Other Developments, Further Reading, and Coming Events (11 May 2021)

First, subscribe to my newsletter, The Wavelength, if you want all the content on my blog delivered to your inbox four times a week.

Other Developments

  • The Federal Communications Commission (FCC) “unanimously adopted final rules to implement the Emergency Connectivity Fund Program.” The FCC stated “[t]his $7.17 billion program, funded by the American Rescue Plan Act of 2021, will enable schools and libraries to purchase laptop and tablet computers, Wi-Fi hotspots, and broadband connectivity for students, school staff, and library patrons in need during the COVID-19 pandemic.” Acting FCC Chair Jessica Rosenworcel explained that her draft Report and Order would:
    • Establish the necessary rules and policies governing the Emergency Connectivity Fund Program.
    • Set performance goals and metrics to measure the Commission’s and Universal Service Administrative Company’s (USAC) success in efficiently and effectively administering the Emergency Connectivity Fund Program.
    • Adopt rules for eligible equipment and services; service locations; eligible uses; and reasonable support amounts for funding provided through the Emergency Connectivity Fund Program.
    • Streamline and simplify the processes eligible schools and libraries use to apply for and receive reimbursements through the Emergency Connectivity Fund Program.
    • Designate USAC as the administrator of the Emergency Connectivity Fund Program.
    • Adopt procedures to protect the limited funding from waste, fraud, and abuse, including: asset and service inventories; document retention requirements; prohibition on gifts; certifications, including compliance with the Children’s Internet Protection Act; audits; and treatment of equipment after the emergency period.
    • Delegate authority to oversee and administer the Fund to the Office of the Managing Director and the Wireline Competition Bureau.
  • Senator Jerry Moran (R-KS) has reintroduced his data privacy bill, the “Consumer Data Privacy and Security Act,” that is identical to his bill from the last Congress of the same name (S.3456) (see here for more detail and analysis.) Moran asserted his bill would:
    • Establish a clear federal standard for data privacy protection, giving businesses a uniform standard rather than a patchwork of confusing state laws.
    • Provide consumers with control over their own data to access, correct and erase their personal data.
    • Require businesses that collect and process a significant amount of personal data to take extra precautionary steps to protect and responsibly process that data.
    • Prohibit companies from collecting data without consumers’ consent with limited and specific exceptions.
    • Require businesses to develop and implement robust data security programs to protect personal data from unauthorized access and disclosure.
    • Equip the Federal Trade Commission (FTC) and state attorneys general with authority to uniformly enforce federal consumer privacy protections while providing the FTC the resources necessary to carry out those authorities.
  • The United Kingdom’s (UK) National Cyber Security Centre (NCSC) published a new set of security principles “to help all UK authorities secure smart cities and their underlying infrastructure.” The NCSC stated:
    • Connected places – which include smart cities and connected rural environments – use networked technology like Internet of Things (IoT) devices and sensors to improve the efficiency of services and therefore the quality of citizens’ lives.
    • Examples of smart city technology include the use of sensors to monitor pollution levels to reduce emissions, parking sensors to offer real-time information on space availability and traffic lights configured to cut congestion. This technology can help councils work towards net zero carbon, deliver a more sustainable environment and improve service efficiency.
    • While smart cities offer significant benefits to citizens, they are also potential targets for cyber attacks due to the critical functions they provide and sensitive data they process, often in large volumes. The compromise of a single system in a smart city could potentially have a negative impact across the network, if badly designed.
    • The publication of ‘Connected Places Cyber Security Principles’ is intended to mitigate these risks by helping CISOs, cyber security architects and other relevant personnel consider the high level security requirements and principles that should govern smart cities in the UK.
