Other Developments, Further Reading, and Coming Events (22 June 2021)

Subscribe to my newsletter, The Wavelength, if you want updates on global technology developments four times a week.

Other Developments

  • House Judiciary Committee Antitrust, Commercial, and Administrative Law Subcommittee Chair David Cicilline (D-RI) and Ranking Member Ken Buck (R-CO) released five antitrust and competition bills as a result of the subcommittee’s investigation of competition in digital markets. They stated:
    • “A Stronger Online Economy: Opportunity, Innovation, Choice” consists of five bipartisan bills drafted by lawmakers on the Antitrust Subcommittee, which last year completed a 16-month investigation into the state of competition in the digital marketplace and the unregulated power wielded by Amazon, Apple, Facebook, and Google.
    • The “American Innovation and Choice Online Act” to prohibit discriminatory conduct by dominant platforms, including a ban on self-preferencing and picking winners and losers online. The bill is sponsored by Chairman Cicilline and co-sponsored by U.S. Rep. Lance Gooden (TX-05).
    • The “Platform Competition and Opportunity Act” prohibits acquisitions of competitive threats by dominant platforms, as well acquisitions that expand or entrench the market power of online platforms. The bill is sponsored by U.S. Rep. Hakeem Jeffries (NY-08) and co-sponsored by Ranking Member Buck.
    • The “Ending Platform Monopolies Act” eliminates the ability of dominant platforms to leverage their control over across multiple business lines to self-preference and disadvantage competitors in ways that undermine free and fair competition. The bill is sponsored by U.S. Rep. Pramila Jayapal (WA-07) and co-sponsored by U.S. Rep. Lance Gooden (TX-05).
    • The “Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act” promotes competition online by lowering barriers to entry and switching costs for businesses and consumers through interoperability and data portability requirements. This bill is sponsored by U.S. Rep. Mary Gay Scanlon (PA-05) and co-sponsored by U.S. Rep. Burgess Owens (UT-04).
    • The “Merger Filing Fee Modernization Act” updates filing fees for mergers for the first time in two decades to ensure that Department of Justice and Federal Trade Commission have the resources they need to aggressively enforce the antitrust laws. This bill is sponsored by U.S. Rep. Joe Neguse (CO-02) and co-sponsored by U.S. Rep. Victoria Spartz (IN-05).
  • The Court of Justice of the European Union (CJEU) ruled that non-lead supervisory authorities (LSA) may bring actions under the General Data Protection Regulation (GDPR), possibly clearing the way for more enforcement actions against companies with what critics characterize as law or lenient LSAs. This case arose when Belgium’s data protection authority sought to bring an action against Facebook for its alleged violations of the GDPR even though Ireland’s Data Protection Commission is the LSA in the ongoing Schrems I and II cases. In a press statement, the CJEU explained its decision:
    • In the first place, the Court specifies the conditions governing whether a national supervisory authority, which does not have the status of lead supervisory authority in relation to an instance of cross-border processing, must exercise its power to bring any alleged infringement of the GDPR before a court of a Member State and, where necessary, to initiate or engage in legal proceedings in order to ensure the application of that regulation. Thus, the GDPR must confer on that supervisory authority a competence to adopt a decision finding that that processing infringes the rules laid down by that regulation and, in addition, that power must be exercised with due regard to the cooperation and consistency procedures provided for by that regulation.
    • With respect to cross-border processing, the GDPR provides for the ‘one-stop shop’ mechanism, which is based on an allocation of competences between one ‘lead supervisory authority’ and the other national supervisory authorities concerned. That mechanism requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness. As a general rule, the GDPR guarantees in this respect the competence of the lead supervisory authority for the adoption of a decision finding that an instance of cross-border processing is an infringement of the rules laid down by that regulation, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception to the rule. However, in the exercise of its competences, the lead supervisory authority cannot eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned. Accordingly, in the context of that cooperation, the lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
    • The Court also adds that the fact that a supervisory authority of a Member State which is not the lead supervisory authority with respect to an instance of cross-border data processing may exercise the power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings only when that exercise complies with the rules on the allocation of competences between the lead supervisory authority and the other supervisory authorities is compatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, which guarantee data subjects the right to the protection of his or her personal data and the right to an effective remedy, respectively.
