Other Developments, Further Reading, and Coming Events (20 July 2021)

Other Developments

  • The United States (U.S.), allies, and other nations identified the People’s Republic of China (PRC) as being behind the Microsoft Exchange hack that compromised thousands of systems around the globe. The U.S. and other nations attributed the Microsoft Exchange server zero day attacks with a high degree of confidence to the PRC’s Ministry of State Security (MSS). The claims contextualized this attack within the PRC’s alleged history of conducting or sponsoring such activities and called on Beijing to stop. Not surprisingly, the PRC rejected these claims and accused the U.S. of hacking PRC entities. In its statement, the White House contended:
    • The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security.
    • An unprecedented group of allies and partners – including the European Union, the United Kingdom, and NATO – are joining the United States in exposing and criticizing the PRC’s malicious cyber activities.
    • The PRC’s pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world. Today, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activities is bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.
    • Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing, defense, and mitigation helps hold countries like China to account. Working collectively enhances and increases information sharing, including cyber threat intelligence and network defense information, with public and private stakeholders and expand diplomatic engagement to strengthen our collective cyber resilience and security cooperation. Today’s announcement builds on the progress made from the President’s first foreign trip. From the G7 and EU commitments around ransomware to NATO adopting a new cyber defense policy for the first time in seven years, the President is putting forward a common cyber approach with our allies and laying down clear expectations and markers on how responsible nations behave in cyberspace.
    • The White House highlighted completed actions in response to this and the SolarWinds hack and previewed ongoing and coming actions, including:
      • The Administration has funded five cybersecurity modernization efforts across the Federal government to modernize network defenses to meet the threat. These include state-of-the-art endpoint security, improving logging practices, moving to a secure cloud environment, upgrading security operations centers, and deploying multi-factor authentication and encryption technologies.
      • The Administration is implementing President Biden’s Executive Order to improve the nation’s cybersecurity and protect Federal government networks. The E.O. contains aggressive but achievable implementation milestones, and to date we have met every milestone on time including:
        • The National Institute of Standards and Technology (NIST) convened a workshop with almost 1000 participants from industry, academia, and government to obtain input on best practices for building secure software.
        • NIST issued guidelines for the minimum standards that should be used by vendors to test the security of their software. This shows how we are leveraging federal procurement to improve the security of software not only used by the federal government but also used by companies, state and local governments, and individuals. 
        • The National Telecommunications and Information Administration (NTIA) published minimum elements for a Software Bill of Materials, as a first step to improve transparency of software used by the American public.  
        • The Cybersecurity and Infrastructure Security Agency (CISA) established a framework to govern how Federal civilian agencies can securely use cloud services.
      • We continue to work closely with the private sector to address cybersecurity vulnerabilities of critical infrastructure. The Administration announced an Industrial Control System Cybersecurity Initiative in April and launched the Electricity Subsector Action Plan as a pilot. Under this pilot, we have already seen over 145 of 255 priority electricity entities that service over 76 million American customers adopt ICS cybersecurity monitoring technologies to date, and that number keeps growing. The Electricity Subsector pilot will be followed by similar pilots for pipelines, water, and chemical.
      • The Transportation Security Administration (TSA) issued Security Directive 1 to require critical pipeline owners and operators to adhere to cybersecurity standards. Under this directive, those owners and operators are required to report confirmed and potential cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. The directive also requires critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days. In days to come, TSA will issue Security Directive 2 to further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.
  • In an action coordinated with the White House’s statement of attribution of the Microsoft Exchange hack to the People’s Republic of China (PRC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a number of advisories about PRC activity:
    • CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations.
  • The Cybersecurity and Infrastructure Security Agency’s (CISA) Executive Assistant Director Eric Goldstein blogged about a page the agency published on its website titled “Chinese Cyber Threat Overview and Actions for Leaders.” CISA suggested that leaders of organizations should:
    • Ensure your organization has incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident, have the accesses they need, and are positioned to act in a calm and unified manner. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Join other industry leaders and report incidents to help serve as part of CISA’s early warning system (see the Contact Information below). For guidance on responding to an incident, refer to Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
    • Stay informed about Chinese malicious cyber activity. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese state-sponsored indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) for immediate response. Use technical resources on Chinese malicious activity, such as us-cert.cisa.gov/china and nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance, to help ensure your security personnel possess the information to identify and report malicious cyber activity.
