Other Developments
- The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Emergency Directive 21-04” “to mitigate a Microsoft Windows print spooler service vulnerability CVE-2021-34527 being actively exploited,” the agency explained in its statement. CISA added in its press release:
- Federal civilian agencies are required to immediately disable the print spooler service on Microsoft Active Directory Domain Controllers, apply the Microsoft July 2021 cumulative updates, and make additional configuration changes to all Microsoft Windows servers and workstations within one week.
- Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.
- The emergency directive is in response to validated active exploitations. CISA is concerned that exploitation of this vulnerability may lead to full system compromise of affected agency networks if left unmitigated.
- CISA provided direction in the directive to federal cloud providers and advice to third-party providers working with agencies outside the agency’s jurisdiction:
- CISA is working closely with FedRAMP to coordinate the response to this Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this Directive that may not be covered by a FedRAMP authorization.
- Each agency is responsible for maintaining an inventory of its information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.
- For reporting purposes, if instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider.
- If the affected third-party service provider is another federal entity, the provider agency itself is responsible for reporting status to CISA and the customer agency does not have any further reporting obligation.
- If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise), the service provider must report the status of affected endpoints to the customer agency. Agencies remain responsible for engaging their service providers directly, as needed, to ensure compliance with this Directive.
- All other provisions specified in this Directive remain applicable.
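A defender-side audit of the three ED 21-04 actions CISA lists above (spooler disabled on domain controllers, July 2021 cumulative updates applied, Point and Print configuration hardened), as an added PowerShell example that is not part of CISA’s directive or this post. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the KB numbers of the July 2021 cumulative updates differ by OS build, so they are passed in rather than hard-coded, and the registry values checked are the Point and Print settings Microsoft published alongside the fix, which is an assumption about what the directive’s “additional configuration changes” cover.

```powershell
# Added example, not CISA's or Microsoft's code. Assumes the ActiveDirectory
# module is installed and WinRM is reachable on every domain controller.
Import-Module ActiveDirectory

function Get-SpoolerMitigationStatus {
    [CmdletBinding()]
    param(
        # HotFix ids (e.g. 'KB…') of the July 2021 cumulative updates for the
        # OS builds in use; they vary per build, so look them up and pass them in.
        [Parameter(Mandatory)] [string[]] $JulyUpdateKBs
    )

    $dcs = (Get-ADDomainController -Filter *).HostName

    foreach ($dc in $dcs) {
        Invoke-Command -ComputerName $dc -ArgumentList (,$JulyUpdateKBs) -ScriptBlock {
            param([string[]] $KBs)

            # Win32_Service exposes both the run state and the startup mode.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

            # Any of the supplied July 2021 KBs present counts as patched.
            $installed = Get-HotFix | Where-Object { $KBs -contains $_.HotFixID }

            # Assumption: the Point and Print policy values Microsoft published with
            # the fix. Absent key == defaults, which is the expected safe state.
            $ppPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
            $pp = Get-ItemProperty -Path $ppPath -ErrorAction SilentlyContinue
            $noWarn   = if ($null -ne $pp) { $pp.NoWarningNoElevationOnInstall } else { $null }
            $updPrmpt = if ($null -ne $pp) { $pp.UpdatePromptSettings } else { $null }
            $ppSafe   = (-not $noWarn) -and (-not $updPrmpt)   # null or 0 is safe, 1 is not

            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                SpoolerState     = $svc.State
                SpoolerStartMode = $svc.StartMode
                JulyUpdate       = if ($installed) { $installed.HotFixID -join ',' } else { 'MISSING' }
                PointAndPrintOK  = $ppSafe
                Compliant        = ($svc.State -eq 'Stopped') -and
                                   ($svc.StartMode -eq 'Disabled') -and
                                   [bool]$installed -and $ppSafe
            }
        }
    }
}

function Disable-SpoolerOnDomainControllers {
    # Stops and disables the Print Spooler on every DC, which is the first
    # action the directive requires. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        if ($PSCmdlet.ShouldProcess($dc, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

# Usage: replace the placeholder KB ids with the July 2021 update ids for your builds.
# Get-SpoolerMitigationStatus -JulyUpdateKBs 'KB<placeholder-1>','KB<placeholder-2>' |
#     Format-Table -AutoSize
# Disable-SpoolerOnDomainControllers -WhatIf
```

Run the status function again after remediation and patching; any row with `Compliant` false is a DC still inside the directive’s one-week window of required work.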
- Dozens of prominent women from around the world signed an open letter to the CEOs of Facebook, Google, TikTok and Twitter “ask[ing] that you urgently prioritise the safety of women on your platforms.” They stated:
- No quick-fix will cure the problem, but there are many avenues to make significant progress. For over a year, you have engaged with civil society and government experts from over 35 countries to tackle online abuse. This has been an important step forward, demonstrating the power of co-creating solutions informed by a wide range of partners, including women who have directly experienced abuse.
- Now it is vital to put into action two priorities women have said are critical for their safety — more control of their experiences on your platforms, and better reporting systems:
- Give people greater control to manage their safety. Rather than a one-size-fits-all experience, women should have more control over who can interact with them on tech platforms, as well as more choice over what, when and how they see content online. These tools should be easy to find and simple to use.
- Improve your systems for reporting abuse. Current tools need to be improved so women can easily report abuse and track the progress of these reports. For example, dashboards that show users the status of all their reports in one place, features to guide them through the reporting process, and tools that offer women access to additional support when it’s needed, could make a huge difference.
- The Federal Communications Commission acted on a number of items at its 13 July open meeting, including:
- an Order that incorporates changes to the Commission’s rules consistent with the Consolidated Appropriations Act, 2021, which appropriated $1.895 billion for the Secure and Trusted Communications Networks Reimbursement Program. The Commission created the Reimbursement Program in 2020 to reimburse providers of advanced communications services for costs reasonably incurred in removing, replacing, and disposing of communications and equipment that pose an unacceptable risk to national security. Today’s Order, among other changes, increases the eligibility cap for participation in the Reimbursement Program from providers serving two million or fewer customers to those with 10 million or fewer customers. Securing America’s critical communications infrastructure from potential security threats is more important than ever due to the outsized impact our communications networks have on work, education, health care, and personal communications. Today’s Order is another step in ongoing FCC action to protect the communications networks from those who would harm the United States. Key changes in the Order include:
- Modifying the equipment and services eligible for the Reimbursement Program to include all communications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation;
- Establishing June 30, 2020 as the new date by which covered communications equipment and services must have been obtained to be eligible for Reimbursement Program funds;
- Enacting the prioritization scheme expressly provided for in the Consolidated Appropriations Act if demand for Reimbursement Program funding exceeds the $1.895 billion appropriated by Congress; and
- Clarifying some Reimbursement Program requirements to assist eligible providers as they prepare to seek reimbursement for expenses related to removing, replacing, and disposing of covered communications equipment or services.
- Enabling State-of-the-Art Radar Sensing Technologies in the 60 GHz Band. The Commission considered a Notice of Proposed Rulemaking proposing revisions to Section 15.255 of the rules governing short range radar operations in the 64-71 GHz frequency band. (ET Docket No. 21-264)
- Updating Technical Rules for Radio Broadcasters*. The Commission considered a Notice of Proposed Rulemaking to eliminate or amend outmoded or unnecessary broadcast technical rules. (MB Docket No. 21-263)
- Updating International Filing Requirements for the Digital Age. The Commission considered an Order that would amend rules to require the remaining applications and reports to be filed electronically in the International Bureau Filing System (IBFS) and eliminate duplicative paper filing requirements. (IB Docket No. 21-265)
- Affirming Mobile Relay Fine. The Commission considered a Memorandum Opinion and Order that affirms a fine against Mobile Relay Associates for monopolizing shared spectrum and interfering with other licensees.
- Promoting Technological Solutions to Combat Contraband Wireless Device Use in Correctional Facilities*. The Commission considered a Second Report and Order taking steps to combat contraband wireless devices in correctional facilities and Second Further Notice of Proposed Rulemaking seeking comment on additional technological solutions to combat contraband device usage in correctional facilities. (GN Docket No. 13-111)
- The National Institute of Standards and Technology (NIST) stated that it “fulfilled two of its assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028).” NIST “published guidance outlining security measures for critical software use after consulting with the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB)” and “also published guidelines recommending minimum standards for vendors’ testing of their software source code after consulting with the National Security Agency (NSA) as required under the EO.”
- In the guidance on security measures for critical software use, NIST asserted:
- The scope of this guidance on security measures is federal agency use of EO-critical software. Development and acquisition of EO-critical software are out of scope. The security measures are intended to protect the use of deployed EO-critical software in agencies’ operational environments.
- NIST defined the following objectives for the security measures:
- Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage.
- Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. (See FAQ #6.)
- Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.
- Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.
- Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.
- NIST has identified security measures that are fundamental for meeting these objectives. These “Security Measures for EO-Critical Software Use” are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs. Agencies should continue their efforts to secure systems and networks that EO-critical software runs on and to manage cyber supply chain risk (see FAQ #4), as well as implement zero trust practices (see FAQ #5), which depend on the fundamental security measures. The intent of specifying these security measures is to assist agencies by defining a set of common security objectives for prioritizing the security measures that should be in place to protect EO-critical software use.
- In the guidelines setting forth minimum standards for vendors testing their software source code, NIST stated:
- To ensure that software is sufficiently safe and secure, the software must be designed, built, delivered, and maintained in accordance with best practices. Frequent and thorough testing by developers as early as possible in the software development life cycle (SDLC) is one critical practice. At its highest conceptual level, verification is a discipline employed to increase software security. Verification encompasses many static and active assurance techniques, tools, and related processes to identify and remediate security defects while continuously improving the methodology and supporting processes. They must be employed alongside other methods to achieve a high level of software security.
- This webpage summarizes minimum standards recommended for verification by software vendors or developers. No single verification standard can encompass all types of software testing, be specific and prescriptive, and present efficient and effective testing. Thus, this document recommends high-level guidelines for software producers to create their own prescriptive processes.
- These guidelines expand on NIST’s Secure Software Development Framework (SSDF) practices. See especially Produce Well-Secured Software (PW) Practice 7, Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements, and PW Practice 8, Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.
- The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released “the United States Core Data for Interoperability version 2 (USCDI v2), a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.” The agency explained:
- With this new update, health IT stakeholders nationwide will have clearer direction toward the standardized, electronic exchange of social determinants of health (SDOH), sexual orientation, and gender identity (SO/GI) among several other updated data elements. This lays the foundation for the provider community to start systemizing the capture and use of SDOH and SO/GI data in the clinical setting. While encouraged, this update does not require health professionals, such as doctors and nurses, to record this data or individuals to share such data. It does however set a path forward for health IT to build in support for exchanging these data as they become applicable to an individual’s care.
- Senate Finance Committee Chair Ron Wyden (D-OR) introduced “new legislation to protect reporters and journalists against unnecessary government surveillance that can chill First Amendment activities.” In his press statement, Wyden asserted:
- The Protect Reporters from Excessive State Suppression (PRESS) Act ensures reporters cannot be compelled by the government to disclose their confidential sources or research files, and also protects their data held by third parties like phone and internet companies from being secretly seized by the government without the opportunity to challenge those demands in court. The bill shields journalists’ communications records, such as those that DOJ obtained about reporters at CNN, the Washington Post, and New York Times from the government, with narrow exceptions for terrorism and threat of imminent violence or harm.
- While 48 states and the District of Columbia have some form of shield law or reporters’ privilege, protections vary significantly, and there is no federal shield law, and the state laws do not apply to investigations by federal agencies, such as DOJ. Importantly, there are currently no legal restrictions that prevent the government from secretly obtaining a reporter’s records directly from phone companies, email providers and other third parties in order to identify their sources.
- Senator Ed Markey (D-MA) and Representatives Kathy Castor (D-FL) and Lori Trahan (D-MA) wrote the CEOs of Amazon, Facebook, Google, Snapchat, TikTok, and Twitter, “urging them to extend privacy protections required under the United Kingdom’s Age Appropriate Design Code (AADC) to children and teens in the United States.” They argued:
- The AADC is a statutory code of practice that requires all commercial online services—including apps, search engines, social media platforms, and online games—that are likely to be accessed by young users in the United Kingdom to meet fifteen standards that protect children and teens’ privacy and wellbeing online. These standards include protections for both children and teens up to 18 years old, and they limit the amount of data companies can collect from young users. In their letter, the lawmakers express concerns about threats to young people’s online privacy amidst the recent rise in children and teens’ technology use and argue that, as companies update their data practices to comply with the AADC, they should apply those same practices in the United States.
- They asserted:
- It is imperative that Congress acts with urgency to enact a strong privacy law for children and teens in the 21st century. As we work towards that goal, we urge you to extend to American children and teens any privacy enhancements that you implement to comply with the AADC. We also request responses to the following questions by July 21, 2021.
- Will you commit to providing American children and teens with the same privacy enhancements that you provide in the United Kingdom in accordance with the AADC?
- If so, what specific privacy enhancements will you implement for users in the United States? Please describe in detail when you plan to implement these enhancements for users in the United States.
- If not, why not?
- The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) “requested public comment on proposed guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology-focused entities.” The agencies added:
- The proposed guidance is intended to assist banking organizations in identifying and addressing the risks associated with third-party relationships and responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance.
- Banking organizations that engage third parties to provide products or services or to perform other activities remain responsible for ensuring that such outsourced activities are conducted in a safe and sound manner and in compliance with all applicable laws and regulations, including consumer protection laws.
- Per Congressional direction, the National Telecommunications and Information Administration (NTIA), the Federal Communications Commission (FCC) and the U.S. Department of Agriculture (USDA) announced “an interagency agreement to share information about and coordinate the distribution of federal broadband deployment funds.” The agencies explained:
- In accordance with the Broadband Interagency Coordination Act, enacted as part of the Consolidated Appropriations Act of 2021, the respective Cabinet and agency leaders announced that their agencies will consult with one another and share information about the distribution of new funds from the FCC’s high-cost programs that support broadband buildout in rural areas, the USDA’s Rural Utilities Services grant and loan programs, and programs administered or coordinated by NTIA.
- As part of the signed agreement, each federal agency partner will share information about existing or planned projects that receive funding from the previously mentioned federal funding sources. Each partner will also, upon request, identify entities providing broadband service in a specified geographic area; the levels of broadband service in that area, including broadband speeds and technologies deployed; the geographic scope of broadband service in that area; and each entity in that area that has or will receive funds from these programs. The Agreement also requires the federal agency partners to consider basing the distribution of funds from the programs on standardized broadband coverage data. More information about what programs will now require explicit coordination among the FCC, NTIA, and USDA can be found on NTIA’s website. The agreement is effective at the date of its signing, June 25.
Further Reading
- “What If Regulating Facebook Fails?” By Siva Vaidhyanathan — WIRED. What if nothing works? What if, after years of scholarship and journalism exposing the dominance, abrogations, duplicity, arrogance, and incompetence of Facebook, none of the policy tools we have come to rely on to rein in corporations make any difference at all? We have to be prepared for just such an outcome.
- “Don’t be that employee: How to avoid ransomware attacks at work” By Tatum Hunter — The Washington Post. When a security vulnerability at IT software-maker Kaseya led to a ransomware attack that affected 800 to 1,500 businesses, it wasn’t one employee’s fault. But that’s not always the case. Ransomware, which locks down a target’s computers and data, can infect a network a few different ways, including through employee accounts. Click the wrong link, open the wrong attachment or log into the wrong website, and you could put your company in a perilous position.
- “Scale, details of massive ransomware attack emerge” By Frank Bajak — Associated Press. Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.
- “Biden announces investigation into international ransomware attack” — The Guardian. Joe Biden said on Saturday he had directed US intelligence agencies to investigate a sophisticated ransomware attack that hit hundreds of American businesses as the Fourth of July holiday weekend began and aroused suspicions of Russian gang involvement. Huntress, a security company, said on Friday it believed the Russia-linked REvil ransomware gang was to blame. Last month, the FBI blamed the same group for paralyzing the meat packer JBS.
- “China’s cyberspace regulator orders Didi off app stores after launching investigation” — ABC News. China’s cyberspace regulator said that it had ordered smartphone app stores to stop offering Didi’s app after finding the ride-hailing giant had illegally collected users’ personal data. The Cyberspace Administration of China (CAC) said it had told Didi to make changes to comply with Chinese data protection rules, four days after Didi began trading on the New York Stock Exchange, having raised $5.8 billion in an initial public offering.
- “TikTok’s Algorithm and AI Tech Are Now up for Sale” By Alyse Stanley — Gizmodo. Now anyone can tap into the secret sauce behind ByteDance’s globally successful TikTok app—for a price. The China-based company quietly launched a new BytePlus division back in June focused on selling TikTok’s artificial intelligence technology, including the popular recommendation algorithm behind its ForYou feed, to businesses worldwide, the Financial Times reported Sunday. Some of the features up for sale include the short-form video app’s computer vision tech, real-time video effects, automated translation of text and speech functions, and tools for data analysis and management, among others, the Times reports. Customers can then tailor this tech to fit the needs of their apps and consumer base.
- “Rioters accused of erasing content from social media, phones” By Jacques Billeaud — Associated Press. They flaunted their participation in the Jan. 6 riot at the U.S. Capitol on social media and then, apparently realizing they were in legal trouble, rushed to delete evidence of it, authorities say. Now their attempts to cover up their role in the deadly siege are likely to come back to haunt them in court. An Associated Press review of court records has found that at least 49 defendants are accused of trying to erase incriminating photos, videos and texts from phones or social media accounts documenting their conduct as a pro-Donald Trump mob stormed Congress and briefly interrupted the certification of Democrat Joe Biden’s election victory.
- “California’s yoga, wellness and spirituality community has a QAnon problem” By Laura Nelson — Los Angeles Times. It seemed like the end of a typical reiki attunement: A group of women wearing yoga pants and flowing floral skirts, gathered in a healer’s home after a course in the alternative therapy of balancing chakras, clearing auras and transferring energy. But it was the early days of the pandemic and COVID-19 was spreading fast. The women in the room stood so close that their bodies touched. No one wore masks. Kathleen Abraham, 61, saw that the Facebook photo of the group had been taken in the Orange County home of one of her dearest friends, a woman she had known for 15 years who had helped her recover from breast cancer and introduced her to the world of New Age spiritualism.
- “VA Secretary: Changes Coming to Electronic Health Records Program” By Aaron Boyd — Nextgov. The Veterans Affairs Department will move forward with its multibillion-dollar commercial electronic health records rollout after a 12-week strategic review put the program on pause. The review will lead to significant changes, VA Secretary Denis McDonough said this week, though he declined to share further details. VA has been working for more than two years with commercial EHR company Cerner to develop and deploy a single records management system across the agency that will also be interoperable with the Cerner-built system being deployed by the Defense Department and the Leidos Partnership for Defense Health.
Coming Events
- On 15 July, the Senate Commerce, Science, and Transportation Committee will convene a hearing titled “Implementing Supply Chain Resiliency.”
- The House Homeland Security Committee will hold a 15 July hearing titled “Securing the Homeland: Reforming DHS to Meet Today’s Threats.”
- On 21 July, the Federal Trade Commission (FTC) will open its monthly open meeting with this agenda:
- Care Labeling Rule: In July 2011, the Commission initiated a regulatory review proceeding of the Care Labeling Rule. As part of the proceeding, the Commission has solicited public comments on multiple proposals to change the rule, including a proposal to repeal the Rule entirely. The Commission will vote on whether to rescind the proposal to repeal the Care Labeling Rule.
- Proposed Policy Statement on Repair Restrictions Imposed by Manufacturers and Sellers: The FTC Act authorizes the Commission to adopt policy statements. The Commission will vote on whether to issue a new policy statement, following the Commission’s “Nixing the Fix” report which was unanimously agreed to and announced on May 6, 2021.
- Policy Statement on Prior Approval and Prior Notice Provisions in Merger Cases: In 1995, the Commission adopted a policy statement regarding “prior approval” and “prior notice” remedies in merger cases. The Commission will vote on whether to rescind this policy statement.
- On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.
- On 5 August, the Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
- Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
- Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
- Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
- Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
- Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
- Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Photo by Brett Sayles from Pexels