    • In the second place, the Court holds that, in the case of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings that the controller with respect to the cross-border processing of personal data to which that action relates has a main establishment or another establishment on the territory of that Member State. However, the exercise of that power must fall within the territorial scope of the GDPR, which presupposes that the controller or the processor with respect to the cross-border processing has an establishment in the European Union.
    • In the third place, the Court rules that, in the event of cross-border data processing, the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of the GDPR before a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.
    • However, the Court adds that the exercise of that power presupposes that the GDPR is applicable. In this instance, since the activities of the establishment of the Facebook group located in Belgium are inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the European Union, that processing is carried out ‘in the context of the activities of an establishment of the controller’ and, therefore, does fall within the scope of the GDPR.
    • In the fourth place, the Court holds that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’ brought, before the date of entry into force of the GDPR, legal proceedings concerning an instance of cross-border processing of personal data, that action may be continued, under EU law, on the basis of the provisions of the Data Protection Directive, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. In addition, that action may be brought by that authority with respect to infringements committed after the date of entry into force of the GDPR, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on that authority a competence to adopt a decision finding that the processing of data in question is in breach of the rules laid down by that regulation, and that the cooperation and consistency procedures provided for by the regulation are respected.
    • In the fifth place, the Court recognises the direct effect of the provision of the GDPR under which each Member State is to provide by law that its supervisory authority is to have the power to bring infringements of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings. Consequently, such an authority may rely on that provision in order to bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the Member State concerned.
  • Privacy and Civil Liberties Oversight Board Chairman Adam Klein published a white paper titled “Oversight of the Foreign Intelligence Surveillance Act (FISA).” In a fact sheet, Klein claimed:
    • In response to a 2020 request, the Board received 19 complete, classified Title I FISA applications filed by the government in counterterrorism investigations. (The request did not seek applications from non-counter-terrorism matters, such as the counterintelligence case involving Carter Page.) All of the applications target-ed U.S. persons. The Board also received hundreds of other classified documents related to oversight of FISA.
    • Because few people outside of the FISA process have the opportunity to review counterterrorism-related applications, Chairman Klein’s White Paper offers an unclassified glimpse into the process, as well as recommendations to improve it.
    • The applications involve the use of FISA to investigate U.S. persons suspected of acting as agents of international terrorist organizations. Most of the targets were in the United States when the application was filed.
    • Overall, the facts of these cases indicate that the FBI relies on surveillance and searches un-der Titles I and III of FISA to help it detect and prevent international acts of terrorism against the U.S. homeland.
    • These applications are detailed and lengthy, and they appropriately provide the FISA court with a great deal of factual information. Applications could do more, however, to identify the most important facts and facilitate critical analysis of the need for surveillance. The White Paper proposes best practices to improve the organization and clarity of applications.
    • Oversight resources and other checks on the FISA process should assign the greatest energy and attention to matters that are most likely to affect the privacy and civil liberties of Americans.
    • Oversight reviews should focus on U.S.-person applications, with special attention given to FISA applications in cases deemed “Sensitive Investigative Matters” under FBI policy.
    • Congress should support and fund DOJ’s use of automated tools to streamline manual, repetitive oversight tasks, allowing specialized oversight professionals to focus on matters that are most significant for Americans’ privacy and civil liberties.
    • The White Paper proposes other specific changes that would redirect the time and energy of government attorneys toward activities with a higher return on investment for privacy and civil liberties.
    • In March 2020, FISA’s post-9/11 authority to obtain business records expired. That sunset has created gaps in the government’s ability to investigate the activities of foreign agents in the U.S. The classified version of the White Paper provides additional information about the nature of those gaps.
    • A “savings clause” allows the government to continue to use the broader, pre-lapse authority for investigations that began or relate to conduct that occurred before the authority expired.
    • The government confirms that the vast majority of the 28 business-records orders is-sued in calendar year 2020 would not have been possible in a new investigation not covered by the savings clause.”
