Other Developments, Further Reading, and Coming Events (7 May 2021)

Other Developments

  • The New York State Department of Financial Services (NYDFS) published a “Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response.” The NYDFS stated:
    • The report summarizes the SolarWinds Attack, the response by DFS-regulated companies, and key measures to prevent or mitigate against future supply chain attacks.    
    • The Department found that DFS-regulated companies generally responded quickly.  For example, 94% of the reporting companies removed the vulnerabilities from their IT systems within three days of the SolarWinds Attack’s announcement.  However, the Department also found that some companies were not applying patches as regularly as needed to ensure timely remediation of high-risk cyber exposure.   
    • In the report, DFS identifies the following cybersecurity measures as critical practices:   
      • Fully assess and address third party risk.  
      • Adopt a “zero trust” approach and implement multiple layers of security. 
      • Timely address vulnerabilities through patch deployment, testing, and validation. 
      • Address supply chain compromise in incident response plans.  
    • The report furthers DFS’s commitment to improving cybersecurity and sharing information to protect consumers and the industry.  DFS has also issued multiple alerts regarding ongoing cyber threats, including the SolarWinds Attack, weaknesses in Microsoft Exchange Server, and an ongoing cyber fraud campaign identified by the Department. 
  • The American Civil Liberties Union (ACLU) has filed a petition for the Supreme Court of the United States to consider whether the court that oversees the United States’ (U.S.) foreign surveillance can release legally significant decisions and if the First Amendment provides such a right. Former U.S. Solicitor General Ted Olson is representing the ACLU. In the petition, the ACLU asserted:
    • Congress created the Foreign Intelligence Surveillance Court (“FISC”) in 1978 to oversee electronic surveillance conducted for foreign intelligence purposes. The FISC’s role was originally narrow, but today, as a result of legislative changes and new technology, the court evaluates broad programs of surveillance that can have profound implications for Americans’ privacy, expressive, and associational rights. The court’s opinions frequently include significant interpretations of statutory and constitutional law. Petitioner filed motions with the FISC asserting that the First Amendment provides a qualified right of public access to FISC opinions containing significant legal analysis—even if portions of the published opinions must be redacted. The FISC rejected one of these motions on the merits. Subsequently, in this case, the FISC and the Foreign Intelligence Surveillance Court of Review (“FISCR”) both held that they lack jurisdiction even to rule on Petitioner’s constitutional claim.
    • The questions presented are:
      • 1. Whether the FISC, like other Article III courts, has jurisdiction to consider a motion asserting that the First Amendment provides a qualified public right of access to the court’s significant opinions, and whether the FISCR has jurisdiction to consider an appeal from the denial of such a motion.
      • 2. Whether the First Amendment provides a qualified right of public access to the FISC’s significant opinions.
  • Thirteen Senators wrote [XXXXX], T-Mobile, and AT&T about plans to shut down their 2G and 3G networks. They asserted:
    • Researchers estimate that approximately 13% of Americans rely on older 2G or 3G technology, with other estimates putting that number higher.2 In some areas, 2G and 3G services are the only mobile wireless service available, and this is particularly true in rural and secluded areas where 4G and 5G technologies have not yet been deployed. For many customers who live in these areas, a mobile wireless connection is their only tool for staying in touch with friends and family, doing homework, or making a living. Shutting down 2G and 3G services in these areas without adequate notice, or before 4G or 5G services are available as a replacement, risks leaving millions of Americans completely disconnected.
    • [XXXXX]’s transition away from 2G and 3G services may also create new financial hardships for customers, who need to use 2G or 3G because of its lower cost or capabilities. This is particularly true for seniors, many of whom continue to use older devices for emergency use, and only need voice capabilities. Moreover, a typical 3G device and subscription is much less expensive than a 4G enabled phone and subscription, and requiring customers to purchase new 4G and 5G plans will result in thousands of dollars in additional expense. This could be excessively burdensome for families who have already been hard hit by the pandemic.
    • They Senators asked:
      • 1)  How many [XXXXX] customers currently rely on 2G and 3G services? Which states have the highest numbers of 2G and 3G customers, both as a total number and as a portion of [XXXXX] total subscribers?
