Further Reading, Other Developments, and Coming Events (31 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 31 July, the House Intelligence Committee will mark up its Intelligence Authorization Act.
  • On 31 July the Select Committee on the Modernization of Congress will hold a business meeting “to consider proposed recommendations.”
  • On 3 August the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • The National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems” on 6 August.
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Other Developments

  • The European Commission (EC) released a report on the status of efforts across the European Union (EU) to implement the EU Toolbox on 5G Cybersecurity, the bloc’s approach to navigating security issues presented by equipment and services offered by companies from the People’s Republic of China such as Huawei. The EC concluded
    • All Member States reported that concrete steps have been taken to implement the Toolbox. Most Member States carried out a gap analysis and launched a process to review and upgrade existing security measures and enforcement mechanisms. Many Member States have already adopted or are well advanced in the preparation of more advanced security measures on 5G cybersecurity.
    • However, work is still ongoing in many Member States on defining the content and scope of the measures and in some cases, political decisions still need to be made in this regard. In addition, even where measures are in progress or being planned, not all Member States have shared detailed information about every measure, due to diverse stages in the national implementation process or for national security reasons. Nevertheless, a number of findings can be formulated based on the analysis presented in this report as regards the implementation of the Toolbox and areas where specific attention is needed in the next phases of the implementation of the Toolbox at national and/or EU level.
  • The United States (US) and Australia released this joint statement following this week’s Australia-United States Ministerial Consultations (AUSMIN), at which the heads of their defense and foreign ministries met in Washington DC. The two countries listed a number of steps and initiatives designed to counter the People’s Republic of China (PRC). Among other developments:
    • The US and Australia signed a classified Statement of Principles on Alliance Defense Cooperation and Force Posture Priorities in the Indo-Pacific.
    • The two nations “plan to continue to counter these threats vigorously, including through collaboration with international partners, and through a new working group between the Department of Foreign Affairs and Trade and the Department of State, which will monitor and respond to disinformation efforts.”
    • The US and Australia “expressed deep concern that the targeting of intellectual property and sensitive business information, including information relating to the development of vaccines and treatments for pandemic response, presents an increasing threat to the global economy, and they committed to holding malicious actors accountable.”
    • The countries “noted the role of 5G network security best practices, such as the Prague Proposals, and expressed their intent to work with like-minded partners to develop end-to-end technical solutions for 5G that use trusted vendors….[and] [a]cknowledging that 5G is only the starting point, the two nations also reaffirm their commitment to lifting the security of critical and emerging technologies that will be vital to our nations’ prosperity.”
    • The US and Australia “welcomed the announcement that Lynas has signed a Phase 1 contract with the U.S. Department of Defense for an engineering and market feasibility study for the design of a heavy rare earth separation facility in the United States” and “the continued development of a U.S.-Australia Critical Minerals Plan of Action to improve the security of critical minerals in the United States and Australia.” 
  • The United Kingdom’s National Cyber Security Centre (NCSC) has issued a report titled “The Cyber Threat to Sports Organisations” “to demystify the cyber threat to sports organisations by highlighting the cyber security issues that affect the sector on a daily basis: business email compromise, digital fraud, and venue security.” The NCSC asserted
    • cyber attacks against sports organisations are very common, with 70% of those surveyed experiencing at least one attack per annum. This is significantly higher than the average across UK business.
    • The primary cyber threat comes from cyber criminals with a financial motive. Criminal attacks typically take advantage of poor implementation of technical controls and normal human traits such as trust and ineffective password policies.
    • There have been a small number of Hostile Nation-state attacks against sports organisations; typically, these attacks have exploited the same vulnerabilities used by criminals.
    • The most common outcome of cyber attacks is unauthorised access to email accounts (Business Email Compromise) leading to fraud. Ransomware is also a significant issue in the sector.
  • Top Republicans on one of the committees with jurisdiction over technology have written Google and Apple regarding their “app store and the policies you have in place to ensure apps are appropriately vetted, particularly those with close ties to China and the Chinese Communist Party (CCP).” House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) and Consumer Protection and Commerce Subcommittee Ranking Member Cathy McMorris Rodgers (R-WA) are asking the companies to respond by 12 August to a series of questions. They asserted
    • As with any crisis, there are those that seek to exploit opportunities for their own malicious intent. We believe that bad actors may be taking advantage of the American people’s trust in your brand, which likely extends to apps available through your store. While we want an open and transparent marketplace that does not limit innovators outside your company, we know there are those that seek to use apps as a means to push through pop-up ads or hijack devices to make it a tool for eavesdropping.
    • The level of permissions that these apps require may include access to camera, microphone, and contacts, as well as functionality to load other malware for bad actors to control a device even after the original app has been removed. This is especially alarming when it comes from companies with direct or indirect links to the CCP.
  • A Washington DC think tank published a report written in part with Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) titled “AI and the Workforce.” The Bipartisan Policy Center explained that “[b]ased on our discussions with stakeholders, we have identified the following key principles:
    • 1. The United States should embrace and take a leadership role in the AI-driven economy by filling the AI talent gap and preparing the rest of the workforce for the jobs of the future. However, in doing so, policymakers should make inclusivity and equal opportunity a priority.
    • 2. Closing the AI talent gap requires a targeted approach to training, recruiting, and retaining skilled workers. This AI talent should ideally have a multi-disciplinary skill set that includes ethics.
    • 3. The AI talent gap is not the only challenge of the AI-driven economy, so the federal government should focus more broadly on the jobs of the future and skills that are complemented by AI technology. Additionally, encouraging workers to develop basic AI and technological literacy can help them better determine how to complement AI systems.
    • 4. The educational system from kindergarten through post-college is not yet designed for the AI-driven economy and should be modernized.
    • 5. The skills that will be in demand in the future will continuously change, so lifelong learning and ways to help displaced and mid-career workers transition into new jobs is critical for the workforce of the future.
    • In September 2018, Kelly and Hurd released a white paper detailing the “lessons learned from the Subcommittee’s oversight and hearings on AI and sets forth recommendations for moving forward.” 
  • The National Cyber Security Centre (NCSC) updated its “Mobile Device Guidance” regarding “Windows 10, Android and VPNs.” The NCSC stated “[o]ver the next few months, we’ll be bringing our Chrome OS and Ubuntu Linux guidance up to date and into the new format.”
  • Cybersecurity company FireEye released a report on a new type of Russian disinformation campaign where hackers are gaining access to legitimate news sources and planting fake stories that are subsequently amplified on social media.
    • FireEye explained it
      • has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign, ongoing since at least March 2017, aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”
    • FireEye added
      • Many, though not all, of the incidents we suspect to be part of the Ghostwriter campaign appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries. This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries.

