Other Developments, Further Reading, and Coming Events (21 July 2021)

Subscribe to my newsletter, The Wavelength, if you want the content on my blog delivered to your inbox four times a week before it’s posted here.

Other Developments

  • A third antitrust suit has been filed against Google in the United States (U.S.), this one alleging “exclusionary conduct relating to the Google Play Store for Android.” This action would seem to follow Epic Games’ suits against both Google and Apple, which kicked its game, Fortnite, out of their app stores when the company began offering users the means to make in-game purchases outside the companies’ payment systems, which entitle them to 30% of all such purchases. Utah Attorney General Sean Reyes, New York Attorney General Letitia James, North Carolina Attorney General Josh Stein, and Tennessee Attorney General Herbert Slatery III are leading the suit and are joined by other states’ attorneys general. This group filed suit in California to “accuse Google of using its dominance to unfairly restrict competition with Google Play Store, harming consumers by limiting choice and driving up app prices,” according to their press release. The attorneys general asserted:
    • According to the lawsuit, the heart of the case centers on Google’s exclusionary conduct, which substantially shuts out competing app distribution channels. Google also requires that app developers that offer their apps through the Google Play Store use Google Billing as a middleman. This arrangement, which ties a payment processing system to an app distribution channel, forces app consumers to pay Google’s commission – up to 30% – on in-app purchases of digital content made by consumers through apps that are distributed via the Google Play Store. This commission is much higher than the commission that consumers would pay if they had the ability to choose one of Google’s competitors instead. The lawsuit alleges that Google works to discourage or prevent competition, violating federal and state antitrust laws. Google had earlier promised app developers and device manufacturers that it would keep Android “open source,” allowing developers to create compatible apps and distribute them without unnecessary restrictions. The lawsuit says Google did not keep that promise.
    • When Google launched its Android OS, it originally marketed it as an “open source” platform. By promising to keep Android open, Google successfully enticed “OEMs”—mobile device manufacturers such as Samsung—and “MNOs”—mobile network operators such as Verizon—to adopt Android, and more importantly, to forgo competing with Google’s Play Store at that time. Once Google had obtained the “critical mass” of Android OS adoption, Google moved to close the Android OS ecosystem—and the relevant Android App Distribution Market—to any effective competition by, among other things, requiring OEMs and MNOs to enter into various contractual and other restraints. These contractual restraints disincentivize and restrict OEMs and MNOs from competing (or fostering competition) in the relevant market. The lawsuit alleges that Google’s conduct constitutes unlawful monopoly maintenance, among other claims.
    • In aid of Google’s efforts discussed above, the AGs allege that Google also engaged in the following conduct, all aimed at enhancing and protecting Google’s monopoly position over Android app distribution:
      • Google imposes technical barriers that strongly discourage or effectively prevent third-party app developers from distributing apps outside of the Google Play Store. Google builds into Android a series of security warnings (regardless of actual security risk) and other barriers that discourage users from downloading apps from any source outside Google’s Play Store, effectively foreclosing app developers and app stores from direct distribution to consumers.
      • Google has not allowed Android to be “open source” for many years, effectively cutting off potential competition. Google forces OEMs that wish to sell devices that run Android to enter into agreements called “Android Compatibility Commitments” or ACCs. Under these “take it or leave it” agreements, OEMs must promise not to create or implement any variants or versions of Android that deviate from the Google-certified version of Android.
      • Google’s required contracts foreclose competition by forcing Google’s proprietary apps to be “pre-loaded” on essentially all devices designed to run on the Android OS, and requires that Google’s apps be given the most prominent placement on device home screens.
      • Google “buys off” its potential competition in the market for app distribution. Google has successfully persuaded OEMs and MNOs not to compete with Google’s Play Store by entering into arrangements that reward OEMs and MNOs with a share of Google’s monopoly profits.
      • Google forces app developers and app users alike to use Google’s payment processing service, Google Play Billing, to process payments for in-app purchases of content consumed within the app. Thus, Google is unlawfully tying the use of Google’s payment processor, which is a separate service within a separate market for payment processing within apps, to distribution through the Google Play Store. By forcing this tie, Google is able to extract an exorbitant processing fee as high as 30% for each transaction and which is more than ten times as high as the fee charged by Google’s competitors.
