Other Developments, Further Reading, and Coming Events (15, 16, and 17 March 2021)

Other Developments

  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a Joint Cybersecurity Advisory (CSA) on the “Compromise of Microsoft Exchange Server.” The agencies stated:
    • The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.
  • 23 Democrats on the House Energy and Commerce Committee, including the chair and five of the six subcommittee chairs, wrote Facebook CEO Mark Zuckerberg “demanding answers for Facebook’s advertising practices, which reports show promoted violence and disinformation both leading up to and after the violent insurrection at the United States Capitol” according to their press release. They asserted:
    • According to recent troubling reports, Facebook ran ads showing gun accessories and protective equipment next to content that amplified election misinformation. Furthermore, similar advertising was shown next to news about the Capitol siege after January 6. Targeting ads in this way is dangerous and has the potential to encourage acts of violence.
    • Facebook must immediately examine its advertising practices and make substantive changes to its policies to avoid future instances of ad placements and targeting that promote violence. We strongly believe Facebook has a moral obligation to take action regarding ads that stoke aggression. We also believe Facebook has a moral responsibility to provide transparency and tools to advertisers so they can avoid supporting purveyors of misinformation and disinformation, and promoters of violence.
    • To assist the Committee’s ongoing oversight efforts, please provide written answers to the following questions by March 22, 2021:
      • What steps does Facebook plan to take to ensure that advertisements for weapons or other tactical military equipment are not targeted in a manner that jeopardizes public safety?
      • What procedures and processes does Facebook have in place for reviewing the audience of these types of advertisements?
      • Does Facebook have dedicated staff to monitor and approve the targeting of advertisements for weapons or military equipment on its platform?
      • Are companies whose advertisements appear on Facebook aware or notified that their ads are being placed next to content that includes misinformation, disinformation, violence, hate speech, or voter suppression?
      • Have any companies expressed concerns regarding the placement of their advertisements next to content that includes misinformation, disinformation, violence, hate speech, or voter suppression?
  • The United States (U.S.) Consumer Financial Protection Bureau (CFPB) rescinded a Trump Administration policy statement that would have limited the agency’s use of its power to punish abusive behavior. Like the Federal Trade Commission (FTC), the CFPB may punish unfair and deceptive practices but has the further jurisdiction the FTC lacks to also police abusive practices. Of course, the CFPB’s powers are limited to “any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.” It was always very likely Democratic leadership at the CFPB would dispense with this policy statement.
    • In its press release, the CFPB noted “Congress defined abusive acts or practices in section 1031(d) of the Dodd-Frank Act. Paraphrasing Congress, that standard prohibits companies from:
      • Materially interfering with someone’s ability to understand a product or service
      • Taking unreasonable advantage of someone’s lack of understanding
      • Taking unreasonable advantage of someone who cannot protect themself, and
      • Taking unreasonable advantage of someone who reasonably relies on a company to act in their interests.
    • In the pre-publication notice, the CFPB or Bureau noted:
      • Based on its review of, and experience in applying, the [Trump Administration] Policy Statement, however, the Bureau has concluded that the principles set forth in the Policy Statement do not actually deliver clarity to regulated entities. In fact, the Policy Statement’s intended principles, including “making a good-faith effort to comply with the abusiveness standard,” themselves afford the Bureau considerable discretion in its application and add uncertainty to market participants. Additionally, the Bureau’s further consideration of and experience under the Policy Statement have led it to conclude that the intended principles have the effect of hampering certainty over time. Not asserting abusiveness claims solely because of their overlap with unfair or deceptive conduct or based on the other intended principles articulated in the Policy Statement has the effect of slowing the Bureau’s ability to clarify the statutory abusiveness standard by articulating abusiveness claims as well as through the ensuing issuance of judicial and administrative decisions.  It is thus counterproductive to the purpose of the original Policy Statement.
      • The Policy Statement also provided that the Bureau intended to focus on citing conduct as abusive in supervision and challenging conduct as abusive in enforcement if the Bureau concluded that the harms to consumers from the conduct outweighed its benefits to consumers. This principle was intended to “ensure[] that the Bureau is committed to using its scarce resources to address conduct that harms consumers” and to ensure consistency across supervisory and enforcement matters. The Bureau has concluded, however, that there is no basis to treat application of the abusiveness standard differently from the normal considerations that guide the Bureau’s general use of its enforcement and supervisory discretion. The Bureau also did not find this principle helpful in practice.
  • The New York City Chief Technology Officer (CTO) issued “The New York City Internet of Things (IOT) Strategy,” which “fulfills [Mayor Bill De Blasio’s] commitment in OneNYC 2050 by providing an update on the current IOT landscape and a bold vision for the future.” The CTO explained:
    • The NYC IOT Strategy describes the landscape of IOT usage across society. It explores treatments of the technology in educational and policy settings. It outlines the state of New York City’s IOT ecosystem. And it establishes a set of critical near-term actions toward creating a healthy, cross-sector IOT ecosystem in New York City – one that is productive, responsible, and fair.
    • The NYC IOT Strategy is built around six key principles:
      • Governance + Coordination
      • Privacy + Transparency
      • Security + Safety
      • Fairness + Equity
      • Efficiency + Sustainability
      • Openness + Public Engagement
    • These principles structure the City’s approach, acting as guideposts for the analysis, recommendations, and actions set forth in this document. 
    • Today, New York City faces a range of opportunities and challenges in fostering a healthy IOT ecosystem. Within City government, there are opportunities to build capacity to use and innovate with IOT, foster collaboration among agencies, boost partnership opportunities across sectors, and strengthen governance and coordination throughout the City. In the private and non-profit sectors, there are opportunities to support industry standards and best practices around IOT, coordinate on emerging workforce and IOT literacy needs, and support local economies and communities. In addition, there are opportunities to engage and empower residents in their interactions with IOT across society, as consumers, residents, or workers.
    • The NYC IOT Strategy offers recommendations to address these issues and outlines five broad goals for near-term City action:
      • Foster Innovation by creating structures and programs that support research, testing, and experimentation with IOT technologies
      • Promote Data Sharing and Transparency around City IOT use by engaging residents about IOT initiatives, and aggregating information and data from the City’s work to make them available across agencies, and for the public, where appropriate
      • Improve Governance and Coordination of the City’s use of connected technologies through new policies and processes
      • Derive Value from Cross-Sector Partnerships by supporting and pursuing new opportunities for collaboration
      • Engage with Industry and Advocate for Communities by creating new channels for exchange and advocating for digital rights
  • The Tech Transparency Project (TTP) released an investigation that “provides fresh evidence that one of the industry’s primary regulators, the Federal Trade Commission (FTC), has effectively been captured by the very companies it is charged with overseeing” according to the organization’s statement. TTP claimed:
    • With anticipation running high that the Biden administration will take steps to rein in the power of Big Tech, a new TTP investigation provides fresh evidence that one of the industry’s primary regulators, the Federal Trade Commission, has effectively been captured by the very companies it is charged with overseeing.
    • It’s long been known that Google, Qualcomm, and other tech giants have had a close relationship with the George Mason University (GMU) law school, often funding white papers and conferences organized by Joshua Wright, a former Republican FTC commissioner who has argued that government should take a hands-off approach to the tech industry.
    • Now, TTP’s investigation is revealing new details about Wright’s behind-the-scenes dealings at the FTC—and the extent to which GMU has shaped the agency’s workforce through an extensive revolving door and internship pipeline. The findings show how tech companies can count on an army of GMU allies, including current and former FTC officials with inside knowledge of the agency, to defend them against accusations of anticompetitive behavior.
