Other Developments, Further Reading, and Coming Events (22 April 2021)

Other Developments

  • In response to new vulnerabilities turned up by FireEye, the United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-03 “requiring federal civilian departments and agencies running Pulse Connect Secure products to assess and mitigate any anomalous activity or active exploitation detected on their networks.” Media accounts describe persistent threat actors using zero-day exploits and other vulnerabilities to penetrate Pulse Secure VPN, which is widely used by the U.S. Defense Industrial Base. In its press release, CISA stated “[t]he directive is in response to observed active exploitation using disclosed vulnerabilities in Pulse Connect Secure products…[and] [s]uccessful exploitation of these vulnerabilities allows an attacker to gain persistent system access and control of the enterprise network operating the vulnerable Pulse Connect Secure appliance.” FireEye voiced its suspicions that the hackers are affiliated with the People’s Republic of China (PRC). CISA is directing all civilian agencies to take mitigation measures by 23 April. In ED 21-03, CISA explained:
    • CISA has observed active exploitation of vulnerabilities in Pulse Connect Secure products, a widely used SSL remote access solution. Successful exploitation of these vulnerabilities could allow an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software. CISA has no knowledge of other affected Pulse Secure products (including the Pulse Secure Access client).
    • CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.
  • The European Commission (EC) proposed “new rules and actions aiming to turn Europe into the global hub for trustworthy Artificial Intelligence (AI).” The EC contended:
    • The combination of the first-ever legal framework on AI and a new Coordinated Plan with Member States will guarantee the safety and fundamental rights of people and businesses, while strengthening AI uptake, investment and innovation across the EU. New rules on Machinery will complement this approach by adapting safety rules to increase users’ trust in the new, versatile generation of products.
    • The European Parliament and the Member States will need to adopt the Commission’s proposals on a European approach for Artificial Intelligence and on Machinery Products in the ordinary legislative procedure. Once adopted, the Regulations will be directly applicable across the EU. In parallel, the Commission will continue to collaborate with Member States to implement the actions announced in the Coordinated Plan.
  • Senators Steve Daines (R-MT) and Mark Kelly (D-AZ) introduced the “Accelerating Rural Broadband Deployment Act” to increase access to existing infrastructure that will allow easier and faster installation of broadband services.” Daines and Kelly claimed “[t]he bill would:
    • Make it easier for broadband companies to receive federal-right-of-way licenses allowing them to install broadband alongside existing infrastructure like federal highways.
    • Ensure costs of federal-right-of-way licenses are fair market prices.
    • Increase transparency into the federal right-of-way license awarding process.
  • A number of American technology trade associations have written the top Democrats and Republicans in Congress to argued that appropriations be made “for the CHIPS for America Act to support the diversification, expansion, and resiliency of the U.S. semiconductor supply chain.” This letter follows one sent by a bipartisan group of Members of Congress to President Joe Biden asking for the same. The CHIPs for America Act was folded into the the FY 2021 National Defense Authorization Act (NDAA) (P.L. 116-283) and would provide funding to stimulate domestic production of semiconductors. Information Technology Industry Council (ITI), Alliance for Digital Innovation, Associated General Contractors of America, BSA | The Software Alliance, CTIA, GovEvolve, Security Industry Association (SIA), Software and Information Industry Association (SIIA), Tech CEO Council, and USTelecom – The Broadband Association signed the letter and asserted:
    • We support President Biden’s $50 billion funding request for the CHIPS for America Act, and we request that you ensure the incentives made available through the appropriations of these programs be accessible to all U.S. and multi-national chip manufacturers that meet the eligibility requirements set forth in the CHIPS for America Act. The primary policy motivation behind the CHIPS for America Act is to increase and make resilient the semiconductor supply chain as it relates to long-term national security and economic competitiveness. The U.S. should welcome and encourage the investment in and production of semiconductor technology by all eligible companies to achieve this goal.
