Other Developments, Further Reading, and Coming Events (24 March 2021)

Other Developments

  • The Biden Administration announced it had triggered the response framework laid out in Presidential Policy Directive 41 (PPD-41) in response to the Microsoft Exchange hack that includes private sector stakeholders for the first time. In a statement, White House Press Secretary Jen Psaki stated that “the National Security Council (NSC) established a Unified Coordination Group (UCG), a task force composed of representatives from the Federal Bureau of Investigation (FBI), the Cybersecurity Security and Infrastructure Agency (CISA), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA), to drive a whole-of-government response to the Microsoft Exchange vulnerabilities.” Psaki added:
    • On Monday, the NSC convened a UCG leadership meeting, which included private sector members for the first time, coordinating our respective response efforts. We invited the private sector partners based on their specific insights to this incident, an approach the NSC will take going forward as appropriate. The UCG discussed the remaining number of unpatched systems, malicious exploitation, and ways to partner together on incident response, including the methodology partners could use for tracking the incident, going forward. 
    • The cost of cyber incident response weighs particularly heavily on small businesses. Hence, we requested that Microsoft help small businesses with a simple solution to this incident. In response, Microsoft has released a one-click mitigation tool. We encourage every business or organization that has not yet fully patched and scanned their Exchange Server to download and run this free tool. 
  • British Prime Minister Boris Johnson made remarks to the House of Commons in the United Kingdom’s Parliament on his government’s “Integrated Review of Security, Defence, Development and Foreign Policy,” the purpose of which “is to make the United Kingdom stronger, safer and more prosperous while standing up for our values.” Johnson announced the government will issue a new cybersecurity strategy this year as part of its ambitions. The British government stated “the Integrated Review sets out four overarching objectives:
    • Sustaining strategic advantage through science and technology: we will incorporate S&T as an integral element of our national security and international policy, fortifying the position of the UK as a global S&T and responsible cyber power. This will be essential in gaining economic, political and security advantages in the coming decade and in shaping international norms in collaboration with allies and partners. It will also drive prosperity at home and progress towards the three objectives that follow.
    • Shaping the open international order of the future: we will use our convening power and work with partners to reinvigorate the international system. In doing
      so, we will ensure that it is one in which open societies and open economies can flourish as we move further into the digital age – creating a world that is more favourable to democracies and the defence of universal values. We will seek to reinforce and renew existing pillars of the international order – such as the UN and the global trading system – and to establish norms in the future frontiers of cyberspace, emerging technology, data and space.
    • Strengthening security and defence at home and overseas: we will work with allies and partners to address challenges to our security in the physical world and online. NATO will remain the foundation of collective security in our home region of the Euro-Atlantic, where Russia remains the most acute threat to our security. We will also place greater emphasis on building our capacity and that of like-minded nations around the world in responding to a growing range of transnational state threats, radicalisation and terrorism, SOC and weapons proliferation.
    • Building resilience at home and overseas: we will place greater emphasis on resilience, recognising that it is not possible to predict or prevent every risk to our security and prosperity – whether natural hazards such as extreme weather events or threats such as cyber-attacks. We will improve our own ability to anticipate, prevent, prepare for, respond to and recover from risks – as well as that of our allies and partners, recognising the closely interconnnected nature of our world. And we will prioritise efforts to tackle climate change and biodiversity loss, long-term challenges that if left unchecked threaten the future of humanity – in addition to building global health resilience.
    • In the Review, the government explained it “will publish the UK’s new cyber strategy in 2021…[and its] priority actions will be:
      • To strengthen the UK’s cyber ecosystem, enabling a whole-of-nation approach to cyber and deepening the partnership between government, academia and industry. We will take a more coherent approach to skills, recruitment, R&D, exercising and innovation across defensive and offensive cyber: investing in an integrated education and training system to grow diverse talent; supporting a
      • UK research base that can compete with allies and adversaries, as well as an industrial base that delivers innovative and effective cyber security products and services that help everyone stay safe in cyberspace; and developing regulations and policies that encourage a world-class cyber security ecosystem.
      • To build a resilient and prosperous digital UK, where citizens feel safe online and confident that their data is protected. We will enable the digital transformation of the UK economy, bolstering our cyber security and ensuring our people, businesses and organisations are empowered to adopt new technology, and are able to withstand and recover from cyber-attacks. We will continue to invest in the NCSC, address critical vulnerabilities in the public sector and our CNI, including our data and digital infrastructure, and ensure the lessons from cyber-attacks are acted upon.