    • TTP enumerated these “main takeaways:”
      • A May 2019 report by the Federal Trade Commission’s Office of Inspector General (OIG) concluded that a former senior FTC official, now confirmed to be Wright, met or attempted to meet with FTC officials on at least six different occasions between April and May 2017 to push a settlement with Qualcomm. That amounted to a legal violation, according to the report, because Wright had participated “personally and substantially” in the Qualcomm antitrust case while serving as an FTC commissioner and was thus subject to a lifetime ban on lobbying his former colleagues on the matter. The OIG’s conclusions were later forwarded to the Department of Justice’s Public Integrity Section, which declined to prosecute the case.
      • At least 14 senior officials at the FTC during the Trump administration had ties to GMU. They included attorneys, economists, analysts, and those serving in senior positions as bureau directors or deputy directors.
      • At least six FTC officials have taken a full trip through the “revolving door,” cycling back and forth between the Washington, D.C., agency and teaching positions at the GMU law school in nearby Arlington, Virginia, including several who have made the trip multiple times.
      • There are 17 examples of FTC officials who served as GMU law school professors or left professorships at GMU to join the FTC. In at least four cases, GMU professors left the law school to serve in senior roles at the FTC only to return to their teaching positions at the end of their government service. At least seven FTC officials appear to have served as GMU professors or adjunct professors at the same time they also worked at the FTC.
      • Big Tech executives from Google, Facebook, and Qualcomm and the law firms representing the companies are featured as guest speakers, lecturers and even teachers of several GMU law courses. In one case, Google’s in-house counsel for patent issues has been teaching a GMU law course in recent years. In other examples, lawyers representing Google and Qualcomm have taught antitrust and privacy courses or served as guest lecturers at the law school while the companies faced active FTC investigations for anticompetitive behavior. 
      • At least 50 GMU students, most from the law school, have served as FTC interns or law clerks. In several cases, GMU law students appear to have served as FTC interns at the same time they were working for GMU academic centers or professors funded by Big Tech. After graduation, many were hired by top law firms representing Google, Qualcomm, Facebook, and GMU’s other Big Tech funders.
  • Senators Michael Bennet (D-CO), Angus King (I-ME), Rob Portman (R-OH), and Joe Manchin (D-WV) wrote Secretary of Agriculture Tom Vilsack, Secretary of Commerce Gina Raimondo, acting Federal Communications Commission Chair Jessica Rosenworcel, and National Economic Council Director Brian Deese “urging [them] to update federal standards for high-speed broadband to reflect modern uses and align those standards across the government” per the press release. Bennet, King, Portman, and Manchin asserted:
    • Going forward, we should make every effort to spend limited federal dollars on broadband networks capable of providing sufficient download and upload speeds and quality, including low latency, high reliability, and low network jitter, for modern and emerging uses, like two-way videoconferencing, telehealth, remote learning, health IoT, and smart grid applications. Our goal for new deployment should be symmetrical speeds of 100 megabits per second (Mbps), allowing for limited variation when dictated by geography, topography, or unreasonable cost. While we recognize that in truly hard-to-reach areas, we need to be flexible in order to reach unserved Americans, we should strive to ensure that all members of a typical family can use these applications simultaneously. There is no reason federal funding to rural areas should not support the type of speeds used by households in typical well-served urban and suburban areas (e.g., according to speedtest.net’s January 2021 analysis, average service is currently 180 Mbps download / 65 Mbps upload with 24 milli-sec latency).
    • The pandemic has reinforced the importance of high-speed broadband and underscored the cost of the persistent digital divide in our country. According to the Federal Communications Commission (FCC), roughly 14.5 million Americans still lack access to broadband, and other studies estimate this number could be as high as 162 million. Unfortunately, the FCC data continually overestimates broadband connectivity due to outdated mapping and poor data collection methods. We now have multiple definitions across federal agencies for what constitutes an area as served with broadband, resulting in a patchwork without one consistent standard for broadband. For example, the FCC defines high-speed broadband as download speeds of up to 25 megabits per second and upload speeds of up to 3 megabits per second (25/3 Mbps). Alternatively, the U.S. Department of Agriculture (USDA) defines it as just 10/1 Mbps. While it is important to update standards for federally funded projects, we also recognize that there are many Americans who lack access to even minimal service. If we do not prioritize unserved Americans before upgrading to higher speeds, then we will only increase the digital divide further.
    • We need a new approach. We urge you to work together to establish one consistent, modern baseline definition of high-speed broadband service and underlying infrastructure specifications across the federal government and a coordinated approach to deploy funding efficiently where it is most needed. This would also reduce redundancy and make it easier for state, local, and private partners applying for support, while complementing provisions in the end of year COVID-19 relief bill directing the National Telecommunications Information Agency to work with federal agencies to streamline existing broadband programs.
  • Representative Angie Craig (D-MN) introduced “legislation to provide consumers with transparent information on broadband services available in the marketplace…[and] [t]he ‘Broadband Consumer Transparency Act of 2021’ (H.R.1555) would require sellers of broadband services to display information in a uniform and clear manner at the point of sale to allow consumers to easily compare plans and to understand what they are purchasing” according to her press release. Craig claimed:
    • Specifically, the Broadband Consumer Transparency Act would require sellers of broadband services to provide the following information to all consumers:
      • Price: Price points, including various charges like overage, equipment, early termination and administrative fees.
      • Data Allowances: This is the carrier-defined plan limit after which consumers will face some consequence, such as additional charges or slowed data speeds.
      • Performance: Broadband speed and other performance metrics.
  • The Government Accountability Office (GAO) issued a report titled “Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors” that provides an update on the Department of Defense’s (DOD) efforts “to make its network of high-tech weapon systems less vulnerable to cyberattacks.” In 2018, the GAO found the “DOD has recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations.”  The GAO is now stating:
    • Since our 2018 report, DOD has made progress incorporating cybersecurity into the acquisition process. At the macro level, additional cybersecurity guidance and resources have helped to further ingrain cybersecurity practices into the DOD culture. However, additional guidance has not addressed an area where we found programs struggled—how to effectively translate cybersecurity concepts into detailed and specific cybersecurity requirements for contracts, on par with other system requirements. In particular, the services’ guidance on incorporating cybersecurity into acquisitions does not address the way programs should include cybersecurity requirements in contracts with clear acceptance criteria and methods to verify requirements have been met. The Air Force has taken positive actions to remedy this by developing internal guidance on how to incorporate program-specific cybersecurity requirements. The Army, Navy, and Marine Corps would benefit from a similar approach. Just as the Air Force leveraged and consolidated existing policies and guidance, the Army, Navy, and Marine Corps have opportunities to adapt existing practices, such as those in the Air Force, to fit their respective acquisition community. Until these actions are taken, programs will continue to face cybersecurity risks and contracts may not include detailed and specific cybersecurity requirements.
    • The GAO recommended:
      • The Secretary of the Army should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 1)
      • The Secretary of the Navy should develop guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 2)
      • The Secretary of the Navy should take steps to ensure the Marine Corps develops guidance for acquisition programs on how to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. (Recommendation 3)
  • The Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) found the “EPA spent $52.5 million in taxpayer dollars without the proper approvals required under the Federal Information Technology Acquisition Reform Act and purchased $641,680 of equipment under an expiring contract.”