  • A group of civil rights and human rights groups have published an open letter calling for the abolition of facial recognition technology. They argued:
    • Using biometric surveillance technology in retail stores, hospitals, and healthcare settings, at concerts and sporting events, or in restaurants and bars will exacerbate existing discrimination. In the same way that Black and brown communities are targeted by police, companies can target certain communities with their facial recognition surveillance. A store could use a publicly available mugshot database to ban everyone with a criminal record from the store, which would disproportionately harm Black and brown people who are over-policed and over-represented in these databases. The impact of this would be compounded by the fact that facial recognition is notoriously bad at correctly identifying Black and brown faces. Overall this feeds a system of mass criminalization, where Black and brown people are treated as guilty everywhere they go.
    • Biometric surveillance is more like lead paint or nuclear weapons than firearms or alcohol. The severity and scale of harm that facial recognition technology can cause requires more than a regulatory framework. The vast majority of uses of this technology, whether by governments, private individuals, or institutions, should be banned. Facial recognition surveillance is inherently discriminatory. It cannot be reformed or regulated; it should be abolished.
    • n 2020, Portland, OR, passed a groundbreaking ban on private use of facial recognition, which smartly bans use in places of public accommodation as defined by the Americans with Disabilities Act. We believe this ordinance should be used as a template for more city, state, and federal legislation that bans private and corporate use of facial recognition surveillance. 
    • In a world where private companies are already collecting our data, analyzing it, and using it to manipulate us to make a profit, we can’t afford to naively believe that private entities can be trusted with our biometric information. A technology that is inherently unjust, that has the potential to exponentially expand and automate discrimination and human rights violations, and that contributes to an ever growing and inescapable surveillance state is too dangerous to exist.
    • We call on all local, state, and federal elected officials, as well as corporate leaders, to ban the use of facial recognition surveillance by private entities. The dangers of facial recognition far outweigh any potential benefits, which is why banning both government and private use of facial recognition is the only way to keep everyone safe.
  • Federal Trade Commission staff published a report “highlighting the agency’s ongoing efforts to protect consumers during the COVID-19 pandemic.” Staff claimed this offers “a snapshot of the FTC’s actions to protect consumers during the COVID-19 pandemic:
    • Filed 13 enforcement actions against companies that, among other things, failed to deliver personal protective equipment or made deceptive health or earnings claims.
    • Directed more than 350 companies to remove deceptive claims related to COVID-19treatments, potential earnings, financial relief for small business and students, and warned companies that it is illegal to assist and facilitate deceptive COVID-19 calls.
    • Prioritized privacy enforcement actions addressing the types of conduct that have been exacerbated in the transformation to digital work and schooling, including videoconferencing, ed-tech and health-tech.
    • Collected and tracked more than 436,000 reports associated with COVID-19 between January 2020 and April 7, 2021, in which consumers reported $399 million in fraud losses.
    • Issued more than 100 consumer and business alerts on COVID-related topics.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure and Security Agency (CISA) issued an October 2020 study undertaken by CISA’s Office of the Chief Economist (OCE) “to understand the impacts, costs, and losses from cyber incidents to enable cyber risk analysis and inform cybersecurity resource allocation decisions.” In its press statement, CISA explained:
    • In order to support stakeholders with understanding the impacts, costs, and losses from cyber incidents, CISA has cleared for release this October 2020 study.  The objectives of the study are to enable cyber risk analysis, understand the benefits of cybersecurity investments, and inform cybersecurity resource allocation decisions.  To achieve these objectives CISA’s study reviews cost and loss estimates for a wide range of incidents.  While the data analyzed in CISA’s Cost Study can inform the order of magnitude of the potential costs associated with more recent events such as the SolarWinds compromise and Microsoft Exchange server exploit, the impacts associated with these events are not included in the study.
    • In the study, OCE stated:
      • Given limited resources, important decisions must be made about how much the Federal Government should invest in cybersecurity. Furthermore, important decisions must be made about prioritizing prevention, detection, and other cybersecurity functions. In addition, resource allocation decisions require careful consideration regarding which assets and systems should be prioritized for improving cyber defenses and to what degree cybersecurity should be enhanced. Understanding the impacts and costs of eradication and recovery as well as the indirect losses from cyber incidents can help to inform these and other essential decisions.