Further Reading

  • “Rite Aid deployed facial recognition systems in hundreds of U.S. stores” by Jeffrey Dastin – Reuters. A major United States retailer was using facial recognition technology that seems connected to a company in the People’s Republic of China, mostly at stores in poorer, more ethnically diverse areas. Rite Aid has ceased use of this system, which was implemented to address shoplifting and other crime; guards and other personnel were supposed to act when the system turned up a hit on a person in the store who had committed a crime or made trouble in another location. Given the accuracy of this sort of technology, there was a range of false positives. Additionally, locations in New York City that had similar crime profiles in majority white, affluent areas were much less likely to have this system. The company providing the technology, DeepCam LLC, appears intimately connected to a Chinese firm, Shenzhen Shenmu, that appears funded by a Beijing-run venture capital/investment fund.
  • “Facebook Wins Temporary Halt to EU Antitrust Data Demands” by Stephanie Bodoni – Bloomberg. In a setback for the European Commission’s (EC) investigation, the European Union General Court has temporarily blocked data and document requests in a pair of rulings. The court ruled for Facebook in finding the EC’s request “may unavoidably include personal information” and so “it is important to ensure that confidential treatment of such information is safeguarded, especially when the information does, at first sight, not appear to have any link with the subject matter of the commission’s investigation.” A Facebook attorney claimed the requests were going to net “highly sensitive personal information such as employees’ medical information, personal financial documents, and private information about family members of employees.” The court is expected to issue a final decision on the data requests, which has obvious implications for the EC’s investigation of Facebook.
  • “Google’s Top Search Result? Surprise! It’s Google” by Adrianne Jeffries and Leon Yin – The Markup. Google’s search results have changed tremendously over the last 15 years, from showing the top organic results to now reserving 50% of the page for Google results and products. As a result, a number of online businesses that compete with Google products have withered and some have died. Google denies abusing its market power, but competitors and possibly some regulators think otherwise, possibly foreshadowing future anti-competitive enforcement actions.
  • “Five Eyes alliance could expand in scope to counteract China” by Patrick Wintour – The Guardian. The United States, United Kingdom, Canada, New Zealand, and Australia may expand both the scope of their Five Eyes arrangement and the membership as a means of pushing back on Chinese policies and actions. Japan could possibly join the alliance and perhaps it serves as the basis for a trade agreement to address Beijing.
  • “Huawei to double down on HSBC as legal battle over extradition of Meng Wanzhou intensifies” by Zhou Xin – South China Morning Post. As Meng Wanzhou, the daughter of Huawei’s founder, continues to be held in Canada facing possible extradition to the United States (US) to be tried on charges of violating US sanctions on Iran, her lawyers are focusing on the evidence provided by Hong Kong-based bank HSBC to the US Department of Justice as being deficient in a number of ways. The People’s Republic of China is still holding two Canadians incommunicado who were arrested and charged with espionage after Meng was detained in British Columbia.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (17 July)

Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the United States’ domestic industrial competitiveness and technological leadership relative to China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk that U.S. firms are unwittingly enabling China to achieve its industrial policy and military development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments…[b]ut such judgments fall far afield of the FCC’s statutory authority and competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack – with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and others claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests submitted by data subjects” even though Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • The Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices) “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) announced “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on the date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts that have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to the Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case on its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • “Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • “Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • “Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • “Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters the app marketed in the United States is through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC change in law has extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and the PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • “Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so do Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore.
  • “California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • “How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and it is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain traction before the European Commission, which levied a €1.49 billion fine for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • “TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’” – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing that just maintaining and improving the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • “Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • “While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  • “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and takes the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drives engagement that, in turn, drives advertising dollars.
  • “Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance’s acquisition of the app Musical.ly that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • “You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • “UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m of such equipment to countries that non-governmental organizations (NGO) have rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • “Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed suit in what will undoubtedly seek to become a class action suit over Google’s alleged continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • “Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to the unnamed former United States (US) officials cited in this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks.
  • “Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • “Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • “Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the penetration of the platform must have been of internal controls for so many high profile accounts to be taken over at the same time.
  • “TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and the first quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review by an inter-agency committee for national security considerations that could result in an unwinding of the deal. In addition, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement of claims that the company violated regulations protecting the privacy of children, which could result in multi-billion dollar liability if wrongdoing is found.
  • “Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms have sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that gives them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors to the world’s second most populous nation.
  • “‘Outright Lies’: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting shows that many of them are inaccurate or false, thus violating the platform’s terms of service, yet Facebook did nothing to remove them or mark them as inaccurate until this article was being written.
  • “Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to lift people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • “The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of whom, Sabre, is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, are using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • “With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

The UK Will Now Eliminate Huawei From Its 5G Networks

The Conservative government in London has changed course and will now ban Huawei from its 5G networks by 2027, but this might not be enough to head off a challenge from those in the party who want a stronger line. The British government claimed a US regulatory change has made using Huawei impracticable.

Prime Minister Boris Johnson has reversed the United Kingdom’s (UK) course on Huawei equipment in its 5G networks and instead of limiting the percentage of the UK’s next generation telecommunications network that would consist of Huawei to 35%, now Downing Street is proposing to eliminate the Chinese company entirely. While Johnson’s government is essentially blaming a United States Department of Commerce rule aiming to cut off the flow of semiconductors to Huawei, it is likely the position of a number of Conservative Ministers of Parliament (MP) who were planning to oppose Johnson’s original plan informed the revised path. And much to the chagrin of this bloc of 60 or so Tory MPs, Johnson’s government is not calling for the removal of Huawei equipment from existing 2G, 3G, and 4G networks, a proposal British telecommunications companies have opposed. Consequently, Conservative MPs may try to change the coming telecommunication bill to institute the new Huawei ban to apply it to existing equipment, and they may have the votes to do so, forcing the Prime Minister to risk a defeat on the floor of the House of Commons or change his package further ahead of consideration.

Johnson had floated the notion that a so-called G10 group of nations could pool resources and develop alternative means of achieving 5G other than buying from Huawei, one of the People’s Republic of China (PRC) companies the United States has been pressuring allies and others not to buy from. It is not clear whether Johnson will try to pursue this other strategy with the new change in course.

Digital, Culture, Media and Sport Secretary Oliver Dowden made a “statement on telecoms” earlier today in the House of Commons, explaining the government’s change in plans regarding Huawei in particular. Dowden stated:

  • In January, we set out to this House our conclusions on how we would define and restrict high risk vendors, keeping them outside the network’s core and away from critical infrastructure and sites.
  • We have been clear-eyed from the start that the Chinese-owned vendors Huawei and ZTE were deemed to be high risk.
  • And we made clear that the National Cyber Security Centre (NCSC) would review and update its advice as necessary.

He declared that “[s]ince January the situation has changed.” He added that “[o]n the 15th of May the US Department of Commerce announced that new sanctions had been imposed against Huawei through changes to the foreign direct product rules…a significant, material change – and one that we have to take into consideration.”

Dowden claimed

  • This morning, the Prime Minister chaired a meeting of the National Security Council. Attendees at that meeting took full account of the NCSC’s advice, together with the implications for UK industry and wider geostrategic considerations.
  • The government agrees with the NCSC’s advice: the best way to secure our networks is for operators to stop using new affected Huawei equipment to build the UK’s future 5G networks.
  • So to be clear, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei. And once the Telecoms Security Bill is passed it will be illegal for them to do so.

Dowden continued

I know that Honourable Members have sought a commitment from the government to remove Huawei equipment from our 5G network altogether. This is why we have concluded that it is necessary and prudent to commit to a timetable for the removal of Huawei equipment from our 5G network by 2027. Let me be clear. This requirement will be set out in law by the Telecoms Security Bill. By the time of the next election, we will have implemented in law an irreversible path for the complete removal of Huawei equipment from our 5G networks.

Dowden explained that “one of the reasons we are in this situation is because of global market failure…[and] [p]ut simply, countries around the world, not just in the UK, have become dangerously reliant on too few vendors.” He stated that “[w]e have already set out a clear and ambitious diversification strategy…[and] [t]hat strategy will include wide-ranging action in the short, medium and long-term with the aim of driving competition and innovation to grow the market and deliver greater resilience across our networks.” Dowden stated “[t]he strategy will focus on three core elements:

  • First – securing the supply chains of our incumbent, non high risk suppliers by putting in place measures and mitigations that will protect supply chains and ensure there is no disruption to our networks.
  • Second – bringing new scale vendors into the UK market by removing barriers to entry, providing commercial incentives and creating large scale opportunities for new vendors to enter the UK market.
  • And third – addressing the existing structure of the supply market by investing in research and development and building partnerships between operators and vendors that will mean operators using multiple vendors in a single network will become the standard across the industry.

In a blog post and a summary, the NCSC explained in much more detail its analysis of the risks of using Huawei’s equipment, which derive mostly from the implications of US action and less from inherent risks.

