Other Developments, Further Reading, and Coming Events (10 May 2021)

Other Developments

  • The Facebook Oversight Board has “upheld” Facebook’s decision to shutter former President Donald Trump’s Facebook and Instagram accounts. The Board stated Facebook needs to decide within six months on a penalty appropriate to Trump’s violations instead of the indefinite suspension it levied after the attack on the United States Capitol on 6 January fomented by Trump’s lies. The Board stated:
    • However, it was not appropriate for Facebook to impose the indeterminate and standardless penalty of indefinite suspension. Facebook’s normal penalties include removing the violating content, imposing a time-bound period of suspension, or permanently disabling the page and account.
    • The Board insists that Facebook review this matter to determine and justify a proportionate response that is consistent with the rules that are applied to other users of its platform. Facebook must complete its review of this matter within six months of the date of this decision. The Board also made policy recommendations for Facebook to implement in developing clear, necessary, and proportionate policies that promote public safety and respect freedom of expression.
  • The European Union’s Parliament passed a law that will require online platforms to remove terrorist content within one hour after receiving a removal order. The Parliament explained:
    • The new regulation will target content such as texts, images, sound recordings or videos, including live transmissions, that incite, solicit or contribute to terrorist offences, provide instructions for such offences or solicit people to participate in a terrorist group. In line with the definitions of offences included in the Directive on combating terrorism, it will also cover material that provides guidance on how to make and use explosives, firearms and other weapons for terrorist purposes.
    • Terrorist content must be removed within one hour
    • Hosting service providers will have to remove or disable access to flagged terrorist content in all member states within one hour of receiving a removal order from the competent authority. Member states will adopt rules on penalties, the degree of which will take into account the nature of the breach and the size of company responsible.
    • Protection of educational, artistic, research and journalistic material
    • Content uploaded for educational, journalistic, artistic or research purposes, or used for awareness-raising purposes, will not be considered terrorist content under these new rules.
    • No general obligation to monitor or filter content
    • Internet platforms will not have a general obligation to monitor or filter content. However, when competent national authorities have established a hosting service provider is exposed to terrorist content, the company will have to take specific measures to prevent its propagation. It will then be up to the service provider to decide what specific measures to take to prevent this from happening, and there will be no obligation to use automated tools. Companies should publish annual transparency reports on what action they have taken to stop the dissemination of terrorist content.
  • The National Security Agency (NSA) issued a cybersecurity advisory (CSA) titled “Stop Malicious Cyber Activity Against Connected Operational Technology” “for National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB) operational technology (OT) owners and operators.” The NSA asserted:
    • The CSA details how to evaluate risks to systems and improve the security of connections between OT and enterprise networks. Information technology (IT) exploitation can serve as a pivot point for OT exploitation, so carefully evaluating the risk of connectivity between IT and OT systems is necessary to ensure unique cybersecurity requirements are met.
    • This guidance provides a pragmatic evaluation methodology to assess how to best improve OT and control system cybersecurity for mission success, to include understanding necessary resources for secure systems:
      • First, NSA encourages NSS, DOD, and DIB system owners, operators, and administrators to evaluate the value against risk and costs for enterprise IT to OT connectivity. While the safest OT system is one that is not connected to an IT network, mission critical connectivity may be required at times. Review the connections and disconnect those that are not truly needed to reduce the risk to OT systems and functions.
      • Next, NSA recommends taking steps to improve cybersecurity for OT networks when IT-OT connectivity is mission critical, as appropriate to their unique needs. For IT-OT connections deemed necessary, steps should be taken to mitigate risks of IT-OT exploitation pathways. These mitigations include fully managing all IT-OT connections, limiting access, actively monitoring and logging all access attempts, and cryptographically protecting remote access vectors.
  • The Institute for Security & Technology’s (IST) Ransomware Task Force (RTF) issued its report “Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.” The RTF consists of United States (U.S.) government agencies, industry groups, companies, and others. At the public rollout of the report, United States Secretary of Homeland Security Alejandro Mayorkas said his agency would work with RTF to implement recommendations. The RTF made the following priority recommendations:
    • Coordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
    • The United States should lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House. In the U.S., this must include the establishment of 1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; 2) an internal U.S. Government Joint Ransomware Task Force; and 3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.