      • To take the lead in the technologies vital to cyber power, such as microprocessors, secure systems design, quantum technologies and new forms of data transmission. We will support our growing industrial base, working within the own-collaborate-access framework to build advantage in critical technologies, pursue economic opportunities and, where needed, mitigate the risks of dependence on non-allied sources of supply. We will put in place the cutting- edge policy, regulatory and legal frameworks to enable the adoption of emerging applications of digital technology – for example in smart cities. We will also work with others to ensure the rules and standards governing digital technologies are rooted in democratic values.
      • To promote a free, open, peaceful and secure cyberspace, as described
        in 2.3, working with other governments and industry, and drawing on the UK’s thought leadership in cyber security. We will also deepen and broaden our international partnerships to advance our shared security, prosperity and values, through stronger cyber resilience and joint action to uphold international norms, holding adversaries to account for breaches.
      • To detect, disrupt and deter our adversaries. We will build seamless systems to detect and act with industry on cyber threat information at scale and pace.
        We will also make much more integrated, creative and routine use of the UK’s full spectrum of levers – our diplomatic, military, intelligence, economic, legal and strategic communications tools, and the new NCF (see textbox) – to impose costs on our adversaries, deny their ability to harm UK interests, and make the UK a more difficult operating environment. This will include tackling malicious activity
      • in cyberspace and taking action online with real-world effect, for example in countering terrorist or organised crime groups, and to support military operations. We will also strengthen our criminal justice response to cyber-attacks.
  • In its press statement, the Australian Competition and Consumer Commission (ACCC) “released an issues paper…seeking views on the operation of browsers and general search services in Australia” with an eye to drafting and releasing a report in September 2021 as part of its Digital Platform Services Inquiry. The ACCC set a deadline of 15 April 2021 for submissions. The ACCC’s inquiry has launched some of Australia’s recent legislative changes to address the power and dominance of technology companies. The ACCC stated:
    • The ACCC will be examining the provision of web browsers and general search services to Australian consumers and the effectiveness of choice screens in facilitating competition and improving consumer choice. The ACCC will also be providing its advice to the Australian Government on Google’s rollout of search engine choice options on new Android devices in Europe. Issues to be examined include:
      • the impact of pre-installation and default settings on consumer choice and competition
      • trends in digital ecosystems and supplier behaviour in search services and web browsers
      • the extent to which consumer harm can arise from the design of default arrangements
      • the effectiveness of Google’s choice screen roll out in Europe and whether it is fit for purpose in Australia
      • any proposals, other than choice screens, that may facilitate competition and improve consumer choice in the supply of general search services and potentially, web browsers.
    • The third interim report for the Digital Platform Services Inquiry will be due to the Treasurer by 30 September 2021.
    • In the issues paper, the ACCC went into more detail:
      • The Australian Competition and Consumer Commission (ACCC) seeks your views on potential competition and consumer issues in the provision of web browsers and general search services to Australian consumers and in particular, the impact of default arrangements. The ACCC also seeks views on the use of choice screens to address identified concerns.
      • Businesses and consumers use mobile devices (defined in this paper as being smartphones and tablet devices) and desktop computers enabled with web browsers (browsers) to access websites, and search engines (search) to locate information on the internet. Browsers are typically pre-installed on the software operating systems (operating system) of desktop and mobile devices and, in turn, a chosen search service is usually embedded within a browser to enable a user to search for information without a website address.
      • The ACCC’s Digital Platforms Inquiry Final Report (July 2019) (DPI Final Report) found that Google had substantial market power in search services and search advertising. As part of this analysis, the ACCC concluded that customer inertia and the effect of default settings is a barrier to expansion for smaller search engines. To facilitate competition in the supply of search services and search advertising and improve consumer choice, the ACCC recommended that:
        • ‘Google should provide Australian users of Android devices with the same options being rolled out to existing Android users in Europe; that is, the ability to choose their default search engine and default internet browser from a number of options. If Google does not introduce similar options for Australian Android users by six months from the date of the Report, the ACCC will submit to the Government that it should consider compelling Google to offer this choice.’ (recommendation 3)
      • This recommendation was based on Google’s proposal to offer users of new and existing Android devices in Europe the choice of internet browser and search service on their devices.
