Further Reading, Other Developments, and Coming Events (21 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a virtual hearing “Mainstreaming Extremism: Social Media’s Role in Radicalizing America” on 23 September with these witnesses:
    • Marc Ginsburg, President, Coalition for a Safer Web
    • Tim Kendall, Chief Executive Officer, Moment
    • Taylor Dumpson, Hate Crime Survivor and Cyber-Harassment Target
    • John Donahue, Fellow, Rutgers University Miler Center for Community Protection and Resiliency, Former Chief of Strategic Initiatives, New York City Police Department
  • On 23 September, the Senate Homeland Security and Governmental Affairs will hold a hearing to consider the nomination of Chad Wolf to be the Secretary of Homeland Security.
  • The Senate Armed Services Committee will hold a closed briefing on 24 September “on Department of Defense Cyber Operations in Support of Efforts to Protect the Integrity of U.S. National Elections from Malign Actors” with:
    • Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security
    • General Paul M. Nakasone, Commander, U.S. Cyber Command and Director, National Security Agency / Chief, Central Security Service
  • On 24 September, the Homeland Security and Governmental Affairs will hold a hearing on “Threats to the Homeland” with:
    • Christopher A. Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center
    • Kenneth Cuccinelli, Senior Official Performing the Duties of the Deputy Secretary of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The Court of Justice of the European Union (CJEU) ruled for the first time on the European Union’s (EU) open internet access rules, Regulation 2015/2120, “which enshrines the fundamental principle of an open internet (more colloquially known as ‘net neutrality’)” according to the court’s summary of its decision. The CJEU found that a zero rating plan offered by a Hungarian telecommunications carrier that provided preference to certain apps and websites even when users had exhausted their data allowances was counter to these regulations. Moreover, the CJEU found it is not necessary to show that other apps and websites are being harmed or effected in order to punish a violator. This ruling puts the EU at odds with the United States in terms of policy, for the Federal Communications Commission (FCC) rescinded Obama Administration net neutrality regulations and tried to preempt state net neutrality measures. However, a Biden Administration FCC may reinstall such regulations.  
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an alert finding that:
    • Chinese Ministry of State Security (MSS)-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
    • Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
    • Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
    • If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
    • This Advisory identifies some of the more common—yet most effective— tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.
    • CISA and the FBI added:
      • The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.
  • As requested by the chair and ranking members of the House Oversight Committee and its Government Operations Subcommittee, the Government Accountability Office (GAO) investigated and reported on “essential mission-critical information technology (IT) acquisitions across the federal government and determine their key attributes.” The GAO noted “[e]leven of the 16 selected acquisitions were rebaselined during their development, meaning that the project’s cost, schedule, or performance goals were modified to reflect new circumstances.” The GAO stated “[t]en agencies reported delays in defining the cost, schedule, and scope; one agency reported budget cuts and hiring freezes; four agencies reported technical challenges; and five agencies reported changes in development approach as a cause for rebaselining.” The GAO reported “[t]he amount agencies expect to spend on the selected acquisitions vary greatly depending on their scope and complexity, as well as the extent of transformation and modernization that agencies envision once the acquisitions are fully deployed.” The GAO stated “[a]gencies reported potential cost savings associated with 13 of the 16 mission-critical acquisitions after deployment.”
    • The GAO added
      • In general, these agencies reported that they expect cost savings and cost avoidance due to a number of factors. Six agencies reported expected cost savings as a result of multiple legacy systems being shut down, and two agencies reported expected cost savings from the use of cloud-based capabilities. Seven agencies cited improved efficiencies in streamlined processes as an expected savings in costs, while three agencies cited the elimination of physical paper processing as the source of expected cost savings. Three agencies also reported that they expected cost savings through improving security, monitoring, and management.
  • The United Kingdom announced a “National Data Strategy” that “will put data at the heart of the country’s recovery from the pandemic so companies and organisations can use it to drive digital transformation, innovate and boost growth across the economy.” The Department for Digital, Culture, Media & Sport explained the new strategy “asks fundamental questions about what data should and should not be made available…[and] sets out how to maintain a regulatory regime that is not too burdensome for smaller business and supports responsible innovation…through five priority missions:
    • Unlocking the value of data across the economy
    • Securing a pro-growth and trusted data regime
    • Transforming government’s use of data to drive efficiency and improve public services
    • Ensuring the security and resilience of the infrastructure on which data relies
    • Championing the international flow of data
  • The United States Department of Homeland Security’s the Cybersecurity and Infrastructure Security Agency (CISA), with contributions from the Federal Bureau of Investigation (FBI), issued an alert titled “Iran-Based Threat Actor Exploits VPN Vulnerabilities” regarding “an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks.” The agencies stated
    • Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.
  • Senator Mike Lee (R-UT) released a statement after big technology companies responded to his letter “asking each company to justify anti-conservative bias in their content moderation process.” Lee asserted:
    • The responses received from the tech companies about bias against conservatives at their firms were completely unpersuasive. I continue to be concerned about the ideological discrimination going on at these firms and I believe further oversight will be necessary in order to obtain the facts and answers that the American people deserve.
