Other Developments, Further Reading, and Coming Events (3 May 2021)

First, my first Lawfare article has been posted on data brokering and national security.

Second this piece has been cross posted at The Wavelength, my subscription newsletter. Subscribe today if you want to receive these posts in your inbox.

Other Developments

  • President Joe Biden gave his first State of the Union address and naturally touched upon some of the technology components of his “American Jobs Plan:”
    • And finally, the American Jobs Plan will be the biggest increase in nondefense research and development on record.  We will see more technological change — and some of you know more about this than I do — we’ll see more technological change in the next 10 years than we saw in the last 50.  That’s how rapidly artificial intelligence and so much more is changing.
    • And we’re falling behind the competition with the rest of the world.
    • Decades ago, we used to invest 2 percent of our gross domestic product in America — 2 percent of our gross domestic product — in research and development.
    • Today, Mr. Secretary, that’s less than 1 percent.  China and other countries are closing in fast.  We have to develop and dominate the products and technologies of the future: advanced batteries, biotechnology, computer chips, clean energy.
    • The Secretary of Defense can tell you — and those of you on — who work on national security issues know — the Defense Department has an agency called DARPA — the Defense Advanced Research Project Agency.  The people who set up before I came here — and that’s been a long time ago — to develop breakthroughs that enhance our national security -– that’s their only job.  And it’s a semi-separate agency; it’s under the Defense Department.  It’s led to everything from the discovery of the Internet to GPS and so much more that has enhanced our security.
    • The National Institute of Health — the NIH –- I believe, should create a similar Advanced Research Projects Agency for Health.
    • And that would — here’s what it would do.  It would have a singular purpose: to develop breakthroughs to prevent, detect, and treat diseases like Alzheimer’s, diabetes, and cancer.
    • I’ll still never forget when we passed the cancer proposal the last year I was Vice President — almost $9 million going to NIH.  And if you excuse the point of personal privilege, I’ll never forget you standing and mentioning — saying you’d name it after my deceased son.  It meant a lot.
    • But so many of us have deceased sons, daughters, and relatives who died of cancer.  I can think of no more worthy investment.  I know of nothing that is more bipartisan.  So, let’s end cancer as we know it. It’s within our power. It’s within our power to do it.
    • Biden also turned to foreign policy:
      • The investments I’ve proposed tonight also advance the foreign policy, in my view, that benefits the middle class.  That means making sure every nation plays by the same rules in the global economy, including China.
      • In my discussions — in my discussions with President Xi, I told him, “We welcome the competition.  We’re not looking for conflict.”  But I made absolutely clear that we will defend America’s interests across the board.  America will stand up to unfair trade practices that undercut American workers and American industries, like subsidies from state — to state-owned operations and enterprises and the theft of American technology and intellectual property.
      • I also told President Xi that we’ll maintain a strong military presence in the Indo-Pacific, just as we do with NATO in Europe — not to start a conflict, but to prevent one.
      • I told him what I’ve said to many world leaders: that America will not back away from our commitments — our commitment to human rights and fundamental freedoms and to our alliances.
      • And I pointed out to him: No responsible American President could remain silent when basic human rights are being so blatantly violated.  An American President — President has to represent the essence of what our country stands for.  America is an idea — the most unique idea in history: We are created, all of us, equal.  It’s who we are, and we cannot walk away from that principle and, in fact, say we’re dealing with the American idea.
      • With regard to Russia, I know it concerns some of you, but I made very clear to Putin that we’re not going to seek esca- — ecala- — exc- — excuse me — escalation, but their actions will have consequence if they turn out to be true.  And they turned out to be true, so I responded directly and proportionally to Russia’s interference in our elections and the cyberattacks on our government and our business.  They did both of these things, and I told them we would respond, and we have.
      • But we can also cooperate when it’s in our mutual interest.  We did it when we extended the New START Treaty on nuclear arms, and we’re working to do it on climate change.  But he understands we will respond.
