Further Reading, Other Developments, and Coming Events (28 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S.-China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modern buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well-informed decisions on how best to acquire IT hardware, security, consulting services and many other everyday needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted
      • Under the President’s Management Agenda and the leadership of OMB’s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need for physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and disinfection, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples in how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management.
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of Fitbit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech is the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating the PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for the Department of Defense (DOD) stating that poor Operations Security (OPSEC) “practices within DOD in the past have resulted in the unauthorized disclosure or “leaks” of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as “non-public information”).” Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights. As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities. It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19).
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizens’ personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Ms Denham said: “The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • “The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the accounts of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc. is a major part of this problem that must also be addressed.
  • “US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN) and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • “Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high-profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “‘Hurting People At Scale’ – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • “Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Federal Software Hearing

Through the prism of the US’ inadequate response to the COVID-19 pandemic, a House committee chewed over familiar issues plaguing the US government’s technology use and modernization efforts.

On 15 July, the House Budget Committee held a virtual hearing titled “Software Update Required: COVID-19 Exposes Need for Federal Investments in Technology” to highlight the effects that underfunding of technology programs in the federal government has had in hindering efforts to combat COVID-19 and measures to mitigate its impacts. The shortcomings of federal information technology (IT) procurements, processes, and performance are one of the areas where there is bipartisan agreement on many of the issues and proposed solutions. However, Republicans and Democrats often differ on funding for civilian IT programs, a feature of the ongoing debate about another COVID-19 stimulus package. And this was the line that divided the chair and ranking member of the committee on how to address acknowledged failures in how federal and state governments distributed aid to people and businesses. Because the House Budget Committee does not have direct jurisdiction over technology programs other than setting broad parameters in the years it drafts and passes a budget resolution to guide Congressional funding, the impact of this hearing is more in the vein of shaping discussion in the House on how it should address the funding and governance of IT programs, which now total more than $90 billion annually of the more than $1.2 trillion in funds Congress doles out every year.

Chair John Yarmuth (D-KY) claimed “[r]ash funding cuts over the past decade have prevented the Internal Revenue Service (IRS) from modernizing its information technology (IT) systems, deteriorating the agency’s ability to not only carry out its core function of tax collection and enforcement, but also needlessly prolonging the delivery of stimulus payments to workers and families during the coronavirus pandemic and recession.” He asserted that “[t]he coronavirus pandemic has proved that the quicker the response the better the outcome – and that the steps taken by Congress to help American workers and families are only as effective as the agencies delivering that relief.” Yarmuth claimed “[u]nfortunately, the IRS is not alone in its inability to meet the needs of the American people in this perilous time.”

Yarmuth stated

  • Instead of helping to generate much-needed solutions, outdated IT systems are worsening an already difficult situation as Americans grapple with unreliable or insufficient internet access, useless automated systems, and overwhelmed and underprepared agencies. Emergency assistance programs across the board have been hampered by our antiquated IT systems – leaving families with delayed relief or no relief at all.
  • The most glaring example is unemployment assistance. We are four months into the worst economic downturn since the Great Depression, and there are still tens of thousands of workers who have filed for jobless claims but have not yet received a single payment. Many are going into debt or default, skipping meals, or losing their homes.
  • State unemployment offices, already underfunded and understaffed, were left completely unprepared for the massive influx of need. And a big reason for that is the fact that national administrative funding is essentially the same as it was in 2001 – and that’s before accounting for inflation.

Yarmuth continued

  • This lack of federal investment combined with old hardware, crashing web servers, and the need for new-hires proficient in COBOL – their systems’ 60-year old coding language – have left states scrambling. Their antiquated IT systems failed and continue to fail repeatedly – and American workers, those who lost their jobs through no fault of their own, are paying the price.
  • This aspect of our ongoing crisis is not new. The federal government has long sought to prioritize modern, secure, and shared IT solutions, but funding uncertainties – stemming from constrained discretionary funding under budget caps, shutdown threats, and continuing resolutions – have made agencies more likely to update instead of modernize. The Government Accountability Office (GAO) reports that while the total share of federal IT spending is increasing, it isn’t because we are investing in better and new technology. It’s because the price of updating our existing systems is snowballing as our ancient software becomes increasingly outdated and hardware parts nearly impossible to find.