    • Chairman Klein recommends that Congress reauthorize the post-9/11 version of FISA’s business records provision. When it does so, Congress should also reinstate the 2015 ban on using this authority for bulk collection.
  • The North Atlantic Treaty Organization (NATO) issued a communique after its recent summit in Brussels and further explained its approach to defending against cyber incidents and attacks. In the document, NATO stated “Russia has also intensified its hybrid actions against NATO Allies and partners, including through proxies…[and] includes attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries.” NATO declared:
    • Cyber threats to the security of the Allianceare complex, destructive, coercive, and becoming ever more frequent.  This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.  To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience.  Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law.  We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.  Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.  We remain committed to act in accordance with international law, including the UN Charter, international humanitarian law, and international human rights law as applicable.  We will promote a free, open, peaceful, and secure cyberspace, and further pursue efforts to enhance stability and reduce the risk of conflict by supporting international law and voluntary norms of responsible state behaviour in cyberspace.  We will make greater use of NATO as a platform for political consultation among Allies, sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses.  If necessary, we will impose costs on those who harm us.  Our response need not be restricted to the cyber domain.  We will enhance our situational awareness to support NATO’s decision-making.  Resilience and the ability to detect, prevent, mitigate, and respond to vulnerabilities and intrusions is critical, as demonstrated by malicious cyber actors’ exploitation of the COVID-19 pandemic.  NATO as an organisation will therefore continue to adapt and improve its cyber defences.  Five years since the adoption of our Cyber Defence Pledge, we remain committed to uphold strong national cyber defences as a matter of priority.  We continue to implement cyberspace as a domain of operations.We willenhance the effective integration ofsovereign cyber effects, provided voluntarily by Allies, intocollective defence and Alliance operations and missions, in the framework of strong political oversight.  We will further seek to develop mutually beneficial and effective partnerships as appropriate, including with partner countries, international organisations, industry, and academia, furthering our efforts to enhance international stability in cyberspace.  We welcome the recent opening of the NATO Communications and Information Academy in Portugal.
  • Senator Kirsten Gillibrand (D-NY) reintroduced a modified version of her “Data Protection Act of 2021” (S.2134) that “would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent” (see here for analysis and detail on last year’s bill.) Senate Banking, Housing, and Urban Affairs Committee Chair Sherrod Brown (D-OH) is an original cosponsor, and last year, he also unveiled a data privacy bill, his discussion draft of the “Data Accountability and Transparency Act of 2020” (see here for more detail and analysis.) Gillibrand made available a section-by-section summary and a one page summary of the revised bill. Gillibrand explained the changes to her data privacy bill:
    • First introduced in 2020, the updated legislation has undergone significant improvements, including updated provisions to protect against privacy harms and discrimination, oversee the use of high-risk data practices, and to examine and propose remedies for the social, ethical, and economic impacts of data collection. Additionally, the DPA would have the authority and resources to effectively enforce data protection rules—created either by itself or Congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing model privacy and data protection standards, guidelines, and policies for use by the private sector. The U.S. is one of the only democracies, and the only member of the Organization for Economic Cooperation and Development (OECD), without a federal data protection agency. Senator Brown is an original cosponsor of the Data Protection Act.
    • The renewed Data Protection Act of 2021 has undergone significant improvements to its purpose, objectives, and functions, and makes explicit the agency’s mission to prevent privacy harms and discrimination. Improvements to the 2021 DPA include: 
      • Supervision of Data Aggregators: Grants the DPA authority to review Big Tech mergers involving a large data aggregator, or any merger that proposes the transfer of personal data of 50,000 or more individuals.
      • Office of Civil Rights: Establishes the DPA Office of Civil Rights to advance data justice and protect individuals from discrimination. 
      • Enforcement Powers: Improves DPA enforcement powers to oversee the use of high-risk data practices and to penalize, examine, and propose remedies to the social, ethical, and economic impacts of data collection.
      • Penalties and Fines: Prohibits data aggregators from committing any unlawful, unfair, deceptive, abusive, or discriminatory data practices; and allows for penalties and fines to be levied if violated, including triple penalties for violations against children.
      • Defines Key Terms for Transparency: Provides Key Definitions for Privacy Harm, Data Aggregators, and High-Risk Data Practice, among other key terms.
