Other Developments
- The G7 nations have issued a ministerial declaration regarding their recent meeting “to discuss the digital and technology agenda under the theme of ‘building back better’.” Clearly, the United States (U.S.) set the theme of the meeting even though the United Kingdom (UK) holds the presidency of the G7 at present. The G7 explained:
- Our collective recovery from COVID-19 must be rooted in a desire to build back a better, more productive and resilient global economy, with digital technology at its heart. This should support open societies in the digital and data-driven age, and be guided by our shared democratic values of open and competitive markets, strong safeguards including for human rights and fundamental freedoms, and international cooperation which drives benefits for our citizens, economies and global well-being.
- We have therefore decided to place the needs of open, democratic societies at the centre of the technology debate and to work together towards a trusted, values-driven digital ecosystem. We believe that such ecosystems must enhance prosperity in a way that is sustainable, inclusive and human-centric. We have also affirmed our opposition to measures which may undermine these democratic values, such as government-imposed Internet shutdowns and network restrictions.
- This will be delivered through six important interventions at every level of the technology stack, from the physical infrastructure and digital technical standards that underpin it, to the data that fuels it, and the applications and content with which consumers and businesses interact on a daily basis in order to harness the opportunities that the digital economy presents. The interventions address:
- Promoting Secure, Resilient, and Diverse Digital, Telecoms, and ICT Infrastructure Supply Chains
- To support this objective, we discussed options for promoting a more secure, resilient, diverse, competitive, transparent and sustainable digital and ICT infrastructure supply chain, particularly in global telecoms. We discussed that such infrastructures require a rigorous evaluation of equipment, consistent with existing measures such as those outlined in the Prague Proposals, and the EU’s 5G toolbox. We also considered how to encourage innovation, and to actively explore the potential of emerging open and interoperable network architectures, alongside current technological offers. We noted that such approaches should maintain or enhance security, performance, energy efficiency and resilience, and could stimulate the emergence of new entrants to the market both now and in the future.
- A Framework for G7 Collaboration on Digital Technical Standards
- To deliver this, we have endorsed a Framework for Collaboration (Annex 1) which sets out areas for G7 and like minded partners’ collaboration on digital technical standards and offers a pathway for constructive engagement.
- A G7 Roadmap for Cooperation on Data Free Flow with Trust
- To deliver this, we endorse a Roadmap for Cooperation on Data Free Flow with Trust (Annex 2) which sets out our plan for delivering tangible progress on this agenda, building confidence for businesses and individuals to use technology, as well as driving economic and social value. As part of this Roadmap, we will work to accelerate the development of mutually acceptable data sharing practices for agreed priority sectors, and we will build evidence on the economic and societal impacts of data localisation measures. We will also champion progress of the OECD’s work on ‘Mapping commonalities in regulatory approaches to cross-border data transfers’ and on trusted ‘Government access to personal data held by the private sector’.
- G7 Internet Safety Principles
- We endorse the G7 Internet Safety Principles (Annex 3) which demonstrate our support for a set of underpinning principles to guide G7 approaches to improving online safety, and a set of operational principles where consensus exists for specific action.
- Deepening Cooperation on Digital Competition
- To support existing workstreams on enforcement and policy related to digital competition, we will invite the UK’s Competition and Markets Authority to convene a meeting of G7 competition authorities in 2021. The purpose of the meeting will be to discuss long term coordination and cooperation to better understand enforcement approaches, market characteristics and policy initiatives related to competition in digital markets, including in existing international and multilateral fora.
- A Framework for G7 Collaboration on Electronic Transferable Records
- We endorse our Framework for G7 collaboration on Electronic Transferable Records (Annex 4), through which we will initiate a dialogue between experts to work to achieve compatible domestic reforms, and provide collective support to other international initiatives seeking to facilitate and enable the adoption of electronic transferable records.
