Other Developments, Further Reading, and Coming Events (24 May 2021)

Subscribe to my newsletter, The Wavelength, if you want updates on global technology developments four times a week.

Other Developments

  • In an overwhelming vote, the European Parliament urged the European Commission (EC) to craft “clear” transfer guidelines under the next adequacy decision allowing for the transfer of personal data to the United States (U.S.) in a resolution. In its press release, the Parliament asserted:
    • In a resolution adopted with 541 in favour, 1 against and 151 abstaining, the European Parliament urges the Commission to issue guidelines on making data transfers compliant with recent EU Court of Justice rulings. The court considered US data transfers to be inconsistent with the General Data Protection Regulation (GDPR), notably because US authorities may access personal data in bulk.
    • MEPs stress the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings and ensuring full GDPR compliance. Data storage capabilities must be developed within Europe, MEPs point out, to achieve true autonomy in data management.
    • MEPs welcome the EDPB’s guidelines (e.g. its recommendations for data transfers and a Joint Opinion with the European Data Protection Supervisor on the issue) for safeguards related to third country data transfers and call on the Commission to fully integrate these in its proposals, alongside relevant EU court judgments. In the end, businesses and individuals should have at their disposal a toolbox of measures to bring protection up to the level required by the GDPR.
  • The United States (U.S.) Department of Defense (DOD) published a memorandum “Creating Data Advantage.” The DOD declared “[d]ata is a strategic asset” and stated “[t]ransforming the DOD to a data-centric organization is critical to improving performance and creating decision advantage at all echelons from the battlespace to the board room, ensuring U.S. competitive advantage.” The DOD stated “[t]o accelerate the Department’s efforts, leaders must ensure all DOD data is visible, accessible, understandable, linked, trustworthy, interoperable, and secure.” The DOD said “[t]o generate the transformative proficiency and efficiency gains across the DOD Data Strategy’s focus areas of Joint All Domain Operations, Senior Leader Decision Support, and Executive Analytics, the Department will apply the following five ‘DOD Data Decrees’:
    • 1. Maximize data sharing and rights for data use: all DOD data is an enterprise resource.
    • 2. Publish data assets in the DOD federated data catalog along with common interface specifications.
    • 3. Use automated data interfaces that are externally accessible and machine-readable; ensure interfaces use industry-standard, non-proprietary, preferably open-source, technologies, protocols, and payloads.
    • 4. Store data in a manner that is platform and environment-agnostic, uncoupled from hardware or software dependencies.
    • 5. Implement industry best practices for secure authentication, access management, encryption, monitoring, and protection of data at rest, in transit, and in use.
  • The General Services Administration (GSA) “is asking for industry feedback through the release of a Request for Information (RFI)…[that] will detail GSA’s acquisition strategy to deliver a multiple-award blanket purchase agreement (BPA) for commercial Software-As-A-Service (SaaS), Platform-As-A-Service (PaaS), and Infrastructure-As-A-Service (IaaS) on a pay-as-you-go basis.” GSA stated “[a]nything-As-A-Service (XaaS) offerings may be considered, as new innovations are developed in future procurement offerings.” GSA also made available a draft Market Research Cloud Strategy and a Market Research Notice.
  • The Government Accountability Office (GAO) published a report the Senate Armed Services Committee requested titled “Defense Navigation Capabilities: DOD is Developing Positioning, Navigation, and Timing Technologies to Complement GPS.” The GAO stated:
    • The Department of Defense (DOD) plans to keep the Global Positioning System (GPS) at the core of its positioning, navigation, and timing (PNT) solution, using other PNT technology to complement GPS or as an alternative for when GPS is degraded or unavailable. DOD’s alternative PNT science and technology portfolio explores two approaches: improved sensors to provide relative PNT information, and external sources to provide absolute positioning and navigation. Relative PNT technologies include inertial sensors and clocks to allow a platform to track its position and keep track of time without an external signal like GPS. However, relative PNT technologies require another PNT technology to correct errors that can accumulate with such systems. Absolute PNT technologies allow a platform to use external sources of information to determine its position but rely on the availability of those external sources. Absolute PNT technologies include celestial and magnetic navigation as well as the use of very low radiofrequencies or low Earth orbit satellites to transmit information.
    • The GAO offered the following suggestions:
      • Increase Collaboration. Policymakers could consider mechanisms to coordinate across DOD to clarify responsibilities and authorities in prioritizing the need for alternative PNT technologies.
      • Focus on Resiliency. Policymakers could consider selecting the most resilient technologies as the cornerstone of the PNT suite for military missions, rather than defaulting to GPS.
      • Clarify Requirements. Policymakers could consider opportunities for DOD to clarify what level of PNT performance is actually needed for missions, rather than defaulting to requirements that match GPS performance.
      • Coordinate with Industry. Policymakers could consider ensuring that DOD and commercial industry coordinate so industry is prepared to meet DOD’s needs, and DOD can leverage industry advances.
      • Institutionalize Open Architecture. Policymakers could consider making the open architecture initiative more permanent, including providing funding.
      • Analyze Vulnerabilities. Policymakers could consider having DOD conduct ongoing analysis of vulnerabilities of different PNT systems.
  • Representative Lori Trahan (D-MA), Senator Ed Markey (D-MA), Representative Kathy Castor (D-FL), and Senator Richard Blumenthal (D-CT) issued a statement “calling on Facebook to abandon its plans to develop a version of Instagram for children after the company failed to make meaningful commitments to protecting kids online in a recent response to the lawmakers’ query.” They stated:
    • Facebook has a clear record of failing to protect children on its platforms. In its response to our recent letter, the company refused to make meaningful commitments about how it will ensure that its proposed Instagram Kids app does not harm young users’ mental health and threaten their privacy. When it comes to putting people before profits, Facebook has forfeited the benefit of the doubt, and we strongly urge Facebook to abandon its plans to launch a version of Instagram for kids.
  • The National Institute of Standards and Technology (NIST) posted a solicitation for a contractor “to collect, assess, compile, and make recommendations on information that will be received in response to a Federal Register Request for Information (RFI).” NIST explained that “[t]he RFI will seek information on the policies of the People’s Republic of China and coordination among industrial entities within the People’s Republic of China on international bodies engaged in developing and setting international standards for emerging technologies.” NIST added “[a] firm fixed price purchase order with a one year period of performance is anticipated for the Contractor to perform a qualitative review of information, compile the information into a comprehensive report and incorporate derived conclusions and recommendations regarding the following:
    • The role of the People’s Republic of China in international standards setting organizations over the previous 10 years, including leadership roles in standards drafting technical committees, and the quality or value of that participation;
    • The effect of the standardization strategy of the People’s Republic of China, as identified in the ‘‘Chinese Standard 2035’’, on international bodies engaged in developing and setting standards for select emerging technologies, such as advanced communication technologies or cloud computing and cloud services;
    • An examination of whether international standards for select emerging technologies are being designed to promote interests of the People’s Republic of China that are expressed in the ‘‘Made in China 2025’’ plan to the exclusion of other participants;