  • The House and Senate have passed a number of targeted cybersecurity and technology bills, the likes of which have proven to be the only types of bills that have a chance of making it into law.
    • Last week, the Senate sent the “National Cybersecurity Preparedness Consortium Act of 2021” (S.658) to the House. In the committee report, it was asserted:
      • The purpose of S. 658, the National Cybersecurity Preparedness Consortium Act of 2021, is to codify the Secretary of Homeland Security’s existing authority to work with a consortium, primarily composed of nonprofit entities and academic institutions with expertise in cybersecurity, to address cybersecurity risks and incidents. The Secretary may work with such a consortium to provide assistance to the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security (DHS) to provide cybersecurity-related training and expertise to state and local first responders and critical infrastructure owners and operators.
    • This week, the House took up and passed the following bills, per House Majority Whip Jim Clyburn’s (D-SC) summaries:
      • H.R. 2668 – Consumer Protection and Recovery Act (Rep. Cardenas – Energy and Commerce). This bill restores the Federal Trade Commission’s longstanding authorities to pursue relief on behalf of consumers against corporations that violate federal law.  It responds to the Supreme Court’s recent decision to block the FTC from using this authority as it has for the last four decades to send billions in relief back into consumers’ pockets in cases of telemarketing fraud, anticompetitive pharmaceutical practices, data security and privacy, and others.
      • H.R. 3119 – Energy Emergency Leadership Act (Rep. Rush – Energy and Commerce). The bill creates a new Department of Energy Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.
      • H.R. 2931 – Enhancing Grid Security through Public-Private Partnerships Act (Rep. McNerney – Energy and Commerce). The bill directs the Secretary of Energy, in consultation with States, other Federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cybersecurity of electric utilities.  The bill also requires an update to the Interruption Cost Estimate (ICE) Calculator, an electric reliability planning tool for estimating electricity interruption costs and the benefits associated with reliability improvements, at least once every 2 years.
      • H.R. 2928 – Cyber Sense Act of 2021 (Rep. Latta – Energy and Commerce). The bill requires the Secretary of Energy to establish the Cyber Sense Program.  This voluntary program would identify cyber-secure products that could be used in the bulk-power system.
      • H.R. 1754 – MEDIA Diversity Act of 2021 (Rep. Long – Energy and Commerce). This bill requires the FCC to consider market entry barriers for socially disadvantaged individuals in the communications marketplace.
      • H.R. 3003 – Promoting United States Wireless Leadership Act of 2021 (Rep. Walberg – Energy and Commerce). This bill directs NTIA to encourage participation by trusted American companies and other stakeholders in standards-setting bodies, and to offer technical assistance to such stakeholders that elect to participate, in the course of developing standards for 5G networks and future generations of communications networks.
      • H.R. 3138 – State and Local Cybersecurity Improvement Act, as amended (Rep. Clarke – Homeland Security). This bill would authorize a new DHS grant program to address cybersecurity vulnerabilities on State and local government networks. The new grant program would be authorized at $500 million with a graduating cost-share that incentivizes States to increase funding for cybersecurity in their budgets. Under the bill, State, tribal, and territorial governments would be required to develop comprehensive cybersecurity plans to guide the use of grant funds. The bill also requires CISA to develop a strategy to improve the cybersecurity of State, local, tribal, and territorial governments, among other things, identify Federal resources that could be made available to State and local governments for cybersecurity purposes, and set baseline objectives for State and local cybersecurity efforts. CISA would also be required to assess the feasibility of implementing a short-term rotational program for the detail of approved State, local, Tribal, and territorial government employees in cyber workforce positions at CISA. Lastly, the bill establishes a State and Local Cybersecurity Resilience Committee comprised of representatives from State, local, tribal, and territorial governments to advise and provide situational awareness to CISA regarding the cybersecurity needs of such governments. In the 116th Congress, the House passed by voice vote a similar version of this bill (H.R. 5823) which was introduced by Rep. Richmond.