  • The Government Accountability Office (GAO) issued a report in response to a provision in the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) on defense “contractors’ independent R&D projects fit into the [Department of Defense’s] technology goals.” The report was sent to the chairs and ranking members of the Armed Services Committees and Appropriations Committees’ Defense Subcommittees. The GAO concluded:
    • DOD’s investments in research and development, particularly science and technology, are key to maintaining our military’s technological superiority over potential adversaries. However, the growing capability needs of the military departments, coupled with modest increases in DOD’s science and technology budget, threaten to erode this superiority. DOD has taken initial steps to confront this imbalance, including strategic planning to identify its top modernization priorities. Nonetheless, the DOD instruction that guides this planning does not require DOD to account for the billions of dollars that industry invests in IR&D projects annually at industry’s own discretion—nor the innovation outcomes that industry obtains from these IR&D projects. Although the Independent Research and Development (IR&D) statute and policy prohibit DOD from requiring what IR&D projects contractors undertake, they require DOD to communicate its science and technology needs to industry. Correspondingly, our analysis of IR&D project data covering a single year showed that industry has responded to the modernization priorities DOD set forth in 2018 by investing almost 40 percent of its IR&D funding on related technologies. However, the extent to which this will continue in future years is not something we can forecast. DOD can achieve this visibility by initiating its own annual reviews of IR&D project data. Such assessments would provide DOD with important information needed to develop more comprehensive strategic plans for defense science and technology investment.
    • At the same time, the primary tool DOD relies on for IR&D project data—the DTIC IR&D database—has several limitations in terms of the data it captures. For instance, it does not identify, whether the IR&D project is linked to a DOD modernization priority or if it constitutes disruptive or incremental innovation. However, capturing additional data could place burdens on contractors. Determining whether to collect additional information on the billions of dollars contractors spend annually on IR&D projects falls squarely within OUSD (R&E)’s responsibility to oversee DOD’s strategic planning process for science and technology investments.
    • The GAO made two recommendations:
      • The Secretary of Defense should ensure that the Under Secretary of Defense for Research and Engineering revise its IR&D instruction to require USD (R&E) personnel to annually review defense industry IR&D investments to inform DOD’s science and technology strategic planning efforts. (Recommendation 1)
      • The Secretary of Defense should ensure that the Administrator, Defense Technical Information Center, assess and determine whether the DTIC IR&D database should require contractors to include additional information on IR&D projects, such as:
        • (a) The IR&D project’s linkage, if any, to DOD’s modernization priorities;
        • (b) The allowable category (basic research, applied research, technology development, or concept study) to which the IR&D project belongs;
        • (c) The nature of the project as either potentially disruptive or potentially incremental research and development; and
        • (d) The actual IR&D project costs when the project is completed. (Recommendation 2)

Further Reading

  • The Huawei Ban Could Crush U.S. Overseas Aid Efforts” By Colum Lynch — Foreign Policy. A possible unintended consequence to the ban on Huawei, ZTE, and other People’s Republic of China (PRC) in Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) is that United States foreign aid organizations may not be able to disburse funds or provide grants to organizations throughout the world using PRC technology. Given that much of Africa already has Huawei technology, organizations like United States Agency for International Development (USAID) were granted a waiver last month along with the Department of Defense by the Director of National Intelligence (DNI). The DNI is said to be considering another such waiver, and it may turn out Congress will revisit this requirement, making an explicit carveout for international aid work. Of course the proponents of a Huawei/ZTE ban may reasonably argue will bring out all sorts of private sector entities with their own cases as to why they, too, should be exempted.
  • Exclusive: Top Huawei executives had close ties to company at center of U.S. criminal case” By Steve Stecklow and Marcelo Rochabrun — Reuters. The news outlet has turned up even more evidence that Huawei controlled a company that sold United States (U.S.) telecommunications equipment to Iran in violation of U.S. sanctions between 2007 and 2014. This case is the one that caused Canada to detain Huawei CFO Meng Wanzhou at U.S. request. Reuters has discovered documents filed in Sao Paulo, Brazil showing that high ranking Huawei officials continued to have control over Skycom Tech, the entity it claims was sold in 2007.  These documents say otherwise, and it was this company that sold the U.S. gear in violations of sanctions.
  • It’s Impossible for You to Know Which Apps Sell Your Location Data to Trump” By Jason Koebler and Joseph Cox — Vice’s Motherboard. The Trump reelection campaign’s app is hoovering up the data of those who download and install it but also from all their contacts. This way, when combined with data from other sources, the Trump campaign can reach even more potentially supportive voters and target them with ads. The truly disturbing practice of the company they are working with is that this entity bids on and loses an advertising campaign, it still gets access to the people the campaign is targeting. There are legitimate concerns that given the fungibility of personal data, the Trump Administration is harvesting and processing data along the same lines as Cambridge Analytica in 2016
  • Labeled “Research” Chemicals, Doping Drugs Sold Openly on Amazon.com” By Annie Gilbertson and Jon Keegan — The Markup. The massive online marketplace removed potentially unsafe, illegal substances used for doping in athletics only after this media outlet presented evidence it was being sold. This article follows a string of articles on how Amazon is not policing the third-party sellers on its platform that may be selling defective, unsafe, or illegal goods. Nonetheless, Amazon has asserted Section 230 protects it from claims regarding items offered by third party sellers even though the provision pertains to moderation of online content and speech. The company may face defective productive suits in the future if a recent California state case is any indication.
  • US technology embargo list gives China a blueprint for home-grown innovation over the next decade, top science official says” By Frank Tang — South China Morning Post. The People’s Republic of China is asserting that the United States’ (U.S.) list of items banned for export is providing a roadmap to developing the technology necessary to surpass the U.S.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Markus Spiske on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s