office’s (ICO) intention to fine Marriott “£99,200,396 for infringements of the General Data Protection Regulation (GDPR)” in 2019, but this enforcement action was extended through mid-2020 by the ICO. It is unclear when, or even if, the ICO will conclude its investigation and action against Marriott given the UK’s pending exit from the European Union and the GDPR. Theoretically, the ICO may be able to use the UK’s data protection law, and it is telling the class action is filed under both the GDPR and the UK’s data protection law in effect during most of the period in which the breaches occurred.
    • The law firm handling the class action asserted
      • It is believed the data breach began when the systems of the Starwood Hotels group were compromised following a hack on its reservation network, which is believed to have first occurred in 2014. Marriott International acquired the Starwood Hotels group in 2016 but the exposure of customer information was not discovered until 2018. The guests’ personal data affected by the breach included information such as guests’ names, email and postal addresses, telephone numbers, gender and credit card information.
  • The Federal Highway Administration (FHWA), a component agency of the United States (U.S.) Department of Transportation (DOT), asked for input on a draft rule “to ensure that States meet specific registration, notification, and coordination requirements to facilitate broadband infrastructure deployment in the right-of-way (ROW) of applicable Federal-aid highway projects.” The agency was directed to undertake this rulemaking by language in the “MOBILE NOW Act” that was enacted as part of “The Consolidated Appropriations Act, 2018” (P.L. 115-141). The FHWA explained “[o]nce the regulations take effect, the Section 607 requirements will apply to each State that receives funds under [the section of the United States Code that governs highway funding and projects], including the District of Columbia and the Commonwealth of Puerto Rico.” The agency added:
    • FHWA recognizes that it is in the public interest for utility facilities to use jointly the ROW of public roads and streets when such use and occupancy do not adversely affect highway or traffic safety, or otherwise impair the highway or its aesthetic quality, and does not conflict with Federal, State, or local laws and regulations. The opportunity for such joint use avoids the additional cost of acquiring separate ROW for the exclusive accommodation of utilities. As a result, the ROW of highways is often used to provide public services to abutting residents as well as to serve conventional highway needs.
    • Utility facilities, unlike most other fixed objects that may be present within the highway environment, are not owned nor are their operations directly controlled by State or local public agencies. Federal laws and FHWA regulations contained in 23 U.S.C. 109, 111, 116, and 123 and 23 CFR parts 1, 635, 645, and 710 regulate the accommodation, relocation, and reimbursement of utilities located within the highway ROW. State departments of transportation (State DOT) are required to develop Utility Accommodation policies that meet these regulations. 23 CFR 645.211.

Further Reading

  • New Zealand stock exchange hit by cyber attack for second day” By Martin Farrer – The Guardian. A powerful offshore Distributed Denial of Service (DDoS) attack took down the nation’s stock exchange for the second day in a row. Given the apparent sophistication and resources necessary to execute this attack, according to experts, one wonders if either of the Pacific Rim’s most active, capable nation-state hackers may be responsible: the People’s Republic of China or the Democratic People’s Republic of Korea.
  • Israeli phone hacking company faces court fight over sales to Hong Kong” by Patrick Howell O’Neill – MIT Technology Review. Human rights attorneys have filed suit in Tel-Aviv to force the Ministry of Defence to end exports of Cellebrite’s phone hacking technology to repressive regimes like Hong Kong and Belarus. It is not clear Israel ever granted Cellebrite an export license, and the Ministry is being closed mouth on the issue. Previous filings assert Cellebrite’s technology has been used over 4,000 times in Hong Kong to hack into the phones of dissidents and activists even though many were using device encryption. Given that Cellebrite sells its technology widely throughout the world, perhaps the claims of some Five Eyes nations, including the United States, United Kingdom, and Australia, are overblown?
  • Armed militias mobilize on social media hours before deadly Kenosha shooting” – The Atlantic Counsel’s Digital Forensic Research Lab. As it turns out, Facebook and reddit posts and pages were encouraging armed individuals and militias to go to Kenosha, Wisconsin ostensibly to ensure protests over the police shooting of an African American man in the back did not result in violence or looting. An alarming number of these posts called for violence against the protestors, and at least one person heeded this call by shooting and killing two protestors.
  • Facebook chose not to act on militia complaints before Kenosha shooting” By Russell Brandom – The Verge. Even with people submitting complaints that various users and groups were inciting violence in Kenosha, Wisconsin, Facebook moderators declined to take down most of the material…until the day after a person shot and killed two protestors.
  • Tech’s deepening split over ads and privacy” By Kyle Daly – Axios. This piece summarizes some of the internecine fighting in Silicon Valley over privacy, which, as the author points out is driven by, or perhaps more kindly, happens to coincide with each companies’ interest. For example, Apple faces antitrust scrutiny in the United States and European Union and does not earn much revenue from advertising, so it is easy for them to propose changes to their iOS that would give users much more control over the data companies could collect. This would hurt some of Apple’s rivals like Facebook. What is not mentioned here is that should Microsoft win the TikTok sweepstakes, it is all but certain it’s position on stricter privacy controls will change, for the video sharing app s built on harvesting data from users.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s