    • The agency will address a growing data privacy crisis in America. Massive amounts of personal information—public profiles, health data, photos, past purchases, locations, search histories, and much more—is being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone–including the federal government–can do about it. Not only have these tech companies built major empires and made billions of dollars from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.
    • The Data Protection Agency explained: The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge of technology, protection of personal data, civil rights, and law. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act. The DPA would have three core missions:
      • 1. Give Americans control and protection over their own data by authorizing the DPA to create and enforce data protection rules. 
        • The agency would regulate high-risk data practices and the collection, use, and sharing of personal data. It would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
        • The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation, share findings, and issue penalties, including with civil action or other appropriate relief.  
      • 2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 
        • The agency’s research unit would analyze and report on data protection and privacy innovation across sectors, developing and providing resources that assess unfair, deceptive, or discriminatory outcomes that result from the use of automated decision systems, such as algorithms.
        • The agency would develop model privacy and data protection standards, guidelines, and policies for use by the private sector to make it easier for businesses, especially small businesses, to comply with privacy and data protection rules and better prepare themselves against threats like ransomware.
      • 3. Prepare the American government for the digital age.
        • The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data. 
        • The Agency would coordinate with and provide leadership to other Federal agencies and State regulators to promote consistent regulatory treatment of personal data.
  • The European Commission (EC) published “the preliminary results of its competition sector inquiry into markets for consumer Internet of Things (IoT) related products and services in the European Union.” The EC claimed the “Preliminary Report confirms the rapid growth of these markets, but also identifies potential concerns put forward by the respondents to the sector inquiry.” The EC stated:
    • The consumer IoT sector inquiry was launched on 16 July 2020 as part of the Commission’s digital strategy and following an announcement in the Commission’s Communication on Shaping Europe’s digital future. During the inquiry, the Commission has gathered information from over 200 companies of different sizes, operating in consumer IoT product and services markets and based across Europe, Asia and the United States. Furthermore, these companies have shared with the Commission more than 1000 agreements. This information forms the basis of the Preliminary Report published today.
      • Main Findings of the Preliminary Report
      • The findings of the Preliminary Report on the sector inquiry on the consumer IoT cover: (i) the characteristics of consumer IoT products and services, (ii) the features of competition in these markets, (iii) the main areas of potential concern raised by respondents in relation to the current functioning of consumer IoT markets, as well as to their future outlook.
      • Characteristics of consumer IoT products and services
      • The Preliminary Report indicates that, while the consumer IoT is a relatively new area, it is growing rapidly and becoming more and more a part of our everyday lives. In addition, there is a trend towards increasing availability and proliferation of voice assistants as user interfaces enabling interaction with different smart devices and consumer IoT services.
      • Features of competition in the markets for consumer IoT products and services
      • The majority of respondents to the sector inquiry indicate the cost of technology investment and the competitive situation as the main barriers to entry or expansion in the sector. According to the replies, technology investment costs are particularly high in the market for voice assistants. With respect to the competitive situation, a large number of respondents has reported difficulties in competing with vertically integrated companies that have built their own ecosystems within and beyond the consumer IoT sector (e.g. Google, Amazon or Apple). As these players provide the most common smart and mobile device operating systems as well as the leading voice assistants, they determine the processes for integrating smart devices and services in a consumer IoT system.
      • Main areas of potential concerns
      • Respondents raised concerns regarding certain exclusivity and tying practices in relation to voice assistants, as well as practices limiting the possibility to use different voice assistants on the same smart device.
      • The Preliminary Report sets out a number of potential concerns raised by respondents in respect of the position of voice assistants and smart device operating systems as intermediaries between users, on one side, and smart devices or consumer IoT services on the other side. This position, combined with their key role in the generation and collection of data, would allow them to control user relationships. In this context, respondents have also raised concerns in relation to the discoverability and visibility of their consumer IoT services.
      • Providers of smart device operating systems and voice assistants seem to have extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services. The respondents to the sector inquiry consider that this access to and accumulation of large amounts of data would not only give voice assistant providers advantages in relation to the improvement and market position of their general-purpose voice assistants, but also allow them to leverage more easily into adjacent markets.