  • The Federal Trade Commission (FTC) published a blog post on whether “the typical corporate Board of Directors giving data security the attention it deserves.” The FTC advised:
    • Contrary to popular belief, data security begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration. While there’s no one-size-fits-all formula, here are strategies some companies have implemented to make security a priority.
    • Build a team of stakeholders from across your organization. Despite a 2018 study that found that 89% of CEOs treat cybersecurity as an IT function, experience suggests that cyber risk management is a “whole business” issue. A sound data security program should incorporate stakeholders from business, legal, and technology departments across the company – both high-level executives and operational experts. Of course, many committees include the Chief Information Officers and the Chief Information Security Officer, but other companies promote practical synergies by also including executives who bring a different perspective to the issues – for example, the CEO, CFO, or General Counsel. A broad and diverse range of voices can provide the board with cross-cutting information about cyber risks and solutions.
    • Establish board-level oversight. Some corporate boards delegate their cyber risk oversight duties to an audit committee. Others have a stand-alone cybersecurity committee at the board level. Irrespective of how an organization structures its cyber risk oversight duties, the key takeaway is that cyber risks should be a priority within the board room. Board-level oversight helps to ensure that cybersecurity threats, defenses, and responses have the attention of those at upper echelons and get the resources needed to do the job right.
    • Hold regular security briefings. When it comes to security, board members need to be in the know, but research suggests many of them are out of the loop. A 2012 survey found that fewer than 40% of corporate boards regularly received reports about privacy and security risks and 26% rarely or never got that information. According to another study, only 12% of boards frequently received cyber threat briefings. A survey of public companies conducted six years later in 2018 didn’t suggest much progress. Only 37% of board members said they felt “confident” or “very confident” that their company was properly secured against cyberattack. Of course, cybersecurity isn’t a one-and-done proposition. It’s a dynamic process that requires board members to be informed, engaged, and updated. Regular briefings prepare boards to carry out their oversight responsibility, navigate the security landscape, and prioritize threats to the company.
  • The ranking member of the Senate Energy and Natural Resources Committee reintroduced the “Protecting Resources On The Electric grid with Cybersecurity Technology (PROTECT) Act” (S.1400), “which enhances electric grid security by incentivizing electric utilities to make cybersecurity investments…[and] also establishes a Department of Energy (DOE) grant and technical assistance program to deploy advanced cybersecurity technology for utilities that are not regulated by the Federal Energy Regulatory Commission (FERC).” Senator Lisa Murkowski (R-AK) was joined by Senate Energy and Natural Resources Committee Chair Joe Manchin (D-WV), and Senators James Risch (R-ID), Angus King (I-ME), and Jacky Rosen (D-NV).
  • The National Institute of Standards and Technology (NIST) “is inviting comments on a major revision to Cyber Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161).” NIST stated:
    • The updates are designed to better help organizations identify, assess, and respond to cyber supply chain risks while still aligning with other fundamental NIST cybersecurity risk management guidance.
    • The revision to this foundational NIST publication represents a 1-year effort to incorporate next generation cyber supply chain risk management (C-SCRM) controls, strategies, policies, plans, and risk assessments into broader enterprise risk management activities by applying a multi-level approach. The changes focus on making implementation guidance more modular and consumable for acquirers, suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers. Additionally, the references have been updated and expanded.