- As noted, the G7 also issued four annexes that spell out its policy proposals in a bit more detail:
- The two House Members who serve on the Cyberspace Solarium Commission (CSC) are asking that the House Appropriations Committee increase funding for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) by at least $400 million. In the Biden Administration’s first budget request, CISA would be provided with $2.1 billion, a $110 million increase above FY 2021. The White House noted, however, that this modest raise is augmented by the $650 million given to CISA in the “American Rescue Plan Act of 2021.” And while that is true, when the time comes to submit the FY 2023 budget request in February 2022, it is not likely the White House will use the total CISA funding as the basis for its request ($2.1 billion plus $650 million). In their letter, Representatives Mike Gallagher (R-WI) and James Langevin (D-RI) asserted:
- We estimate that funding appropriated to CISA will need to grow from just over $2 billion included in the Consolidated Appropriations Act for FY21 to no less than $2.425 billion for FY22. This is despite the fact that total budget authority for FY21 and FY22 will be higher than regularly appropriated amounts due to ARPA funding. In addition to expected increases to base funding due to normal maturation at the agency, expansions to the agency’s role due to new authorizations and as a response to emerging cybersecurity incidents place new funding requirements on CISA. We recommend an increase of at least $400 million for the FY22 appropriation to respond to these changing requirements. This would mean the overall 050 allocation to the Subcommittee on Homeland Security would increase from $2.551 billion, as specified in the FY21 appropriations agreement, to no less than $2.951 billion for FY22. It is worth noting that cost escalation in the U.S. Coast Guard and Federal Emergency Management Agency portions of the 050 funding — as well as the need to recapitalize Coast Guard assets — will likely necessitate an even greater increase in the national defense budget function allocation.
- The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) unveiled high-level plans to change the UK’s cybersecurity laws for “smart devices” but no actual legislation. Nonetheless, the DCMS issued its response to the call for views “on consumer connected product cyber security legislation” and other materials. In its response, the DCMS explained:
- The government has been working with the tech industry to better secure consumer connected products for several years. In 2018 we published a Code of Practice, setting out the security principles that should be applied by manufacturers and other relevant industry stakeholders. Since then we have been continuing discussions with industry on how to ensure the code is applied, and have been engaging internationally to persuade other states to adopt better security. In 2020, a new European Standard on connected product security, EN 303 645, was adopted, with the UK government contributing significantly to its development. Similar standards are now being adopted across the world.
- Now that internationally accepted standards are in place, the government believes that the time has come to start to enforce these standards. Too many insecure consumer connected products remain on the market and we need to take steps to ensure that in future, consumers can use these products with confidence.
- Whilst consumer products (including consumer connected products) are already subject to a regulatory framework in relation to safety and environmental requirements, in particular the Electrical Equipment (Safety) Regulations and Radio Equipment Regulations, new regulation is needed to ensure that products made available to UK consumers comply with a minimum baseline level of cyber security.
- From 16 July 2020 to 6 September 2020, the government ran a call for views on proposals for UK domestic legislation to regulate the cyber security of these products, rendering products like televisions, cameras and household appliances which connect to the internet safer and more secure for people to use.
- The government will now legislate, when parliamentary time allows, to create a new robust scheme of regulation to protect consumers from insecure connected products. The regulation will apply to all consumer connected products such as smart speakers, smart televisions, connected doorbells and smartphones. A number of devices will be exempt due to the specific circumstances of how they are constructed and secured, including desktop computers and laptops. The security requirements will align with international standards and are familiar to all manufacturers and other relevant parties across the industry. An enforcement body will be equipped with powers to investigate allegations of non-compliance and to take steps to ensure compliance.
- This legislation, which will apply across the whole of the UK, will protect consumers at home, but also demonstrate our continued global leadership in cyber security. In 2016 our objective within our National Cyber Security Strategy was that the majority of online products and services coming into use become ‘secure by default’ by 2021. We have seen successes through the publication of our Code of Practice, and the adoption of these thirteen principles abroad and within globally applicable standards from international standards bodies. However, aspects of industry still persist in using out-of-date and dangerous practices (such as universal default passwords), and the risk to consumers can no longer be tolerated. Our proposed legislation will further close the door on insecure technology.
- A California appeals court has ruled that Amazon is liable for defective products that third parties sell on its platform under the state’s laws that impose strict liability, a special class of legal obligation. The appeals court reversed the trial court’s ruling for Amazon and noted that, in a case decided last year, another California appeals court also ruled against Amazon. Now the case goes back to the trial court, where there may be a trial in line with the appeals court’s instruction and elucidation of the law. In this case, the court summarized its ruling:
- Kisha Loomis brought suit against Amazon.com LLC (Amazon) for injuries she suffered from an allegedly defective hoverboard. The hoverboard was sold by a third party seller named TurnUpUp through the Amazon website. The trial court granted summary judgment in favor of Amazon. The primary issue on appeal is whether Amazon may be held strictly liable for Loomis’s injuries from the defective product. Recently, the Fourth District addressed this issue as a matter of first impression in Bolger v. Amazon.com, LLC (2020) 53 Cal.App.5th 431 (Bolger), review denied November 18, 2020. Bolger held Amazon “is an ‘integral part of the overall producing and marketing enterprise that should bear the cost of injuries resulting from defective products.’ ” (Id. at p. 453.) Our own review of California law on strict products liability persuades us that Bolger was correctly decided and that strict liability may attach under the circumstances of this case. We reverse and remand with directions.