      • 2)  What information have you provided to your current 2G and 3G customers regarding the transition to 4G and 5G services? Has [XXXXX] provided its customers with the date on which it intends end their 2G and 3G services?
      • 3)  Does [XXXXX] have any services or offerings designed for customers transitioning from 2G and 3G services? Is [XXXXX] offering any financial support for customers who may not be able to afford more expensive 4G and 5G devices and services? How will [XXXXX] support customers who currently do not have a 4G or 5G handset?
      • 4)  Will [XXXXX] immediately provide 4G and 5G services in areas where it plans to shut down its 2G and 3G networks? If not, how long will it take for [XXXXX] to deliver 4G and 5G services in those areas? How will [XXXXX] ensure that the shutdown of its 2G and 3G networks do not leave some customers without mobile wireless service?
      • 5)  How will the 2G and 3G shutdown impact access to public safety and 9-1-1 services?
      • 6)  How will the 2G and 3G shutdown impact non-cellular devices and other devices and systems that are not mobile phones on your networks? How many of these devices will be impacted in each state?
      • 7)  How will the shutdown of 2G and 3G services impact the ability of other carriers to use [XXXXX]’s network for roaming traffic or wholesale services? What is [XXXXX] doing to ensure that the voice traffic of roaming carriers will not be impacted?
      • 8)  Can current 2G and 3G customers change service providers during this transition without incurring additional fees? If so, what information have you provided customers on how to do this?
      • 9)  How has [XXXXX] trained its customer service representatives to assist and provide resources to 2G and 3G customers during the transition? What are these resources and when will they be available to customers?
      • 10)  What other steps, if any, is [XXXXX] taking or has planned to take to ensure that this transition closes rather than widens the digital divide? Please describe in terms of both availability and affordability.
  • New Zealand’s Reserve Bank issuedGuidance on Cyber Resilience” “on what regulated entities should consider when building their cyber resilience.” The bank stated:
    • The guidance outlines the Reserve Bank’s expectations around cyber resilience, and draws heavily from leading international and national cybersecurity standards and guidelines. The guidance applies to all entities the Reserve Bank regulates, including registered banks, licensed non-bank deposit takers, licensed insurers and designated financial market infrastructures
    • The finalised guidance on cyber resilience aims to raise awareness of, and ultimately promote, the cyber resilience of the financial sector, especially at the board and senior management level of regulated entities.
    • The guidance provides high-level principle-based recommendations for entities and primarily serves as an overarching framework for the governance and management of cyber risk, which entities can tailor to their own specific needs and technologies, rather than as an explicitly detailed or technical set of instructions. 
    • The intention is to illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience.
  • The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is accepting comments on “a preliminary draft” of NIST SP 1800-32, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources. NCCoE stated:
    • In this practice guide, the NCCoE applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. The guide demonstrates an example solution for monitoring and detecting anomalous behavior of connected industrial internet of things (IIoT) devices and building a comprehensive audit trail of trusted IIoT data flows.
    • By releasing Volumes A and B as a preliminary draft, we are sharing our progress made to date, using the feedback received to shape future drafts of the practice guide, and featuring technologies and practices that organizations can use to monitor, trust, and protect information exchanges between commercial- and utility-scale distributed energy resources (DERs).
  • The  Information Technology Industry Council (ITI) has released “first-of-its-kind recommendations for policymakers worldwide considering adopting cybersecurity labeling as a means of better communicating security features in information and communications technology (ICT) products and services.” ITI recommended that “[t]o better inform ongoing discussions around cybersecurity labeling” policymakers should:
    • Embrace stakeholders, ensure clarity, and balance responsibilities to ensure that labeling programs bring value to consumers and that both end-users and manufacturers understand their respective roles in maintaining security.
    • Ensure the labeling format is flexible and the content is effective, such as through the use of e-labels or machine-readable codes and reasonably simple, clear language that does not overwhelm or distract consumers.
    • Ensure that the labeling does not convey a false sense of security, in recognition of the fact that cybersecurity is a continuous process and a label only reflects security at a specific point in time.
    • Align labeling with consensus-based, voluntary, industry-led international standards, to facilitate mutual recognition of labeling schemes across jurisdictions and prevent potential barriers to trade.