  • The United States (U.S.) Department of Justice (DOJ) unsealed a May 2021 indictment against four People’s Republic of China (PRC) nationals for hacking against U.S. and other entities. The agency claimed the four indicted individuals focused the majority of their activities on exfiltrating information and data of economic benefit to the PRC across a range of fields. The agency asserted:
    • A federal grand jury in San Diego, California, returned an indictment in May charging four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.
    • The indictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.
    • The two-count indictment alleges that Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), were HSSD officers responsible for coordinating, facilitating and managing computer hackers and linguists at Hainan Xiandun and other MSS front companies to conduct hacking for the benefit of China and its state-owned and sponsored instrumentalities. The indictment alleges that Wu Shurong (吴淑荣) was a computer hacker who, as part of his job duties at Hainan Xiandun, created malware, hacked into computer systems operated by foreign governments, companies and universities, and supervised other Hainan Xiandun hackers.
    • The conspiracy’s hacking campaign targeted victims in the United States, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland and the United Kingdom. Targeted industries included, among others, aviation, defense, education, government, health care, biopharmaceutical and maritime. Stolen trade secrets and confidential business information included, among other things, sensitive technologies used for submersibles and autonomous vehicles, specialty chemical formulas, commercial aircraft servicing, proprietary genetic-sequencing technology and data, and foreign information to support China’s efforts to secure contracts for state-owned enterprises within the targeted country (e.g., large-scale high-speed railway development projects). At research institutes and universities, the conspiracy targeted infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg and tularemia.
    • As alleged, the charged MSS officers coordinated with staff and professors at various universities in Hainan and elsewhere in China to further the conspiracy’s goals. Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address.
  • The top Republicans on the House and Senate’s commerce committees wrote President Joe Biden urging him “to work with Congress to enact a nationwide consumer data privacy law.” Given that these Republicans have reportedly been in talks with their Democratic counterparts this year regarding privacy legislation, this letter may be a sign that such talks are at an impasse. Hence, these Members may be trying to get the White House onto the field to get talks moving or maybe to soften the Democrats’ insistence that a private right of action be part of the bill and that no state laws be preempted. Nonetheless, Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS), House Energy and Commerce Committee Ranking Member Cathy McMorris Rodgers (R-WA), the ranking member of the Consumer Protection, Product Safety, and Data Security Subcommittee, Senator Marsha Blackburn (R-TN), and the ranking member of the Consumer Protection and Commerce Subcommittee, Representative Gus Bilirakis (R-FL), invoked the recent wave of ransomware and cyber attacks as the impetus for national privacy legislation:
    • In light of the recent increase of cyberattacks on United States critical infrastructure, as well as businesses and localities, and ongoing efforts to expand internet services to every American, we urge you to prioritize comprehensive data privacy legislation as part of your Administration’s agenda. Such legislation should:
      • Establish one national data protection standard, rather than a patchwork of state laws, to provide consumers across the country with the same strong protections over their personal information no matter where they live;
      • Increase transparency and accountability to ensure consumers have a better understanding of how their information is collected, used, and shared, and to ensure companies who misuse consumer information are held sufficiently accountable;
      • Promote innovation by setting clear and workable rules that enable startups and small businesses to grow and compete; and
      • Enhance data security protections to ensure companies have reasonable practices in place to safeguard consumer information. 
    • Absent much-needed federal data privacy legislation, we risk losing consumers’ trust and confidence in the internet marketplace and undermining our national security and technological leadership abroad. In particular, the passage of federal data privacy legislation would bolster America’s position in the ongoing negotiations with the European Union to create a new framework governing transatlantic data flows. It would also solidify the United States’ status as a global leader on consumer privacy, by ensuring innovation and competition remain a foundational principle to our economic advancements, especially at a time when China, Russia, and others seek to do the same.