    • Governments should establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities; mandate that organizations report ransom payments; and require organizations to consider alternatives before making payments.
    • An internationally coordinated effort should develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.
    • The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws.
  • Senators Catherine Cortez Masto (D-NV) and Rob Portman (R-OH) introduced legislation (S.1498) “to make sure the United States is positioned to lead international standards-setting, counter the Chinese government’s influence and protect American jobs.” They asserted “[t]his legislation would require the White House Office of Science and Technology Policy (OSTP) to create a task force that would counter Chinese influence and ensure the United States is leading the emerging technology standards-setting process, and builds on Cortez Masto and Portman’s bipartisan “Ensuring American Leadership over International Standards Act,” which was signed into law last year.” They added:
    • This legislation intends to stop the Chinese government from dominating international standards-setting – which would allow them to continue to lead in the development of new technologies – and protect American jobs by strengthening the United States’ position as a leader in this space. This legislation would protect American competitiveness and protect American jobs by creating an Emerging Technology Standards-Setting Task Force, led by OSTP, which would include representation from Department of Commerce, the National Institute of Standards and Technology (NIST), the Department of State, the Department of Defense, the Department of Energy, Department of Labor. The Task Force would engage with academia and the private sector to develop a long-term strategic plan to assess which technology standards (5G, artificial intelligence, etc.) have the greatest impact on national security and economic competitiveness, and to craft a strategy to credibility and engagement with international institutions on standards-setting.
  • The United Kingdom’s National Cyber Security Centre (NCSC), the United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) “published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors…known and tracked in open source as APT29, Cozy Bear, and The Dukes.” The agencies stated:
    • UK and US governments recently attributed SVR’s responsibility for a series of cyber-attacks, including the compromise of SolarWinds and the targeting of COVID-19 vaccine developers.
    • Alongside this attribution, the United States’ National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing the exploits most recently used by the group. The FBI, Department of Homeland Security (DHS) and CISA also issued an alert providing information on the SVR’s cyber tools, targets, techniques and capabilities.
    • The SVR is Russia’s civilian foreign intelligence service. The group uses a variety of tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, healthcare and energy targets globally for intelligence gain. The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours.
    • The NCSC, NSA, CISA and CSE previously issued a joint report regarding the group’s targeting of organisations involved in COVID-19 vaccine development throughout 2020 using WellMess and WellMail malware.
    • SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
  • The United States Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published Bug Bytes, “the second graphic novel in CISA’s Resilience Series, communicates the dangers and risks associated with threat actors using social media and other communication platforms to spread mis-, dis-, and malinformation (MDM) for the sole purpose of planting doubt in the minds of targeted audiences to steer their opinion.”
  • The Government Accountability Office (GAO) assessed the National Nuclear Security Administration’s (NNSA) $600 million acquisition of high-performance computing (HPC) “to analyze and predict the performance, safety, and reliability of nuclear weapons and to help certify their functionality in the absence of nuclear testing.” The GAO concluded:
    • For over two decades, the Advanced Simulation and Computing (ASC) program has played a key role in supporting NNSA’s Stockpile Stewardship Program by developing modeling and simulation capabilities and deploying HPC systems to analyze and predict the performance, safety, and reliability of nuclear weapons and help certify their functionality in the absence of nuclear testing. To support the Stockpile Stewardship Program, the ASC program has developed some of the world’s most powerful computers. The most recent computing system acquisition, El Capitan, is estimated to cost $600 million—more than NNSA’s three predecessor systems combined. Because of the importance and cost, it is imperative that NNSA follow best practices for HPC acquisition wherever practicable.