NCSC Technical Director Dr Ian Levy explained “[i]n May, the US changed a subtle and detailed export control rule called the ‘Foreign-Produced Direct Product Rule’ (FDPR).” He added that “[t]he amended rule says that no-one, anywhere in the world, can send Huawei-designed chips to Huawei if US technology was used in the design tools or manufacture processes…[and] [t]his doesn’t just mean that Huawei can’t use design tools that contain US technology…[i]t also means:

  • no-one else can take a Huawei design and turn it into chip manufacture instructions (usually something called a GDS2) using tools that contain US technology
  • even if you’ve already got the GDS2 for a Huawei chip, you can’t actually turn it into a chip if your foundry process uses US technology (and for modern process nodes, US technology is pretty pervasive) or if the GDS2 was produced using US technology

Levy stated

The FDPR change wasn’t in effect in January. It is now, and that’s a material change to the facts on the ground that has led us to revisit our analysis. The NCSC now believes that there are only three things that can happen to help Huawei in response to this action. In our recent consultations with them, Huawei haven’t disagreed with this analysis. Those options are:

  1. Someone breaks US law and continue to manufacture. This is pretty unlikely. Huawei have always publicly said that they’ll follow applicable law, but the impact on any design house or foundry that went this way would be huge. Also – given there’d be a reasonable expectation that the chips broke US law – any organisation buying the equipment would be taking a significant risk.
  2. Huawei switch chips in equipment designs to ones that aren’t Huawei-designed, but perform the same sort of function. This is a big task. Assuming you can find someone to design a chip that’s near enough to the original, the integration into the wider product is a very complex job. This can’t be a direct replacement for a Huawei-designed chip, because then at least some of the design will be Huawei’s, and so likely caught by the rule. This is a really complex engineering task. And given Huawei’s continued lack of security or engineering quality as described in the Oversight Board reports, this is highly likely to introduce security and reliability problems into the equipment for the next few years at least.
  3. Someone makes new design tools and manufacturing processes for chips that don’t use any US technology and so can provide Huawei what they need. Good luck doing that quickly. You need to invent some new ways of doing really complex things (extreme UV lithography, multi-patterning etc.) while being bound by the laws of physics. The precise mechanisms the foundry uses to make these tiny transistors dictate the design rules your EDA tools have to enforce. As a cartoon example, if the foundry process produces some fuzziness around the edges of transistors, your design tool will need to leave more space between them, or the performance of the chip could be affected. The performance and capability of your EDA tools dictate what the foundry can build reliably. If your EDA tools can’t do lots of Maxwell’s equation solving, you’ll need to route wires differently round the chip and simplify your design. You don’t need to understand how a FinFET works or what a hi-K dielectric is to know that’s a ton of work that’s likely to fail a few times.

Levy explained “[t]oday, we are publishing guidance, supported by government, as to what this all means for the future telecoms network builds and to help operators understand the impacts of this decision…[and] [t]he guidance says that:

  • existing Huawei equipment in the UK can continue to be used, subject to the HRV policy and our mitigation strategy
  • operators need to procure enough spares to maintain the equipment for the expected lifetime
  • operators should seek to cease procuring and deploying Huawei 5G access equipment, all transport equipment, and other miscellany to manage the long-term risks of the newly designed products (practically, procurements are likely to cease by the end of 2020)
  • operators should seek to cease procuring and deploying Huawei FTTP (Fibre to the Premises) access equipment. It may take a bit longer for rollouts to cease in this case, so the Department for Digital, Culture, Media & Sport (DCMS) are going to work with industry to establish a manageable timeframe

In mid-May, the Department of Commerce’s Bureau of Industry and Security (BIS) “announced plans to protect U.S. national security by restricting Huawei’s ability to use U.S. technology and software to design and manufacture its semiconductors abroad” per the agency’s press release. BIS released an interim final rule that takes effect as of 15 May, but the agency is accepting comments through 14 July, meaning there will be a final rule issued at some point in the future once the comments have been analyzed and addressed. Nevertheless, Commerce claimed the BIS interim final rule “cuts off Huawei’s efforts to undermine U.S. export controls.”

Commerce stated

  • BIS is amending its longstanding foreign-produced direct product rule and the Entity List to narrowly and strategically target Huawei’s acquisition of semiconductors that are the direct product of certain U.S. software and technology.
  • Since 2019 when BIS added Huawei Technologies and 114 of its overseas-related affiliates to the Entity List, companies wishing to export U.S. items were required to obtain a license. However, Huawei has continued to use U.S. software and technology to design semiconductors, undermining the national security and foreign policy purposes of the Entity List by commissioning their production in overseas foundries using U.S. equipment.
  • Specifically, this targeted rule change will make the following foreign-produced items subject to the Export Administration Regulations (EAR):
    • Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology; and
    • Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States. Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.

Commerce added that “[t]o prevent immediate adverse economic impacts on foreign foundries utilizing U.S. semiconductor manufacturing equipment that have initiated any production step for items based on Huawei design specifications as of May 15, 2020, such foreign-produced items are not subject to these new licensing requirements so long as they are reexported, exported from abroad, or transferred (in-country) by 120 days from the effective date.”

The PRC’s Commerce Ministry posted a statement, arguing “[t]he U.S. uses state power, under the so-called excuse of national security, and abuses export control measures to continuously oppress and contain specific enterprises of other countries.” The Ministry vowed the PRC will “take all necessary measures to resolutely safeguard the legitimate rights and interests of Chinese enterprises.”

Trump Administration Issues Second Part of Rule Banning Huawei, ZTE, and Other PRC Entities From Federal Systems

Starting in a month, those contracting with the federal government may not have Huawei or ZTE equipment or systems per a directive of Congress enacted in 2018. Lawmakers were concerned about national security and argued PRC equipment and systems are compromised. The first half of this ban took effect one year ago.

Federal agencies released an interim rule to implement the second half of a government-wide ban on buying or using Huawei, ZTE, and other equipment and systems considered risky or suspect by the United States (US) government. The first half of this ban went into effect late last summer and generally bars US agencies from buying or using so-called “covered telecommunications equipment or services,” and this part of the ban extends the prohibition to entities that would contract with US agencies. Therefore, as a general matter, such contractors would need to certify their services, systems, and equipment are free and clear of “covered telecommunication equipment,” which is largely technology developed and manufactured in the People’s Republic of China (PRC) or the Russian Federation. This rule will take effect on 13 August but may possibly affect contracts entered into before that date. And yet, comments are being accepted on this rule until 14 September, which will likely affect the rule on the margins when a final version is issued but not its substance.

The Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) amended the Federal Acquisition Regulation (FAR) to implement section 889(a)(1)(B) of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that “prohibits executive agencies from entering into, or extending or renewing, a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” The agencies stated

The statute covers certain telecommunications equipment and services produced or provided by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of those entities) and certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities). The statute is not limited to contracting with entities that use end-products produced by those companies; it also covers the use of any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.

The DOD, GSA, and NASA explained “[t]he 889(a)(1)(A) rule does the following:

  • It amends the FAR to include the 889(a)(1)(A) prohibition, which prohibits agencies from procuring or obtaining equipment or services that use covered telecommunications equipment or services as a substantial or essential component or critical technology. (FAR 52.204-25)
  • It requires every offeror to represent prior to award whether or not it will provide covered telecommunications equipment or services and, if so, to furnish additional information about the covered telecommunications equipment or services. (FAR 52.204-24)
  • It mandates that contractors report (within one business day) any covered telecommunications equipment or services discovered during the course of contract performance. (FAR 52.204-25)

The agencies added

The FAR Council will address the public comments received on both previous interim rules in a subsequent rulemaking. In addition, each agency has the opportunity under 889(a)(1)(A) to issue agency-specific procedures (as they do for any acquisition-related requirement). For example, GSA issued a FAR deviation where GSA categorized risk to eliminate the representations for low and medium risk GSA-funded orders placed under GSA indefinite-delivery contracts.

Section 889 of the FY 2019 NDAA was drafted to address the threats posed by the presence of Huawei and ZTE equipment and services throughout the systems and supply chains of the federal government and its contractors. The ultimate goal is the complete phaseout, if possible, of these and any other suspect systems that could possibly be compromised or exploited in the future. Consequently, Russian equipment and systems are also targeted. All federal agencies must inventory and then work to remove this equipment and products within the next few years, and the DOD has already started the required rulemakings to fulfill this policy goal.