      • On Iran and North Korea — nuclear programs that present serious threats to American security and the security of the world — we’re going to be working closely with our allies to address the threats posed by both of these countries through di- — through diplomacy, as well as stern deterrence.
  • On 28 April, the Senate Commerce, Science, and Transportation Committee marked up a number of bills, sending them to the full Senate. However, the committee pulled two of the technology bills it had planned on marking up: S.326, Measuring the Economic Impact of Broadband Act; Sponsors: Sens. Amy Klobuchar (D-MN), Shelley Moore Capito (R-WV), Dan Sullivan (R-AK) and S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN). The committee also approved two nominations: Don Graves to be Deputy Secretary of Commerce and former Senator Bill Nelson to be the National Aeronautics and Space Administration Administrator. The bills the committee did act upon include:
    • S.120, Safe Connections Act; Sponsors: Sens. Brian Schatz (D-HI), Deb Fischer (R-NE), Rick Scott (R-FL), Richard Blumenthal (D-CT), Jacky Rosen (D-NV), Shelley Moore Capito (R-WV)
    • S.163, Telecommunications Skilled Workforce Act; Sponsors: Sens. John Thune, (R-SD) Jon Tester (D-MT), Gary Peters (D-MI), Roger Wicker (D-MS), Jerry Moran (R-KS)
    • S.198, Data Mapping to Save Mom’s Lives Act; Sponsors: Sens. Jacky Rosen (D-NV), Deb Fischer (R-NE), Todd Young (IN), Brian Schatz (D-HI), Ed Markey (D-MA), Richard Blumenthal (D-CT), Amy Klobuchar (D-MN), Gary Peters (D-MI)
    • S.735, Advanced Technological Manufacturing Act; Sponsors: Sens. Roger Wicker (R-MS), Maria Cantwell (D-WA), Jacky Rosen (D-NV)
  • The Federal Communications Commission (FCC) held an open meeting and approved the following matters:
  • Israel’s Supreme Court has denied a challenge (in Hebrew only) to the Israeli State Attorney’s Cyber Unit’s practice of asking social media platforms to remove content. Adalah – The Legal Center for Arab Minority Rights in Israel and the Association for Civil Rights in Israel (ACRI) brought the action and claimed in their press release:
    • Israel’s Cyber Unit uses an “alternative enforcement” mechanism to essentially censor social media platforms and muzzle users: it flags and submits social media posts – without legal proceedings and often without even the knowledge of the individual user – to social media giants and requests their removal. 
    • This Israeli state practice is aimed at clamping down on social media dissent, and frequently even results in the suspension or removal of users. This censorship is conducted in collaboration and coordination with social media outlets, including U.S.-based giants Facebook and Twitter.
    • Similar units operating in countries around the world are known as Internet Referral Units (IRUs).
    • Adalah attorneys Fady Khoury and Rabea Eghbariah had filed the petition against the Cyber Unit to the Israeli Supreme Court on 26 November 2019. They stressed that the Cyber Unit’s “alternative enforcement” mechanism violates the constitutional rights of freedom of expression and due process, and that the unit is operating without any legal authority.
    • Israeli Supreme Court Justice Hanan Melcer announced the decision on Monday morning in Jerusalem, in his final ruling before retirement.
    • In its decision, the court granted unchecked and unauthorized power to the Israeli state, allowing it to govern online speech by using informal channels with social media corporations. The court essentially privatized the judicial process, allowing private corporations to decide upon censorship of social media content based on ostensibly unbinding requests from Israeli state authorities.
    • Israel’s State Attorney did not issue a press release but provides on its website a general explanation of how the Cyber Unit works:
      • The Cyber Unit at the Office of the State Attorney is a new national unit which was established in 2015, in view of the need recognized by the State Attorney to coordinate efforts in dealing with crime and terrorism in cyberspace.
      • In recent years cybercrime has been on a sharp upward trend from the quantitative and qualitative aspect. This crime is complex and has unique characteristics that distinguish it from familiar crime in the physical space. Cybercrime raises unique legal questions and requires special proficiency in handling it. In view of the structure of the internet which makes it difficult to collect digital evidence and locate the perpetrators of the offenses and in view of the increasing dependency on cyberspace, much more crimes are committed inside cyberspace or via it.
      • Following the headquarters’ work carried out in conjunction with the National Cyber Bureau at the Prime Minister’s Office, adopted by the Attorney General and the State Attorney, it was decided to form the Cyber Unit at the Office of the State Attorney.
      • Cybercrime is varied and includes the following types of offenses:
        • Offenses against computer and against information – infiltration into computer material, circulating viruses, Trojan horses and worms, interference with computer activity (such as by way of DDoS attacks), stealing computerized information (personal information, information of economic value, information of national security importance) and more. The motives for committing these offenses may be varied: terrorism, business espionage or personal motives.
        • Classic offenses copied in full into the computerized space – these are varied offenses (fraud, forgery, gambling, pornographic pedophilic publications, sexual harassment, etc.) that have been copied form the physical space to the computerized space, while exploiting the features of the space so as to allow them to be committed more easily and with less fear of being caught.
        • Expression offenses in the computerized space – this is a variety of forbidden publications – incitement to racism and violence, a breach of gag orders, defamation, harm to privacy and also phenomena such as cyberbullying and shaming that are presently committed online.
  • The Senate passed the “Drinking Water and Wastewater Infrastructure Act of 2021” (S.914) and sent it to the House. The White House expressed its support for the bill in a Statement of Administration Policy. This bill addresses the perceived cyber insecurity of United States (U.S.) water systems through a variety of means:
    • A Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program would be established in the Environmental Protection Agency (EPA) to reduce cybersecurity vulnerabilities and increase resilience to natural hazards and extreme weather events.
    • The EPA would also need to “carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity vulnerabilities, that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system.” An advanced drinking water technology grant program would thereafter be established at the EPA to address a number of problems, including cybersecurity.
    • The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) would “develop a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” The agencies would also develop a Technical Cybersecurity Support Plan for public water systems.
    • The EPA must “establish a clean water infrastructure resilience and sustainability program under which the Administrator shall award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or cybersecurity vulnerabilities.”
  • The Department of Justice (DOJ) announced that “Software company, SAP SE, headquartered in Walldorf, Germany, has agreed to pay combined penalties of more than $8 million as part of a global resolution with the U.S. Departments of Justice (DOJ), Commerce and Treasury.” The DOJ entered into a non-prosecution agreement with SAP and explained:
    • In voluntary disclosures the company made to the three agencies, SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations. As a result of its voluntary disclosure to DOJ, extensive cooperation and strong remediation costing more than $27 million, DOJ’s National Security Division (NSD) and the U.S. Attorney’s Office for the District of Massachusetts entered into a Non-Prosecution Agreement with SAP. Pursuant to that agreement, SAP will disgorge $5.14 million of ill-gotten gain.
    • Beginning in approximately January 2010 through approximately September 2017, SAP, without a license, willfully exported, or caused the export, of its products to Iranian users. SAP’s violations occurred in two principle ways.
    • First, between 2010 and 2017, SAP and its overseas partners released U.S-origin software, including upgrades or software patches more than 20,000 times to users located in Iran. Certain SAP senior executives were aware that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did not remedy the issue. The vast majority of the Iranian downloads went to 14 companies, which SAP partners in Turkey, United Arab Emirates, Germany and Malaysia knew were Iranian-controlled front companies. The remaining downloads went to several multinational companies with operations in Iran, which downloaded SAP’s software, updates, or patches from locations in Iran.
    • Second, from approximately 2011 to 2017, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran. Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes. Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.
  • The National Institute of Standards and Technology (NIST) is asking for input on its document that provides guidance for the security of industrial control systems:
    • Since NIST Special Publication (SP) 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, was published in 2015, many of the tools, technologies, standards, and recommended practices encompassing control system cybersecurity have changed.
    • NIST seeks input from SP 800-82 stakeholders to ensure that the future update will continue to deliver the guidance necessary to help organizations manage the cybersecurity risks associated with their control systems.