  • The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) “has identified extensive targeting, and has confirmed compromises, of Australian organisations with vulnerable Microsoft Exchange deployments…[and] is assisting affected organisations with their incident response and remediation” as explained in an update to its alert on the hacking of Microsoft’s Exchange product. The ACSC stated it “has identified a large number of Australian organisations are yet to patch vulnerable versions of Microsoft Exchange, leaving them vulnerable to compromise.” The ACSC urged “these organisations to do so urgently.” The ACSC stated:
    • The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) advises organisations using Microsoft Exchange to urgently patch the following Common Vulnerabilities and Exposures (CVEs):
      • CVE-2021-26855 – server-side request forgery (SSRF) vulnerability in Exchange.
      • CVE-2021-26857 – insecure deserialization vulnerability in the Unified Messaging service.
      • CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange.
      • CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange.
    • Microsoft has identified that if successfully exploited, these CVEs together would allow an unauthenticated attacker to write files and execute code with elevated privileges on the underlying Microsoft Windows operating system. Microsoft has observed instances where the attacker has uploaded web shells to maintain persistent access to compromise Exchange servers.
    • Microsoft has released security patches for the following versions of Microsoft Exchange:
      • Microsoft Exchange Server 2013
      • Microsoft Exchange Server 2016
      • Microsoft Exchange Server 2019
    • The key defensive measure that Australian organisations can take is to deploy these security patches to their systems as soon as possible and then undertake the detection steps outlined in the Microsoft blog post. Alternatively, if you are unable to deploy the patches in a timely manner, consider preventing internet access to the Exchange web server or removing the product from your network. The ACSC also recommends that organisations implement web shell mitigation steps available here.
  • A bill to regulate application stores has advanced out of the Arizona House of Representatives to the State Senate. HB2005, as amended, “[r]estricts the ability of certain digital application distribution platforms to require use of a specific in-application payment system” according to a memorandum on the bill. It was further explained:
    • Prohibits a provider of a digital application distribution platform whose cumulative downloads from Arizona users in a calendar year exceed 1,000,000 from:
      • a)  Requiring an Arizona-domiciled developer or Arizona user to use a specific in-application payment system as the sole method of accepting payments for either a software download or a digital or physical product; or
      • b)  Retaliating against an Arizona-domiciled developer or Arizona user for using an in-application payment system or digital application distribution platform not associated with the provider. (Sec. 1)
    • Exempts from the prohibitions digital distribution platforms that are:
      • a)  Established primarily for use by public safety agencies; or
      • b)  Used for specialized categories of applications that are provided to users of hardware intended for specific purposes (such as gaming consoles and music players). (Sec. 1)
    • Allows the Attorney General to receive complaints, investigate and bring an action on behalf of aggrieved parties to seek legal or equitable relief on their behalf. (Sec. 1)
    • Permits an aggrieved party to bring a civil action to seek legal or equitable relief if the Attorney General does not bring an action within 60 days after receiving notice from the aggrieved party. (Sec. 1)
  • The top Republican on the House Homeland Security Committee introduced a bill “to solidify the Cybersecurity & Infrastructure Security Agency’s (CISA) lead role in protecting our nation’s critical infrastructure, particularly industrial control systems (ICS), from cyber threats” according to his press release. Representative John Katko (R-NY) was joined by House Homeland Security Committee Chair Bennie Thompson (D-MS), Cybersecurity Subcommittee Chair Yvette Clarke (D-NY), Cybersecurity Subcommittee Ranking Member Andrew Garbarino (R-NY), and Representatives Don Bacon (R-NE), Kat Cammack (R-FL), Carlos Gimenez (R-FL), Jim Langevin (D-RI), and John Rutherford (R-FL) in introducing the “DHS Industrial Control Systems Enhancement Act of 2021” (H.R.1833). They asserted:
    • Specifically, the bill amends the Homeland Security Act to require the Director of CISA to maintain capabilities to detect and mitigate threats and vulnerabilities affecting automated control of critical infrastructure, particularly industrial control systems. This includes maintaining cross-sector incident response capabilities to respond to cybersecurity incidents and providing cybersecurity technical assistance to stakeholders. Lastly, the CISA Director is required to collect, coordinate, and provide vulnerability information to the industrial control systems community.
  • Twitter sued Texas Attorney General Ken Paxton over a civil investigative demand he filed against the company related to the company’s permanent ban of former President Donald Trump. Interestingly, Paxton’s press release on the civil investigative demand is no longer posted on his website. Nonetheless, in its lawsuit, Twitter asserted:
    • Twitter seeks to stop AG Paxton from unlawfully abusing his authority as the highest law-enforcement officer of the State of Texas to intimidate, harass, and target Twitter in retaliation for Twitter’s exercise of its First Amendment rights. The rights of free speech and of the press afforded Twitter under the First Amendment of the U.S. Constitution include the right to make decisions about what content to disseminate through its platform. This right specifically includes the discretion to remove or otherwise restrict access to Tweets, profiles, or other content posted to Twitter. AG Paxton may not compel Twitter to publish such content over its objection, and he may not penalize Twitter for exercising its right to exclude such content from its platform.
    • AG Paxton has long disagreed with Twitter’s content moderation decisions, and made that displeasure widely known. But this disagreement turned to official action against the company after Twitter suspended President Trump’s account on January 8, 2021. Just five days later, on January 13, 2021, AG Paxton issued a civil investigative demand (“CID”) to Twitter seeking volumes of highly confidential documents concerning Twitter’s internal content moderation processes—the public disclosure of which would undermine their effectiveness, and compromise Twitter’s ability to effectively and efficiently moderate content on its platform.
    • Twitter sought for weeks to reach an agreement with AG Paxton that would put reasonable limits on the scope of this demand, but to no avail. Instead, AG Paxton made clear that he will use the full weight of his office, including his expansive investigatory powers, to retaliate against Twitter for having made editorial decisions with which he disagrees. Now Twitter, already targeted because of its protected activity, is left with the untenable choice to turn over highly sensitive documents or else face legal sanction.
    • The First Amendment prohibits such acts. Any “[o]fficial reprisal for protected speech” runs afoul of the Constitution because it “threatens to inhibit exercise of the protected right.” Hartman v. Moore, 547 U.S. 250, 256 (2006) (internal quotation marks omitted). Accordingly, there is “a longstanding, clearly established right . . . to be free from retaliation in the form of threatened legal sanctions and other similar means of coercion, persuasion, and intimidation.” Sampson v. Cty. of Los Angeles by & through Los Angeles Cty. Dep’t of Children & Family Servs., 974 F.3d 1012, 1020 (9th Cir. 2020). As set forth in this Complaint, AG Paxton’s retaliatory investigation and intrusive CID are precisely the sort of “threatened legal sanctions,” “coercion,” and “intimidation” forbidden by the First Amendment. The investigation and CID unlawfully intrude on Twitter’s internal editorial processes and burden its protected activity, and do so solely because Twitter exercised its First Amendment rights in a way disagreeable to AG Paxton. This retaliatory conduct violates the Constitution.
  • The chairs of the Senate Intelligence and Foreign Relations Committees and the Senate Majority Leader along with a bipartisan group of colleagues have introduced the “Democracy Technology Partnership Act” (S.604) and made available a section-by-section and a two page summary. The sponsors argued:
    • Leadership and competitiveness in emerging and critical technologies will determine the political, economic, and military strength of countries in the 21st century. Currently, the People’s Republic of China (PRC) is using every tool in its arsenal to achieve dominance in key technologies such as 5G, artificial intelligence, quantum computing, semiconductors and more. Its approach to technology includes heavily subsidizing Chinese companies, investing extensively in research and development, incentivizing foreign countries to adopt its technologies, leveraging international standard-setting bodies to advance its vision, imposing unfair restrictions on foreign companies, and accessing technologies through illicit means. 