As a result, the DOD and other agencies changed the FAR to put into effect a Congressionally-required ban on Huawei and ZTE products detailed in Section 889 of the FY 2019 NDAA. Specifically, the August 2019 interim rule bars federal agencies from buying Huawei, ZTE, and related Chinese “equipment, system[s], or service[s] that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” unless an exception allows the agency to disregard this general ban. This rule has already taken effect, and it is likely the DOD and other agencies will issue a final rule, which may change the interim rule on the margins but will likely maintain the substance of the prohibition. It bears note that this interim rule is applicable to all contracts going forward and some solicitations offered and contracts signed before August 13, 2019. In December 2019, the DOD, GSA, and NASA changed the original requirement that contractors certify for each procurement that they do not have any Huawei or ZTE equipment or services, so that contractors may make this certification annually instead.

In concert with the August 2019 interim final rule that put in place a ban on buying or using Huawei, ZTE, or other related equipment, the DOD issued a memorandum that “provides DOD-specific procedures associated with the interim FAR rule that implements section 889(a)(1)(A) of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232)…[and] [t]hese implementation procedures apply to contracts, task orders, and delivery orders, including basic ordering agreements (BOAs), orders against BOAs, blanket purchase agreements (BPAs), and calls against BPAs.”

Finally, it bears note that Section 889(b) also contains language barring any agency from making a loan or providing a grant to any entity with Huawei or ZTE systems or equipment or to buy Huawei systems or equipment. In June 2019, the Office of Management and Budget (OMB) asked Congress for legislative changes to the grant and loan language, ideally in the FY 2020 NDAA, and to push back the deadline for both of these provisions from August 13, 2020 to August 13, 2022. However, the Armed Services Committees did not include such language in either FY 2020 NDAA, suggesting there is no support in the committees for softening or rolling back the Huawei/ZTE bans.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

FCC Holds Open Meeting

The FCC took up a number of 5G-related items and a record fine for spoofed robocalls.

At a 9 June Federal Communications Commission (FCC) meeting, the agency approved a number of rulings and proposed rulemakings, most notably the rules for an auction to implement a new $16 billion rural broadband initiative and a $225 million fine for over 1 billion spoofed robocalls. The agency summarized its actions:

  • Rural Digital Opportunity Fund Final Auction Procedures.
  • Modernizing and Expanding Access to the 70/80/90 GHz Bands.
  • State/Local Approval of Wireless Equipment Modifications.
  • Promoting Broadcast Internet Innovation through ATSC 3.0.
  • Proposed Fine for Illegal Spoofed Robocalls.

In the Rural Digital Opportunity Fund Public Notice, the FCC explained

  • By this Public Notice, we establish procedures for Phase I of the Rural Digital Opportunity Fund auction (auction or Auction 904).  The auction will award up to $16 billion over 10 years to service providers that commit to offer voice and broadband services to fixed locations in eligible unserved high-cost census blocks.  The bidding in the auction is now scheduled to begin on October 29, 2020. 
  • Auction 904 will be the Commission’s second auction to award ongoing high-cost universal service support through competitive bidding in a multiple-round, reverse auction and follows the successful Connect America Fund Phase II auction (Auction 903) in 2018.  As before, we intend to maximize the value the American people receive for the universal service funds we spend, balancing the need to support future-proofed networks and higher-quality services against the need to consider cost efficiencies and maximize the number of locations that receive service.  Therefore, we will again use an auction mechanism designed to select bids from providers that would deploy high-speed broadband and voice services in unserved communities for lower relative levels of support.  The bidding procedures we adopt, including some modifications to our proposals, will be implemented through the Auction 904 bidding system, which will enable a bidder to express in a simple and orderly way the amount of support it needs to provide a specified level of service to a specified set of eligible areas.
  • Auction 904 will be the Commission’s single largest step toward bridging the rural digital divide, potentially bringing voice and broadband to millions of unserved homes and businesses in rural areas and fulfilling our commitment to universal service.  
  • Nothing in this Public Notice is intended to amend the requirements set forth in the Rural Digital Opportunity Fund Order or the Commission’s rules. We urge prospective applicants to review carefully the Commission’s orders and public notices relating to the Rural Digital Opportunity Fund…

Regarding the Rural Digital Opportunity Fund, Chair Ajit Pai stated:

To help ensure that all Americans can enjoy those benefits of broadband, today we adopt final procedures for Phase I of the Rural Digital Opportunity Fund auction.  This reverse auction will distribute up to $16 billion over the next decade to deploy broadband to rural areas that everyone agrees lack broadband service, prioritizing gigabit-speed networks that will ensure networks serve consumers well into the future.  In March, Commission staff released a preliminary list of areas eligible for the Phase I auction, where staff estimate more than 11.7 million unserved Americans live and work.  That list includes millions of Americans who we know are on the wrong side of the digital divide.  And that’s why calls to delay the Phase I auction miss the mark.  These Americans deserve access to broadband as soon as possible.  They cannot afford to wait—and neither can we as a country—while we work to develop the new, more granular broadband coverage maps that will serve as the basis for the Phase II auction.  Digital opportunity delayed is digital opportunity denied.

Commissioner Geoffrey Starks explained:

Investments in bringing broadband to unserved areas are more critical than ever.  As I have noted throughout the development of the Rural Digital Opportunity Fund (RDOF), I support the auction structure, but I remain concerned about some key features of the program.  That includes our decision to spend such a large portion of the budget—over such a long term of support—based on broadband maps that are not accurate.  I would have preferred to start with a smaller budget or shorter term of support so that the bulk of the RDOF funds could be spent after we complete the mapping overhaul that data-driven policymaking and the Broadband DATA Act require.  Because this item builds on that flawed foundation, I must dissent in part.

In the Notice of Proposed Rulemaking and Order titled “In the Matter of Modernizing and Expanding Access to the 70/80/90 GHz Bands,” the FCC stated

We initiate a proceeding to explore innovative new uses of the 71–76 GHz, 81–86 GHz, 92–94 GHz, and 94.1–95 GHz bands (collectively, the “70/80/90 GHz bands”).  In particular, we seek comment on potential rule changes for non-Federal users to facilitate the provision of wireless backhaul for 5G, as well as the deployment of broadband services to aircraft and ships, while protecting incumbent operations in the 70/80/90 GHz bands.  We seek to promote expanded use of this co-primary millimeter-wave spectrum for a myriad of innovative services by commercial industry, and in particular, we seek to take advantage of the highly directional signal characteristics of these bands, which may permit the co-existence of multiple types of deployments.  We also deny two requests for partial waiver of the antenna standards for the 71–76 and 81–86 GHz bands.  Because this is co-primary spectrum for Federal and non-Federal users, we will coordinate any proposed rule changes with the affected agencies and the National Telecommunications and Information Administration (NTIA).  This is consistent with established practice, in that, when evaluating any band that includes a shared allocation for Federal use, the FCC will work with NTIA to evaluate potential impacts associated with any new or expanded non-Federal use of shared allocations.

The agency also approved a notice of clarification and proposed rulemaking titled “In the Matter of Implementation of State and Local Governments’ Obligation to Approve Certain Wireless Facility Modification Requests Under Section 6409(a) of the Spectrum Act of 2012,” in which

  • [W]e clarify the meaning of our rules implementing Congress’ decisions in section 6409(a) of the Spectrum Act of 2012, which recognized the efficiency of using existing infrastructure for the expansion of advanced wireless networks.  Those rules set forth a streamlined process for State and local government review of applications to deploy wireless telecommunications equipment on existing infrastructure.  Under this framework, a State or local government shall approve within 60 days any request for modification of an existing wireless tower or base station that does not substantially change the physical dimensions of such tower or base station.
  • [W]e seek comment on whether changes to our rules regarding excavation outside the boundaries of an existing tower site, including the definition of the boundaries of a tower “site,” would advance the objectives of section 6409(a).

Commissioner Jessica Rosenworcel explained her opposition by noting

[Cities and states] want a bit more time to weigh in on our decision, so they can be in a better place to implement it.  They want this time because their resources are strained by a deadly virus, economic calamity, and civil unrest.  As 24 members of the United States House of Representatives Committee on Energy and Commerce noted last week, “[i]f local governments are forced to respond to this Declaratory Ruling instead of focusing on their public health and safety responses, it very well may put Americans’ health and safety at risk.” But the FCC has decided to ignore this modest request for time to review.  I don’t get it.