      • In its response to the DPI Final Report, the Australian Government asked that the ACCC monitor and report back to the Government in 2021 on Google’s rollout of default internet browser and search engine choice options on Android devices in Europe.
      • For its third interim report for the Digital Platform Services Inquiry (Report), due to the Treasurer by 30 September 2021, the ACCC will seek to provide its advice to the Government on Google’s rollout of choice options on Android devices in Europe. In doing so, it will examine the provision of browsers and general search services to Australian consumers, the impact of default arrangements on these service offerings and the effectiveness of choice screens to address identified issues.
  • The Federal Communications Commission (FCC) finalized a $225 million fine for spoofed robocalls trying to sell Americans fake health care plans. Acting FCC Chair Jessica Rosenworcel also announced measures to address robocalls over the longer term:
    • [T]he creation of a Robocall Response Team at the Federal Communications Commission. The Robocall Response Team will consist of over 50 attorneys, economists, engineers, and analysts from the agency, including the Enforcement Bureau, the Consumer and Governmental Affairs Bureau, the International Bureau, the Wireline Competition Bureau, the Office of Economics and Analytics, and the Office of General Counsel. Many of these folks have worked on robocall issues in the past, but coordination has been case-by-case and far too scarce. So we are putting in place a structure that allows us to think more broadly and act more boldly.
    • I am sending letters to the Department of Justice, Federal Trade Commission and National Association of State Attorneys General to reaffirm our interest in coordinating to crack down on robocalls. I look forward to working with them to leverage the knowledge, skills, and jurisdictional reach we each have to address this problem. I also hope that we can expand these efforts to include additional law enforcement partners in the near future.
    • In the Forfeiture Order, the FCC asserted:
      • John C. Spiller and Jakob A. Mears, doing business under the names Rising Eagle Capital Group LLC, JSquared Telecom LLC, Only Web Leads LLC, Rising Phoenix Group, Rising Phoenix Holdings, RPG Leads, and Rising Eagle Capital Group – Cayman (collectively, Rising Eagle or the Company), made approximately one billion health insurance-related robocalls in the first four-and-a-half months of 2019. Moreover, in making calls, Rising Eagle used spoofed caller ID with the intent to defraud, cause harm, and wrongfully obtain something of value in violation of the Truth in Caller ID Act.
      • The Notice of Apparent Liability for Forfeiture (Notice or Rising Eagle Notice) proposed a $225,000,000 penalty for violations of the Truth in Caller ID Act. After reviewing Rising Eagle’s response to the Notice, we find no reason to cancel, withdraw, or reduce the proposed penalty, and we therefore assess a $225,000,000 forfeiture.
      • The Bureau uncovered evidence that many of the robocalls included false or misleading statements about the identity of the caller and the products being offered. Rising Eagle made spoofed robocalls on behalf of clients that sell short-term, limited-duration health insurance plans. The prerecorded messages purported to offer health insurance plans from well-known health insurance companies such as Aetna, Blue Cross Blue Shield, Cigna, and UnitedHealth Group. In fact, we have confirmed that Rising Eagle had no connection with at least two of the insurance companies—Blue Cross Blue Shield and Cigna—and we have no evidence that Rising Eagle was connected with any of the other insurance companies mentioned.
  • The National Institute of Standards and Technology (NIST) issued for comment Draft NIST Interagency or Internal Report (NISTIR) 8355, NICE Framework Competencies: Assessing Learners for Cybersecurity Work, which is “draft supplemental content to the Workforce Framework for Cybersecurity (NICE Framework).” NIST is accepting comment through 3 May 2021. NIST explained in the abstract:
    • This publication from the National Initiative for Cybersecurity Education (NICE) describes Competencies as included in the Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication 800-181, Revision 1, a fundamental reference for describing and sharing information about cybersecurity work. The NICE Framework defines Task, Knowledge, and Skill (TKS) statement building blocks that provide a foundation for learners, including students, job seekers, and employees. Competencies are provided as a means to apply those core building blocks by grouping related TKS statements for form a higher-level statement of competency. This document shares more detail about what Competencies are, including their evolution and development. Additionally, the publication provides example uses from various stakeholder perspectives. Finally, the publication identifies where the NICE Framework Competencies list is published separate from this publication and provides the rationale for why they will be maintained as a more flexible and contemporary reference resource.