    • The ASC program conducted the El Capitan analysis of alternatives (AOA) process largely as a pro forma activity to meet management requirements because officials believed the only viable alternative was the acquisition of an HPC system. In doing so, they did not follow agency policy and guidance that state that AOA processes should be consistent with GAO best practices where possible and, if these practices cannot be followed, deviations must be justified and documented. In the future, the ASC program is likely to acquire additional HPC systems to meet the need to assess the performance of current and future weapons systems against the growing capabilities of adversaries to use advanced defensive systems. Without taking steps to ensure that the ASC program follows GAO best practices for its AOA processes, where possible, and justifies and documents any deviations, the ASC program cannot be assured that the AOA processes are high quality and reliable and that the chosen alternatives meet mission needs and are the best solutions to support the modeling and simulation of nuclear weapons in the absence of nuclear testing.
    • In addition, El Capitan’s AOA process was conducted by Livermore, the contractor managing and executing the El Capitan system, as well as managing and operating the site where the system will be installed. This runs counter to Defense Programs policy and guidance that AOAs must be conducted independently of the contracting organization responsible for managing or executing the program, and of any party that will benefit from the execution of the program, to avoid conflicts of interest and potential bias. By ensuring that ASC HPC acquisition programs’ AOA processes are performed by an independent entity, the agency can reduce the risk of conflicts of interest and potential biases that may lead to decisions that are not in the agency’s best interest.
    • In carrying out the El Capitan acquisition program, NNSA has fully implemented all five selected key practices related to program monitoring and control. However, NNSA has only partially implemented key practices related to managing changes, maintaining traceability, and ensuring that program plans remain aligned to requirements. Until NNSA officials update and maintain program documents to include current El Capitan requirements and clearly document the relationship between El Capitan’s mission requirements and functional requirements, agency officials may be limited in their ability to ensure that all mission requirements are met in the final system.
    • The GAO made three recommendations:
      • The Administrator of NNSA should take steps to ensure that, for future HPC acquisitions, the ASC program follows GAO best practices for AOA processes, where possible, and justifies and documents any deviations, as required by agency policy. (Recommendation 1)
      • The Administrator of NNSA should ensure that the ASC program’s future AOA processes are performed by an entity independent of the contractor organization managing and executing the program. (Recommendation 2)
      • The Administrator of NNSA should update and maintain its acquisition program documents to include current El Capitan requirements and clearly document the relationship between El Capitan’s mission and functional requirements. (Recommendation 3)

Further Reading

  • “What the Big Tech hearings really accomplished” By Margaret Harding McGill, Ashley Gold — Axios. It’s easy to dismiss the Big Tech hearings as political spectacles with no concrete results. But even without new laws, company behavior has evolved under the heat of the spotlight.
  • “Epic v. Apple: Everything you need to know about the biggest trial in tech” By Nick Statt, Ben Brody, and David Pierce — Protocol. On Monday, Apple and Epic Games will meet in court to decide one of the most consequential antitrust arguments in the history of the tech industry. The trial has been nearly a year in the making, following Apple’s removal of Fortnite from the App Store in August 2020. It’s arguably the biggest courtroom showdown Apple has engaged in since its smartphone patent war with Samsung nearly a decade ago.
  • “Homeland Security Secretary Backs Call for Mandatory Disclosure of Ransomware Payments” By Mariam Baksh — Nextgov. The Department of Homeland Security will work with a private-sector think tank to implement a report of recommendations for slowing the scourge of ransomware, including one that would require victims to report when they give in and make a payment, according to DHS Secretary Alejandro Mayorkas.
  • “What I Learned on My Quest to Fix America’s Social Media Problem” By L. Gordon Crovitz — Politico. One of the humbling experiences of starting a company in a new industry is that sometimes you don’t know the industry you’re in. In the case of NewsGuard, which I co-founded with fellow journalism veteran Steven Brill three years ago to help people protect themselves from the misinformation being fed them on the digital platforms, it took a group of Stanford academics to tell us what we were doing.
  • “Apple’s New Software Update Will Let You Opt Out Of Being Tracked For Ads” By Pranav Dixit — BuzzFeed News. Last week, Apple announced brand-new hardware — souped-up iPad Pros, revamped iMacs, a new Apple TV, and AirTags. Today, it dropped iOS 14.5, a new software update for your iPhone and iPad. To get the new update, head on over to Settings, then General, and tap Software Update on your iPhone or iPad.