    • Simply put, the U.S. cannot counter these practices or compete with the PRC and other authoritarian governments on its own. To compete against these technological advancements, the Democracy Technology Partnership Act would establish an interagency office at the U.S. Department of State to lead in the creation of a new partnership among the world’s tech-leading democracies. The partnership between the democratic countries would ensure that these technologies advance democratic institutions, norms, and values, contributing to global peace and prosperity.  
    • Specifically, the interagency office would be responsible for:
      • Creating a technology-based partnership of democratic countries to develop harmonized technology governance regimes and to fill gaps on specific technologies;
      • Identifying existing, and when needed, new multilateral mechanisms to advance the objectives of the Technology Partnership; 
      • Coordinating with such countries regarding shared technology strategies; and
      • Developing strategies to provide alternatives to countries who are at risk of acquiring technologies from authoritarian regimes. 
    • The criteria for participation in the global partnership – as laid out by the legislation – require that the country be a democratic national government with a strong commitment to democratic values, have an economy with advanced technology sectors, and have a demonstrated record of interest or expressed interest in international cooperation and coordination with the U.S. on defense and intelligence issues.
  • The United Kingdom’s (UK) Information Commissioner Elizabeth Denham and the Information Commissioner’s Office (ICO) issued guidance on the use of personal data in political campaigning. The ICO stated the guidance “provides clarity and practical advice to help those processing personal data in political campaigning to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations (PECR)…[but] does not introduce any new obligations or responsibilities for campaigners above existing data protection and electronic marketing laws.” In her blog post, Denham claimed:
    • Electoral Commission data has already shown a rapid acceleration in the use of digital political advertising over the past five years. The limitations on traditional door-to-door canvassing and static advertising due to the pandemic will make technological approaches even more essential this time around.
    • There are clear benefits to society from a hybrid online/offline approach to campaigning, creating opportunities for campaigners and the electorate. It allows political parties to keep in touch with people efficiently, promotes more informed voting decisions, and facilitates better engagement with hard to reach groups. All of this contributes to the potential for increased engagement in democratic processes.
    • The ICO has a role where people’s information is being used to support campaigning, for instance around profiling voters for targeted digital advertising.
    • It is in everyone’s interest that where new techniques are used, there is a consistent application of data protection standards. By following processes built on trust and transparency, campaigners can comply with the law in a way that maintains public support. In this way, campaigners can maximise the societal benefits of greater democratic engagement that digital campaigning confers; and voters can have confidence that they are engaging in a process that is transparent and safeguards their right to know how their personal information is being used.
    • The guidance has been updated to reflect the UK General Data Protection Regulation (GDPR), the data protection law now the UK has left the EU. It takes into account the use of personal data in modern campaigning practices. This will help ensure that election campaigns relying on digital techniques to engage with voters are conducted transparently and lawfully.
    • The new guidance covers the full lifecycle of a campaign; from collecting and processing personal data of the electorate to using targeted messages during a campaign, to what to do with that data once a campaign is concluded. It includes useful examples on ways campaigners can carry out common political campaigning activities whilst complying with their obligations under data protection law. It also gives specific advice on complex areas such as the processing of sensitive categories of data that need special protection, for example data that relates to racial or ethnic origin, health or political opinions.
    • The guidance is the latest step in our ongoing work to support transparent and lawful digital democracy. Our investigation into the ecosystem of digital campaigning gave us a clear picture of how central the collection and use of data was to parties and campaigners. And our audits of seven political parties gave us even greater insight. This work has informed the drafting of our guidance published today.
    • I will be writing to the political parties and other campaigners to draw attention to the updated guidance. Adherence to the guidance in the upcoming election campaigns is the best way to achieve compliance with the law. My experience has been that parties want to get this right: the value of digital engagement, supported by public trust, is clear for all to see.
  • The Senate Judiciary Committee’s Competition Policy, Antitrust, and Consumer Rights Subcommittee Ranking Member Mike Lee (R-UT) reintroduced the “One Agency Act” (S.633) “that would improve antitrust enforcement by putting all antitrust enforcement under one roof, at the Department of Justice…[and] will also prohibit the Federal Communications Commission from undertaking duplicative competitive analyses of deals under its purview” per Lee’s press release. Senator Thom Tillis (R-NC) cosponsored the bill.
  • Europol announced that “[j]udicial and law enforcement authorities in Belgium, France and the Netherlands have in close cooperation enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs), with the support of Europol and Eurojust.” Europol stated:
    • The continuous monitoring of the criminal use of the Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals. This has resulted in the collection of crucial information on over a hundred of planned large-scale criminal operations, preventing potential life threatening situations and possible victims.
    • During an action day on 9 March 2021, a large number of arrests were made, as well as numerous house searches and seizures in Belgium and the Netherlands.  The operation is an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications, as was already displayed last year following the successful de-encryption of the EncroChat communication platform. 
  • California Attorney General and Secretary of Health and Human Services-designate Xavier Becerra announced the finalization of the latest round of “California Consumer Privacy Act” (CCPA) regulations. In his press release, Becerra stated the regulations had been “approved by the Office of Administrative Law (OAL)” and “advance protections for Californians seeking to control the sale of their personal information.” In mid-December, Becerra’s office had proposed further revisions to the changes proposed in October. Becerra contended:
    • CCPA grants California consumers the right to know, the right to delete, and the right to opt-out of the sale of the personal information collected by businesses. It also affords additional protections for minors. The initial set of regulations went into effect on August 14, 2020. However, the Department had withdrawn certain provisions to clarify processes for businesses subject to the law. Today marks OAL’s approval of the Department’s amendments, the final step in making these regulations effective as law.
    • The newly-approved regulations ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, it prohibits companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out.
    • The new regulations also provide businesses with an optional Privacy Options icon. The blue icon was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information and tested against other icons to determine the best design for communicating the privacy choices available to consumers:
https://oag.ca.gov/system/files/attachments/press-docs/CCPA-Privacy-Options-icon.png
  • The Federal Communications Commission’s (FCC) Wireline Competition Bureau (Bureau) has laid out the “Initial Milestones for the Emergency Broadband Benefit Program.” The Bureau stated:
    • By this Public Notice, the Wireline Competition Bureau (Bureau) announces upcoming milestone dates for the Emergency Broadband Benefit Program (EBB Program), a $3.2 billion federal initiative created by Congress in the Consolidated Appropriations Act of 2021, to help lower the cost of high-speed internet for eligible households during the on-going COVID-19 pandemic.
    • On February 25th, the Federal Communications Commission (Commission) unanimously adopted a Report and Order that established the EBB Program.  The EBB Program Order directed the Bureau within seven days of adoption to announce a timeline for submission of information by broadband providers required by the Consolidated Appropriations Act to participate in the EBB Program.
    • As adopted in the EBB Program Order and required by the Consolidated Appropriations Act, to participate in the EBB Program, broadband providers must submit information to the Bureau and the Universal Service Administrative Company (USAC) depending on the regulatory status of the broadband provider. Eligible telecommunications carriers (ETCs) and their affiliates in the states or territories where the ETC is designated can elect to participate in the EBB Program by filing the appropriate information with USAC and do not need to seek approval from the Bureau in those states.  All other broadband providers need to seek approval from the Bureau to participate in the EBB Program. Additionally, any provider seeking to use an alternative verification process to make household eligibility determinations in the EBB Program must seek approval from the Bureau.