    • An examination of how the previous practices that the People’s Republic of China has used, while participating in international standards setting organizations, may foretell how the People’s Republic of China is likely to engage in international standardization activities of critical technologies like artificial intelligence and quantum information science, and what may be the consequences; and/or
    • Recommendations on how the United States can take steps to mitigate the influence of the People’s Republic of China and bolster United States public and private sector participation in international standards-setting bodies.
  • Verizon released its 2021 Data Breach Investigations Report (DBIR) and explained:
    • This year we analyzed 79,635 incidents, of which 29,207 met our quality standards and 5,258 were confirmed data breaches, sampled from 88 countries around the world. Once again, we include breakouts for 11 of the main industries, the SMB section, and we revisit the various geographic regions studied in the prior report to see how they fared over the last year. We also include our Center for Internet Security (CIS) Controls® recommendation mapping, because the world being unpredictable and uncertain doesn’t mean your security strategy has to be.
  • The Federal Trade Commission (FTC) explained that “[r]eports to the FTC’s Consumer Sentinel suggest scammers are cashing in on the buzz around cryptocurrency and luring people into bogus investment opportunities in record numbers.” The FTC stated:
    • Since October 2020, reports have skyrocketed, with nearly 7,000 people reporting losses of more than $80 million on these scams. Their reported median loss? $1,900. Compared to the same period a year earlier, that’s about twelve times the number of reports and nearly 1,000% more in reported losses.
  • The United States (U.S.) Department of Defense (DOD) extended the duration of its directive-type memorandum “Interim Policy and Guidance for Defense Support to Cyber Incident Response.” The DOD explained the document “[p]rovides supplementary policy guidance, assigns responsibilities, and details procedures for providing Defense Support to Cyber Incident Response (DSCIR).”
  • The Microsoft Security Response Center announced:
    • Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash.
    • These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.
    • The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.
  • The RAND Corporation published a report titled “Detecting Conspiracy Theories on Social Media: Improving Machine Learning to Detect and Understand Online Conspiracy Theories.” RAND explained:
    • Conspiracy theories circulated online via social media contribute to a shift in public discourse away from facts and analysis and can contribute to direct public harm. Social media platforms face a difficult technical and policy challenge in trying to mitigate harm from online conspiracy theory language. As part of Google’s Jigsaw unit’s effort to confront emerging threats and incubate new technology to help create a safer world, RAND researchers conducted a modeling effort to improve machine-learning (ML) technology for detecting conspiracy theory language. They developed a hybrid model using linguistic and rhetorical theory to boost performance. They also aimed to synthesize existing research on conspiracy theories using new insight from this improved modeling effort. This report describes the results of that effort and offers recommendations to counter the effects of conspiracy theories that are spread online.
    • Key Findings
      • The hybrid ML model improved conspiracy topic detection.
      • The hybrid ML model dramatically improved on either single model’s ability to detect conspiratorial language.
      • Hybrid models likely have broad application to detecting any kind of harmful speech, not just that related to conspiracy theories.
      • Some conspiracy theories, though harmful, rhetorically invoke legitimate social goods, such as health and safety.
      • Some conspiracy theories rhetorically function by creating hate-based “us versus them” social oppositions.
      • Direct contradiction or mockery is unlikely to change conspiracy theory adherence.
    • Recommendations
      • Engage transparently and empathetically with conspiracists.
      • Correct conspiracy-related false news.
      • Engage with moderate members of conspiracy groups.
      • Address fears and existential threats.