- The National Institute of Standards and Technology (NIST) has issued another of its guidance documents on controlled unclassified information (CUI) that supplement NIST Special Publication 800-171, recommendations that have been incorporated into federal regulation that are binding on many federal contractors. NIST is seeking comments on Draft NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, that “provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800-172.” NIST claimed:
- The generalized assessment procedures are flexible, provide a framework and starting point to assess the enhanced security requirements, and can be tailored to the needs of organizations and assessors. Organizations tailor the assessment procedures by selecting specific assessment methods and objects to achieve the assessment objectives and by determining the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can be employed in self-assessments, independent third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or in agreements by participating parties. The findings and evidence produced during assessments can be used by organizations to facilitate risk-based decisions related to the CUI enhanced security requirements. In addition to developing determination statements for each enhanced security requirement, Draft NIST SP 800-172A introduces an updated structure to incorporate organization-defined parameters into the determination statements.
- NIST is seeking feedback on the assessment procedures, including the assessment objectives, determination statements, and the usefulness of the assessment objects and methods provided for each procedure. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives.
- The High Court of Delhi ruled that information technology intermediaries (i.e. search engines such as Google, Bing, etc.) must take down offending content within 24 hours and must proactively search for and de-index and de-reference such materials under India’s Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and related laws. The case arose when a woman’s Facebook and Instagram profile pages were scraped, and her pictures were posted on a pornography website. The court spelled out other obligations these companies must meet under India’s laws regarding content moderation.
- A United States (U.S.) federal court has thrown out Microsoft and the Department of Defense’s motions to end Amazon’s challenge to the $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud computing contract. The JEDI contracting process has been epic, to say the least, with allegations that former President Donald Trump influenced the process because of his animus towards Amazon’s former CEO Jeff Bezos. There were also claims that a JEDI contracting officer who left the DOD to join Amazon prejudiced the procurement. Through it all, Microsoft and its team of subcontractors won the JEDI contract in 2019, and Amazon Web Services has been fighting to overturn this decision ever since. This most recent decision means more litigation.
- The former Children’s Commissioner for England Anne Longfield OBE is leading a lawsuit against TikTok and ByteDance “for deliberately violating United Kingdom (UK) and European Union (EU) children’s data protection law.” If TikTok and ByteDance lose, they could face billions of pounds in liability. Longfield and Scott + Scott, the firm bringing the litigation, asserted:
- The legal claim has been brought on behalf of millions of children using TikTok in the UK and European Economic Area who have been impacted by the app’s actions. Research conducted in support of the legal claim estimates that over 3.5 million children are affected in the UK alone.
- The claim alleges that TikTok and ByteDance have violated the UK Data Protection Act and the EU General Data Protection Regulation (GDPR), namely articles 5, 12, 14, 17, 25, 35 and 44 of the GDPR.
- TikTok and ByteDance have displayed a troubling pattern of breaking child data protection laws. In 2019, TikTok was issued a record fine for a case involving child data in the United States. This was followed by similar penalties in South Korea in 2020.
- TikTok has subsequently implemented measures for its users in the United States to verify their age when they open the App. Despite this, TikTok has refrained from introducing a similar age verification policy in the UK or other European countries.
- Concerns have also been raised by UK MPs about alleged information sharing between TikTok users in the UK and ByteDance, which could be subject to China’s National Intelligence Law.
- The European Union Agency for Cybersecurity (ENISA) “identified key research directions and innovation topics in cybersecurity to support the efforts of the European Union (EU) towards a Digital Strategic Autonomy.” In the report, ENISA stated:
- The term ‘digital strategic autonomy’ can have different meanings in different contexts. In this report, it is defined as the ability of Europe to source products and services that meet its needs and values, without undue influence from the outside world.