      • H.R. 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended (Rep. Katko – Homeland Security). This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to lead Federal efforts to detect and mitigate threats and vulnerabilities to industrial control systems. The measure also requires CISA to maintain cross-sector incident response capabilities, provide technical assistance to stakeholders and collect, coordinate, and provide vulnerability information about industrial control systems to stakeholders. Industrial control systems (ICS) monitor, control, and safeguard operational processes in critical infrastructure such as electric power generators, dams, water treatment facilities, medical devices, nuclear power plants, and natural gas pipelines. In the 115th Congress, a nearly identical version of the measure (H.R. 5733) passed the House by voice vote on June 25, 2018.
      • H.R. 2980 – Cybersecurity Vulnerability Remediation Act, as amended (Rep. Jackson-Lee – Homeland Security). This bill would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to develop and distribute “playbooks,” in consultation with private sector experts, to provide procedures and mitigation strategies for the most critical, known vulnerabilities – especially those affecting software or hardware that is no longer supported by a vendor. The playbooks would be available to Federal agencies, industry, and other stakeholders. H.R. 2980 would also allow for the DHS Science and Technology Directorate (S&T), in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities that are no longer supported. The ANS is updated to emphasize the prioritization of industrial control systems of critical infrastructure that may be targeted like the systems that underpin water systems and pipelines.
      • H.R. 3223 – CISA Cyber Exercise Act (Rep. Slotkin – Homeland Security). This bill establishes a National Cyber Exercise program within CISA. This legislation builds upon language in H.R. 6395, National Defense Authorization Act for Fiscal Year 2021, which directed the Secretary of Homeland Security, in coordination with the Attorney General, the Secretary of Defense, and the Director of National Intelligence, to carry out at least three exercises over 12 years to test the national capability to respond to cyber attacks involving critical infrastructure. H.R. 3223 complements the capstone exercise program authorized in H.R. 6395 by directing CISA, in consultation with sector risk management agencies, as appropriate, to develop an exercise program that is designed to more regularly test and assess systemic preparedness and resilience to cyber attacks against critical infrastructure, including by developing model exercises that State and local governments and private sector entities can readily adapt.
      • H.R. 3264 – Domains Critical to Homeland Security Act (Rep. Katko – Homeland Security). This bill authorizes DHS to conduct research and development into supply chain risks for critical domains of the United States economy. The bill would require DHS to conduct a risk analysis for each critical domain to determine potential homeland security threats caused by disruption, corruption, exploitation, or dysfunction of the domain. Based on the results of the risk analysis, the bill would authorize the Department to do further research into those critical domains considered highest risk to analyze the industries within the domains, examine performance under varying conditions, and identify ways to establish supply chain resiliency, among other things. The bill directs the Secretary of Homeland Security to report annually to Congress through fiscal year 2026 on the results of the Department’s research, along with actions the Secretary has taken or plans to take in response to the results.
  • The European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee issued a study it commissioned, titled “Exchanges of Personal Data After the Schrems II Judgment,” that “examines reforms to the legal framework for the exchange of personal and other data between the EU and the USA that would be necessary to ascertain that the requirements of EU law are satisfied and that the rights of EU citizens are respected, following the Schrems II judgment of the EU Court of Justice.” The authors of the paper explained:
    • On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress. The judgment upheld the validity of standard contractual clauses to allow data transfers under the General Data Protection Regulation (GDPR), but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed.
    • In this context the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) requested this study on reforms to the legal framework for the exchange of personal and other data between the EU and the USA to ensure EU law requirements are satisfied and EU citizens’ rights are respected.
    • Our analysis shows that no US federal or state privacy law is likely to provide “essentially equivalent” protection compared to the EU GDPR in the foreseeable future. Indeed, there are serious and in practice insurmountable US constitutional and institutional as well as practical/political obstacles to the adoption of such laws.
    • For the FTC to become an effective supervisory authority on the lines of the EU authorities, the FTC Act would likely have to be expanded or a new statute passed. Additionally, new or expanded Memoranda of Understanding should be signed among multiple US agencies, creating shared, coordinating enforcement teams.