  • New Zealand’s Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has issued a “new resource Supply Chain Cyber Security: In Safe Hands,” “the third release in a guidance series based on analysis of 250 New Zealand organisations’ cyber security resilience.” The NCSC “produced this guidance for business leaders and cyber security professionals to better understand and manage the cyber risks in supply chains.” The NCSC stated:
    • This guidance is designed for both government and non-government organisations of varying sizes and capabilities. It is not a complete framework, but provides an introduction to understanding and managing supply chain cyber risk. This guide accompanies the NCSC’s Charting Your Course series of publications on Cyber Security Governance1 and Incident Management.
  • The Payment Card Industry Security Standards Council (PCI SSC) “published version 1.1 of the PCI Secure Software Standard and its supporting program documentation…one of two standards that are part of the PCI Software Security Framework (SSF).” PCI SCC stated:
    • Vendors and assessors should download the current program documentation and reference v1.1 of the Program Guide when working with v1.1 of the Standard. The following documents can be found in the PCI SSC document library:
  • The Council of Europe adopted a declaration “on the need to protect children’s privacy in the digital environment.”  The Council said:
    • The Committee of Ministers reminded that while information and communication technologies (ICTs), in general, are an important tool in children’s lives with many benefits and opportunities, their use can at the same time generate risks. This is particularly true in the current context of COVID-19 pandemic which put children at a greater risk with due to the increased use of ICTs and also seriously impacted the full enjoyment of their human rights. Notably, the traceability of children’s activities in the digital environment may expose them to criminal activities, such as the solicitation of children for sexual purposes, sexual extortion, child sexual exploitation (including exploitation of sexually explicit content generated by children), or otherwise illegal or harmful activities, such as discrimination, bullying, stalking and other forms of harassment.
    • Personal data can be used to the benefit, but also to the detriment of the child, and at present the understanding of the impact of processing biometric data, digital tracking and surveillance, automated decision-making and profiling is still limited. The increasing reliance on systems based on artificial intelligence (AI) can bring both challenges and opportunities for children’s full enjoyment of human rights, the Committee of Ministers noted, underlining the fundamental importance of achieving a high level of digital literacy among children, as well as among parents, in addressing these challenges.
    • The Committee of Ministers called on the member States of the Council of Europe, inter alia, to ratify and implement Convention 108+ (the modernised Convention for the Protection of Individuals with regard to Processing of Personal Data), to step up efforts to promote the rights of the child in the digital environment as one of the key priorities of the Council Europe’s Strategy for the Rights of the Child, including children’s data protection in an education setting, as well as to develop and promote critical digital literacy, youth empowerment initiatives and parenting skills. Besides, states should co-operate to jointly address the risks posed by the development of AI systems and take any further measures to ensure that the sharing of, access to and use of children’s data are undertaken in accordance with the child’s best interests.
  • The National Institute of Standards and Technology (NIST) is planning on updating NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (“Resource Guide”). NIST explained:
    • The list of topics in the call for comments covers the major areas in which NIST is considering updates, including improvements to the guide and awareness, applications, and uses for the guide. NIST is seeking stakeholder input on the purpose of the Resource Guide to educate readers about information security terms used in the HIPAA Security Rule, amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule, amplify awareness of non-NIST resources relevant to the HIPAA Security Rule, and provide detailed implementation guidance for covered entities and business associates.