    • In establishing these review processes, the Commission directed the Bureau to designate a priority application deadline by which non-ETC providers seeking approval to participate in the EBB Program will have the opportunity to obtain that approval prior to commencement of household enrollments. Applications received after the priority application deadline will be expeditiously reviewed on a rolling basis. Accordingly, the Bureau announces the following milestone dates for the provider application and election processes:
EBB Program Milestone                                                                         | Filing Location | Date
Non-ETC Provider Application & Alternative Eligibility Verification Process Portal Opens      | Bureau          | March 8, 2021
Provider Election Notice Inbox Opens                                                          | USAC            | March 11, 2021
Non-ETC Provider Priority Application & Alternative Eligibility Verification Process Deadline | Bureau          | March 22, 2021
  • Parler is trying to move its suit against Amazon Web Services (AWS) to state court, a venue it thinks will be more conducive to its action, after AWS shut down Parler’s website for repeated violations of their contract, including the use of the conservative-leaning platform during the 6 January 2021 insurrection at the United States Capitol. On 9 January, AWS emailed Parler, letting them know they had violated the terms of service under which AWS was hosting Parler’s website. Amazon informed Parler “[r]ecently, we’ve seen a steady increase in this violent content on your website, all of which violates our terms.” Amazon added “[i]t’s clear that Parler does not have an effective process to comply with the AWS terms of service.” On 11 January, Parler sued Amazon, alleging AWS engaged in anti-competitive conduct in pulling its web-hosting services. In its 12 January response, Amazon disagreed and asserted “this case is about Parler’s demonstrated unwillingness and inability to remove from the servers of AWS content that threatens the public safety, such as by inciting and planning the rape, torture, and assassination of named public officials and private citizens.” In late January, a United States (U.S.) federal court denied Parler’s request for a preliminary injunction against AWS. Most recently, Parler filed a motion to dismiss the federal suit and filed a suit in a Washington state court, claiming:
    • Parler is merely the latest casualty—a victim of Amazon’s efforts to destroy an up-and-coming technology company through deceptive, defamatory, anticompetitive, and bad faith conduct.
    • Before the actions complained of here, Plaintiff Parler LLC had one of the hottest rising apps on the internet. A young start-up company that sought to disrupt the digital advertising and microblogging markets with a unique approach, Parler positioned itself as an alternative to the likes of Twitter or Facebook. To do so, Parler did not employ what some have called “surveillance capitalism”: Unlike its social-media competitors, Parler refused to track and sell its users’ private data and target advertising based on that data. This made Parler a beacon to those who sought a free and safe place to espouse political and other views that other microblogging and social media platforms sought to censor. And it allowed Parler to offer lower rates to digital advertisers.
    • But this rising popularity and alternative business model also made Parler a competitive threat to the likes of Amazon, Twitter, Facebook, and Google—four giants of the internet who derive enormous revenue from digital advertising. And that threat grew very real in late 2020 and early 2021 when Parler was poised to explode in growth.
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) audited how well United States (U.S.) Customs and Border Protection (CBP) has used new authority and funding to implement technology on the U.S.-Mexico border, and the answer is not well. The OIG explained:
    • In response to Executive Order 13767, CBP has implemented an array of new tools and technologies that have enhanced Border Patrol’s surveillance capabilities and efficiency along the southwest border. However, these upgrades are incomplete as CBP has deployed about 28 percent of the surveillance and subterranean technology solutions planned, even after receiving more than $700 million in funding since fiscal year 2017. Shifting priorities, construction delays, a lack of available technology solutions, and funding constraints hindered CBP’s planned deployments.
    • Consequently, most southwest Border Patrol sectors still rely predominantly on obsolete systems and infrastructure with limited capabilities. CBP faced additional challenges that reduced the effectiveness of its existing technology. Border Patrol officials stated they had inadequate personnel to fully leverage surveillance technology or maintain current information technology systems and infrastructure on site. Further, we identified security vulnerabilities on some CBP servers and workstations not in compliance due to disagreement about the timeline for implementing DHS configuration management requirements. CBP is not well-equipped to assess its technology effectiveness to respond to these deficiencies.
    • CBP has been aware of this challenge since at least 2017 but lacks a standard process and accurate data to overcome it.
    • Overall, these deficiencies have limited CBP’s ability to detect and prevent the illegal entry of noncitizens who may pose threats to national security. Deploying adequate technologies is essential for CBP to ensure complete operational control of the southern border.
    • The OIG concluded:
      • To achieve complete operational control of the southwest border, CBP requires effective technologies complementing the physical wall as deterrents to people, terrorists, terrorist weapons, and contraband entering the country between lawful ports of entry. However, much work remains for CBP to meet the Federal requirement for deploying the most effective technologies and tools to support the border wall system and further enhance situational awareness by closing existing gaps in border surveillance coverage. Given an environment of limited funding, CBP must deploy new technology in balance with adequate staffing to ensure full utilization of the advanced surveillance capabilities. Leveraging technology to its full capability will improve patrol agents’ information sharing as well as situational awareness in border areas lacking coverage. However, fundamental to achieving these objectives is establishing a formal process with reliable data as a means of evaluating technology to ensure limited financial resources are invested wisely. Until progress is made in these areas, CBP will struggle in carrying out its mission of detecting illegal border activities, while also exposing its agents to undue risk.
    • The OIG recommended:
      • We recommend the Acting Commissioner of CBP update the 2014 Southwest Border Technology Plan to identify and prioritize the appropriate technology and funding required to enhance operational control of the southern border.
      • We recommend the Acting Commissioner of CBP develop and implement a comprehensive process for measuring technology’s performance to assess its effectiveness in providing situational awareness to fulfill border security mission requirements.
      • We recommend the Acting Assistant Commissioner of CBP’s Office of Information and Technology coordinate directly with the DHS Office of the Chief Information Officer to ensure patch and configuration management controls for all information technology systems comply with documented DHS requirements.
  • A group of advocacy organizations are suing Clearview AI in a California state court, seeking an injunction to stop the company “from illegally acquiring, storing, and selling their likenesses, and the likenesses of millions of Californians, in its quest to create a cyber surveillance state.” The plaintiffs further argued:
    • Clearview built its database by violating the privacy rights of Plaintiffs and all California residents and making commercial use of their likenesses. Clearview illicitly gathers, copies, and saves images by “scraping” them from websites, like Facebook, Twitter, and Venmo.
    • Clearview persists despite having received multiple requests to stop this practice, which violates many of the websites’ terms of service and the contracts between the sites and their users.
    • After obtaining these images, Clearview uses algorithms to extract the unique facial geometry of each individual depicted in the images, creating a purported “faceprint” that serves as a key for recognizing that individual in other images, even in photographs taken from different angles. Clearview’s “faceprints” rely on an individual’s immutable biological characteristics—for example, the position, size, and shape of the eyes, nose, cheekbones, and jaw—to purportedly capture their biometric signature.
    • Plaintiffs are activists, including immigrants, who have engaged in political speech critical of the police, ICE, and immigration policy in both their personal and professional capacities. Plaintiffs Mijente Support Committee (“Mijente”) and NorCal Resist Fund (“NorCal Resist”) are two immigrant rights, membership-based organizations representing the interests of thousands of California residents. The ability to control their likenesses and biometric identifiers—and to continue to engage in political speech critical of the police and immigration policy, free from the threat of clandestine and invasive surveillance—is vital to Plaintiffs, their members, and their missions.