The FCC also adopted a declaratory ruling and a notice of proposed rulemaking titled “In the Matter of Promoting Broadcast Internet Innovation through ATSC 3.0” and explained

More than twenty years ago, during the transition from analog to digital broadcast television, the Commission adopted rules allowing digital television (DTV) licensees to provide ancillary or supplementary services on their excess spectrum capacity and authorized licensees to enter into leases with other entities that would provide such services. Flash forward to today, and the conversion of digital television from the first-generation technologies associated with the ATSC 1.0 standard to the next-generation of ancillary services that will be enabled by ATSC 3.0 is now underway.  This new technology promises to expand the universe of potential uses of broadcast spectrum capacity for new and innovative services beyond traditional over-the-air video in ways that will complement the nation’s burgeoning 5G network and usher in a new wave of innovation and opportunity.  These new offerings over broadcast spectrum can be referred to collectively as “Broadcast Internet” services to distinguish them from traditional over-the-air video services.  Broadcasters will not only be able to better serve the information and entertainment needs of their communities, but they will have the opportunity to play a part in addressing the digital divide and supporting the proliferation of new, IP-based consumer applications or voluntarily entering into arrangements to allow others to invest in achieving those goals.  We undertake this proceeding to ensure that our rules help to foster the introduction of new services and the efficient use of spectrum.

Finally, in “In the Matter of John C. Spiller; Jakob A. Mears; Rising Eagle Capital Group LLC; JSquared Telecom LLC; Only Web Leads LLC; Rising Phoenix Group; Rising Phoenix Holdings; RPG Leads; and Rising Eagle Capital Group – Cayman,” the FCC stated

This Notice of Apparent Liability proposes the largest fine in FCC history.  John C. Spiller and Jakob A. Mears, doing business under the names Rising Eagle Capital Group LLC, JSquared Telecom LLC, Only Web Leads LLC, Rising Phoenix Group, Rising Phoenix Holdings, RPG Leads, and Rising Eagle Capital Group – Cayman (collectively, Rising Eagle), made approximately one billion spoofed robocalls in the first four-and-a-half months of 2019 with the intent to defraud, cause harm, and wrongfully obtain something of value in apparent violation of the Truth in Caller ID Act.  Given the egregious circumstances and the scope and scale of the robocall campaigns, we propose a forfeiture of $225,000,000.

Rosenworcel noted her approval of the size of the fine considering the conduct but added

But there’s something missing in this all-hands effort.  That’s the Department of Justice.  They aren’t a part of taking on this fraud.  Why not?  What signals does their refusal to be involved send?  Here’s the signal I see.  Over the last several years the FCC has levied hundreds of millions in fines against robocallers just like the folks we have here today.  But so far collections on these eye-popping fines have netted next to nothing.  In fact, it was last year that The Wall Street Journal did the math and found that we had collected no more than $6,790 on hundreds of millions in fines.  Why?  Well, one reason is that the FCC looks to the Department of Justice to collect on the agency’s fines against robocallers.  We need them to help.  So when they don’t get involved—as here—that’s not a good sign.

Senate Subcommittee Faults US Government On PRC Telecom

“It is this constant evolution that highlights a major flaw with the FCC’s Section 214 authorizations: once authorized, a company can operate indefinitely without any oversight. Without proper oversight, foreign carriers operating in the United States can expose the United States to potential economic, national security, and law enforcement risks. The federal government has highlighted the potential risks associated with Chinese telecommunications carriers operating in the United States.”  

On June 9, the chair and ranking member of the Senate Homeland Security & Governmental Affairs Committee’s Permanent Investigations Subcommittee released a “bipartisan” report alleging that the United States (US) government was lax in allowing telecommunications companies from the People’s Republic of China (PRC) to enter the US market. Specifically, Chair Rob Portman (R-OH) and Ranking Member Tom Carper (D-DE) took issue with how well the Federal Communications Commission (FCC) and “Team Telecom,” an inter-agency review process, oversaw the entrance and operation of three PRC telecommunications carriers in the US, especially from the perspective of national security: China Mobile, China Telecom, and China Unicom. The Subcommittee launched its inquiry after the FCC rejected China Mobile International (USA) Inc.’s application to operate in the US in May 2019. Since that time, the FCC has undertaken a review of the three aforementioned PRC entities, and the Trump Administration issued an executive order (EO) to revamp and formalize the Team Telecom review process (see here for more detail). The Subcommittee found a number of ongoing problems with the review and oversight process and recommended a number of changes.

Portman and Carper called for legislation to codify and reform the Team Telecom review process along the same lines as the recent reform of the Committee on Foreign Investment in the United States. Given that these authorities and the thrust of the legislation are focused on the PRC, there is likely significant support on Capitol Hill for a measure that would lead to further scrutiny of PRC telecommunications carriers. Should such legislation be paired with other measures aimed at PRC technology entities, it may face resistance from some stakeholders, including the White House, that may bar enactment this year. Another possibility is that legislation such as this is developed this Congress and support is built for passage in a future year, possibly via inclusion in the National Defense Authorization Act.

The Subcommittee claimed the report “details how the U.S. federal government—particularly the FCC, Department of Justice (DOJ), and Department of Homeland Security (DHS)—historically exercised minimal oversight to safeguard U.S. telecommunications networks against risks posed by Chinese state-owned carriers.” The Subcommittee noted “[t]hree Chinese state-owned carriers have been operating in the United States since the early 2000s, but only in recent years have the FCC, DOJ, and DHS focused on potential risks associated with these carriers. DOJ and DHS did enter into security agreements with two of the Chinese state-owned carriers prior to 2010, but they conducted only two site visits to each carrier since that time (or four total).” The Subcommittee claimed “[t]hree of those visits occurred between 2017 and 2018” and concluded “[t]his lack of oversight undermined the safety of American communications and endangered our national security.”

The Subcommittee stated

Since the Subcommittee launched its investigation, the agencies have increased their oversight of the Chinese state-owned carriers. The administration also recently issued an executive order establishing a formal committee to review the national security and law enforcement risks posed by foreign carriers operating in the United States. Still, the new committee’s authorities remain limited, and as a result, our country, our privacy, and our information remain at risk.

The Subcommittee concluded

It is well understood that the national security environment evolves over time. It is this constant evolution that highlights a major flaw with the FCC’s Section 214 authorizations: once authorized, a company can operate indefinitely without any oversight. Without proper oversight, foreign carriers operating in the United States can expose the United States to potential economic, national security, and law enforcement risks. The federal government has highlighted the potential risks associated with Chinese telecommunications carriers operating in the United States. Three particular carriers have been operating in the United States for approximately 20 years, without sufficient oversight from the FCC and the Executive Branch. Especially when dealing with state-owned telecommunications carriers, greater controls are needed, and the Administration and Congress must work together to ensure sufficient safeguards and oversight mechanisms are in place.

The Subcommittee made the following recommendations:

  • (1)  The FCC should complete its review of China Telecom Americas, China Unicom Americas, and ComNet in a timely manner. Team Telecom has recommended that China Telecom Americas’ authorizations be revoked because of “substantial and unacceptable” national security concerns. The FCC should expeditiously review the authorizations of China Telecom Americas and the other Chinese state-owned carriers to ensure our national security and communications networks are not unnecessarily put at risk. As part of its review of China Unicom Americas’ and ComNet’s authorizations, the FCC should seek the recommendation of the newly established EO Telecom Committee as to national security and law enforcement concerns associated with the carriers’ authorizations. The analysis should also include a decision as to whether risks can be mitigated—through the existing security agreements or new agreements.
  • (2)  The FCC should establish a clear standard and process for revoking a foreign carrier’s existing authorizations. Currently, there is no clear standard or process for revoking a foreign carrier’s existing authorizations. Telecommunications companies must understand the circumstances under which authorizations could be revoked and be afforded due process to challenge potential revocation. Team Telecom officials indicated that they do not know what the FCC considers a “sufficient” basis for a revocation. Thus, while government officials may believe revocation is warranted, they may not recommend revocation without additional guidance. A formal standard and revocation process would provide clear guidance to both the government and industry as to when revocation of an existing authorization is warranted.
  • (3)  Congress should require the periodic review and renewal of foreign carriers’ authorizations to provide international telecommunications services. Currently, these authorizations can exist in perpetuity. Although the recent Executive Order allows the EO Telecom Committee to review existing authorizations, it does not mandate periodic review or renewal. Considering the limited resources DOJ and DHS dedicated to Team Telecom’s review of foreign carriers’ applications, it is unlikely that they will review many existing authorizations. National security and law enforcement concerns, as well as trade, and foreign policy concerns, however, are ever evolving, meaning that an authorization granted in one year may not continue to serve the public interest years later. Requiring a periodic review and renewal of authorizations would ensure that the FCC and the Executive Branch continually account for evolving national security, law enforcement, policy, and trade risks.
  • (4)  Congress should statutorily authorize the EO Telecom Committee. The Administration established the EO Telecom Committee, which formalizes Team Telecom, but the EO Telecom Committee still has no governing statutory authority. Team Telecom’s historical lack of statutory authority led to a review process criticized by many as “opaque” and “broken.” The recent Executive Order is a positive step, but formal legislative authority will provide for greater oversight over foreign carriers.
  • (5)  Congress should preserve the role of other relevant Executive Branch agencies. Team Telecom was comprised of DOJ, DHS, and DOD officials. These agencies are also the primary components of the newly established EO Telecom Committee. Historically, the FCC has sought input on a foreign carrier’s application from other Executive Branch agencies, including the Department of State, Department of Commerce, and the U.S. Trade Representative. The recent Executive Order makes these agencies, and others, advisors to the EO Telecom Committee. These agencies provide invaluable input and their role in the review process must be accounted for in any formal legislation.
  • (6)  Congress should set deadlines by which decisions on FCC-related application reviews must be made. Team Telecom had no set deadlines by which it needed to complete its review of a foreign carrier’s application pursuant to the FCC’s request. Further, Team Telecom’s already limited resources were often focused on actions related to the Committee on Foreign Investment in the United States (“CFIUS”). This resulted in protracted reviews and business uncertainty. Setting deadlines will imbue trust back into the review process. The recent Executive Order imposed certain timelines, but it allows for the EO Telecom Committee to seek extensions, which could draw out the review process, especially if resources remain limited.
  • (7)  Congress should provide sustained resources necessary for the EO Telecom Committee to effectively assess foreign carriers’ applications and to monitor foreign carriers operating in the United States. The Foreign Investment Risk Review Modernization Act of 2018 provided CFIUS agencies specialized authority to hire staff to ensure agencies can manage CFIUS filings. EO Telecom Committee agencies should be provided a similar authority to ensure it is able to effectively and efficiently review foreign carriers’ applications and monitor foreign carriers’ operations.
  • (8)  Congress should require the EO Telecom Committee to formally coordinate reviews of foreign carrier applications with CFIUS. The EO Telecom Committee’s component agencies are members of CFIUS. CFIUS’s and the EO Telecom Committee’s processes overlap when a foreign investor seeks to acquire control of a U.S. telecommunications operator or infrastructure owner. These applications already undergo extensive review by CFIUS. Requiring formal coordination between CFIUS and the EO Telecom Committee will streamline the regulatory clearance process while meeting national security, law enforcement, trade policy, and foreign policy objectives.
  • (9)  Congress should provide the EO Telecom Committee with authority to recommend revocation of a carrier’s authorization, even where no security agreement exists between it and the carrier. Where no security agreement existed, Team Telecom did not interact with the foreign carrier. Although certain government officials believed that Team Telecom could review an existing authorization, even where no agreement existed, there is no formal, legal basis for such review. Combined with a requirement to periodically renew authorizations, affording the EO Telecom Committee the authority to review and recommend revocation of existing authorizations, even without a security agreement in place, allows the EO Telecom Committee to better respond to the evolving nature of national security risks.
  • (10)  Congress should require the periodic review and renewal of security agreements between the EO Telecom Committee and foreign carriers. Team Telecom officials told the Subcommittee that, even if it believed that a security agreement was not comprehensive to address all risks associated with a foreign carrier’s operations, it had little leverage to update the agreement. This means that certain risks, which could otherwise be mitigated, may go unaddressed. Requiring a periodic review and renewal of security agreements provides the EO Telecom Committee yet another tool to ensure that national security and other risks are regularly assessed and addressed.
  • (11)  The EO Telecom Committee should establish formal, written policies and procedures governing its monitoring of compliance with security agreements. Team Telecom had no formal, written processes governing its monitoring of a foreign carrier’s compliance with a security agreement. It relied on written correspondence and site visits, but there was no clear method as to when these mechanisms were used or why. The EO Telecom Committee should document and formalize Team Telecom’s processes, which will provide for more streamlined and consistent review of foreign carriers’ operations in the United States.
  • (12) Congress and the Administration should take steps to ensure reciprocal access to the Chinese telecommunications market for U.S. companies. In those aspects of telecommunications in which China officially permits foreign participation, China requires forced technology transfers and imposes discriminatory regulatory processes and burdensome licensing and operating requirements. This results in a highly asymmetric playing field in which U.S. companies face immensely restrictive policies in China, while Chinese companies are not equally restricted in the United States.

Senate Armed Services Marks Up FY 2021 NDAA

Per usual, the NDAA contains a number of technology-related provisions, including some of the CSC’s recommendations. The People’s Republic of China and the Russian Federation continue to receive attention.

This week, legislative work began on the FY 2021 National Defense Authorization Act (NDAA). The Senate Armed Services Committee conducted markups at the subcommittee and committee level, almost all of which were in closed settings, and announced a finished bill that has not yet been made available per committee tradition. However, as in years past, a summary of the NDAA has been released that provides a high-level overview of the bill, including its cybersecurity and technology-related provisions. Bill text will not likely be released before the bill comes to the Senate floor.

Most notably, a number of the Cyberspace Solarium Commission’s (CSC) recommendations were apparently included in the bill, an outcome the four CSC Members who also serve in Congress were working towards; Senators Ben Sasse (R-NE) and Angus King (I-ME) served on the CSC and are also on the Senate Armed Services Committee.

The CSC’s highest-profile recommendation was not entirely accepted, however. The CSC had called in its final report for a National Cyber Director who would “be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” However, the FY 2021 NDAA merely uses an old strategy on possibly controversial changes: a study would be conducted on a National Cyber Director. Nevertheless, the CSC’s mandate would be extended another 16 months if this legislation is enacted, giving the body more time to work to see this and other recommendations possibly come to fruition.

All of the recommendations in the FY 2021 NDAA are those within the jurisdiction of the Armed Services Committees, suggesting the non-defense cybersecurity recommendations will need to be enacted by the various committees of jurisdiction. Ironically, this is the very issue the CSC addressed in its recommendation that Congress establish “House Permanent Select and Senate Select Committees on Cybersecurity.” However, it is a rare occurrence for Congress to redraw committee jurisdictions in such a significant way, and the Homeland Security Committees were created after the attacks on the United States on 11 September 2001. And yet, it is not uncommon for legislation that pertains mostly to civilian agencies and affairs to get added to the NDAA. For example, the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) was enacted as part of the FY 2013 NDAA.

The Committee explained that the NDAA includes 11 of the CSC’s recommendations:

  • A review of National Guard response to cyberattacks,
  • Adding a force structure assessment in the quadrennial cyber posture review,
  • A report on enabling Cyber Command authorities, direction, and control of Cyber Operations Forces-related budgets, ensuring flexibility and agility to control acquisition,
  • An evaluation of cyber reserve force options, which could provide capable surge capability and enable DOD to draw on cyber talent in the department sector,
  • Improving cyber resiliency of nuclear command and control systems,
  • A modification to fortify the Strategic Cybersecurity program and further cyber vulnerability assessment of weapons systems,
  • A Defense Industrial Base threat intelligence sharing program to support companies’ ability to defend themselves,
  • An assessment of the risk posed by quantum computing to national security systems,
  • An extension of the Cyberspace Solarium Commission for tracking and facilitating the implementation of its recommendations for 16 months,
  • An independent assessment on the feasibility and advisability of establishing a National Cyber Director.