  • The American Medical Association (AMA) has made available “newly developed online educational resources to help physicians navigate the complex federal regulation aimed at ending information-blocking practices that impede access, exchange or use of patients’ electronic health information.” The AMA explained “[t]he federal regulation from the Office of the National Coordinator for Health Information Technology (ONC) took effect on April 5 and implements the interoperability provisions of the 21st Century Cures Act to promote patient control over their own health information.” The AMA published these materials:
    • HIPAA (Health Insurance Portability and Accountability Act) provides patients with the right to obtain copies of medical records in their preferred form and format when a practice is able to do so.
    • If your electronic health record (EHR) is certified by the Office of the National Coordinator for Health Information Technology (ONC), it should have certain minimum capabilities. But those capabilities will not do much good if you are not familiar with them.
    • Read topic briefs, including real-world scenarios, about barriers associated with accessing images, records of the deceased and records from practices that are closed.
    • Patient-facing smartphone apps can help patients access health information, but privacy should be top of mind for patients since apps vary widely in the extent to which they keep one’s information private and secure.
    • Questions and answers about patient access, EHRs and more.
    • Federal regulation prohibits medical providers and EHR vendors from standing in the way of patients receiving their own health information, a process known as “information blocking.”
    • With patient access, there are many important things to keep in mind, from patient rights to delivery to considerations for non-clinical caregivers.
    • An instructive diagram outlining the steps and choices involved in patient access.
  • In concert with the roll out of its proposed legislation for regulating artificial intelligence (AI), the European Commission (EC) issued a “Study to Support an Impact Assessment of Regulatory Requirements for Artificial Intelligence”  written by the Centre for European Policy Studies (CEPS), ICF International Inc., and Wavestone.

Further Reading

  • The Crusade Against Pornhub Is Going to Get Someone Killed” By Samantha Cole — Vice. Sex trafficking is a real and tragic issue, but anti-trafficking groups frequently equate the entire adult industry, including pornography, with exploitation and paint sex workers as victims in need of rescue. “Anti-sex trafficking” is a topic that’s easy to gain political backing, fundraising, and popular support for. By couching the conversation as being against “sexual slavery,” it’s easy to shut down the more nuanced and difficult conversations about the ways that politicians, businesses, antiquated laws, poorly written sex trafficking legislation, and an anti-sex-work culture more broadly have hurt and killed people who are working in the consensual porn and sex work industries. No reasonable human is pro-trafficking, but anti-trafficking groups use the issue to advance legislation and policies, and real-world stigma against sex workers, to further their cause. Frequently, these “anti-sex trafficking” groups want to end the entire adult industry altogether.
  • A Global Tipping Point for Reining In Tech Has Arrived” By Paul Mozur, Cecilia Kang, Adam Satariano and David McCabe — The New York Times. China fined the internet giant Alibaba a record $2.8 billion this month for anticompetitive practices, ordered an overhaul of its sister financial company and warned other technology firms to obey Beijing’s rules Now the European Commission plans to unveil far-reaching regulations to limit technologies powered by artificial intelligence. And in the United States, President Biden has stacked his administration with trustbusters who have taken aim at Amazon, Facebook and Google.
  • Global chip shortage likely to last through 2021 and even into 2022 as industry grapples with increasingly complex market forces” By Che Pan — South China Morning Post. A global shortage of chips, the tiny devices at the heart of every electronics gadget, is having a ripple effect across the wider consumer electronics industry and analysts say the squeeze could last through 2021 and into 2022 given the multiple factors at play.
  • Justice Department launches review of cyber policies after ransomware, supply chain scourges” By Sean Lyngaas — cyberscoop. The Justice Department is undertaking a four-month review of its approach to combatting a range of malicious cyber activity from foreign governments and criminals amid a spate of ransomware attacks and supply chain compromises.
  • How A Chinese Surveillance Broker Became Oracle’s “Partner Of The Year” By Mara Hvistendahl — The Intercept. Banners printed for the occasion read, “Build a new type of strategic partnership.” Artfully made cutouts of the two companies’ logos adorned the stage. And the frosting on the massive sheet cake curled into a red “20,” to celebrate two decades of cooperation between Oracle and one of its most important Chinese resellers.