  • A British advocacy organization is claiming Uber’s recent pay and labor changes in response to an adverse decision in Britain’s highest court fall short of what the court ordered. The United Kingdom’s (UK) Supreme Court ruled against Uber in its appeal of a lower court’s finding that people driving for the company are to be considered workers and must have the rights afforded to workers in the UK. Fairwork argued:
    • A month after the UK Supreme Court ruled that Uber drivers are Limb (b) workers, the ride hailing platform announced yesterday that it will pay its drivers a minimum hourly wage, holiday pay and a pension scheme as mandated by the court. Though this might seem like a landmark change in Uber’s working model, the company is still refusing to comply with the legal mandate and compensate drivers for time spent waiting for trips. 
    • The Supreme Court ruling said Uber drivers were entitled to worker entitlements from the time they log in to the time they log off. Uber, however, is committing to these entitlements only from the time the trip is accepted till drop-off. However, similar to how restaurants don’t only pay waiters for the time they are serving tables, ride-share drivers deserve to be paid for the time they spend between rides. Uber’s business model inherently relies on having a large pool of workers waiting to pick up passengers. Many drivers’ waiting times have become even longer during the pandemic, due to the drop in demand, directly affecting their income.
  • Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) wrote acting Federal Trade Commission (FTC) Chair Rebecca Kelly Slaughter “urging the FTC to protect domestic violence victims’ personal information online” and to “express[] concern about people-search sites, which collect personal data such as phone numbers, email addresses, and other public information – potentially revealing location and contact information to perpetrators of domestic violence on their platforms, endangering victims” per their press release. Klobuchar and Murkowski stated “[i]n light of increased reports of domestic violence during the pandemic, the Senators are calling on the FTC to provide opportunities for victims to remove their data from people-search sites.” They asked Slaughter to “respond to the following questions:
    • Does the FTC need additional resources to better protect domestic violence, sexual violence, and stalking victims from data broker sites? If so, please describe these resource needs in detail.
    • How can we help the FTC coordinate with the Department of Justice, states and localities, and private stakeholders to prevent perpetrators of violence from gaining access to the personal information of victims of domestic violence, sexual violence, and stalking?
    • What resources does the FTC offer victims of domestic violence, sexual violence, and stalking to educate them about data sharing sites and how to protect their personal information?
    • Is the FTC planning to take additional measures to better protect victims of domestic violence, sexual violence, and stalking and help ensure they have the right to review and remove their information, and assist them should they become victim to a breach of information sharing? If so, please describe these measures.
    • Is the FTC planning to help ensure data broker companies are not collecting, buying, or selling lists of vulnerable populations, including victims of domestic violence, sexual violence, and stalking?
  • Consumer Reports published a model state privacy law that sidesteps the opt-in vs. opt-out debate and “protects consumer privacy by prohibiting companies from engaging in privacy-invasive behaviors” according to its statement. Consumer Reports asserted:
    • Why States Need A Privacy Law 
      • Consumers are constantly tracked. Sensitive information is often widely traded as a matter of course. Apps, including dating and period-tracking apps, send sensitive personal information on consumers (such as location data) to dozens, if not hundreds, of companies for advertising and profiling.
      • Existing protections are inadequate. There is no comprehensive federal privacy law in the United States. A handful of sectoral laws cover some categories of data, but companies like data brokers, social media platforms, and most websites and apps are not covered by any law to keep your data private and secure.
      • Your data can be used in important decisions about you. Without protections over the sharing of data, our personal information can be sold without our permission or awareness, or otherwise disseminated in ways that could mean getting charged more for insurance, or even facing job discrimination. 
    • Rights Provided 
      • In addition to deletion, access, portability, and correction rights and a data security requirement, the Model Act provides: 
      • Data minimization and a broad prohibition on secondary data sharing. Consumers should be able to use an online service or app safely without having to take any action. This model bill ensures privacy by default by limiting data collection and sharing to what is reasonably necessary to operate the service requested by the consumer. Consumers aren’t forced to navigate countless confusing opt-outs, and can’t be bombarded with abusive consent dialogs.
      • Non-discrimination. This model bill cuts off exploitative programs that could separate consumers into privacy haves and have-nots, and clarifies that legitimate loyalty programs, that reward consumers for repeated patronage, are supported by this bill.
      • Strong enforcement. Strong enforcement is essential to make sure that companies comply. This model bill provides a private right of action, enables city and county attorneys to enforce the Act, and ensures that there is no “right to cure” in administrative enforcement. 