Yarmuth said “[t]o date, Congress has passed legislation that includes $1 billion in grants to state unemployment offices to help process claims faster – and more is needed.” He argued that “[b]y refusing to bring the “HEROES Act” (H.R.6800) to the floor, [Senate Majority] Leader [Mitch] McConnell (R-KY) is holding up an additional $1 billion for the federal Technology Modernization Fund and a combined $5.5 billion to help schools, libraries, and impacted families access high speed connectivity and devices to facilitate distance learning – something we must prioritize in order to protect our children and educators.” Yarmuth remarked “earlier this month, House Democrats passed the “Moving Forward Act,” (H.R.2) a comprehensive infrastructure package that includes $100 billion in broadband funding to extend high speed internet to underserved and hard to reach communities.” He declared that “[w]e have to invest in modernization now, so that the federal government can help provide workers, families, and state and local governments with the necessary tools and resources to support our nation’s recovery efforts.”

Ranking Member Steve Womack (R-AR) said “[f]ederal information technology (IT) systems are critical to providing Americans with a wide range of government services and information…[and] [i]n the 21st century, it’s no secret that IT is fundamental to many different operations.” He contended “[t]hese systems are aimed at improving program delivery, maximizing effectiveness and efficiency, and ensuring data security…[and] [i]f we cannot maintain and optimize this critical infrastructure, the federal government will be unable to execute one of its essential functions: providing crucial resources and services to the American people.” Womack asserted “[w]e should never allow the delivery of veteran health care, social security benefits, or defense initiatives to fail because of outdated and faulty IT systems.”

Womack stated that “[u]nfortunately, current federal IT upgrade efforts are faltering due to missed deadlines, cost overruns, and inadequate outcomes, including operability failure and data breaches…[and] [w]hile COVID-19 exposed additional deficiencies of federal IT systems, these shortages existed long before the current pandemic.”

Womack stated

  • For example, in 2011, the Department of Veterans Affairs (VA) and the Department of Defense (DOD) began an electronic health record (EHR) modernization initiative to create a single, shared system between the two departments. In 2013, and after spending more than $1 billion on the program, the VA and DOD announced they were abandoning the project with nothing to show for the money spent other than a painful lesson learned. This is not only a waste of taxpayer dollars, but, more disconcerting, it hurts our nation’s service members and veterans who depend on these health care services. This is the more upsetting part for me. Program indecision and mismanagement have resulted in us failing those who’ve served this country.
  • Where is this EHR effort at the VA today? The VA and DOD are trying this again with a new government contract from Cerner. This initiative is already nearly one year behind schedule and has yet to go live in even one medical center. I truly hope this story ends better than past VA efforts in the IT space.

Womack added “I’m not just picking on the VA’s challenges. There are other examples of how we have fallen short:

  • In 2014, the Office of Personnel Management’s data was breached, which resulted in approximately 21.5 million compromised records.
  • The HITECH Act, which was part of the 2009 stimulus package, allocated billions of dollars for the Department of Health and Human Services (HHS) for IT development. To date, HHS still does not have an interoperable system and continues to struggle with siloed and fragmented data due to the different electronic health records vendors.”

Womack claimed “the question is, how do we make sure, going forward, all federal investments in IT modernization efforts result in the timely deployment of up-to-date, secure, and properly functioning systems?”

Womack asserted

  • Strong vetting and planning for proper IT implementation is key. It is imperative that these investments are met with rigorous oversight—yes, that is our job here in Congress—and agency accountability to ensure that the public is getting the best services available and taxpayer dollars are not wasted.
  • But, as I mentioned last week, there is another threat to federal investments in vital government programs such as IT modernization. That is our out-of-control deficit and debt. If we don’t confront the autopilot mandatory spending that is hurtling us towards a fiscal cliff, there won’t be any money left to fund a range of prerogatives.
  • Time is running out, and it’s essential that Congress directly address this problem. The Budget Committee must meet its duty and put together a budget to chart a new way forward. We need to get back to making the tough choices that will determine a brighter future. We have an obligation to current and future generations to ensure that critical programs don’t cease to exist.