      • According to respondents, the prevalence of proprietary technology, leading at times to the creation of “de facto standards”, together with technology fragmentation and lack of common standards, raise concerns as to the lack of interoperability in the Consumer IoT sector. In particular, a few providers of voice assistants and operating systems are said to unilaterally control interoperability and integration processes and to be capable of limiting functionalities of third-party smart devices and consumer IoT services, compared to their own.
    • Next steps
      • The Preliminary Report on the findings of the sector inquiry will now be subject to a public consultation for a period of twelve weeks, until 1 September 2021*. All interested parties will be able to comment on the findings of the sector inquiry, submit additional information or raise further areas of concern.
      • The Commission aims to publish the Final Report in the first half of 2022.
      • The information collected in the context of the sector inquiry on the consumer IoT will provide guidance to the Commission’s future enforcement and regulatory activity. Any competition enforcement measure following the sector inquiry would have to be based on a case-by-case assessment. The findings of this sector inquiry can also contribute to the ongoing legislative debate on the Commission’s proposal for the Digital Markets Act.
  • Senate Minority Whip John Thune (R-SD) and Senators Richard Blumenthal (D-CT), Jerry Moran (R-KS), Marsha Blackburn (R-TN), Brian Schatz (D-HI), and Mark Warner (D-VA) “reintroduced the “Filter Bubble Transparency Act” (S.2024) that “would require large-scale internet platforms that collect data from more than 1 million users and gross more than $50 million per year to provide greater transparency to consumers and allow users to view content that has not been curated as a result of a secret algorithm” per their press release. The Senators added “The Filter Bubble Transparency Act would make it easier for internet platform users to understand the potential manipulation that exists with secret algorithms and require large-scale platforms to allow those users to consume information outside of that potential manipulation zone or ‘filter bubble.’” They further explained:
    • The Filter Bubble Transparency Act would require large-scale internet platforms, as defined by the legislation, to:
      • Clearly notify its users that their platform creates a filter bubble that uses secret algorithms (computer-generated filters) to determine the order or manner in which information is delivered to users; and
      • Provide its users with the option of a filter bubble-free view of the information they provide. The bill would enable users to transition between a customized, filter bubble-generated version of information and a non-filter bubble version (for example, the “sparkle icon” option that is currently offered by Twitter that allows users to toggle between a personalized timeline and a purely chronological timeline).
    • The Filter Bubble Transparency Act would make it unlawful for any person to operate a covered internet platform that uses a secret algorithm unless the platform complies with the two above requirements. The Federal Trade Commission would enforce the legislation’s requirements, and it would be authorized to seek civil penalties for knowing violations.  
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) assessed the Continuous Diagnostics and Mitigation (CDM) program and found the program has fallen short of its goals. The OIG stated:
    • The Department of Homeland Security has not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) program. DHS spent more than $180 million between 2013 and 2020 to design and build a department-wide continuous monitoring solution but faced setbacks. DHS initially planned to deploy its internal CDM solution in three phases by 2017 using a “One DHS” approach that restricted components to a standard set of common tools. After this attempt was unsuccessful, DHS adopted a new acquisition strategy in 2019, shifting to a capability- driven implementation approach, pushing the deadline to 2022, and allowing components to utilize existing tools to collect CDM data.
    • As of March 2020, DHS had developed an internal CDM dashboard, but reported less than half of the required asset management data. Efforts were still underway to automate and integrate the data collection process among components so DHS could report additional data, as required. DHS now needs to upgrade its dashboard to ensure sufficient processing capacity for component data. Until these capabilities are complete, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time.
    • Additionally, we identified vulnerabilities on CDM servers and databases, which were due to DHS not clearly defining patch management responsibilities and not implementing required configuration settings. Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk.
    • The OIG made these recommendations:
      • Recommendation 1: We recommend the Chief Information Security Officer update the Department’s Continuous Diagnostics and Mitigation program plan to demonstrate how OCISO will transition the agency dashboard to a scalable platform, ensure components use tools that meet requirements, set appropriate deadlines, and integrate component data.