  • The European Union (EU) Parliament passed a three-year temporary derogation to EU law to help web service providers locate and take down child sexual abuse material (CSAM). Next, the Council of Europe needs to agree to the change for it to take effect. In a press release, the Parliament explained:
    • In the context of a worrying increase in the volume of child abuse material on the internet exacerbated by the pandemic, the House backed with 537 votes in favour, 133 against and 24 abstentions a piece of legislation to protect children more effectively from sexual abuse and exploitation when using webmail, chat and messaging services.
    • The agreement reached in April foresees the temporary derogation from Articles 5(1) and 6(1) of Directive 2002/58/EC, which protects the confidentiality of communications and traffic data. This legislation will apply for a maximum of three years, or fewer if new permanent rules on tackling child sexual abuse online are agreed in the meantime.
    • Voluntary detection by service providers
      • Service providers should use the least privacy-intrusive technologies possible.
    • Child sexual abuse material
      • Online material linked to child sexual abuse is detected using specific technologies that scan content, such as images and text, or traffic data. While hashing technology helps with images and videos, classifiers and artificial intelligence are used to analyse text or traffic data to detect cyber grooming.
      • The new rules will not apply to the scanning of audio communication.
    • Strengthened privacy protection
      • MEPs insisted on establishing appropriate procedures and redress mechanisms to ensure that individuals can lodge complaints if they consider that their rights have been infringed. National data protection authorities will have better oversight of the technologies used by the service providers through prior impact assessment and consultation procedures.
  • The House Appropriations Committee completed work on its FY 2022 Department of Defense Appropriations Act and Homeland Security Appropriations Act. It is unclear when the full House will consider the bills.
    • In the report accompanying the FY 2022 Department of Defense Appropriations Act, the committee stated:
      • The Committee recommendation for total discretionary fiscal year 2022 Department of Defense funding is $705,939,000,000, which is an increase of $9,977,500,000 above the fiscal year 2021 enacted level and $258,170,000 below the budget request.
      • With regard to Overseas Contingency Operations (OCO) funding, House Report 116–453 stated, ‘‘The OCO experiment has been an abject failure and has given the Department a budgetary relief valve that has allowed it to avoid making difficult decisions.’’ The Committee builds upon that statement by not providing any funding for OCO in fiscal year 2022. Instead of separate base and OCO accounts, all activities will be funded in base accounts, including direct war and enduring requirements. This change will increase transparency and accountability, although it necessitates adding amounts in base and OCO accounts enacted in fiscal year 2021 when comparing to recommended levels in base accounts in fiscal year 2022.
    • In the report accompanying the FY 2022 Homeland Security Appropriations Act, the committee explained:
      • The Committee recommendation includes $76,154,086,000 in total discretionary appropriations for the Department of Homeland Security, including $52,811,000,000 within the bill’s 302(b) budget allocation, $4,544,086,000 in discretionary appropriations offset by fee collections, and $18,799,000,000 as a budget cap adjustment for major disaster response and recovery activities. The overall total is an increase of $931,023,000 above the fiscal year 2021 total and $387,333,000 above the President’s budget request. The total within the allocation is $934,000,000 above the fiscal year 2021 level.
      • The Committee recommends an increase of $397,372,000 above the fiscal year 2021 level for the Cybersecurity and Infrastructure Security Agency to better protect federal civilian cyber networks and better help state and local governments and the private sector secure both cyber and physical infrastructure, including election infrastructure.
      • The recommendation includes increases above the request totaling $236,230,000, including $170,752,000 for the Cybersecurity Division; $21,137,000 for the Infrastructure Security Division; $1,000,000 for the Emergency Communications Division; $17,100,000 for integrated operations; $10,200,000 for Risk Management Operations; $13,014,000 for Stakeholder Engagements and Requirements; and $3,027,000 for Mission Support. Of the total amount provided for this account, $28,293,000 is available until September 20, 2023, for the National Infrastructure Simulation Analysis Center (NISAC).