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced “it will begin overseeing the .gov top-level domain (TLD) in April 2021…[and] is working closely with the U.S. General Services Administration (GSA), who currently oversees the TLD, to ensure a seamless transition of daily operations for .gov customers.” At the DotGov website, they explained:
    • [The transfer from GSA to CISA] is happening under the DOTGOV Act of 2020, legislation that was part of the recently enacted Consolidated Appropriations Act of 2021. For more than 20 years, GSA has supported government organizations and worked to make .gov a trusted space. CISA is committed to that aim, too.
    • In the coming months and years, CISA intends to provide a user-centered platform for DNS management, help government organizations maintain better awareness of the security threats their .gov systems are exposed to, and offer additional services to support the privacy, reliability, accessibility, and speed of .gov domains.
    • The DOTGOV Act reports Congress’ finding that “the .gov internet domain should be available at no cost or a negligible cost” to U.S.-based government organizations. CISA is working on this – and we ask for your patience. The way .gov domains are priced is tied closely with the service contract to operate the TLD, and change in the price of a domain is not expected until next year. The Act also contemplates the use of Homeland Security Grants for “migrating any online service” to .gov, a process we will work out with FEMA.
  • The chair and ranking member of the House Armed Services Committee announced the formation of the Defense Critical Supply Chain Task Force “chartered to review the industrial base supply chain to identify and analyze threats and vulnerabilities.” Chair Adam Smith (D-WA) and Ranking Member Mike Rogers (R-AL) named Representatives Elissa Slotkin (D-MI) and Mike Gallagher (R-WI) as co-chairs and the following to the task force:
    • Representative Donald Norcross (D-NJ)
    • Representative Chrissy Houlahan (D-PA)
    • Representative Mikie Sherrill (D-NJ)
    • Representative Don Bacon (R-NE)
    • Representative Michael Waltz (R-FL)
    • Representative Stephanie Bice (R-OK)
  • The Government Accountability Office (GAO) issued a report titled “Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans” in response to a request from Senate Health, Education, Labor, and Pensions Committee Chair Patty Murray (D-WA), House Education and Labor Committee Chair Bobby Scott (D-VA), and Senator Maggie Hassan (D-NH), who asked the GAO “to review issues related to the cybersecurity of retirement plans.” Given the lack of effective oversight by the United States Department of Labor, the results of this assessment could spur pressure from Congress and/or legislation making clear that fiduciary duties include proper cybersecurity and data security. The GAO stated:
    • In their role administering private sector employer-sponsored defined contribution (DC) retirement plans, such as 401(k) plans, plan sponsors and their service providers—record keepers, third party administrators, custodians, and payroll providers—share a variety of personally identifiable information (PII) and plan asset data among them to assist with carrying out their respective functions (see figure). The PII exchanged for DC plans typically include participant name, Social Security number, date of birth, address, username/password; plan asset data typically includes numbers for both retirement and bank accounts. The sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.
    • Federal requirements and industry guidance exist that could mitigate cybersecurity risks in DC plans, such as requirements that pertain to entities that directly engage in financial activities involving DC plans. However, not all entities involved in DC plans are considered to have such direct engagement, and other cybersecurity mitigation guidance is voluntary. Federal law nevertheless requires plan fiduciaries to act prudently when administering plans. However, the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of 22 stakeholders GAO interviewed expressed the view that cybersecurity is a fiduciary duty. Further, DOL has not established minimum expectations for protecting PII and plan assets. DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk.
    • The GAO concluded:
      • Private sector employer-sponsored DC retirement plans are a crucial component of retirement security for millions of Americans. In many cases, they may hold a participant’s life savings. A single cyber attack at any point in the complex web of entities working together to administer a retirement plan could cause enormous losses of both PII and plan assets, which could lead to identity theft or severe financial and other ramifications for plan participants. Accordingly, it has become imperative that industry and government prevention and mitigation efforts evolve to keep pace with these threats.
      • While federal and private sector industry partners have efforts to help mitigate cybersecurity risks, many of these efforts do not directly apply to several of the various entities that administer DC plans. As a result, plan fiduciaries and their service providers rely on a patchwork of federal regulations, guidance, and industry leading practices to help them mitigate cybersecurity risk in DC plans. If DOL is to have reasonable assurance that plans have effective cybersecurity measures in place, it must be sure that plan fiduciaries understand their responsibilities in protecting PII and plan assets. Until DOL formally clarifies plan fiduciaries’ responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, and plans and their participants will continue to be vulnerable to financial losses and PII breaches. Such risks could lead to the erosion of confidence in our nation’s private pension system.
    • The GAO recommended:
      • The Secretary of Labor should formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under ERISA. (Recommendation 1)
      • The Secretary of Labor should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks that outline the specific requirements that should be taken by all entities involved in administering private sector employer-sponsored defined contribution retirement plans. (Recommendation 2)
  • The New York State Department of Financial Services (NYDFS) “issued the following industry letter to all of its regulated entities following the recent discovery of cybersecurity vulnerabilities in Microsoft Exchange Server.” The NYDFS “urge[d] all regulated entities with vulnerable Microsoft Exchange services to act immediately” and asserted “[r]egulated entities should immediately patch or disconnect vulnerable servers, and use the tools provided by Microsoft to identify and remediate any compromise exploiting these zero-day vulnerabilities.”
  • The United States (U.S.) Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has extended the due date for comments for its proposed major rewrite of the regulations governing medical privacy in the U.S. As the U.S. lacks a unified privacy regime, the proposed changes would affect those entities in the medical sector subject to the regime, which is admittedly many such entities. In its press release, OCR “announces a 45-day extension of the public comment period” making 6 May the date by which comments should be submitted. OCR did not give a reason for the extension other than to “give the public a full opportunity to consider the proposals and submit comments to inform future policy.”
    • In December 2020, HHS issued a notice of proposed rulemaking “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).”
    • HHS continued:
      • The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).
      • The proposals in this NPRM support the Department’s Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management –or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
    • In a press release, OCR asserted:
      • The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.

Further Reading

  • “Why Was SolarWinds So Vulnerable to a Hack?” By Bruce Schneier — The New York Times. This piece makes the case that misaligned market incentives for companies that contract with the federal government and other companies to provide cybersecurity products and services are leading to results like SolarWinds and Microsoft Exchange. He recommends the government change the incentives such that risks and externalities are borne by the firms selling software, hardware, and cybersecurity products.
  • “How interoperability could end Facebook’s death grip on social media” By Mark Sullivan — Fast Company. Perhaps part of the answer to so-called Big Tech is interoperability and data portability standards. It has worked in the past to decrease the dominance of firms and increase competition.
  • “How to Fix Facebook Groups” By Shira Ovide — The New York Times. This tech columnist canvassed experts on how one might detox Facebook Groups, and they suggested ending automated recommendations to stop the pushing of fringe and extremist ideas, closer oversight of private groups, many of which are essentially opaque, targeting those people and groups that consistently break rules, and hiring a staff of subject matter experts that would counter the lies, misinformation, and disinformation that is often spread.
  • “Fears for children’s privacy as Delhi schools install facial recognition” By Rina Chandran — Reuters. CCTV is already widely used in some Indian schools and now facial recognition technology has been introduced in some places, too, despite the well documented problems the technology has (e.g., poor identification rates for all save for white men).
  • “Fears online safety law could censor all adult content and force sex workers off internet” By Josh Taylor — The Guardian. There are concerns that the “Online Safety Bill 2021” will have the unintended effect of forcing sex workers offline, harming their income and placing them at greater risk. The government claims the legislation is not aimed at this market.