Further Reading

  • Verizon to Sell Yahoo, AOL for $5 Billion to Apollo” By Miriam Gottfried and Drew FitzGerald — The Wall Street Journal. Apollo Global Management Inc. APO -1.01% agreed to pay about $5 billion to acquire Yahoo and AOL from Verizon Communications Inc. VZ 1.36% as the wireless company exits its ill-fated foray into the media business. The private-equity firm is paying $4.25 billion in cash for a 90% share of the media assets. Verizon VZ 1.36% will keep a 10% stake and $750 million of additional preferred stock in the new company, called Yahoo, that will be formed to operate the business.
  • Why Verizon sold AOL and Yahoo for about 1% of their peak valuation” By Sara Fischer and Dan Primack — Axios. The upcoming sale of Yahoo and AOL to a private equity firm for $5 billion represents a massive media markdown. By the numbers: At their dotcom bubble peaks, Yahoo and AOL were valued at more than $125 billion and $200 billion, respectively, or $193 billion and $318 billion in 2021 dollars. Yahoo twice turned down offers to buy Google at a fraction of its cost today. AOL held conversations with Facebook and YouTube in 2006, but ultimately failed to buy either company. The combined value of both companies is now 187 times less than Facebook’s market cap and 318 times less than Google’s.
  • Ransomware Targeted by New Justice Department Task Force” By Dustin Volz — The Wall Street Journal. The Justice Department has formed a task force to curtail the proliferation of ransomware cyberattacks, in a bid to make the popular extortion schemes less lucrative by targeting the entire digital ecosystem that supports them. In an internal memorandum issued this week, Acting Deputy Attorney General John Carlin said ransomware poses not just an economic threat to businesses but “jeopardizes the safety and health of Americans.”
  • How A Chinese Surveillance Broker Became Oracle’s “Partner Of The Year” By Mara Hvistendahl — The Intercept. Banners printed for the occasion read, “Build a new type of strategic partnership.” Artfully made cutouts of the two companies’ logos adorned the stage. And the frosting on the massive sheet cake curled into a red “20,” to celebrate two decades of cooperation between Oracle and one of its most important Chinese resellers.
  • A leaked Walmart memo highlights the daunting challenges facing the world’s largest retailer” By Jason Del Rey — recode. Walmart is still the world’s largest retailer, but a recent company memo highlights its struggles to overcome competitors like Amazon, Instacart, and Target. The document also hints at challenges the company’s new subscription service Walmart+ is facing in retaining new members.
  • Australia’s move to scrap Victoria-China Belt and Road agreement goes viral on Weibo” By Wing Kuang, Jason Fang and Hannah Jose — ABC News. The federal government’s decision to dump Victoria’s Belt and Road (BRI) agreement has apparently struck a nerve in China — or at least in Beijing — with a hashtag on social media network Weibo getting more than 260 million views. 
  • Nations Need Ambassadors to Big Tech” By Alexis Wichowski — WIRED. We live in two worlds: We’re citizens of countries but also visitors of “ net states,” massive tech companies that wield global powers. Despite being both digital and physical creatures, we do a pretty good job sorting out how to navigate the two spaces. We follow laws according to where we park our physical selves, and we follow net state rules according to which sites and apps we log on to.
  • No, Russia and China Didn’t ‘Weaponize’ QAnon. It’s a Homegrown Nightmare.” By David Gilbert — Vice. A new report published this week makes the bombshell claim that the Russian and Chinese governments have helped fuel much of the QAnon activity we’ve seen over the last year. 
  • Research Uncovers New Command Servers Used in SolarWinds Campaign” By Kim Zetter — Zero Day. Researchers have uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known. The servers — which the hackers used to communicate with infected machines and send additional malware to them — may help point investigators to previously unidentified victims, according to researchers with RiskIQ’s Atlas Team, who are releasing the findings today.
  • Inside ‘Facebook Jail’: The Secret Rules That Put Users in the Doghouse” By Kirsten Grind — The Wall Street Journal. In Facebook Jail, many users are serving time for infractions they don’t understand. Colton Oakley was restricted after ranting about student debt. The recent graduate of the State University of New York at New Paltz posted that anyone who was mad about loan cancellation was “sad and selfish.” His sentence: three days without posting on Facebook. Alex Gendler, a freelance writer in Brooklyn, N.Y., got a similar ban after sharing a link to a story in Smithsonian magazine about tribal New Guinea. Nick Barksdale, a history teacher in Oklahoma, served 30 days recently after jokingly telling a friend “man, you’re spewing crazy now!” None of the three quite understand what they did wrong.

Coming Events

  • On 11 May, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Prevention, Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds.”
  • On 12 May, the Senate Commerce, Science, and Transportation Committee will hold a markup to consider the following matters among others:
    • Nomination of Lina M. Khan, of New York, to be Commissioner of the Federal Trade Commission
    • Nomination of Leslie B. Kiernan, of Maryland, to be General Counsel of the Department of Commerce
    • S.1260, Endless Frontier Act; Sponsors: Sens. Chuck Schumer (D-NY), Todd Young (R-IN)
  • On 14 May, the House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a hearing titled “Operations in Cyberspace and building Cyber Capabilities Across the Department of Defense.”
  • On 20 May, the Federal Communications Commission (FCC) will hold an open meeting with this tentative agenda:
    • Reducing Interstate Rates and Charges for Incarcerated People – The Commission will consider a Third Report and Order, Order on Reconsideration, and Fifth Notice of Proposed Rulemaking that, among other actions, will lower interstate rates and charges for the vast majority of incarcerated people, limit international rates for the first time, and seek comment on further reforms to the Commission’s calling services rules, including for incarcerated people with disabilities. (WC Docket No. 12-375)
    • Strengthening Support for Video Relay Service – The Commission will consider a Notice of Proposed Rulemaking and Order to set Telecommunications Relay Services (TRS) Fund compensation rates for video relay service (VRS). (CG Docket Nos. 03-123, 10-51)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Anton Maksimov juvnsky on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s