National Academy of Public Administration President and CEO Teresa Gerton stated

  • The government’s IT infrastructure is heavily dependent upon technologies that were invented in the mid-twentieth century. The coronavirus pandemic has made it abundantly clear that those systems pose extraordinary risk to government operations in a steady state environment, and they may fail catastrophically in a crisis. And yet, government budgeting rules and appropriation law have created IT acquisition challenges for almost as long as the term “IT” has existed.
  • Insufficient funding for capital improvements has forced agencies to repeat a cycle in which robust plans submitted with their budget requests have to be scaled back to align with the reduced funding amounts they eventually receive. Insufficient funding leads to implementation of sub-optimal solutions with limited impact on improving efficiency. Ironically, governments bear an extra cost burden for such strategies because they must allocate expensive resources to maintain obsolete and inefficient solutions, which by any reasonable business standard should have been rationalized and replaced.
  • To really change the future, we must change the rules. Today the government has challenges with cloud procurement, but the market is constantly evolving. More things will be sold as a service in the future. With enablers like quantum computing and machine learning, technology innovation will inevitably continue at an increasing rate. Given the economic, demographic, and social challenges facing this nation, the federal government must find new ways to invest in and to improve its effectiveness and efficiency to successfully meet the current and future demands of the American public. We must provide acquisition and sustainment flexibility that reflects what the commercial market is selling, and we must adapt our accounting and auditing rules to encourage, not discourage, the use of these flexibilities. We must be ready to effectively acquire and deploy modern technology solutions or risk failures in our support to our citizens, and potentially calamitous failures in our ability to govern.

Code for America Founder and U.S. Digital Response Co-Founder Jennifer Pahlka said “[t]o get government tech right, we of course need to be able to procure more modern technology platforms…[b]ut that will be insufficient if we don’t also do three things that support agility and human-centered design:

  • The first is to break down the silos between policy, technology and other disciplines. Technology can’t speed a process in which most cases must be handled manually, as I described above in the case of unemployment benefits under the CARES Act. A similar problem is that many states require applicants for Pandemic Unemployment Assistance (PUA) to apply for regular unemployment first, wait to receive their rejection, and only then apply for PUA. Tech, operations, policy and compliance staff must work together to solve these problems, and agile development models allow for this collaboration in ways that legacy models do not. We must even have digital professionals at the table when we craft policy; understanding how the service will be delivered is critical to getting the outcomes the policy seeks, especially now, as we face greater and greater needs and limited delivery capabilities. As the former head of the White House Domestic Policy Council Cecilia Muñoz has said, “Policy leaders must learn the skills of human-centered design, and technology must have a seat at the strategy table.”
  • The second is to encourage rapid prototyping and continuous development. Our legacy process involves a requirements gathering period that can take many years, followed by the development of a Request for Proposal that can be thousands of pages long, lengthy contracting and development periods, and then a move into what’s called sustainment. This process may work for constructing buildings, but it’s simply not how good software comes to life. It is better, faster and cheaper when interdisciplinary teams start small, build iteratively, work closely with the users of the software all the way through, and continuously update and improve the application.
  • The third is to demand that all services provide real-time data about their usage and that human beings are assigned to looking at that data to understand what’s working, what’s not working and what can be done about it. When Code for America started working to decrease the participation gap in Supplemental Nutrition Assistance (SNAP) in California, our team found that the program leadership had very little insight into the reasons people tried to apply and couldn’t, or applied but couldn’t make it through the burdensome process despite being eligible. It wasn’t that they didn’t care; the systems they’d been given to manage eligibility and enrollment simply didn’t provide that data, and what data they did get was usually months, if not years, old by the time they got it. Creating an online application that was simpler and easier to use had huge benefits for the people applying, but an equally important benefit was that the system was instrumented to allow decision-makers to see in near real-time where users got stuck and begin to fix those issues. This access to real-time data is part of what’s needed as we deal with today’s crisis.