      • The Committee is pleased with the progress towards providing more details in CISA’s budget justification materials, specifically the details at the PPA level at which Congress allocates funding. However, more information is needed to better understand the full scope of the planned program activities, strategic outlook, and planning assumptions for CISA’s acquisition programs, especially the Continuous Diagnostics and Mitigation (CDM) and the National Cybersecurity Protection System (NCPS) programs. Without such information, Congress lacks necessary information to make strategic funding decisions and understand the timelines associated with efforts to mitigate cybersecurity, infrastructure security, and emergency communications risks and vulnerabilities.
      • Additionally, CISA is directed to continue to provide the quarterly spend plan and hiring briefings required by the explanatory statement accompanying the Department of Homeland Security Appropriations Act, 2021, (Public Law 116–260), to be updated for the funding provided in the American Rescue Plan Act of 2021, (Public Law 117–2) (ARPA), and the new initiatives funded in this Act. Further, the Committee looks forward to receiving the briefings on the infrastructure security mission and the national critical functions required by the explanatory statement accompanying the Department of Homeland Security Appropriations Act, 2021, (Public Law 116–260).
      • Capabilities to Nullify Cyber Attacks.—Not later than 180 days after the date of enactment of this Act, CISA shall issue a Request for Information (RFI) from private sector providers, universities, and Department of Defense entities to identify existing software solutions for nullifying cybersecurity attacks before they infect systems and cause damage. Not later than 210 days after the date of enactment of this Act, CISA shall brief the Committee on the results of the RFI and the feasibility of using such programs to support CISA missions.
      • Civilian CyberCorps.—The Committee supports CISA’s efforts to partner with the National Science Foundation (NSF), the Department of Defense, and the Office of Personnel Management to establish a plan to recruit, train, and educate personnel; shift military veterans into federal service upon discharge from active duty or engage reservists in civilian cyber workforce roles; manage digital careers; and set standards for digital workforce qualifications. This CyberCorps workforce model should build on the NSF’s Scholarship for Service program. Not later than 120 days after the date of enactment of this Act, CISA shall brief the Committee on progress towards the development of this plan, to include anticipated resources needed to expand the ranks of federal civilian cyber professionals.
      • Cyber Defense Education and Training Program (CDET).—The Committee provides an increase above the request of $11,800,000 to support CDET, of which $5,000,000 is to further expand the Federal Cyber Reskilling Academy and $6,800,000 is for sustaining fiscal year 2021 investments in cybersecurity education programs targeting the Kindergarten through 12th grade (K–12) community, including the Cybersecurity Education and Training Assistance Program (CETAP). CISA is encouraged to support a mix of geographically diverse individual higher education institutions, including in non-contiguous states, that are focused on connecting K–12 learners and environments with post-secondary education and resources.
      • The Committee notes that once again, education and training programs for the non-federal workforce were not funded in the President’s budget request. CISA is directed to work in collaboration with OMB and other agencies as needed to develop a strategy for addressing these requirements in future budget requests and to brief the Committee not later than 15 days after the date of submission of the fiscal year 2023 budget request regarding such strategy.
      • Cyber Directives Management.—In support of requirements and anticipated workload in executing the Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021 (EO 14028), the recommendation includes an increase of $1,850,000 above the request to expand CISA’s capacity for directives development and enforcement.
      • Cyber Workforce Support from the Department of Defense.—The Committee recognizes the dramatic increase in cybersecurity engagements, intrusions, and demands requested of America’s federal cybersecurity professionals and is concerned about the nation’s vulnerability to future and more widespread and damaging breaches. CISA is encouraged to maximize the use of its statutory hiring authorities, including section 1650 of the fiscal year 2019 National Defense Authorization Act, to help address its growing mission space, particularly with regard to intrusions involving foreign adversaries.
      • Cybersecurity Briefings.—The Committee directs CISA to continue providing semiannual briefing on the NCPS and CDM programs, as described in House Report 116–180.
