Further Reading, Other Developments, and Coming Events (22 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing on 23 September titled “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • On 23 September, the Commerce, Science, and Transportation Committee will hold a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” with these witnesses:
    • The Honorable Julie Brill, Former Commissioner, Federal Trade Commission
    • The Honorable William Kovacic, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Jon Leibowitz, Former Chairman and Commissioner, Federal Trade Commission
    • The Honorable Maureen Ohlhausen, Former Commissioner and Acting Chairman, Federal Trade Commission
    • Mr. Xavier Becerra, Attorney General, State of California
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a virtual hearing “Mainstreaming Extremism: Social Media’s Role in Radicalizing America” on 23 September with these witnesses:
    • Marc Ginsburg, President, Coalition for a Safer Web
    • Tim Kendall, Chief Executive Officer, Moment
    • Taylor Dumpson, Hate Crime Survivor and Cyber-Harassment Target
    • John Donahue, Fellow, Rutgers University Miler Center for Community Protection and Resiliency, Former Chief of Strategic Initiatives, New York City Police Department
  • On 23 September, the Senate Homeland Security and Governmental Affairs will hold a hearing to consider the nomination of Chad Wolf to be the Secretary of Homeland Security.
  • The Senate Armed Services Committee will hold a closed briefing on 24 September “on Department of Defense Cyber Operations in Support of Efforts to Protect the Integrity of U.S. National Elections from Malign Actors” with:
    • Kenneth P. Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security
    • General Paul M. Nakasone, Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service
  • On 24 September, the Homeland Security and Governmental Affairs will hold a hearing on “Threats to the Homeland” with:
    • Christopher A. Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center
    • Kenneth Cuccinelli, Senior Official Performing the Duties of the Deputy Secretary of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States (U.S.) Department of Justice (DOJ) has indicted two Iranian nationals for allegedly hacking into systems in the U.S., Europe, and the Middle East dating back to 2013 to engage in espionage and sometimes theft.
    • The DOJ claimed in its press release:
      • According to a 10-count indictment returned on Sept. 15, 2020, Hooman Heidarian, a/k/a “neo,” 30, and Mehdi Farhadi, a/k/a “Mehdi Mahdavi” and “Mohammad Mehdi Farhadi Ramin,” 34, both of Hamedan, Iran, stole hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.  In some instances, the defendants’ hacks were politically motivated or at the behest of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders.  In other instances, the defendants sold the hacked data and information on the black market for private financial gain.
      • The victims included several American and foreign universities, a Washington, D.C.-based think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran.  In addition to the theft of highly protected and sensitive data, the defendants also vandalized websites, often under the pseudonym “Sejeal” and posted messages that appeared to signal the demise of Iran’s internal opposition, foreign adversaries, and countries identified as rivals to Iran, including Israel and Saudi Arabia.
  • Two United States (U.S.) agencies took coordinated action against an alleged cyber threat group and a front company for a “a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector.” The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) “imposed sanctions on Iranian cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and one front company…Rana Intelligence Computing Company (Rana)” per the agency’s press release. Treasury further claimed:
    • Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat. APT39 is being designated pursuant to E.O. 13553 for being owned or controlled by the MOIS, which was previously designated on February 16, 2012 pursuant to Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for human rights abuses in Iran and Syria, respectively.
    • The Federal Bureau of Investigation (FBI) provided “information on numerous malware variants and indicators of compromise (IOCs) associated with Rana to assist organizations and individuals in determining whether they may have been targeted.”
  • The United States (U.S.) Department of Justice (DOJ) also released grand jury indictments against five nationals of the People’s Republic of China and two Malaysians for extensive hacking and exfiltration of commercial and business information with an eye towards profiting from these crimes. The DOJ asserted in its press release:
    • In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments (available here and here) charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
    •  The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information.  These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency. 
    • Also in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia issued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from the United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.
  • On 21 September, the House of Representatives took and passed the following bills, according to summaries provided by the House Majority Whip’s office:
    • The “Effective Assistance in the Digital Era” (H.R. 5546) (Rep. Jeffries – Judiciary) This bill requires the Federal Bureau of Prisons to establish a system to exempt from monitoring any privileged electronic communications between incarcerated individuals and their attorneys or legal representatives.
    • The “Defending the Integrity of Voting Systems Act (S. 1321) This bill broadens the definition of “protected computer” for purposes of computer fraud and abuse offenses under current law to include a computer that is part of a voting system.
    • The “Promoting Secure 5G Act of 2020” (H.R. 5698) This bill will establish as a U.S. policy within the IFIs to only finance 5G projects and other wireless technologies that include adequate security measures in furtherance of national security aims to protect wireless networks from bad actors and foreign governments.