    • It may not be possible to provide a right of action for individuals as broad as that envisaged in the GDPR. However, Congress could still significantly strengthen the right of action – and standing – of individuals, including non-US persons, who are significantly affected by privacy-related “unfair or deceptive acts or practices” committed by private entities.
    • If (i) the US and the EU were to take the legislative steps we outline relating to substance, enforcement and individuals’ rights of action and (ii) the US were to reform its surveillance laws and practices, then a new EU-US arrangement for self-certification by US entities could be achieved, under which the EU could issue a new positive adequacy decision on the USA, limited to personal data transferred from the EU to entities that had self-certified their voluntary compliance with the EU GDPR substantive standards. Without these reforms, EU data protection authorities will be required to consider suspending transfers of personal data to the US even following an adequacy decision by the European Commission.
  • A Canadian federal court is permitting the Office of the Privacy Commissioner to continue to look into Google’s possible violation of Canada’s primary privacy statute, the “Personal Information Protection and Electronic Documents Act” (PIPEDA). The Privacy Commissioner posed two questions to the court and received the green light to continue investigating Google. The Federal Court stated:
    • This Reference is brought on the fringe of the Commissioner’s investigation of a complaint made in June 2017 against Google LLC [Google]. The Complainant states that Google contravenes the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA] by displaying links to news articles that contained personal and sensitive information about him, when his name is searched using Google’s search engine. Information in the materials filed by the parties that could identify the Complainant will remain confidential in accordance with the Order of Madam Prothonotary Tabib dated November 2, 2018.
    • The Federal Court found:
      • To the question: Does Google, in the operation of its search engine service, collect, use or disclose personal information in the course of commercial activities within the meaning of paragraph 4(1)(a) of PIPEDA when it indexes webpages and presents search results in response to searches of an individual’s name?
        • The Court’s answer is: Yes
      • To the question: Is the operation of Google’s search engine service excluded from the application of Part 1 of PIPEDA by virtue of paragraph 4(2)(c) of PIPEDA because it involves the collection, use or disclosure of personal information for journalistic, artistic or literary purposes and for no other purpose?
        • The Court’s answer is: No
  • The Federal Trade Commission (FTC) and the United States (U.S.) Department of Justice (DOJ) reached a settlement with Toronto-based Kuuhuub Inc., along with its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, over allegations that they violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). In the FTC’s press release, the agency claimed:
    • The operators of an online coloring book app will be required to notify parents and offer refunds to current underage subscribers to settle Federal Trade Commission allegations that they violated a children’s privacy law by collecting and disclosing personal information about children who used the app without notifying their parents and obtaining their consent.
    • In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleged that the Toronto-based Kuuhuub Inc., along with its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). The Rule requires websites and apps to provide notice to parents and obtain verifiable parental consent before collecting personal information from children if the website or app—or even a portion of the website or app—is directed at children under 13.
    • The companies operate the Recolor coloring book app, which provides images that users can digitally color on their mobile devices. While billed as a “coloring book for adults,” a portion of the coloring book app was directed to children. The images are organized in a library with categories such as Movies and Animals. One popular category, called Kids, included images that would appeal to children, such as animated characters and cartoonish animals.
    • In addition to the coloring feature, the app, which generates revenues from ads and paid subscriptions, offers social media features such as the ability to upload images for others to view, comment on, and like. To access these social media features, users must register for an account by providing an email address, screen name, and an optional profile description and picture, which are made public to other users.
    • The FTC alleged that some children including those under 13 were able to register for accounts and use some of the social media features. The companies received dozens of complaints from parents and users who said that children were using the app’s social media features such as posting selfies and interacting with other users including adults.
    • In its complaint, the FTC alleged that the Recolor app collected personal information from children under the age of 13 who used the app’s social media features and allowed third-party advertising networks to collect personal information from users in the form of persistent identifiers, also known as cookies, for targeted ads. The companies failed to instruct the ad networks to refrain from using children’s persistent identifiers for behavioral advertising, according to the complaint. The FTC also alleged that the companies failed to provide notice to parents or obtain verifiable parental consent before collecting personal information from underage users of the Recolor app in violation of the COPPA Rule.