      • Cybersecurity Information Sharing and Coordination in Ports.— In division J of Public Law 115–254, Congress directed DHS to develop and implement a maritime cyber security risk model and make recommendations on enhancing the sharing of cybersecurity information. The Committee directs the CISA and the Coast Guard to brief the Committee, not later than 90 days after the date of enactment of this Act, on the steps taken to fulfill these requirements and on current risks and challenges for port security.
      • Cybersecurity Shared Services Office.—Through the Cybersecurity Shared Services Office, CISA serves as the Quality Services Management Office for federal cybersecurity. To continue to support efforts to make strategic cybersecurity services available to federal agencies through this office, the recommendation includes $17,672,000, as requested.
      • Data Security Resilience.—The Committee is increasingly concerned with the ability of adversaries to circumvent and use existing cybersecurity solutions to gain access to critical systems and data. The Committee directs the Secretary to submit a report to the Committee, not later than 180 days after the date of enactment of this Act, that examines existing security vulnerabilities of government IT systems. The report shall include an examination of emerging technologies that could improve the government’s data security and protection, such as data shielding and immutable logging of suspect activity, instant threat and anomaly detection mechanisms, and user behavior analytics.
      • Cybersecurity Risks.—Not later than 90 days after the date of enactment of this Act, the CIO shall brief the Committee on cyber security capability gaps and associated risks by component in prioritized order. The briefing, which may be provided in classified and unclassified formats, shall identify specific gaps and risks and include cost estimates and a schedule for remediating them.
  • Representative Joe Morelle (D-NY) introduced the “Fair Repair Act” (H.R.4006) and explained the need for the bill and how it would work in his press release:
    • Currently, many electronics manufacturers require that repairs, or parts to complete a repair, be made by the original equipment manufacturer (OEM) itself or through one of their authorized vendors, making the process costly and burdensome for consumers. COVID-19 further magnified the need for consumers and small businesses to be self-reliant and have the ability to repair their own equipment when large retailers have to shutter.
    • The Fair Repair Act will require OEMs to make diagnostic and repair information, parts, and tools available to third-party repairers and owners in a timely manner and on fair and reasonable terms, helping consumers and repair shops to avoid unnecessary and costly delays while also reducing waste. This bill allows for the Federal Trade Commission (FTC) to penalize those who violate these provisions through civil penalties including payment of damages, reformation of contracts, and refund of money or property. It also empowers the FTC to promulgate any rules or regulations necessary to carry out these enforcement duties. The Fair Repair Act authorizes state attorneys general to enforce the bill’s provisions as well.

Further Reading

  • “Why prisoners like me need internet access” By Joe Garcia — MIT Technology Review. California recently promised to provide free computer tablets to all state prisoners by the end of 2021, allowing prisoners like me to email our loved ones through a highly restricted prison messaging service and download content like movies and books. It’s a great first step, but without more open and frequent internet access, there’s no way we’ll ever truly keep pace with the changing world outside our prison walls. I’ve been locked up since 2003. Back then Apple had barely launched iTunes, and I was still in awe of the so-called high-speed connection I’d paid Time Warner to install in my apartment. In all the years since then, I haven’t logged a single second of internet activity. My frames of reference for what it means to be online now come from network television and print media.
  • “Biden tells Putin the U.S. will take ‘any necessary action’ after latest ransomware attack, White House says” By Ellen Nakashima and Eugene Scott — The Washington Post. President Biden told Russian President Vladimir Putin on Friday that the United States will take “any necessary action” to defend U.S. infrastructure, the White House said, after Russia-based hackers carried out the largest known ransomware attack to date. Biden has been under increasing pressure to counter such costly, brazen assaults — pressure that spiked last weekend after the latest attack, which afflicted up to 1,500 companies, schools and hospitals around the world. It was claimed by a criminal group called REvil operating largely out of Russia.
  • “Contractor Exposed the Movements of People Wearing Ankle GPS Bracelets” By Lorenzo Franceschi-Bicchierai — Vice. A contractor for the Cook County Sheriff’s Office, a law enforcement agency that covers the city of Chicago, left exposed online the private data—including the ankle bracelet movements—of people who are under house arrest and being monitored through GPS devices. Matt Chapman, an investigative journalist who found the leak, described it as “an enormous amount of private information,” which included names, email and home addresses, “detailed movement schedules,” and more of people under electronic monitoring in Chicago. Chapman alerted the Sheriff’s office on May 18, which replied the next day saying the site that was leaking the data had been taken down, according to emails shared with Motherboard.