    • Specifically, NIST requests input on the following:
      • Expansion in scope of SP 800-82 from industrial control systems to control systems in general
      • Over the years, SP 800-82 has been used in areas outside the scope of traditional industrial control systems, from building automation systems to the National Airspace System. The proposed update would expand the scope to control systems in general and would enable SP 800-82 to provide cybersecurity guidance for control systems beyond traditional industrial control systems. What are the benefits and/or impacts of this expansion in scope?
      • Application of new cybersecurity capabilities in control system environments
      • The proposed update would provide guidance on the use of new technologies and cybersecurity capabilities (e.g., behavioral anomaly detection, digital twins, Internet of Things, artificial intelligence, machine learning, zero trust, cloud, edge computing) in control system environments. What new technologies and cybersecurity capabilities should be highlighted in the updated guidance?
      • Development of guidance specific to small and medium-sized control system owners and operators
      • Stakeholder feedback has indicated that there is a need for more cybersecurity guidance to enable small and medium-sized control system owners and operators to select and deploy cybersecurity tools and techniques that best fit their needs. What guidance and resources would be most beneficial to this community of interest?
      • Updates to control system threats, vulnerabilities, standards, and recommended practices
      • The proposed update would revise guidance throughout the document to align with current control system cybersecurity standards and recommended practices. Updates would also be made to the control system threat landscape, vulnerabilities, incidents that have occurred, current activities in control system cybersecurity, and the cybersecurity capabilities, tools, and mitigations sections. How can NIST best both capture theses updates and provide an ongoing reference to other resources?
      • Updates to the control system Overlay
      • The proposed update would revise the control system Overlay to align with SP 800-53, Rev. 5 and SP 800-53B, and address the change in scope to control systems in general.
      • Removal of material from the current document
      • The proposed update would consider removing material that is outdated, unneeded, or no longer applicable. Is there material that is no longer useful in the document?
  •  The developers of Signal, a messaging app, have posted their assessment of and holes they found in Cellbrite’s security roughly six months after the Israeli security firm claimed it had broken Signal’s encryption. Last year, Human rights attorneys filed suit in Tel-Aviv to force the Ministry of Defence to end exports of Cellebrite’s phone hacking technology to repressive regimes like Hong Kong and Belarus. It is not clear Israel ever granted Cellebrite an export license, and the Ministry is being closed mouth on the issue. Previous filings assert Cellebrite’s technology has been used over 4,000 times in Hong Kong to hack into the phones of dissidents and activists even though many were using device encryption. In its blog post, Signal stated:
    • Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.
    • Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.
  • The American Civil Liberties Union (ACLU) filed a petition for the Supreme Court of the United States to overturn an appeals court decision that allows for suspicionless searches of electronic devices at the border and airports of the United States (U.S.). In February, the United States Court of Appeals For the First Circuit (First Circuit) overturned a district court and hewed to rulings handed down by other circuits. In November 2019, a U.S. District Court held that U.S. Customs and Border Protection (CPB) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and the agency must have reasonable suspicion before conducting such a search.

Further Reading

Coming Events

  • On 5 May, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.”
  • On 6 May, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “National Science Foundation: Advancing Research for the Future of U.S. Innovation Part II.”
  • The House Energy and Commerce Commerce’s Communications and Technology Subcommittee will hold a hearing titled “Broadband Equity: Addressing Disparities in Access and Affordability” on 6 May.
  • On 6 May, the House Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the FY 2022 Department of Commerce budget request with Secretary of Commerce Gina Raimondo.
  • On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
    • Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
    • Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Haley Black from Pexels

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s