  • “European Banking Authority hit by Microsoft Exchange hack” — BBC. The Microsoft Exchange hack has hit a European Union body that had to pull its entire system offline while it assessed damage and risks. United States (U.S.) officials have pointed the finger at Hafnium, a hacking entity from the People’s Republic of China (PRC). While Microsoft says that targets traditionally thought of as high value are being targeted through the vulnerability in its Exchange system, at least one smaller cybersecurity firm is claiming all sorts of firms have been targeted thus far, suggesting more hackers than Hafnium are exploiting this vulnerability.
  • “White House fears significant number of organisations caught in Microsoft hack” — ABC News. The size and scope of the Microsoft Exchange hack continues to grow. Now Microsoft and the United States (U.S.) government are telling affected and potentially compromised entities that even installing the Microsoft patches may not be enough because they do not address back doors hackers may have installed. Locating and removing them takes much more time and effort. Nonetheless, at the time this article was written only 10% of targets had installed the Microsoft patch. And, of course, this hack is affecting those who do not use Microsoft cloud email products and instead use the on-premises Exchange product. Predictably, Microsoft and its cloud competitors will be hawking the superior technology of the cloud until one of those platforms is hacked.
  • “Casting a wide intrusion net: Dozens burned with single hack” By Frank Bajak — Associated Press. Normally a hack that compromises “New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX…the Kroger supermarket and pharmacy chain…[and the] Washington state’s auditor’s office” would be the topic du jour in cybersecurity and technology circles, but the December 2020 Accellion hack came in the aftermath of the SolarWinds hack and now before the even bigger Microsoft Exchange hack. Worse than being breached and having valuable data extracted, a Russian criminal organization is now ransoming some of the data. A former client I was registered to lobby for, Bombardier, was hacked and reportedly had its data put on a dark web site. This seems to be another in a line of supply chain hacks, and worse still this hack follows a familiar pattern of a firm being breached and vowing to do better amid the fallout.
    • In a late February joint cybersecurity advisory, the Australian Cyber Security Centre (ACSC), the New Zealand National Cyber Security Centre (NZ NCSC), the Singapore Cyber Security Agency (CSA), the United Kingdom National Cyber Security Centre (UK NCSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), and the United States Multi-State Information Sharing and Analysis Center (MS-ISAC) asserted:
      • This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States. These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA). This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States. Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers. In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.
  • Twitter and Twitch added to list of those concerned with Australia’s Online Safety Bill” By Asha Barbaschow — ZDNet. A number of tech companies have taken issue with the “Online Safety Bill 2021” and the “Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021”, bills that would remake how Australia monitors and takes down online content. Sex workers and the pornography industry have voiced concern that they will likely be targeted, a claim the nation’s eSafety Commissioner has denied. Nonetheless, the Senate Standing Committees on Environment and Communications has received numerous submissions from tech companies decrying a number of provisions they claim make the new scheme unworkable and possibly in violation of Australian law and rights.
  • Tech spent years fighting foreign terrorists. Then came the Capitol riot.” By Issie Lapowsky — Protocol. This detailed history shows how online platforms addressed child sexual abuse material and foreign terrorism in response to pressure and encouragement from governments. The same may be happening now with domestic terrorism in the United States (U.S.), despite some challenges.
  • Russia sues Google, Facebook, Twitter for not deleting protest content – Ifax” — Reuters. Moscow is suing Twitter, Google, Facebook, TikTok, and Telegram over posts regarding the imprisonment of Alexei Navalny, the leader of the opposition to Russian Federation President Vladimir Putin.
  • The White House’s use of Zoom for meetings raises China-related security concerns” By Josh Rogin — The Washington Post. The Biden White House continues to use Zoom for meetings despite a December Department of Justice (DOJ) indictment of a Zoom employee for coordinating the censorship of meetings about the 1989 Tiananmen Square massacre, among other concerns about Beijing’s influence over and access to Zoom calls. The House’s Republican Study Committee wrote White House Chief of Staff Ronald Klain in late February asking the White House about its Zoom usage. The Biden Administration says it inherited the contract from the previous White House for Zoom for Government, an allegedly more secure platform whose calls, according to a Zoom spokesperson, “are processed exclusively in continental U.S. data centers that are managed solely by U.S.-based, U.S. people.” White House officials say Zoom for Government is used only for non-classified meetings, which implies that a different platform is used for classified meetings. So, it appears the White House recognizes the risk of even the more secure version of Zoom. To be fair, last spring the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the General Services Administration’s Federal Risk and Authorization Management Program issued a joint statement: “[w]e advise federal government users to not initiate video conferences using Zoom’s free/commercial offering, but instead to use Zoom for Government.” This is, of course, less than a ringing endorsement, and other nations, notably Canada and Taiwan, have banned the use of the platform for government meetings.
  • Wikipedia Is Finally Asking Big Tech to Pay Up” By Noam Cohen — WIRED. The Wikimedia Foundation will launch Wikimedia Enterprise later this year, which will essentially charge the large tech platforms that currently use Wikipedia’s content for free. The free version will remain as is and accessible to all. However, one wonders whether this will remain the status quo. Wikimedia says it expects that its current revenue stream of donations and similar funding will continue to pay the bills.
    • In an announcement, the Wikimedia Foundation stated:
      • Wikimedia Enterprise is a new product from the Wikimedia Foundation, the nonprofit that operates Wikipedia and other Wikimedia projects. Wikimedia Enterprise provides paid developer tools and services that make it easier for companies and organizations to consume and re-use Wikimedia data.
  • Facebook Agrees to Pay for Murdoch’s Australia News Content” By Livia Albeck-Ripka — The New York Times. One of Australia’s biggest news media conglomerates, Rupert Murdoch’s News Corp., has reached undisclosed terms with Facebook a few weeks after Australia enacted the “Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2021.” Critics are saying the deal will merely benefit an ally of the conservative government in Canberra and will not appreciably contribute to a vibrant, objective media.
  • Pennsylvania Woman Accused of Using Deepfake Technology to Harass Cheerleaders” By Christina Morales — The New York Times. As experts have predicted would start happening, the mother of a cheerleader apparently used deepfake technology to create fake but harassing videos of other cheerleaders, which she then sent to people in their cheerleading community. The harassment also included text messages. The local prosecutor and police used warrants and requests to locate the IP address from which the material was sent, and it led them to the defendant’s home. The deepfakes were apparently not of the best quality, but one expert said much better deepfakes will be available within the next five years, arguing this problem will get worse.
  • India Threatens Jail for Facebook, WhatsApp and Twitter Employees” By Jeff Horwitz and Newley Purnell — The Wall Street Journal. Facebook, WhatsApp, and Twitter face a bind in the world’s second most populous nation. The government is telling them to take down content related to agricultural protests and other dissent, and the platforms have largely refused. New Delhi may next arrest their in-country representatives for failing to comply with government orders that apparently cannot be appealed in court. Worse still, the Indian market is the single biggest in the world for Facebook/WhatsApp and the best growth opportunity for Twitter. It is possible these companies could pull the plug on their Indian operations, much as tech companies did in the People’s Republic of China (PRC) last decade in response to government demands.