  • “Kaseya Failed to Address Security Before Hack, Ex-Employees Say” By Ryan Gallagher and Andrew Martin — Bloomberg. Executives at Miami-based Kaseya Ltd. were warned of critical security flaws in its software before a ransomware attack this month that affected as many as 1,500 companies, according to five former employees. On several occasions from 2017 to 2020, employees at Kaseya’s offices in the U.S. said they flagged wide-ranging cybersecurity concerns to company leaders. But those issues often weren’t fully addressed, according to the workers, who were employed in software engineering and development at Kaseya and asked not to be identified because they had signed non-disclosure agreements or feared professional retribution.
  • “‘Barely able to keep up’: America’s cyberwarriors are spread thin by attacks” By Kevin Collier — NBC News. Charles Carmakal has a problem: Ransomware has become so prolific that he has too much business. “We’re getting calls from organizations almost every single day,” Carmakal, the chief technology officer at the cybersecurity giant Mandiant, said in a phone call. “We’re barely able to keep up.”
  • “Defense Department IG Omitted Evidence of Alleged Corruption in JEDI Program, Documents Show” By Sara Sirota — The Intercept. The Pentagon’s Office of Inspector General denied the public a complete view of alleged corruption in the notorious Joint Enterprise Defense Infrastructure, or JEDI, program when it left gaping holes in an audit released last year. The investigator cleared many senior defense officials of favoring Amazon for the program’s $10 billion cloud services contract and also asserted its belief that the Defense Department was not pressured by the White House when eventually making the surprise decision to issue the award to Microsoft. However, new documents show the auditor shielded potentially compromising evidence from the public. The New York Times reported first today that depositions and emails — which the Department of Defense Office of Inspector General, or DOD IG, gathered during its JEDI investigation — show defense officials promoted Big Tech, especially Amazon, more than previously understood. The Intercept also obtained copies of the deposition via the Freedom of Information Act and emails from a source, and a closer look exposes even greater signs of advocacy for the Silicon Valley giants. The documents indicate that the DOD IG — when tasked with investigating the integrity of one of the most disputed and lucrative government contracts in recent years — glossed over evidence of a tainted acquisition.
  • “We Got the Phone the FBI Secretly Sold to Criminals” By Joseph Cox — Vice. The sleek, black phone seems perfectly normal. Unlocking the Google Pixel 4a with a PIN code reveals some common apps: Tinder, Instagram, Facebook, Netflix, and even Candy Crush. But none of those apps work, and tapping their icons doesn’t do anything. Resetting the phone and typing in another PIN opens up an entirely different section of the device, with a new background and new apps. Now in place of the old apps sit a clock, a calculator, and the device’s settings.
  • “Fallout From Hack of City Law Department Could Linger for Months” By Benjamin Weiser — The New York Times. Among the thousands of lawsuits New York City faces each year, this case was unexceptional — a man suing the city and several police officers over his arrest during a 2016 demonstration. But last week, the case hit a snag for an unusual reason: The city’s Law Department had been hacked, and lawyers were struggling to gain access to important documents. “Practically all attorneys from the New York City Law Department still do not have remote access to electronic files,” wrote Jorge M. Marquez, a city attorney, to the judge on July 1, asking for an extension of deadlines in the false-arrest case.

Coming Events

  • 19 July
    • The Senate Armed Services Committee’s Cyber Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act in a closed session.
  • 20 July
    • The House Intelligence Committee’s Strategic Technologies and Advanced Research Subcommittee will hold an open hearing titled “Microelectronics: Levers for Promoting Security and Innovation.”
    • The House Small Business Committee will hold a hearing titled “Strengthening the Cybersecurity Posture of America’s Small Business Community” with these witnesses:
      • Ms. Tasha Cornish, Executive Director, Cybersecurity Association of Maryland, Inc.