      • The goal is to provide a systematic review that contains a thorough characterization of the current state of the literature and a meaningful synthesis of the published results. More specifically, OCE’s analysis has three primary objectives. The first objective is to conduct an in-depth survey of the cyber loss literature and to identify the extent to which the costs of cyber incident losses have been tracked and analyzed within the private and public sectors. The second objective is to identify defensible estimates of cyber losses that are based on historical data and can be used to inform prospective analyses of cybersecurity investment benefits. The third objective is to clearly understand the limitations of the currently available estimates and identify a potential approach to resolving the informational and methodological gaps.
      • This report aims to compare and reconcile the estimates of cyber incident costs for three sets of studies (i.e., per-incident, national or sectoral, and hypothetical scenario-based) by analyzing hundreds of publications from multiple sources. In addition, the report pursues an explicit cross-validation of the loss estimates from secondary data sources with the primary cost and loss data independently collected by OCE for large and small cyber incidents.
  • 28 groups wrote President Joe Biden asking him to appoint people to positions at the Department of Justice (DOJ) and the Federal Trade Commission (FTC) without ties to large technology companies. They asserted:
    • we urge you and your administration to hold these platforms accountable, and strongly enforce U.S. antitrust laws. We commend the administration for appointing strong antitrust experts to the National Economic Council and Federal Trade Commission (FTC). This same approach will be even more important in selecting leadership for antitrust enforcement at the Department of Justice and for further appointments at the FTC. These appointments should include only those able and willing to fearlessly investigate and litigate against the large tech firms without conflicts of interest from previous employment or representation.
    • Personnel is policy, and it is critical that the Biden Administration appoint leaders committed to enforcing our nation’s antitrust laws to the fullest degree. We must not go back to business as usual. Privacy, civil liberties, public health, truth, and the strength of U.S. democracy are at stake.
  • The Federal Communications Commission (FCC) will co-lead a workshop with the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence on 26 April. The FCC stated:
    • The day-long workshop will feature panels that explore initiatives to promote the supply chain integrity of small and medium-sized businesses and efforts to protect the software supply chain. Acting Chairwoman Rosenworcel will provide opening remarks, and officials with NCSC, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the Department of Commerce’s National Telecommunications and Information Administration will deliver keynotes. Representatives from the FCC’s Public Safety and Homeland Security, Wireless Telecommunications, and Wireline Competition Bureaus will also participate
  • The Campaign for a Commercial-Free Childhood and other groups wrote Facebook CEO Mark Zuckerberg urging him “to cancel plans to launch a version of Instagram for children under 13.” They asserted:
    • According to an internal memo published by BuzzFeed, Facebook plans to build “a version of Instagram that allows people under the age of 13 to safely use Instagram for the first time.”
    • We agree that the current version of Instagram is not safe for children under 13 and that something must be done to protect the millions of children who have lied about their age to create Instagram accounts, especially since their presence on the platform could be a violation of the Children’s Online Privacy Protection Act (COPPA) and other nations’ privacy laws.
    • However, launching a version of Instagram for children under 13 is not the right remedy and would put young users at great risk.

Further Reading

  • Why the Chip Shortage Is So Hard to Overcome” By Eun-Young Jeong and Dam Strumpf — The Wall Street Journal. A confluence of unforeseeable events has caused the worldwide shortage of semiconductor chips, and this industry is telling stakeholders it may be some time before production can be increased to meet the current boom. Among the possibly unforeseeable events that have hampered semiconductor production are the ongoing United States (U.S.)-People’s Republic of China (PRC) trade war, water shortages in Taiwan, unseasonably low temperatures in the U.S. south, and demand for older, lower end chips for cars, computer screens, and other lower tech manufactured devices. The time it takes to build a semiconductor fabrication plant (up to two years) and to produce chips (usually at least three months and longer for advanced chips) means the shortage might not abate soon. It may occur that if the semiconductor industry invests more in production capacity, there may be too many producers chasing too few customers. But, that is a longer term concern.
  • America’s digital defender is underfunded, outmatched and ‘exhausted’” By Eric Geller — Politico. This piece does not paint a pretty picture of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead on civilian cybersecurity. Former and current employees and officials see the agency as overextended and under-resourced given its missions. CISA has been an integral part of the government’s response to the SolarWinds and Microsoft Exchange hacks, helping both federal and private sector partners. It is currently budgeted at about $2.1billion for this year (plus $650 million in the “American Rescue Plan Act”), with some in Congress arguing it should get double that funding. However, the Biden Administration is only asking for a modest increase above $2.1 billion for next year.