    • Under the settlement, the companies must delete all the personal information they collected from children under 13 unless they obtain parental consent, and must offer current paid subscribers of the Recolor app a refund if they were under the age of 18 when they signed up for the app. The companies also agreed to a $3 million monetary penalty, which will be suspended upon payment of $100,000 due to their inability to pay the full amount. They will be required to pay the full amount if they have misrepresented their finances. In addition, if they sell the app within a year following entry of the order, they must remit the net proceeds from the sale to the FTC, after the payment of debts and other related expenses.
    • The companies must notify users of the app about the alleged COPPA Rule violations and the steps that users can take in response to the settlement.
  • The Federal Communications Commission (FCC) announced that “schools and libraries can now begin to file applications for the $7.17 billion Emergency Connectivity Fund, the agency’s latest effort to connect Americans.” The agency stated:
    • Schools and libraries can apply for financial support to purchase laptops and tablets, Wi-Fi hotspots, modems, routers, and broadband connections to serve unmet needs for off-campus use by students, school staff, and library patrons.  From June 29 to August 13, eligible schools and libraries can submit requests for funding to purchase eligible equipment and services for the 2021-22 school year.
  • Senator Marco Rubio (R-FL) introduced the “Disincentivizing Internet Service Censorship of Online Users and Restrictions on Speech and Expression (DISCOURSE) Act” (S.2228) that would “halt Big Tech’s censorship of Americans, defend free speech on the internet, and level the playing field to remove unfair protections that shield massive Silicon Valley firms from accountability” per his press release. Rubio claimed his bill:
    • would hold Big Tech responsible for complying with pre-existing obligations per Section 230 of the Communications Decency Act (CDA) of 1996 and clarify ambiguous terms that allow Big Tech to engage in censorship.
    • Specifically, the DISCOURSE Act updates the statute so that when a market-dominant firm actively promotes or censors certain material or viewpoints — including through the manipulative use of algorithms — it no longer receives protections. The bill also limits Section 230 immunities for large corporations that fail to live up to the statute’s obligations. 
    • Rubio made available a one-page summary and offered this summary in his press release:
      • Holds Big Tech responsible for complying with Section 230’s existing obligations: 
        • Amends 230(c)(1) so that immunity guaranteed under the provision is only granted to big tech firms that comply with Section 230’s existing customer protection and information requirement.  
      • Amends Section 230(f)(3) to include the following activities for which an interactive computer service is defined as an “Information content provider” and is thus responsible for the information on its platform:
        • 1. Algorithmic amplification: The use of algorithmic amplification by a market-dominant firm to target the third-party provided content to users on the platform when the user has not requested or searched for the content.
        • 2. Moderation activity: Engaging in content moderation activity that reasonably appears to express, promote, or suppress a discernible viewpoint, including reducing or eliminating the ability of an information content provider to earn revenue.
        • 3. Information creation and development: Soliciting, commenting on, funding, contributing to, and modifying information provided by another person.
        • For each of these categories, an interactive computer service is responsible for specific information if it has engaged in any of the actions with respect to any user content. However, if the company engages in a pattern or practice of such behavior, it is liable for all of the content on its site.
      • Amends Section 230(c)(2) to replace vague and subjective language with defined and legal terms: 
        • Conditions the content moderation liability shield on an objective reasonableness standard. In order to be protected from liability, a tech company may only restrict access to content on its platform where it has “an objectively reasonable belief” that the content falls within a specified category;  
        • Removes “otherwise objectionable” and replaces it with concrete terms, including “promoting terrorism,” content that is determined to be “unlawful,” and content that promotes “self-harm.”  
        • Includes a religious liberty clause, which states explicitly that (c)(2) does not extend liability protections to decisions that restrict content based on their religious nature. 
      • Requires disclosures to inform and protect consumers: 
        • Requires interactive computer services to issue public disclosures related to content moderation, promotion, and curation so that consumers can make informed choices when it comes to the use of such services.  
      • Clarifies that Section 230 immunity is an affirmative defense in a criminal or civil action.
  • Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS) wrote the Departments of Education, Agriculture, and the Treasury “requesting the agencies to report on the disbursement of funds received for broadband deployment, adoption, or other connectivity initiatives from the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, Consolidated Appropriations Act of 2021, and American Rescue Plan Act of 2021” per his press statement. Wicker contended:
    • The Department of Education received funding through all three legislative packages, with significant flexibility to allocate the funds as needed to help schools re-open safely or facilitate the transition to distance learning when schools could not re-open. In addition, the Federal Communications Commission received $7.1 billion for distance learning. The letter to Secretary Miguel Cardona requests details on coordination between the two agencies. 
    • The ReConnect program at the Department of Agriculture received $100 million from the CARES Act and an additional $635 million in the Consolidated Appropriations Act of 2021 for rural broadband deployment. ReConnect was an existing program prior to the pandemic, but received supplemental funding through the relief packages.
    • The Treasury was responsible for administering billions of dollars in relief funds, including $150 billion from the CARES Act and $360 billion from the American Rescue Plan. These funds were to be used by state and local governments to cover costs incurred as a result of the pandemic, as well as for a wide range of infrastructure and capital initiatives. Broadband infrastructure and remote healthcare and education were among the eligible uses. Treasury has already issued a detailed report on the funds disbursed to this point, and, because of this existing reporting, the letter directed to Secretary Janet Yellen requests that this practice continue.
  • The Government Accountability Office (GAO) has issued a number of priority recommendations reports for various United States (U.S.) agencies over the last month. In the report to the Office of Management and Budget (OMB), the GAO explained the purpose of the document is to “provide an update on the overall status of the OMB’s implementation of GAO’s recommendations and to call your personal attention to critical open recommendations that should be given high priority.” GAO stated:
    • In November 2020, we reported that on a government-wide basis, 77 percent of our recommendations made 4 years ago were implemented. As of June 2021, OMB’s recommendation implementation rate was 60 percent and OMB had 153 open recommendations. Fully implementing these open recommendations could yield significant savings and other improvements in executive branch agency operations.
    • Since our April 2020 letter, OMB has implemented four of our 35 open priority recommendations.
      • OMB, in coordination with the Department of the Treasury, issued additional guidance related to the Digital Accountability and Transparency Act of 2014 (DATA Act). The various guidance implements two priority recommendations that could help ensure that the integrity of certain data standards is maintained over time and improve the clarity, consistency, and quality of agency spending data.
      • OMB updated improper payment guidance, implementing two priority recommendations that will help agencies better address inconsistencies in improper payment estimations and improve congressional oversight of noncompliant programs.
    • Given the critical role OMB plays in providing oversight of vital government-wide performance and management issues, we ask for your attention to the remaining 31 open priority recommendations identified in the 2020 letter. We also are adding 13 new recommendations related to improving government performance, increasing availability and transparency of government data, improving acquisition management and reducing costs, reducing government-wide improper payments, improving federal real property asset management, and improving information management. This brings the total number of priority recommendations to 44….
    • The GAO highlighted priorities related to technology:
      • Improving acquisition management and reducing costs. Implementing 10 priority recommendations related to federal acquisitions would help agencies improve the management of high-priority information technology (IT) projects and achieve billions of dollars in other potential savings. For instance, the federal government spends more than $90 billion annually on IT investments. However, too often these investments have cost overruns and schedule delays. To enhance the oversight of high-priority IT projects, in November 2017 we recommended the Federal Chief Information Officer (CIO) become more directly involved in the oversight of these projects. In May 2020, OMB told us that its process for identifying high priority programs had evolved and been superseded by a process for identifying agencies’ most critical assets—known as high-value assets. The agency stated that both the Federal CIO and Federal Chief Information Security Officer were engaged in overseeing these assets through their involvement on the Federal CIO and Federal Chief Information Security Officer Councils. However, as of April 2021, OMB had not taken additional action to ensure that the Federal CIO was directly involved in the oversight of the full range of high priority programs across the federal government. As we reported, such oversight would improve accountability and achieve positive results for the federal government’s investments.