      • Recommendation 2: We recommend the Chief Information Security Officer mitigate the vulnerabilities identified on the Continuous Diagnostics and Mitigation information technology assets.
      • Recommendation 3: We recommend the Chief Information Security Officer define patch management responsibilities for the Continuous Diagnostics and Mitigation information technology assets.
  • The Biden Administration published the United States’ (U.S.) “first-ever National Strategy for Countering Domestic Terrorism to address this challenge to America’s national security and improve the federal government’s response.” The White House explained:
    • To develop a government-wide strategy to counter domestic terrorists, the Biden Administration consulted extensively with a wide array of experts across the U.S. Government as well as with leaders in Congress, state and local governments, academia, civil society, religious communities, and foreign governments. Throughout the process, we embraced the protection of civil rights and civil liberties as a national security imperative. The strategy we are releasing today is carefully tailored to address violence and reduce the factors that lead to violence, threaten public safety, and infringe on the free expression of ideas. It is organized around four pillars – the core elements of how the Biden Administration will improve the U.S. Government’s response to this persistent, evolving, and lethal threat to our people, our democracy, and our national security:
    • The U.S. Government will enhance domestic terrorism analysis and improve information sharing throughout law enforcement at the federal, state, local, tribal, and territorial levels, and, where appropriate, private sector partners. The Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) have implemented a robust system to methodically track domestic terrorism cases nationwide. The Department of State as well as the intelligence and law enforcement communities are learning more from foreign partners about the international dimensions of this threat.
    • The Department of State will continue to assess whether additional foreign entities linked to domestic terrorism can be designated as Foreign Terrorist Organizations or Specially Designated Global Terrorists under relevant statutory criteria. The Department of the Treasury, in coordination with law enforcement, is exploring ways to enhance the identification and analysis of financial activity of domestic terrorists. The Department of Homeland Security (DHS) is enhancing its analysis of open-source information to identify threats earlier and will create a structured mechanism for receiving and sharing within government credible non-governmental analysis.
    • Drawing on the expertise of a variety of departments and agencies, the U.S. Government has revamped support to community partners who can help to prevent individuals from ever reaching the point of committing terrorist violence. The U.S. Government will strengthen domestic terrorism prevention resources and services. For the first time, the Department of Homeland Security (DHS) has designated “Domestic Violent Extremism” as a National Priority Area within the Department’s Homeland Security Grant Program, which means that over $77 million will be allocated to state, local, tribal, and territorial partners to prevent, protect against, and respond to domestic violent extremism. DHS and FBI are working to strengthen local prevention, threat assessment, and threat management frameworks. The Department of Defense (DOD) is incorporating training for servicemembers separating or retiring from the military on potential targeting of those with military training by violent extremist actors. The U.S. Government will improve public awareness of federal resources to address concerning or threatening behavior before violence occurs.
    • The U.S. Government will augment its efforts to address online terrorist recruitment and mobilization to violence by domestic terrorists through increased information sharing with the technology sector and the creation of innovative ways to foster digital literacy and build resilience to recruitment and mobilization. The United States also recently joined the Christchurch Call to Action to Eliminate Terrorist and Violent Extremist Content Online, an international partnership between governments and technology companies that works to develop new multilateral solutions to eliminating terrorist content online while safeguarding the freedom of online expression.

Further Reading

  • As Dictators Target Citizens Abroad, Few Safe Spaces Remain” By Max Fisher — The New York Times. Tahir Imin knew that romances sometimes end. So he did not expect the long arm of global authoritarianism when the woman he had been planning to marry broke things off in March. Perhaps he should have. He had fled China’s oppression of Uyghurs, a predominantly Muslim minority, in 2017. From his new home in Washington, D.C., he spoke out about Beijing’s indoctrination camps and systems of control, which he and the U.S. government have called a genocide.
  • Hackers Breached Colonial Pipeline Using Compromised Password” By  William Turton and Kartikay Mehrotra — Bloomberg. The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.