  • Revealed: the Facebook loophole that lets world leaders deceive and harass their citizens” By Julia Carrie Wong — The Guardian. Allegations continue to be made that Facebook prioritizes content moderation for certain nations above others where abuse of the platform can sometimes exist without action for more than a year.
  • How Amazon Strong-Arms Partners Using Its Power Across Multiple Businesses” By Dana Mattioli and Joe Flint — The Wall Street Journal. A number of companies are saying that Amazon has used its leverage to force them to buy additional services they did not want, including large players like Viacom which was strong armed into buying advertising in order to seal a deal to place its media content on Amazon Prime. However, proving that such tying arrangements exist and violate antitrust law is very difficult.
  • House inches toward Big Tech antitrust reform” By Ashley Gold — Axios. This piece is not terribly persuasive that bipartisan legislation is coming anytime soon.
  • Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach” By Zachary Cohen, Alex Marquardt and Geneva Sands — CNN. This is another piece of the SolarWinds puzzle adjacent to the reporting of the Associated Press that revealed the hacking accessed the email and calendars of top Department of Homeland Security (DHS) officials including acting Secretary Chad Wolf. This latest article is alleging the Russian hackers also monitored DHS officials and employees, some of which are in the Cybersecurity and Infrastructure Security Agency (CISA), that are key in responding to hacks, possibly as a means of determining when or if the hack had been uncovered. DHS continues to maintain a “small number of employees’ accounts were targeted in the breach,” which does not answer the question of whether this targeting succeeded.
  • Gov. Greg Abbott publicly slammed Facebook. Privately, he’s courting the social media giant to build a second data center in Texas.” By Shawn Mulcahy — Texas Tribune. It seems very on brand for the governor of Texas and other Republicans to blast and legislate against social media companies that are “censoring” conservatives while courting them to come to Texas.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open meeting on 22 April with this draft agenda:
    • Text-to-988. The Commission will consider a Further Notice of Proposed Rulemaking to increase the effectiveness of the National Suicide Prevention Lifeline by proposing to require covered text providers to support text messaging to 988. (WC Docket No. 18-336)
    • Commercial Space Launch Operations. The Commission will consider a Report and Order and Further Notice of Proposed Rulemaking that would adopt a new spectrum allocation for commercial space launch operations and seek comment on additional allocations and service rules. (ET Docket No. 13-115)
    • Wireless Microphones. The Commission will consider a Notice of Proposed Rulemaking that proposes to revise the technical rules for Part 74 low-power auxiliary station (LPAS) devices to permit a recently developed, and more efficient, type of wireless microphone system. (RM-11821; ET Docket No. 21-115)
    • Improving 911 Reliability. The Commission will consider a Third Notice of Proposed Rulemaking to promote public safety by ensuring that 911 call centers and consumers receive timely and useful notifications of disruptions to 911 service. (PS Docket Nos. 13-75, 15-80; ET Docket No. 04-35
    • Concluding the 800 MHz Band Reconfiguration. The Commission will consider an Order to conclude its 800 MHz rebanding program due to the successful fulfillment of this public safety mandate. (WT Docket No. 02-55)
    • Enhancing Transparency of Foreign Government-Sponsored Programming. The Commission will consider a Report and Order to require clear disclosures for broadcast programming that is sponsored, paid for, or furnished by a foreign government or its representative. (MB Docket No. 20-299)
    • Imposing Application Cap in Upcoming NCE FM Filing Window. The Commission will consider a Public Notice to impose a limit of ten applications filed by any party in the upcoming 2021 filing window for new noncommercial educational FM stations. (MB Docket No. 20-343)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.
  • On 29 April, the Commerce, Science, and Transportation Committee will consider the nomination of Eric Lander to be Director of the Office of Science and Technology Policy (OSTP).
  • The Federal Trade Commission (FTC) will hold a workshop titled “Bringing Dark Patterns to Light” on 29 April.
  • The Department of Commerce’s National Telecommunications and Information Administration (NTIA) will hold “a virtual meeting of a multistakeholder process on promoting software component transparency” on 29 April.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Gautier Salles on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s