  • Suspected Chinese hackers are breaking into nearby military targets” By Shannon Vavra — cyberscoop. Chinese hackers with suspected ties to the People’s Liberation Army have been hacking into military and government organizations in Southeast Asia over the course of the last two years, according to Bitdefender research published Wednesday.
  • Apple’s $64 Billion-A-Year App Store Isn’t Catching The Most Egregious Scams” By Sean Hollister — The Verge. Recently, I reached out to the most profitable company in the world to ask a series of basic questions. I wanted to understand: how is a single man making the entire Apple App Store review team look silly? Particularly now that Apple’s in the fight of its life, both in the courts and in Congress later today, to prove its App Store is a well-run system that keeps users safe instead of a monopoly that needs to be broken up.
  • Breaking Point: How Mark Zuckerberg and Tim Cook Became Foes” By Mike Isaac and Jack Nicas — The New York Times. At a confab for tech and media moguls in Sun Valley, Idaho, in July 2019, Timothy D. Cook of Apple and Mark Zuckerberg of Facebook sat down to repair their fraying relationship. For years, the chief executives had met annually at the conference, which was held by the investment bank Allen & Company, to catch up. But this time, Facebook was grappling with a data privacy scandal. Mr. Zuckerberg had been blasted by lawmakers, regulators and executives — including Mr. Cook — for letting the information of more than 50 million Facebook users be harvested by a voter-profiling firm, Cambridge Analytica, without their consent. At the meeting, Mr. Zuckerberg asked Mr. Cook how he would handle the fallout from the controversy, people with knowledge of the conversation said. Mr. Cook responded acidly that Facebook should delete any information that it had collected about people outside of its core apps.
  • Facebook now has to ask permission to track your iPhone. Here’s how to stop it.” By Geoffrey Fowler — The Washington Post. If you haven’t already, you’ll see a surprising message pop up on your iPhone from Facebook in the next few weeks: Do you give it permission to track you? When apps, like the one from Shake Shack, pop up a question about tracking, tap “Ask App not to Track” to better protect your privacy. To make your iPhone more private, tap “Ask App not to Track.” Do not tap “Allow,” unless you love creepy online ads.
  • Apple fined $12M by Russian regulator over App Store monopoly abuse” By Jon Porter — The Verge. Russia’s antitrust regulator, the Federal Antimonopoly Service (FAS), has fined Apple $12 million over complaints it unfairly cracked down on third-party parental control apps, the regulator has announced. The FAS started its investigation after receiving a complaint from Kaspersky Lab in March 2019, which claimed Apple had forced it to limit the functionality of its Safe Kids app shortly after Apple added the Screen Time feature to iOS 12.
  • Microsoft Sales Show Strong Growth in Gaming, Cloud” By Aaron Tilley — Wall Street Journal. Microsoft Corp. MSFT -0.53% extended its pandemic-fueled run of strong quarterly earnings that have bolstered investor enthusiasm in the software giant, bringing the company near a $2 trillion valuation. Microsoft has seen massive growth across its professional and consumer businesses with people stuck at home and remote work and distance education becoming the norm for many. That has driven rapid uptake of its cloud-computing services and supercharged the company’s videogaming sales. Microsoft’s stock is up around 50% over the past year, driving the company’s valuation to about $1.97 trillion, second only to Apple Inc.
  • Facebook expects ad tracking problems from regulators and Apple” By Jacob Kastrenakes — The Verge. Facebook’s ad revenue was up more than 45 percent during the first three months of 2021, soaring to $25.4 billion — or about seven times what Twitter makes in an entire year. But the company sees some potential problems on the horizon that could limit continued growth: regulators are closing in on ad tracking practices, and a feature launched this week by Apple could harm its ability to target ads.

Coming Events

  • On 11 May, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Prevention, Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds.”
  • On 12 May, the Senate Commerce, Science, and Transportation Committee will hold a markup to consider the following matters among others:
    • Nomination of Lina M. Khan, of New York, to be Commissioner of the Federal Trade Commission
    • Nomination of Leslie B. Kiernan, of Maryland, to be General Counsel of the Department of Commerce
    • S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN)
  • On 14 May, the House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a hearing titled “Operations in Cyberspace and building Cyber Capabilities Across the Department of Defense.”
  • On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
    • Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
    • Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Alexander Andrews on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s