  • Are We Waiting for Everyone to Get Hacked?” By Nicole Perlroth — The New York Times. Leon Panetta is one of the few American government officials who can look around at the nation’s rolling cyberdisasters andjustifiably say, “I told you so.” The former secretary of defense was among the first senior leaders to warn us, in the most sober of terms, that this would happen in a 2012 speech that many derided as hyperbolic. He didn’t foretell every detail, and some of his graver predictions — a cyberattack that could derail passenger trains or worse, derail trains loaded with lethal chemicals — have yet to play out. But the stark vision he described, of hackers seizing our critical switches and contaminating our water supply, is veering dangerously close to the reality we are living with now.
  • Israel’s operation against Hamas was the world’s first AI war” By Anna Ahronheim — Jerusalem Post. Having relied heavily on machine learning, the Israeli military is calling Operation Guardian of the Walls the first artificial-intelligence war. “For the first time, artificial intelligence was a key component and power multiplier in fighting the enemy,” an IDF Intelligence Corps senior officer said. “This is a first-of-its-kind campaign for the IDF. We implemented new methods of operation and used technological developments that were a force multiplier for the entire IDF.”
  • Google Seeks to Break Vicious Cycle of Online Slander” By Kashmir Hill and Daisuke Wakabayashi — The New York Times. For many years, the vicious cycle has spun: Websites solicit lurid, unverified complaints about supposed cheaters, sexual predators, deadbeats and scammers. People slander their enemies. The anonymous posts appear high in Google results for the names of victims. Then the websites charge the victims thousands of dollars to take the posts down. This circle of slander has been lucrative for the websites and associated middlemen — and devastating for victims. Now Google is trying to break the loop.
  • Is the Internet (Briefly) Breaking a Sign of Things to Come?” By Charlotte Klein — Vanity Fair. At one point during Tuesday morning’s brief global internet outage, The Guardian was covering it solely via Twitter thread. “Thus ends my uncomfortable 50 minute period of being the only person in the entire newspaper capable of publishing content,” tech reporter Alex Hern tweeted once the site came back online—at least for him, he noted, as scattered disruptions continued to plague some of the world’s biggest online news platforms, as well as the UK government’s home page, some Amazon sites, and streaming services like Hulu and HBO Max. The Verge pivoted to Google Docs to share the news with readers (and briefly forgot to restrict the document’s editing abilities, allowing random people to chime in before editors realized what was going on). “We’re all on pins and needles right now,” CNN New Day co-anchor John Berman told his colleague Brian Stelter, who popped onto the program this morning to address the baffling failure as CNN’s own website, along with several other publishers, went dark. “Right now no indication that this is a cyberware or ransomware attack, but it is one of the most widespread web outages that I have ever seen,” said Stelter, CNN’s chief media correspondent.
  • Australia’s eSafety Commissioner targets abuse online as Covid-19 supercharges cyberbullying” By Julie Inman Grant — The Strategist. It’s never easy being first. There are no playbooks to thumb through and no clear footprints to follow to let you know you’re on track, or even that you’re heading in the right general direction. Six years ago, Australia’s eSafety Commissioner became the world’s first online safety regulator following the tragic death of TV presenter Charlotte Dawson.
  • Predictive policing strategies for children face pushback” By Olivia Solon and Cyrus Farivar — NBC News. Five months after Robert Jones, a 44-year-old aerospace process auditor, moved to what he described as the “really nice” neighborhood of Gulf Harbors in Pasco County, Florida, with his wife and four kids, “seven or eight” police cars showed up at his door. Officers said they had heard about his then-16-year-old son Bobby’s school delinquency from colleagues in Pinellas County, where the family previously lived, and wanted to make sure he understood that the Pasco Sheriff’s Office did things a little differently, Jones recalled.