Further Reading

  • “White House, Republicans remain far apart on infrastructure” By Jessica Wehrman — Roll Call. The White House on Friday lowered its original $2.2 trillion infrastructure proposal by roughly $500 billion, calling it an effort to attract bipartisan support. Republican lawmakers said the parties remain far apart.
  • “How Apple screwed Facebook” By Margaret Taylor — WIRED. It is not unusual for the bosses of Apple and Facebook to be at loggerheads with each other over privacy. Back in 2018 Facebook chief executive Mark Zuckerberg accused his Apple counterpart Tim Cook of being “extremely glib” for making scathing remarks about Facebook’s involvement in the Cambridge Analytica scandal. Weeks later Apple introduced privacy controls that hampered Facebook’s ability to collect user data via Apple devices.
  • “German Intelligence Puts Coronavirus Deniers Under Surveillance” By Christopher F. Schuetze — The New York Times. Germany’s domestic intelligence service said on Wednesday that it would surveil members of the increasingly aggressive coronavirus denier movement because they posed a risk of undermining the state.
  • “China Warns Large Tech Firms as Industry Faces Rising Oversight” By Lingling Wei and Stephanie Yang — The New York Times. China is reining in the ability of the country’s internet giants to use big data for lending, money-management and similar businesses, ending an era of rapid growth that authorities said posed dangers for the financial system.
  • “RCMP Secret Facial Recognition Tool Looked for Matches with 700,000 ‘Terrorists’” By Bryan Carney — The Tyee. RCMP units in British Columbia broke the force’s own rules when they secretly subscribed to a facial recognition service that claims to help identify terrorists, documents newly obtained by The Tyee show.
  • “Delivery Drivers Are Using Grey Market Apps to Make Their Jobs Suck Less” By Rida Qadri — Vice. The McDonald’s on Jalan Salemba Raya, Jakarta’s crowded main thoroughfare, is a magnet for food delivery orders. On any given day, a dozen or so app-based delivery drivers—locally called ojol—wait in the parking lot. Inch by inch, they try to move as close as they can to the center of the lot, desperate to have the matching algorithms recognize their proximity and assign them an order.
  • “Oracle VP Ken Glueck Suspended by Twitter for Doxing an Intercept Reporter” By Shoshana Wodinsky — Gizmodo. A tweet from Oracle Executive VP Ken Glueck goading his followers into harassing a female reporter was found to violate Twitter’s policies, the company told Gizmodo on Wednesday. Glueck, who’s previously made headlines as one of the top lobbyists under Oracle, was forced to take down the tweet and have his account suspended in a read-only mode for the next 12 hours, a Twitter spokesperson said.
  • “Progressive Lawmakers Praise Biden’s Plan for Cybersecurity Labels” By Mariam Baksh — Nextgov. Sen. Ed Markey, D-Mass, and Rep. Ted Lieu, D-Calif., were pleased to see flashes of legislation they’ve proposed—the Cyber Shield Act—in an executive order the Biden administration released to address widespread hacking campaigns that affected federal agencies and private-sector organizations.
  • “German Authorities Break Up International Child Sex Abuse Site” By Melissa Eddy — The New York Times. German prosecutors have broken up an online platform for sharing images and videos showing the sexual abuse of children, mostly boys, that had an international following of more than 400,000 members, they said on Monday. The site, named “Boystown,” had been around since at least June 2019 and included forums where members from around the globe exchanged images and videos showing children, including toddlers, being sexually abused. In addition to the forums, the site had chat rooms where members could connect with one another in various languages.
  • “Belgium’s government network goes down after massive DDoS attack” By Catalin Cimpanu — The Record. Most of the Belgium government’s IT network has been down today after a massive distributed denial of service (DDoS) attack knocked offline both internal systems and public-facing websites. The attack targeted Belnet, a government-funded ISP that provides internet connectivity for Belgian government organizations, such as its Parliament, educational institutes, ministries, and research centers.

Coming Events

  • On 25 May, the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint hearing titled “SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains” with these witnesses:
    • Mr. Matthew Scholl, Chief, Computer Security Division of the Information Technology Laboratory, National Institute of Standards and Technology (NIST)
    • Dr. Trey Herr, Director, Cyber Statecraft Initiative, Atlantic Council
    • Ms. Katie Moussouris, Founder and CEO, Luta Security
    • Mr. Vijay D’Souza, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO)
  • The Senate Appropriations Committee’s Commerce, Justice, Science Subcommittee will hold a hearing on the Department of Commerce’s FY 2022 budget request on 26 May.
  • On 26 May, the Senate Appropriations Committee’s Homeland Security Subcommittee will hold a hearing on the Department of Homeland Security’s FY 2022 budget request.
  • The House Financial Services Committee’s Oversight and Investigations Subcommittee will hold a 27 May hearing titled “Consumer Credit Reporting: Assessing Accuracy and Compliance” with these witnesses:
    • Ms. Sandy Anderson, Senior Vice President, Strategy and Operations, Experian Credit Services
  • On 27 May, the House Judiciary Committee’s Courts, Intellectual Property, and the Internet Subcommittee will hold a hearing titled “The SHOP SAFE Act: Stemming the Rising Tide of Unsafe Counterfeit Products Online.”
  • On 27 May, the House Science, Space, and Technology Committee will hold a hearing titled “Overview of the Science and Energy Research Enterprise of the U.S. Department of Energy” with Secretary of Energy Jennifer Granholm.
  • The House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will markup the bill to restore the Federal Trade Commission’s Section 13(b) powers, the “Consumer Protection and Recovery Act” (H.R.2668) on 27 May.
  • On 2-3 June, the National Institute of Standards and Technology (NIST) will hold a virtual workshop “to enhance the security of the software supply chain and to fulfill the President’s Executive Order (EO) on improving the Nation’s Cybersecurity, issued on May 12, 2021.”
  • On 9 June, the House Homeland Security Committee will hold a hearing on the Colonial Pipeline ransomware attack with the company’s CEO.
  • On 17 June the Senate Appropriations Committee will hold a hearing on the Department of Defense’s FY 2022 budget request.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.