      • Ms. Sharon Nichols, State Director, Mississippi Small Business Development Center
      • Ms. Kiersten Todt, Managing Director, Cyber Readiness Institute
      • Mr. Graham Dufault, Senior Director for Public Policy, ACT | The App Association
    • The House Foreign Affairs Committee’s Europe, Energy, the Environment and Cyber Subcommittee will hold a hearing titled “The New Transatlantic Trade Agenda: China, Climate, and COVID-19.”
    • The House Foreign Affairs Committee’s Western Hemisphere, Civilian Security, Migration and International Economic Policy Subcommittee will hold a hearing titled “Historic Protests in Cuba and the Crackdown on Free Expression.”
    • The House Foreign Affairs Committee’s Asia, the Pacific, Central Asia, and Nonproliferation Subcommittee will hold a hearing titled “U.S.-European Cooperation on China and the Broader Indo-Pacific.”
    • The House Science, Space, and Technology Committee will hold a hearing titled “Spectrum Needs for Observations in Earth and Space Sciences.”
    • The House Energy and Commerce Committee’s Oversight and Investigations Subcommittee will hold a hearing titled “Stopping Digital Thieves: The Growing Threat of Ransomware.”
  • 21 July
    • The Senate Armed Services Committee will mark up its FY 2022 National Defense Authorization Act in a closed session.
    • The House Ways and Means Committee’s Trade Subcommittee will hold a hearing titled “The Global Challenge of Forced Labor in Supply Chains: Strengthening Enforcement and Protecting Workers.”
    • The Senate Environment and Public Works Committee will hold a hearing titled “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure.”
    • The House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will hold a hearing titled “Moving Forward: Evaluating Next Steps for the Department of Veterans Affairs Electronic Health Record Modernization Program.”
  • 27 July
  • 28 July
    • The House Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the committee’s FY 2022 National Defense Authorization Act (H.R.4395).
  • 5 August
    • The Federal Communications Commission (FCC) will hold its monthly open meeting with this tentative agenda:
      • Establishing Two New Innovation Zones. The Commission will consider a Public Notice that would create two new Innovation Zones for Program Experimental Licenses and the expansion of an existing Innovation Zone. (ET Docket No. 19-257)
      • Numbering Policies for Modern Communications. The Commission will consider a Further Notice of Proposed Rulemaking to update the Commission’s rules regarding direct access to numbers by interconnected Voice over Internet Protocol providers to safeguard the nation’s finite numbering resources, curb illegal robocalls, protect national security, and further promote public safety. (WC Docket Nos. 13-97, 07-243, 20-67; IB Docket No. 16-155)
      • Appeals of the STIR/SHAKEN Governance Authority Token Revocation Decisions. The Commission will consider a Report and Order that would establish a process for the Commission to review decisions of the private STIR/SHAKEN Governance Authority that would have the effect of placing voice service providers out of compliance with the Commission’s STIR/SHAKEN implementation rules. (WC Docket Nos. 17-97, 21-291)
      • Modernizing Telecommunications Relay Service (TRS) Compensation. The Commission will consider a Notice of Proposed Rulemaking on TRS Fund compensation methodology for IP Relay service. (CG Docket No. 03-123; RM-11820)
      • Updating Outmoded Political Programming and Record-Keeping Rules. The Commission will consider a Notice of Proposed Rulemaking to update outmoded political programming rules. (MB Docket No. 21-293)
      • Review of the Commission’s Part 95 Personal Radio Services Rules. The Commission will consider a Memorandum Opinion and Order on Reconsideration that would grant three petitions for reconsideration of the Commission’s May 2017 Part 95 Personal Radio Services Rules Report and Order. (WT Docket No. 10-119)
  • 1 September
    • The House Armed Services Committee will mark up the FY 2022 National Defense Authorization Act (H.R.4395).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Spencer Watson on Unsplash

Photo by Casey Horner on Unsplash

Photo by denis pan on Unsplash

Photo by Hédi Benyounes on Unsplash

Photo by Adi Goldstein on Unsplash