The House Armed Services Committee will begin marking up its FY 2021 NDAA later this month with a full committee markup scheduled for 1 July. It is very likely that CSC recommendations will make it into this bill, and so it will be a matter of final negotiations to determine which recommendations are part of the bill, which is seen as must-pass on Capitol Hill. Moreover, CSC recommendations could get folded into appropriations bills for FY 2021, which is often one of the last matters Congress addresses before recessing for the winter holidays.

The Committee highlighted other cybersecurity and cyberspace provisions:

  • Updates the responsibilities of the Principal Cyber Advisor, a key driver of the Department’s development and implementation of its 2018 cyber strategy, by increasing the integration and coordination responsibilities of that office to ensure that DOD’s cyber policies are coherent, cohesive, and meet needs,
  • Improves transparency and requires DOD to provide more regular updates on cyber operations to Congress,
  • Requires pilot programs, demonstrations, and/or plans for: speed-based cybersecurity capability metrics to measure DOD performance and effectiveness; interoperability and automated orchestration of cybersecurity systems (increased by $10 million above the President’s request); addressing network timing and address inconsistencies; and integration of user activity monitoring and cybersecurity systems,
  • Requires an assessment of gaps between Cyber Mission Forces and Cybersecurity Service Providers,
  • Authorizes increased funding ($25 million for Air Force Operation and Maintenance and $5 million for Army Operation and Maintenance) to provide Cyber Mission Forces with more resources to access, operate, and train as required by increased operational demands,
  • Improves cyber readiness and “man, train, and equip” by:
    • Authorizing a pilot program to prepare the National Guard for providing cyber assistance remotely in the case of cyber attacks,
    • Prohibiting the Secretary of Defense from taking any action on the National Defense University’s College of Information and Cyber Space until completing an assessment of educational requirements for military and civilian leaders in this domain,
    • Modifying authority to use Operation and Maintenance funds to allow for rapid creation, testing, and fielding of cyber capabilities to respond more quickly to threats, and
    • Improving the training and retention of highly qualified cyber personnel, including providing Cyber Command with the same hiring authority for technical talent as exists at DARPA, the Strategic Capabilities Office, and the Joint Artificial Intelligence Center, and by allowing for pay that is more competitive with commercial industry.

Again, the Committee addressed the threats posed by the DOD having a significant part of its supply chain rooted in the People’s Republic of China (PRC) and the challenges posed by the nation to US military and national security:

  • The FY21 NDAA takes numerous steps to reshape the Defense Industrial Base as a National Security Innovation Base, expanding its industrial capacity, promoting agility and resiliency, and identifying and mitigating risks associated with reliance on foreign adversaries, while investing in relationships with allies and partners. The shift to a National Security Innovation Base requires acknowledging that a whole-of-government approach is needed, and this bill encourages DOD to study broad factors that shape the industrial base and engage with outside stakeholders and interests. Recognizing that procurement restrictions are very powerful, the bill also ensures DOD is exploring all pathways to expand domestic capacity, including increased research and development. Lastly, the legislation safeguards proprietary technology, intellectual property, and other defense-sensitive data from being infiltrated by the government of China.
  • Further implements recommendations from DOD’s report proceeding from Executive Order 13806 on assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the U.S., and updates the framework for modernizing acquisition processes to ensure the integrity of the Defense Industrial Base,
  • Requires analyses of a variety of materials and technology sectors, such as microelectronics, rare earth minerals, medical devices, personal protective equipment and pharmaceutical ingredients, to determine actions to take to address sourcing and industrial capacity,
  • Directs additional steps for certain items, such as microelectronics, printed circuit boards, critical raw materials, and unmanned aircraft systems to mitigate risk of relying on foreign sources for products, materials, components, and manufacturing,
  • Strengthens the National Technology and Industrial Base (NTIB) by creating a Regulatory Council and directing DOD to establish a process for admitting new members,
  • Requires assessment of foreign industrial base capabilities and capacity to see how these drive risk to the U.S. from overreliance on China and their economic aggression,
  • Continues to expand the role of small business, extending the authorization of a pilot program to streamline contracting and auditing processes for innovative technology programs and ensuring DOD pays small business contractors quickly,
  • Directs steps to safeguard defense-sensitive U.S. intellectual property and technology from acquisition by China and with post-employment restrictions pertaining to China.

The Committee highlighted provisions aimed at the PRC and Russia:

  • Extends the limitation on providing sensitive missile defense information to Russia and on the integration of U.S. missile defense systems into those of China and Russia,
  • Requires the Secretary of Defense to submit a report on the risk to DOD personnel, equipment, and operations due to Huawei 5G architecture in host countries and possible steps for mitigation,
  • Requires the Secretary of Defense to consider 5G and 6G security risks posed by vendors like Huawei and ZTE when making overseas basing decisions,
  • Protects the defense industrial base and supply chain, as well as intellectual property and technology, from disruption, infiltration, or theft by the Government of China (see “Innovation Base”),
  • Fully funds the European Deterrence Initiative and increases funding to support rotational forces in Europe,
  • Requires a report on Russian support to racially and ethnically motivated violent extremist groups and networks in Europe and the United States that creates or causes growing national security threats, information warfare, and increasing risks to societal stability and democratic institutions,
  • Extends restrictions on military-to-military cooperation with Russia and any activities that would recognize Russian sovereignty over Crimea,
  • Expresses a sense of the Senate that long-term strategic competition with Russia is a top defense priority that requires sustained investment and enhanced deterrence due to the level of threat posed.

The Committee added:

As our strategic competitors develop more and more advanced weapons, equipment, and technology, it’s critical that the United States keep pace through deliberate, knowledge-based development. The FY21 NDAA directs investments and implements policies that will maintain or expand our comparative advantage over China and Russia for key capabilities and technologies. One strategy for accelerating innovation will be through a tailored approach of both subsystem prototypes, including for unmanned surface vessels, and full-scale prototypes, including for hypersonic weapons, based on a detailed understanding of what is necessary to achieve technical and technological maturity.

The bill also:

  • Supports the development of fifth-generation (5G) wireless networks by establishing a cross-functional team for 5G wireless networks and designates the DOD Chief Information Officer to lead the team and serve as the senior designated official for related policy, oversight, guidance, and coordination at DOD,
  • Strengthens Science and Technology efforts in emerging technologies, including by requiring: an assessment of U.S. efforts to develop biotechnologies compared to our adversaries; development of Artificial Intelligence use-cases for reform efforts; enhancements to the Quantum Information Science research and development program; and a demonstration of innovative 5G commercial technologies,
  • Encourages DOD to leverage commercially available technology where appropriate, particularly for artificial intelligence,
  • Includes several provisions designed to recruit and retain talent with technology expertise, including requiring a study comparing methods for recruiting and retaining technology researchers used by both the U.S. and Chinese governments and authorizing a pilot program to permit university students and faculty to take on part-time and term employment at DOD labs to work on critical technologies and research activities.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Executive Order Formalizes Review of Foreign Investment in Telecommunications

President Donald Trump has issued an executive order creating an inter-agency review body to determine whether foreign investment in U.S. telecommunications companies presents national security issues. However, the executive order merely formalizes and changes the longstanding “Team Telecom” process through which proposed foreign investment in the U.S. telecommunications industry has been evaluated. Like the previous body, the new body will consist of representatives from the Departments of Defense, Homeland Security, and Justice and other agencies in an advisory role. Notably, a time limit will be set on how long these reviews should take. Moreover, a number of the changes will align this review process with the reforms enacted in 2018 to the Committee for Foreign Investment in the United States (CFIUS) process, and like the recent reforms to CFIUS, many of these reforms are aimed at countering Chinese companies’ growing investment in or purchase of U.S. companies in key industries.