  • “Your Smartphone Should Be Built to Last” By Damon Beres — The New York Times. Years from now, what creature will digest the new iPads and AirTags that Apple announced on Tuesday? What soil will absorb their metals? The shiny gadgets of today will be waste tomorrow. As you eye that upgraded tablet, consider that Apple shipped so many new iPads last year that if they were all laid flat and stacked, they would be about as tall as 862 Empire State Buildings. Then think about whatever old iPad of yours is languishing now in some unknown place. Manufacturers don’t talk much about this turnover when they announce the big new thing that will replace your mostly just as good old thing. This is all by design. There’s a term for it: planned obsolescence, or designing a product with an intentionally limited life span. Ever try to get your TV repaired?
  • “The Postal Service is running a ‘covert operations program’ that monitors Americans’ social media posts” By Jana Winter — yahoo! news. The law enforcement arm of the U.S. Postal Service has been quietly running a program that tracks and collects Americans’ social media posts, including those about planned protests, according to a document obtained by Yahoo News. The details of the surveillance effort, known as iCOP, or Internet Covert Operations Program, have not previously been made public. The work involves having analysts trawl through social media sites to look for what the document describes as “inflammatory” postings and then sharing that information across government agencies.
  • “Basecamp implodes as employees flee company, including senior staff” By Kim Lyons — The Verge. After a controversial blog post in which CEO Jason Fried outlined Basecamp’s new philosophy that prohibited, among other things, “societal and political discussions” on internal forums, company co-founder David Heinemeier Hansson said the company would offer generous severance packages to anyone who disagreed with the new stance. On Friday, it appears a large number of Basecamp employees are taking Hansson up on his offer: according to The Verge contributing editor Casey Newton’s sources, roughly a third of the company’s 57 employees accepted buyouts today. As of Friday afternoon, 18 people had tweeted they were planning to leave.
  • “U.S. banks deploy AI to monitor customers, workers amid tech backlash” By Paresh Dave and Jeffrey Dastin — Reuters. Several U.S. banks have started deploying camera software that can analyze customer preferences, monitor workers and spot people sleeping near ATMs, even as they remain wary about possible backlash over increased surveillance, more than a dozen banking and technology sources told Reuters.
  • “Report: China, Russia fueling QAnon conspiracy theories” By Michael Isikoff — yahoo! news. Foreign-based actors, principally in China and Russia, are spreading online disinformation rooted in QAnon conspiracy theories, fueling a movement that has become a mounting domestic terrorism threat, according to new analysis of online propaganda by a security firm.
  • “The Incredible Rise of North Korea’s Hacking Army” By Ed Caesar — The New Yorker. Shimomura was a member of the Yamaguchi-gumi, the largest yakuza crime family in Japan. When one of his superiors asked him if he wanted to make a pile of fast money, he naturally said yes. It was May 14, 2016, and Shimomura was living in the city of Nagoya. Thirty-two years old and skinny, with expressive eyes, he took pride in his appearance, often wearing a suit and mirror-shined loafers. But he was a minor figure in the organization: a collector of debts, a performer of odd jobs.
  • “Microsoft’s app store changes crank up the Apple pressure” By Tom Warren — The Verge. Microsoft shook up the PC gaming industry this week with the announcement that it was cutting the fee it takes from game sales on the Windows store. On the surface, it’s a welcome move, with Microsoft matching the 12 percent cut that Epic Games takes, and putting more pressure on Valve, which still takes a 30 percent cut on most Steam purchases. But the cut is also a tactical move: Microsoft wants to help pressure Apple, and this week’s changes could play a role in the bigger app store battles kicking off next week.

Coming Events

  • On 11 May, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Prevention, Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds.”
  • On 12 May, the Senate Commerce, Science, and Transportation Committee will hold a markup to consider the following matters among others:
    • Nomination of Lina M. Khan, of New York, to be Commissioner of the Federal Trade Commission
    • Nomination of Leslie B. Kiernan, of Maryland, to be General Counsel of the Department of Commerce
    • S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN)
  • On 14 May, the House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a hearing titled “Operations in Cyberspace and building Cyber Capabilities Across the Department of Defense.”
  • On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
    • Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
    • Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.