National Employment Law Project Executive Director Rebecca Dixon urged “Congress to immediately take the following steps, which will help stabilize and ensure greater accountability and transparency over the state IT systems:

1. Fully Fund the States Linked to Strong Accountability Standards: Most importantly, the federal government must make a sizable commitment to provide dedicated funding of IT modernization and far more adequate levels of basic state unemployment insurance (UI) administration funding. With the additional funding should come strong federal oversight and enforcement, including tangible requirements that the modernization process include input from stakeholders (including workers and their advocates) from beginning to end, and comprehensive user testing that ensures participation from Black people who are faced with the most barriers, and all communities of color; those on the other side of the digital divide; people with limited English proficiency; and people with disabilities.

2. Expand the Department of Labor’s (DOL) IT Expertise and Mandate to Ensure Full Access: There is extremely limited independent capacity and IT expertise on the part of DOL to actively monitor and enforce the state UI systems. DOL should create a specialized unit devoted to the IT, phone and other state UI agency infrastructure needs. DOL’s new regime should include strong measures of state success and failure (including adequate customer service) that can be assigned a grade that should be prominently featured on the DOL website to provide transparency to the public and compare the operation of programs across the states. For example, DOL should extend the timeliness regulations to ensure that workers are able to successfully reach a claims agent by phone within a reasonable period of time. In addition, DOL’s Center for Civil Rights should also be fully resourced to more promptly investigate and respond to complaints and make the results of their investigations public. DOL should also have the authority to review IT contractor agreements, audit contractors where necessary, and require the states to produce data documenting contractor performance.

3. Federal Commission on Modernization of Federally Funded Benefit Programs: A federal task force should be immediately created to evaluate the performance of federally funded programs, including UI, and make recommendations for reform related to funding, the creation of robust standards and metrics, contractor accountability, best practices, and the adequacy of federal agency oversight and enforcement, including compliance with civil rights laws. The task force should also explore whether certain administrative and infrastructure functions (especially in response to disasters and public health emergencies) should be federalized, and whether federal agencies should have the authority to negotiate favorable terms with IT and phone system vendors that take advantage of the federal government’s ability to leverage cost savings while also producing more compatible and high-quality state systems. Federalization in whole or part may be the simplest solution. The patchwork of state systems means that each state has to struggle with the modernization process and vendor negotiations. While some states have banded together into consortia to get a better deal, those consortia can dissolve as political leadership shifts in allied states or as states develop different modernization goals, wasting time and money. A federal process could achieve these goals on the largest possible scale.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


House Appropriations Committee Passes Bills With Funding For and Directives To Technology Agencies

Four bills full of technology funding and programmatic direction are reported to the House.


The House Appropriations Committee finished work on four of the FY 2021 appropriations bills that fund a substantial portion of the United States’ (US) government’s technology programs and activities. Often appropriations bills are the primary vehicle by which Congress changes executive branch policy through the use of its funding powers, and so the bills and their committee reports contain a range of directives and instructions year-to-year. The House is set to finish committee consideration of all 12 bills this month, but there is no indication as to when the Senate Appropriations Committee will take up its bills. Given the late start on appropriations, it is all but certain the federal government will be operating under a stopgap funding bill for some portion of the first quarter of the next fiscal year. The outcome of the election could result in a further postponing of full appropriations and delaying of passage of technology funding and program changes.

FY 2021 Homeland Security Appropriations Act

In advance of the 15 July markup, the House Appropriations Committee made available its Committee Report to accompany the FY 2021 Homeland Security Appropriations Act.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS to “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a “central Federal information security incident center,” a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115–390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • “[P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship,” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order, will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also to ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed to consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.—The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and
    • other priority activities and investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).—The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.”