The Executive Order (EO) “Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” creates the new “Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” (Committee) chaired by the Attorney General. The EO explained “the primary objective of which shall be to assist the Federal Communications Commission (FCC) in its public interest review of national security and law enforcement concerns that may be raised by foreign participation in the United States telecommunications services sector.” Moreover, “[t]he function of the Committee shall be:

(i) to review applications and licenses for risks to national security and law enforcement interests posed by such applications or licenses; and

(ii) to respond to any risks presented by applications or licenses by recommending to the FCC, as appropriate and consistent with the provisions of this order, that it dismiss an application, deny an application, condition the grant of an application upon compliance with mitigation measures, modify a license with a condition of compliance with mitigation measures, or revoke a license.”

The Committee “shall review and assess applications to determine whether granting a license or the transfer of a license poses a risk to national security or law enforcement interests of the United States” and must render its assessment within 120 days. If a secondary assessment “is warranted because risk to national security or law enforcement interests cannot be mitigated by standard mitigation measures,” then an additional 90-day review period may commence.

In a statement, Federal Communications Commission Chairman Ajit Pai said, “I applaud the President for formalizing Team Telecom review and establishing a process that will allow the Executive Branch to provide its expert input to the FCC in a timely manner.” He claimed that “[n]ow that this Executive Order has been issued, the FCC will move forward to conclude our own pending rulemaking on reform of the foreign ownership review process.” Pai stated that “[a]s we demonstrated last year in rejecting the China Mobile application, this FCC will not hesitate to act to protect our networks from foreign threats…[but] [a]t the same time, we welcome beneficial investment in our networks and believe that this Executive Order will allow us to process such applications more quickly.”

The pending rulemaking to which Pai referred was started under his predecessor, former chair Tom Wheeler, and would change the FCC’s review of foreign applications in these ways:

In this Notice of Proposed Rulemaking, we propose changes to our rules and procedures related to certain applications and petitions for declaratory ruling involving foreign ownership (together, “applications”). As discussed below, the Commission refers certain applications to the relevant Executive Branch agencies for their input on any national security, law enforcement, foreign policy, and trade policy concerns that may arise from the foreign ownership interests held in the applicants and petitioners (together, “applicants”). As part of our effort to reform the Commission’s processes, we seek to improve the timeliness and transparency of this referral process. More specifically, our goals here are to identify ways in which both the Commission and the agencies might streamline and facilitate the process for obtaining information necessary for Executive Branch review and identify expected time frames, while ensuring that we continue to take Executive Branch concerns into consideration as part of our public interest review.

White House Releases 5G Strategy That May Not Meet Congress’ Requirements

Recently, the White House released the “National Strategy to Secure 5G of the United States” the same day President Donald Trump signed the “Secure 5G and Beyond Act of 2020” (P.L. 116-129), legislation that requires the Administration to develop and then implement a 5G strategy to address the threats posed by a 5G rollout dominated by Huawei and other Chinese companies. Given how detailed the bill was on what must be in the strategy, either this new document is not intended to satisfy this requirement of Congress or it is, in which case a number of lawmakers are not going to be pleased.

The “Secure 5G and Beyond Act of 2020,” according to its Committee Report, would:

  • Require the President of the United States to develop a Federal Government-wide strategy to ensure the security of the Nation’s next-generation—and future generations—wireless telecommunications systems and infrastructure.
  • Direct the U.S. Government to assist allies and strategic partners in maximizing the security of next-generation wireless telecommunications systems, infrastructure, and software.

Elsewhere in the report, the Committee explained the legislation “would require the President, in consultation with various other Federal officials, to develop and submit to the appropriate committees of Congress within 180 days of enactment a ‘Secure Next Generation Wireless Communications Strategy’ to do the following:

  • Ensure the security of 5th generation (5G) and future generations of U.S. wireless communications systems and infrastructure.
  • Provide technical assistance to U.S. mutual defense treaty allies, strategic partners, and other countries, when in the security interests of the United States, to maximize the security of 5G and future generations of wireless communications systems and infrastructure inside their countries.
  • Protect the competitiveness of U.S. companies, the privacy of U.S. consumers, and the integrity and impartiality of standards-setting bodies related to 5G and future generations of wireless communications systems and infrastructure.”

Moreover, the bill identifies “19 elements that would need to be included in the strategy,” including but not limited to:

  • A description of U.S. national and economic security interests pertaining to the deployment of 5G and future generations of wireless communications systems and infrastructure.
  • An identification and assessment of the global competitiveness and vulnerabilities of U.S. manufacturers and suppliers of 5G and future generations of wireless communications equipment. A list of domestic suppliers of 5G and future generations of wireless communications equipment and other suppliers in countries that are mutual defense allies or strategic partners as well as a strategy to assess their ability to produce and supply such systems and infrastructure.
  • Identification of trusted supplier entities from both inside and outside of the United States that are capable of producing and supplying to private industry infrastructure and systems equipment supporting 5G and future generations of wireless communications systems and infrastructure.

Additionally, the act requires “[i]n developing the Strategy, the President shall consult with relevant groups that represent consumers or the public interest, private sector communications providers, and communications infrastructure and systems equipment developers.”

In the cover letter, Trump stated:

This National Strategy to Secure 5G articulates my vision for America to lead the development, deployment, and management of secure and reliable 5G communications infrastructure worldwide, arm-in-arm with our closest partners and allies, including:

  • Facilitating domestic 5G rollout;
  • Assessing the risks and identifying core security principles for 5G infrastructure;
  • Managing the risks to our economic and national security from the use of 5G infrastructure; and
  • Promoting responsible global development and deployment of 5G infrastructure.

Trump added:

My Administration is committed to protecting America’s national security, promoting our prosperity, and preserving our civil liberties and democratic ideals. Ensuring the security, reliability, and trustworthiness of our 5G infrastructure is essential to these endeavors. This strategy explains how we will do just that.

In the strategy itself, the Administration remarked that “[t]he United States National Cyber Strategy states that:

The Administration will facilitate the accelerated development and rollout of next-generation telecommunications and information communications infrastructure here in the United States, while using the buying power of the Federal Government to incentivize the move towards more secure supply chains. The United States Government will work with the private sector to facilitate the evolution and security of 5G, examine technological and spectrum-based solutions, and lay the groundwork for innovation beyond next-generation advancements.

The Administration added:

This National Strategy to Secure 5G expands on how the United States Government will secure 5G infrastructure domestically and abroad. 5G infrastructure will be an attractive target for criminals and foreign adversaries due to the large volume of data it transmits and processes as well as the support that 5G will provide to critical infrastructure. Criminals and foreign adversaries will seek to steal information transiting the networks for monetary gain and exploit these systems and devices for intelligence collection and surveillance. Adversaries may also disrupt or maliciously modify the public and private services that rely on communications infrastructure. Given these threats, 5G infrastructure must be secure and reliable to maintain information security and address risks to critical infrastructure, public health and safety, and economic and national security.

The Administration contended that “[t]his National Strategy to Secure 5G will fulfill the goals of the National Cyber Strategy with four lines of effort” identified by the President in his cover letter.

As noted, it is not apparent whether this 5G strategy is meant to be the “Secure Next Generation Wireless Communications Strategy” called for in the “Secure 5G and Beyond Act of 2020.” And yet, an anonymous Administration official was quoted as saying that the National Strategy to Secure 5G satisfies a part of the bill (without specifying which part) with the implication that the Administration will not be producing a detailed strategy as required by statute. This official also claimed that the implementation plan would be much more detailed.

In any event, the Administration has announced its intention not to fully comply with other parts of the bill. In his signing statement, Trump explained he was going to interpret the new law in ways that would not, in his view, impinge on the powers of the President:

  • As part of the strategy, section 4 of the Act purports to require the President to engage in international diplomacy in order to share information and pursue policy goals specified by the Congress. Consistent with longstanding constitutional practice, my Administration will treat the relevant provisions of this section in a manner that does not interfere with the President’s exclusive constitutional authorities with respect to foreign relations, including the President’s role as the sole representative of the Nation in foreign affairs.
  • Section 5 of the Act further purports to condition the President’s authority to implement parts of the strategy upon the approval of the Federal Communications Commission. My understanding is that this provision does not preclude me or future Presidents from exercising our constitutional authorities as the “sole organ” of the Nation in foreign relations and as the head of the unitary Executive Branch to ensure proper implementation of the entire strategy.