      • Category management is a government-wide initiative led by OMB that saves the federal government billions of dollars each year by improving how agencies buy common products and services. We are designating five recommendations that we made to the Director of OMB in November 2020 as priority recommendations. These relate to improving how agencies define requirements for common products and services, and leading efforts to address government-wide data challenges, among other things. OMB agreed with the substance of our recommendations, and reported in April 2021 some specific actions it plans to take in the coming year, such as updating its Fiscal Year 2022 Key Performance Indicators to include metrics for requirements definition.
      • Strengthening information security. Two priority recommendations are aimed at ensuring the security of federal information systems. Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets. Safeguarding federal information systems has been a longstanding concern. We first designated it as a government-wide high-risk area in 1997.
      • One recommendation from July 2019 is for OMB to expand its coordination of meetings that engage agency leadership on cybersecurity—known as CyberStat meetings—to those agencies with a demonstrated need for assistance in implementing information security. By increasing the number of agencies participating in CyberStat meetings, OMB gains an opportunity to assist agencies with improving their information security posture. OMB also would increase its ability to oversee specific agency efforts to provide information security protections for federal information and information systems.
      • In March 2021, OMB officials stated that they have held numerous meetings with various agencies on CyberStat-related topics and are continuing to work with the Department of Homeland Security to update a concept of operations document. To fully implement this recommendation, OMB needs to finalize and release the CyberStat concept of operations document and increase agency participation in CyberStat meetings.
      • In December 2019, we recommended that OMB establish a process for monitoring and holding agencies accountable for authorizing cloud services through the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is intended to provide a standardized approach for selecting and authorizing the use of cloud services that meet federal security requirements. Greater OMB oversight through such a process could increase federal agency participation in the FedRAMP program and may provide greater assurance that agency information stored in a cloud environment is better protected and aligns with federal security requirements. In April 2021, OMB stated that it was coordinating with federal agencies and the General Services Administration’s FedRAMP to improve administrative processes. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies’ compliance with using the program.

Further Reading

  • “An Office Phone Flaw Can’t Be Fixed by Cisco Alone” By Lily Hay Newman — WIRED. Ang Cui has spent 10 years hacking into internet-connected office phones and other “embedded devices”—that is, devices that don’t look like computers or servers but have all the trappings: a processor, memory, and, often, the ability to connect to other devices or the internet. As the founder of Red Balloon Security, Cui spends plenty of time evaluating sophisticated industrial control systems and even satellite infrastructure, but he still comes back to IP phones as a barometer for how much progress has been made securing the Internet of Things. His latest research indicates that there’s still a long way to go.
  • “This Manual for a Popular Facial Recognition Tool Shows Just How Much the Software Tracks People” By Alfred Ng — The Markup. In 2019, the Santa Fe Independent School District in Texas ran a weeklong pilot program with the facial recognition firm AnyVision in its school hallways. With more than 5,000 student photos uploaded for the test run, AnyVision called the results “impressive” and expressed excitement at the results to school administrators. “Overall, we had over 164,000 detections the last 7 days running the pilot. We were able to detect students on multiple cameras and even detected one student 1100 times!” Taylor May, then a regional sales manager for AnyVision, said in an email to the school’s administrators.
  • “Vietnam orders Netflix to remove Australian spy show over South China Sea map” By James Pearson — Reuters. Netflix Inc (NFLX.O) has removed Australian spy drama “Pine Gap” from its services in Vietnam after a complaint from broadcast authorities in the Southeast Asian country about the appearance of a map which depicts Chinese claims in the South China Sea.
  • “UK’s largest chip plant to be acquired by Chinese-owned firm Nexperia amid global semiconductor shortage” By Sam Shead — CNBC. Newport Wafer Fab, the U.K.’s largest chip producer, is set to be acquired by Chinese-owned semiconductor company Nexperia for around £63 million ($87 million) next week, according to two sources close to the deal who asked to remain anonymous because the information is not yet public. Nexperia, a Dutch firm that is 100%-owned by China’s Wingtech Technology, told CNBC on Friday that the deal talks are ongoing.