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cut across these geographic boundaries and require coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant command’s MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

Also on 14 July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was marked up and reported out, and its Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organizations, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Senate Consideration of NDAA Continues

Slowly, the Senate works on its NDAA by adding a number of amendments including a few standalone technology bills. However, an election security bill was stripped out of the FY 2021 Intelligence Authorization before it was added to the NDAA.

The Senate continued its consideration of the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) this week before recessing for the 4 July holiday. Work will continue later this month on the massive authorization package that sets annual policy for the Department of Defense (DOD) and related agencies. However, before leaving Washington, DC, the Senate did deal with some of the amendments offered for adoption by adding a number en bloc, some of which pertain to technology policy and funding.

The following amendments were adopted en bloc by unanimous consent on 2 July 2020:

  • The Department of Homeland Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years.
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “the Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a recommendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The committee voted 14 to 1 to pass an intel authorization bill that included the FIRE Act, the act that I just described, so that if a foreign government interferes or offers you assistance or offers you dirt, you don’t say thanks; you call the FBI. So you can imagine my surprise and frustration when I learned of a backroom deal to strip the FIRE Act out of the Intelligence Committee’s legislation because of a supposed turf war with another committee. I am back again today because the security of our elections cannot wait. Let’s not hide behind process or jurisdictional boundaries. The stakes are far too high to continue the partisan blockade of election security legislation that we have seen over the last 3 years. If, behind closed doors, my Republican colleagues want to strip this legislation out of the NDAA, then I am going to offer it up as an amendment to force an up-or-down vote and put every Member of this body on the record: Are you for election security or are you for allowing foreign entities to interfere and offer assistance with no requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247)
  • The “Senate Cybersecurity Protection Act” (S.890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722)
  • The “Secure Elections Act of 2019” (S.1540)

Yet, the Senate has taken up and passed two election-related bills addressing facets of the cybersecurity challenges. On July 17, the Senate passed by unanimous consent the “Defending the Integrity of Voting Systems Act” (S. 1321), which would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328), which will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills.

When the Senate returns to the bill on 20 July, a number of amendments will be pending, including one to establish semiconductor manufacturing grants.

NDAA Markup Finishes In House

The House’s NDAA was moved out of committee and it would alter a range of technology programs and initiatives at the Pentagon. The bill may be considered by the full House later this month.

The House Armed Services Committee marked up and reported out the “National Defense Authorization Act for Fiscal Year 2021” (NDAA) (H.R.6395), three weeks after the Senate Armed Services Committee did the same with its NDAA. The two packages authorize very similar top-line funding for the Department of Defense (DOD) and non-DOD defense programs (most of which are the Department of Energy’s nuclear weapons programs) that largely meets the Trump Administration’s overall funding request of roughly $731 billion, including $69 billion for Overseas Contingency Operations (OCO). And, the annual authorization package is full of technology provisions that affect the DOD, related agencies, private sector contractors, and other nations. The House may take up H.R.6395 this month, which will likely result in more changes being made to the package.

Chair Adam Smith (D-WA) released his Mark (i.e. the full text of his proposed FY 2021 NDAA that served as the base text for the markup). This bill also added sections that were not included in the subcommittee marks, and with respect to cyber-policy, the Chair’s Mark added two provisions:

  • Section 1622—Cyberspace Solarium Commission
    • This section would modify section 1652 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232) to update the Cyberspace Solarium Commission’s membership. Additionally, this section would permit the organization to extend further for the purposes of providing regular updates to the legislative and executive branches on the implementation of the Commission’s findings. 
  • Section 1624—Responsibility for the Sector Risk Management Agency Function of the Department of Defense
    • This section would assign full responsibility for certification, coordination, harmonization, and deconfliction of the various efforts, initiatives, and programs that the Department of Defense manages in the furtherance of its responsibilities as the Sector-Specific Agency (SSA) for the Defense Industrial Base to the Principal Cyber Advisor. Presently, the Department is the only SSA that has not unified its various physical and cybersecurity efforts under one organization. For the purposes of carrying out its SSA mission, the Principal Cyber Advisor will be tasked with the management of all functions associated with SSAs under Presidential Policy Directive-21.