Further Reading

  • The government’s lawyers saw a Google monopoly coming. Their bosses refused to sue.” and “How Washington fumbled the future” By Leah Nylen — Politico. This major story shows how behind the curve the Obama Administration’s Federal Trade Commission (FTC) was on monopoly issues. Politico came to have 2013 memoranda detailing the staff case to sue Google for deals to be the default search engine on Apple and its Android systems and its apparently now realized ambitions to be the dominant player in mobile online searches and advertising. Then then FTC, led by Chair Jon Leibowitz, declined to move forward with essentially the same case the United States (U.S.) Department of Justice (DOJ) is now bringing against Google. To be fair, if the FTC had done so, the agency would have been sailing into very heavy political winds, for tech companies were seen much more positively under President Barack Obama. Moreover, the FTC’s economists were arguing against the agency’s lawyers, noting Google’s then small market share and viable competitors Yahoo and Microsoft. Obviously, the economists got it wrong. One interested party in Silicon Valley offered his perspective that Apple, Amazon, and Facebook would have gotten the message and not set out on similar paths if Google had been sued. However, it is interesting the FTC’s lawyers did not recommend suing Google for the bias in its algorithm that preferred its own products, which is now seen as definitely anti-competitive behavior.
  • Quad tightens rare-earth cooperation to counter China” — Nikkei Asia. Through the Quadrilateral Security Dialogue, the United States (U.S.), Japan, Australia, and India are aiming to cooperate in order to blunt the People’s Republic of China’s (PRC) dominance of rare earth markets among other areas of cooperation. Rare earths are crucial for batteries for electronics and electric vehicles, and while the U.S. was a major producer as recently as the 1980’s, the PRC is now the world’s leader. However, a considerable proportion of rare earths are still mined in the U.S. and then processed and refined in the PRC, presenting the possibility of diminishing the latter’s control of these markets. Additionally, increased U.S. and Australian production have already brought down the PRC’s worldwide share from 90% a few years ago to less than 60% in 2020.
  • Facebook Drops Plan to Run Fiber Cable to Hong Kong Amid U.S. Pressure” By Drew FitzGerald and Newley Purnell — The Wall Street Journal. The social media giant has read the tea leaves and will no longer pursue approval of the Hong Kong-Americas project, an undersea fiber optic cable running from California to Taiwan and Hong Kong given the People’s Republic of China’s (PRC) crackdown on the latter. The company is withdrawing its application to the Federal Communications Commission (FCC) as the United States (U.S.) government has brought much greater scrutiny to bear on any deals involving the PRC. Another trans-Pacific cable project is also in limbo, the Pacific Light Cable Network, as the U.S. government reviews it.
  • YouTube removed 30,000 videos with COVID misinformation” By Ashley Gold — Axios. This piece makes the point that platforms boasting in raw numbers about how much misinformation they take down is of low value without context, namely the amount of misinformation currently circulating on YouTube.
  • Anatomy of a conspiracy theory: how misinformation travels on Facebook” By Nick Evershed, Michael McGowan and Andy Ball — The Guardian. This piece shows how true Virgil’s characterization of rumor lapping the globe while the truth is still in bed on social media platforms, and in this case, an Australian Member of Parliament’s false assertions about medication for treating COVID-19 without substantial evidence was spread widely.

Coming Events

  • On 24 March, the Senate Armed Services Committee will hold a closed briefing on Department of Defense cyber operations with these witnesses:
    • Mieke Eoyang, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber Joint Staff, J-6
    • Major General Kevin B. Kennedy, Jr., USAF, Director of Operations, United States Cyber Command
    • Rear Admiral Jeffrey J. Czerewko, USN, Deputy Director, Global Operations, J39, Joint Staff, J-3
  • The Senate Armed Services Committee will hold an open hearing and a closed hearing on the “United States Special Operations Command and United States Cyber Command in review of the Defense Authorization Request for Fiscal Year 2022 and the Future Years Defense Program” on 25 March with these witnesses:
    • Christopher P. Maier, Acting Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict
    • General Richard D. Clarke, USA, Commander, United States Special Operations Command
    • General Paul M. Nakasone, USA, Commander, United States Cyber Command/Director, National Security Agency/Chief, Central Security Service
  • The House Energy and Commerce Committee’s Communications and Technology and Consumer Protection and Commerce Subcommittees will hold a joint hearing on 25 March “on misinformation and disinformation plaguing online platforms” with these witnesses: Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Twitter CEO Jack Dorsey.
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by kalhh from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s