- This mission-driven roadmap presents seven prioritised challenges to support research, development and innovation in relation to the EU’s digital strategic autonomy. These priorities were derived from a set of 17 topics, which in turn were extracted and synthesised from recent research roadmaps. To finalise these priorities, an open survey took place, which was completed by 94 members of the European cybersecurity research and industrial community. For each of these seven priorities, this document (i) explores the origins of the problem and its importance, (ii) describes the state of the art and the long-term objective of the topic and (iii) recommends the necessary steps to reach this long-term objective.
- The open consultation revealed that the highest priority is related to data security, with an emphasis on privacy, data protection, trust in algorithms and artificial intelligence. The most important research and innovation challenges also include software and hardware security, digital communications security, cryptography, and detection of and response to cyberattacks. Finally, user-centric aspects related to the overall acceptance of digital services, including understanding the consequences of decisions to enforce or bypass security mechanisms, is a knowledge area that should be included in future research.
- Based on our findings, digital strategic autonomy will require an overarching vision of the information and communications technology landscape, driven by ambitious policies that aim to (i) protect European values and (ii) satisfy European needs for advanced and resilient services.
Further Reading
- “Warner says Senate committee working on bill to require mandatory reporting for cyber threats” By Jory Heckman — Federal News Network. As he has telegraphed throughout the year, Senate Intelligence Committee Chair Mark Warner (D-VA) is working on legislation that would require some United States (U.S.) federal government and critical infrastructure owners and operators to report security incidents (but not data breaches) in exchange for limited liability protection. Warner said he is working on a bipartisan basis and with Deputy National Security Adviser For Cyber And Emerging Technology Anne Neuberger and the Intelligence Community.
- “In secret Facebook groups, America’s best warriors share racist jabs, lies about 2020, even QAnon theories” By Carol Lee — NBC News. This article paints a terrifying picture of conspiracy thinking and white nationalist extremism that is apparently flourishing in some parts of the United States (U.S.) military with the suggestion that it runs more deeply and much higher up the command chain than is commonly believed.
- “The Slander Industry” By Aaron Krolik and Kashmir Hill — The New York Times. It sounds like the perfect scam. Set up a website where people can post about others, often in slanderous ways, and then charge a fee under a different name to remove online slander. Almost all the people in these shadowy industries profiled in this piece have criminal pasts. This seems like an area ripe for Federal Trade Commission (FTC) or state attorneys general investigation and enforcement.
- “Inside an International Tech-Support Scam” By Doug Shadel and Neil Wertheimer — AARP. A fascinating article on a white hat hacker doing his best to foil boiler rooms in India looking to scam people through fake computer virus claims.
- “Cashing in on Clubhouse” By Fadeke Adegbuyi — Cybernaut. Someone somewhere must have a formula or equation that predicts how quickly a new platform goes from organic, legitimate interaction to straight up scamming and hustling. If not, I’ll start working on Kans’ Law. In the meantime, here’s a piece on this evolution on Clubhouse.
- “The Crusade Against Pornhub Is Going to Get Someone Killed” By Samantha Cole — Vice.
Coming Events
- On 5 May, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee will hold a hearing titled “Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.”
- On 6 May, the House Science, Space, and Technology Committee’s Research and Technology Subcommittee will hold a hearing titled “National Science Foundation: Advancing Research for the Future of U.S. Innovation Part II.”
- The House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled “Broadband Equity: Addressing Disparities in Access and Affordability” on 6 May.
- On 6 May, the House Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the FY 2022 Department of Commerce budget request with Secretary of Commerce Gina Raimondo.
- On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
- Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
- Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
- Shortening STIR/SHAKEN Extension for Small Providers Likely to Originate Robocalls – The Commission will consider a Further Notice of Proposed Rulemaking to fight illegal robocalls by proposing to accelerate the date by which small voice service providers that originate an especially large amount of call traffic must implement the STIR/SHAKEN caller ID authentication framework. (WC Docket No. 17-97)
- Section 214 Petition for Partial Reconsideration for Mixed USF Support Companies – The Commission will consider an Order on Reconsideration to relieve certain affiliates of merging companies that receive model-based and rate-of-return universal service support from a “mixed support” merger condition cap. (WC Docket No. 20-389)
- Enforcement Bureau Action – The Commission will consider an enforcement action.
- Enforcement Bureau Action – The Commission will consider an enforcement action.
- On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.