    • The “MEDIA Diversity Act of 2020” (H.R. 5567) This bill Requires the FCC to consider market entry barriers for socially disadvantaged individuals in the communications marketplace.
    • The “Don’t Break Up the T-Band Act of 2020” as amended (H.R. 451) This bill repeals the requirement on the FCC to reallocate and auction the T-Band.  H.R. 451 also requires the FCC to adopt rules limiting the use of 9-1-1 fees by States or other taxing jurisdictions to (1) the support and implementation of 9-1-1 services and (2) operational expenses of public safety answering points.
    • It bears note that S. 1321 has passed the Senate, and so it is off to the White House for the only election security bill that has made it through both house of Congress.

Further Reading

  • Justice Department expected to brief state attorneys general this week on imminent Google antitrust lawsuit” By Tony Romm — The Washington Post; “Justice Dept. Case Against Google Is Said to Focus on Search Dominance” By Cecilia Kang, Katie Benner, Steve Lohr and Daisuke Wakabayashi — The New York Times; “Justice Department, states to meet in possible prelude to Google antitrust suit” By Leah Nylen — Politico. Tomorrow, the United States Department of Justice (DOJ) will outline its proposed antitrust case against Google with state attorneys general, almost all of whom are investigating Google on the same grounds. Reportedly, the DOJ case is focused on the company’s dominance of online searches, notably its arrangement to make Google the default search engine on iPhones and Androids, and not on its advertising practices. If the DOJ goes this road, then it will be similar to the European Union’s (EU) 2018 case against Google for the same, which resulted in EU residents being offered a choice on search engines on Android devices and a €4.34 billion fine. This development comes after articles earlier this month that Attorney General William Barr has been pushing the DOJ attorneys and investigators against the wishes of many to wrap up the investigation in time for a pre-election filing that would allow President Donald Trump to claim he is being tough on big technology companies. However, if this comes to pass, Democratic attorneys general may decline to join the suit and may bring their own action also alleging violations in the online advertising realm that Google dominates. In this vein, Texas Attorney General Ken Paxton has been leading the state effort to investigate Google’s advertising business, which critics argue is anti-competitive. Also, according to DOJ attorneys who oppose what they see as Barr rushing the suit, this could lead to a weaker case Google may be able to defeat in court. Of course, this news comes shortly after word leaked from the Federal Trade Commission (FTC) that its case against Facebook could be filed regarding its purchase of rivals WhatsApp and Instagram.
  • Why Japan wants to join the Five Eyes intelligence network” By Alan Weedon — ABC News. This piece makes the case as to why the United States, United Kingdom, Canada, Australia, and New Zealand may admit a new member to the Five Eyes soon: Japan. The case for the first Asian country is that it is a stable, western democracy, a key ally in the Pacific, and a bulwark against the influence of the People’s Republic of China (PRC). It is really this latter point that could carry the day, for the Five Eyes may need Japan’s expertise with the PRC and its technology to counter the former’s growing ambitions.
  • The next Supreme Court justice could play a major role in cybersecurity and privacy decisions” By Joseph Marks — The Washington Post. There are a range of cybersecurity and technology cases that the Supreme Court will decide in the near future, and so whether President Donald Trump gets to appoint Justice Ruth Bader Ginsburg’s successor will be very consequential for policy in these areas. For example, the court could rule on the Computer Fraud and Abuse Act for the first time regarding whether researchers are violating the law by probing for weak spots in systems. There are also Fourth Amendment and Fifth Amendment cases pending with technology implications as the former pertains to searches of devices by border guards and the latter to self-incrimination visa vis suspects being required to unlock devices.
  • Facebook Says it Will Stop Operating in Europe If Regulators Don’t Back Down” By David Gilbert —VICE. In a filing in its case against Ireland’s Data Protection Commission (DPC), Facebook made veiled threats that if the company is forced to stop transferring personal data to the United States, it may stop operating in the European Union altogether. Recently, the DPC informed Facebook that because Privacy Shield was struck down, it would need to stop transfers even though the company has been using standard contractual clauses, another method permitted in some case under the General Data Protection Regulation. Despite Facebook’s representation, it seems a bit much that the company would leave the EU to any competitors looking to its fill its shoes.
  • As U.S. Increases Pressure, Iran Adheres to Toned-Down Approach” By Julian E. Barnes, David E. Sanger, Ronen Bergman and Lara Jakes — The New York Times. The Islamic Republic of Iran is showing remarkable restraint in its interactions with the United States in the face of continued, punitive actions against Tehran. And this is true also of its cyber operations. The country has made the calculus that any response could be used by President Donald Trump to great effect in closing the gap against front runner former Vice President Joe Biden. The same has been true of its cyber operations against Israel, which has reportedly conducted extensive operations inside Iran with considerable damage.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s