  • “Facebook has become a $1 trillion company” By Mitchell Clark — The Verge. Facebook has joined the ranks of companies valued over a trillion dollars as of today’s market close. The company’s market cap is sitting at $1.008 trillion according to Yahoo Finance, putting it over the mark for the first time in its history. Some of the most notable of Facebook’s divisions are the Facebook site itself, along with Messenger, as well as Instagram, WhatsApp, and Oculus. On the list of US tech companies that have passed the $1 trillion valuation mark, Facebook is the only one founded in the 2000s, making it the newest — as long as you’re counting from the date that Google was started (which was in 1998), instead of Alphabet (which was created in 2015).
  • “New Laws Are ‘Probably Needed’ to Force US Firms to Patch Known Cyber Vulnerabilities, NSA Official Says” By Patrick Tucker — Nextgov. The vast majority of cyber attacks exploit known vulnerabilities that could be fixed by patching older software and replacing older computing gear. But that costs money, and legislation will likely be needed to force companies to make these fixes soon — before the kind of AI-powered tools used by Russia and China become commonplace among smaller-scale hackers, said Rob Joyce, who leads the National Security Agency’s Cybersecurity Directorate.
  • “AT&T gives investors and gov’t wildly different takes on need for fiber Internet” By Jon Brodkin — Ars Technica. AT&T says fiber Internet is a “superior” technology that is built for today and the future because of its ability to deliver symmetrical upload and download speeds of 1Gbps and higher. AT&T also says that “there is no compelling evidence” to support the deployment of fiber across the US and that rural people should be satisfied with nonfiber Internet access that provides only 10Mbps upload speeds.
  • “Elon Musk says Starlink will be available worldwide in August” By Marguerite Reardon — CNET. Elon Musk’s satellite broadband service, Starlink, will be available worldwide except the North and South Poles starting in August, the billionaire entrepreneur said Tuesday during a talk at the virtual Mobile World Congress 2021. Starlink is “operational now in about 12 countries, and more are being added every month,” Musk said.
  • “Hong Kong working to share its digital IDs with mainland China” By Laura Dobberstein — The Register. Hong Kong’s Office of the Government Chief Information Officer (OGCIO) has revealed that the territory is investigating the use of its digital ID in mainland China. In a Q&A, Secretary for Innovation and Technology, Mr Alfred Sit, said “the OGCIO is exploring with relevant authorities in the Mainland and Macao the collaboration opportunities between their identity authentication systems and iAM Smart.”
  • “Cybersecurity Funding Faces Political Clash During Appropriations Markup” By Mariam Baksh — Nextgov. A leading Republican on the House Appropriations Committee will not support a bill that significantly increases funding for the Cybersecurity and Infrastructure Security Agency due to disputes over immigration issues raised by the administration of former President Donald Trump. “For some of the bill’s funding, we are in complete agreement: cybersecurity, [Transportation Security Administration], Secret Service, and Scientific and Technology, just to name a few,” said Rep. Chuck Fleischmann, R-Tenn., ranking member of Appropriations’ subcommittee on Homeland Security. “The proposed investments are worthy of our support. However, in order to truly get across the finish line, we must come to a reasonable agreement on the immigration issues and until that is done, we just cannot support this bill in its current form.”

Coming Events

  • 21 July
    • The Senate Armed Services Committee will mark up its FY 2022 National Defense Authorization Act in a closed session.
    • The House Ways and Means Committee’s Trade Subcommittee will hold a hearing titled “The Global Challenge of Forced Labor in Supply Chains: Strengthening Enforcement and Protecting Workers.”
    • The Senate Environment and Public Works Committee will hold a hearing titled “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure.”
    • The House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will hold a hearing titled “Moving Forward: Evaluating Next Steps for the Department of Veterans Affairs Electronic Health Record Modernization Program.”
  • 27 July
  • 28 July
    • The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
  • 5 August
    • The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
      • Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
      • Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
      • Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
      • Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
      • Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
      • Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
  • 1 September
    • The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by OpenClipart-Vectors from Pixabay

Image by Jill Wellington from Pixabay

Photo by Kai Wenzel on Unsplash

Photo by Pawel Czerwinski on Unsplash

Photo by The Climate Reality Project on Unsplash