Coming Events

  • On 16 March, the Senate Energy and Natural Resources Committee will hold a hearing titled “Transportation Technologies” with these witnesses:
    • Ms. Kelly Speakes-Backman, Principal Deputy Assistant Secretary & Acting Assistant Secretary, Energy Efficiency & Renewable Energy, U.S. Department of Energy
    • Mr. Edmund Adam Muellerweiss, Chief Sustainability Officer, Clarios
    • Mr. Janvier Désiré Nkurunziza, Officer-in-Charge, Commodities Branch and Chief, Commodity Research and Analysis Section Division on International Trade and Commodities, United Nations Conference on Trade & Development
    • Mr. Tony Satterthwaite, Vice Chairman, Cummins
    • Mr. Robert Wimmer, Director, Energy and Environmental Research Group, Toyota Motor North America
  • On 16 March, the House Armed Services Committee’s Intelligence and Special Operations Subcommittee will hold a hearing titled “Disinformation in the Gray Zone: Opportunities, Limitations, and Challenges,” with these witnesses:
    • Mr. David Taylor, PDO Under Secretary of Defense for Intelligence and Security
    • Mr. Christopher Maier, Acting Assistant Secretary of Defense, Special Operations/Low-intensity Conflict 
  • On 17 March, the Senate Homeland Security and Governmental Affairs Committee will mark up a number of bills, including:
    • The “National Cybersecurity Preparedness Consortium Act of 2021”
  • The House Judiciary Committee’s Courts, Intellectual Property, and the Internet Subcommittee will hold a hearing on the “SHOP SAFE Act: Stemming the Rising Tide of Unsafe Counterfeit Products Online” on 17 March. In a March 2020 press release, the sponsors released the bill, a section by section analysis, and a one page summary and explained the version introduced last year:
    • The SHOP SAFE Act would:
      • Establish trademark liability for online marketplace platforms when a third-party sells a counterfeit product that poses a risk to consumer health or safety and that platform does not follow certain best practices;
      • Incentivize online platforms to establish best practices such as vetting sellers to ensure their legitimacy, removing counterfeit listings, and removing sellers who repeatedly sell counterfeits; and 
      • Call for online marketplaces to take steps necessary to prevent the continued sale of counterfeits by the third-party seller or face contributory liability for their actions.
  • The House Homeland Security Committee will hear testimony from Secretary of Homeland Security Alejandro Mayorkas on “The Way Forward on Homeland Security” on 17 March.
  • On 17 March, the Federal Communications Commission (FCC) will hold an open meeting with the following tentative agenda:
    • Public Drafts of Meeting Items – The FCC is publicly releasing the draft text of each item expected to be considered at this Open Commission Meeting with the exception of items involving national security matters and specific, enforcement-related matters including restricted proceedings and hearing designation orders. One-page cover sheets are included in the public drafts to help summarize each item. Links to these materials are provided below.
    • Promoting Public Safety Through Information Sharing. The Commission will consider a Second Report and Order that would provide state and federal agencies with direct, read-only access to communications outage data for public safety purposes while also preserving the confidentiality of that data. (PS Docket No. 15-80)
    • Improving the Emergency Alert System and Wireless Emergency Alerts. The Commission will consider a Notice of Proposed Rulemaking and Notice of Inquiry to implement section 9201 of the National Defense Authorization Act for Fiscal Year 2021, which is intended to improve the way the public receives emergency alerts on their mobile phones, televisions, and radios. (PS Docket Nos. 15-94, 15-91)
    • Facilitating Shared Use in the 3.45 GHz Band. The Commission will consider a Second Report and Order that would establish rules to create a new 3.45 GHz Service operating between 3.45-3.55 GHz, making 100 megahertz of mid-band spectrum available for flexible use throughout the contiguous United States. (WT Docket No. 19-348)
    • Auction of Flexible-Use Service Licenses in the 3.45-3.55 GHz Band. The Commission will consider a Public Notice that would establish application and bidding procedures for Auction 110, the auction of flexible use licenses in the 3.45-3.55 GHz band. (AU Docket No. 21-62)
    • Promoting the Deployment of 5G Open Radio Access Networks. The Commission will consider a Notice of Inquiry seeking comment on the current status of Open Radio Access Networks (Open RAN) and virtualized network environments, including potential obstacles to their development and deployment, and whether and how deployment of Open RAN-compliant networks could further the Commission’s policy goals and statutory obligations. (WT Docket No. 21-63)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Enforcement Bureau Action. The Commission will consider an Enforcement Bureau Action.
  • The House Appropriations Committee’s Homeland Security Subcommittee will hold a hearing titled “DHS Management Challenges” with two former Secretaries of Homeland Security testifying on 17 March.
  • On 17 March, the Senate Foreign Relations Committee will hold a hearing titled “Advancing Effective U.S. Policy for Strategic Competition with China in the Twenty-First Century” with the following witnesses:
    • Dr. Elizabeth Economy, Senior Fellow, Hoover Institution, Stanford University
    • Tom Shugart, Adjunct Senior Fellow, Center for New American Security
  • On 17 March, the House Science, Space, and Technology Committee’s Investigations and Oversight Subcommittee will hold a hearing, “Brain Drain: Rebuilding the Federal Scientific Workforce” with these witnesses:
    • Dr. Andrew Rosenberg, Director of the Center for Science and Democracy, Union of Concerned Scientists
    • Max Stier, President and CEO, Partnership for Public Service
    • Dr. Betsy Southerland, Former Director of Science and Technology, Office of Water, Environmental Protection Agency 
  • The Senate Commerce, Science, and Transportation Committee may hold a hearing to examine federal efforts to increase the availability, speed, and reliability of broadband on 17 March.
  • On 18 March, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Understanding and Responding to the SolarWinds Supply Chain Attack: The Federal Perspective.”
  • On 18 March, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing titled “Reviving Competition, Part 3: Strengthening the Laws to Address Monopoly Power.”
  • The House Financial Services Committee’s Diversity and Inclusion Subcommittee will hold a hearing titled “By the Numbers: How Diversity Data Can Measure Commitment to Diversity, Equity and Inclusion.”
  • On 18 March, the Senate Finance Committee will hold a hearing titled “Fighting Forced Labor: Closing Loopholes and Improving Customs Enforcement to Mandate Clean Supply Chains and Protect Worker” with these witnesses:
    • Joseph Wrona, Member, United Steelworkers
    • Martina E. Vandenberg, Founder and President, Human Trafficking Law Center
    • Julia K. Hughes, President, United States Fashion Industry Association
    • Leonardo Bonanni, Ph.D., Founder and CEO, Sourcemap
  • On 19 March, the House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a hearing titled “Department of Defense Electromagnetic Spectrum Operations: Challenges and Opportunities in the Invisible Battlespace,” with these witnesses:
    • Dr. Joseph Kirschbaum, Director, Government Accountability Office
    • Bryan Clark, Senior Fellow, Hudson Institute 
    • Dr. William Conley, Chief Technology Officer, Mercury Systems, Inc.
  • The U.S.-China Economic and Security Review Commission will hold a hearing titled “U.S. Investment in China’s Capital Markets and Military-Industrial Complex” on 19 March that “will examine the Chinese government’s use of capital markets to advance its technology and defense capabilities and evaluate the risks of U.S. investors’ capital being leveraged for such ends”:
    • The first panel will examine the evolving role of the state in China’s capital markets, including the Chinese Communist Party’s involvement in corporate governance.
    • The second panel will review China’s financial opening and U.S. and foreign investor participation in China’s capital markets.
    • The third panel will assess U.S. national security risks posed by investment in Chinese companies.
    • The fourth panel will evaluate U.S. legal authority and current restrictions on outbound investment to China’s capital markets.
  • The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Aron Visuals on Unsplash

Photo by Aditya Joshi on Unsplash

Photo by Martin Bisof on Unsplash

Photo by JJ Ying on Unsplash