Coming Events

  • On 22 June, the Senate Commerce, Science, and Transportation’s Communications, Media, and Broadband Subcommittee will hold a hearing titled “Building Resilient Networks” “examine ways in which the federal government can support deployment of resilient, redundant, and secure broadband and telecommunications infrastructure, and review the lessons learned from outage incidents” with these witnesses:
    • Mr. Harold Feld, Senior Vice President, Public Knowledge
    • Mr. Jonathan Adelstein, President and Chief Executive Officer, Wireless Infrastructure Association
    • Mr. Denny Law, General Manager and Chief Executive Officer, Golden West Telecommunications
    • Mr. Jeff Johnson, Chief Executive, Western Fire Chiefs Association
  • The Senate Finance Committee’s International Trade, Customs, and Global Competitiveness Subcommittee will hold a 22 June hearing titled “International Trade, Customs, and Global Competitiveness” with these witnesses:
    • Wendy S. Cutler, Vice President, Asia Society Policy Institute
    • Donald Allan, Jr., President and Chief Financial Officer, Stanley Black & Decker
    • Peter A. Petri, Ph.D., Carl J. Shapiro Professor of International Finance at the Brandeis International Business School and Nonresident Senior Fellow at the Brookings Institution
    • The Honorable James B. Cunningham, Nonresident Senior Fellow at the Atlantic Council and former U.S. Ambassador to Afghanistan, Israel, and the United Nations, former Consul General of the United States in Hong Kong, Board Chair of the Committee for Freedom in Hong Kong
  • On 23 June, the Senate Armed Services Committee’s Cyber Subcommittee will hold a hearing “To receive testimony on recent ransomware attacks” with these witnesses:
    • Ms. Mieke Eoyang, Deputy Assistant Secretary of Defense for Cyber Policy
    • Major General Kevin Kennedy, Director of Operations, United States Cyber Command
    • Rear Admiral Ronald Foy, Deputy Director for Global Operations, Joint Staff
  • On 24 June, the House Energy and Commerce Committee’s Health Subcommittee will hold a hearing titled “Empowered by Data: Legislation to Advance Equity and Public Health” that will likely include discussion of the following bills:
    • H.R. 379, the “Improving Social Determinants of Health Act of 2021”
    • H.R. 666, the “Anti-Racism in Public Health Act of 2021”
    • H.R. 778, the “Secure Data and Privacy for Contact Tracing Act of 2021”
    • H.R. 791, the “Tracking COVID–19 Variants Act”
    • H.R. 831, the “Health Standards To Advance Transparency, Integrity, Science, Technology Infrastructure, and Confidential Statistics Act of 2021” or the “Health STATISTICS Act of 2021”
    • H.R. 925, the “Data to Save Moms Act”
    • H.R. 943, the “Social Determinants for Moms Act”
    • H.R. 976, the “Ensuring Transparent Honest Information on COVID–19 Act” or the “ETHIC Act”
    • H.R. 2125, the “Quit Because of COVID–19 Act”
    • H.R. 2503, the “Social Determinants Accelerator Act of 2021”
    • H.R. 3894, the “Collecting and Analyzing Resources Integral and Necessary for Guidance for Social Determinants of Health Act of 2021” or the “CARING for Social Determinants of Health Act of 2021”
    • H.R. 3969, to amend title XXVII of the Public Health Service Act to include activities to address social determinants of health in the calculation of medical loss ratios
    • H.R. ____, to require the Comptroller General of the United States to submit to Congress a report on actions taken by the Secretary of Health and Human Services to address social determinants of health
  • The House Appropriations Committee’s Financial Services and General Government Subcommittee will mark up its FY 2022 appropriations bill on 24 June, which includes funding and programmatic direction for a number of agencies including the Federal Communications Commission and Federal Trade Commission.
  • On 24 June, the House Small Business Committee’s Oversight, Investigations, and Regulations Subcommittee will hold a hearing titled “CMMC Implementation: What It Means for Small Businesses.” The subcommittee explained:
    • The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s latest initiative to increase cybersecurity preparedness across the defense industrial base. The hearing will provide Members the opportunity to learn more about this initiative, its implementation, and the compliance challenges it poses for small businesses.
    • The following witnesses will appear:
      • Mr. Jonathan T. Williams, Partner, PilieroMazza PLLC
      • Mr. Scott Singer, President, CyberNINES
      • Ms. Tina Wilson, Chief Executive Officer, T47 International, Inc.
      • Mr. Michael Dunbar, President, Ryzhka International LLC
  • On 29 June, the House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will hold a hearing titled “Department of Defense Information Technology, Cybersecurity, and Information Assurance for Fiscal Year 2022.”
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Jean-Philippe Delberghe on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s