The Chair’s Mark has a number of cybersecurity provisions in the Committee Report:

  • [T]he committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Consistent with draft regulation issued in November 2019, and the anticipated August 2020 regulation related to this statute, the committee directs the Secretary of Defense, in coordination with the Secretary of Commerce, to provide a briefing to the House Committee on Armed Services not later than December 1, 2020, on the implementation status of the full requirements in section 889 of the FY 2019 NDAA that effectively bans Huawei, ZTE, Hytera, Hikvision, or Dahua systems or equipment from DOD and federal government systems and networks.

The Intelligence and Emerging Threats and Capabilities Subcommittee’s Mark contains the following Committee Report language:

  • [T]he committee directs the Secretary of Defense, in coordination with the Department of Defense Chief Information Officer, to provide a report to the House Committee on Armed Services not later than March 31, 2021, on the status of the Department’s implementation of the [21st Century Integrated Digital Experience Act (IDEA) (P.L. 115-336)] across the defense enterprise.
  • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than September 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • [T]he committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.

The Committee adopted hundreds of amendments during its hours-long markup, some of which pertained to defense technology issues. The Committee wrote this summary of selected provisions adopted in this package in the jurisdiction of the Intelligence & Emerging Threats and Capabilities Subcommittee offered by a range of Members:

  • Amends Sec. 1286 of the FY 2019 NDAA by adding to the requirements a publication deadline and public release of a list of Chinese and Russian academic institutions with a history of improper technology transfer and other malign behavior.
  • Directs the Secretary of Defense to provide a briefing to the House Committee on Armed Services, not later than 1 December 2020, on the information environment segmentation methodology framework.
  • Requires a GAO study of DOD’s Cyber vulnerability assessment efforts.
  • Requires DOD to submit a report to Congress on DOD components cyber hygiene practices and directs the GAO to review that report and brief the Committees on its findings.
  • To provide a briefing to HASC on improving the cybersecurity of disadvantaged small businesses in the defense industrial base.
  • National Security Commission on Artificial Intelligence (NSCAI) recommendations including:
    • “a steering committee on emerging technology and national security threats;”
    • “the Secretary of Defense shall develop and implement a program to provide covered human resources personnel with training in the fields of software development, data science, and artificial intelligence, as such fields related to the duties of such personnel;”
    • “a pilot program under which applicants for technical positions within the Department of Defense will be evaluated, in part, based on electronic portfolios of the applicant’s work;”
  • Briefing on use of Artificial Intelligence to analyze beneficial ownership of defense contractors
  • Establishes a National Artificial Intelligence Initiative
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
  • Package of recommendations on artificial intelligence (AI) and emerging technologies from the National Security Commission on Artificial Intelligence (NSCAI), including:
    • a program under which qualified professors and students may be employed on a part-time or term basis in an organization of the Defense science and technology enterprise for the purpose of conducting a research project
    • an advisory panel on microelectronics leadership and competitiveness
    • the Joint Artificial Intelligence Center…shall conduct an assessment to determine whether the Department of Defense has the ability to ensure that any artificial intelligence technology acquired by the Department is ethically and responsibly developed.
  • Amending report language on “Ties between Russia and China” to include assessment on defense cooperation and coordination between Russia and China
  • Requires a report on the applicability of using automated technologies related to computer aided manufacturing software and similar manufacturing technologies to address repair part obsolescence issues and part obsolescence issues and parts shortages across the organic industrial base.
  • To require a plan on spectrum information technology modernization and a program to identify and mitigate vulnerabilities in the military’s telecommunications infrastructure
  • The DOD lacks a similar comprehensive understanding of the Internet-connected assets and attack surface across the DOD enterprise. Amends existing DRL to require a briefing on the current and planned capabilities and concept of operations for Internet operations management.

The Committee also offered summaries of the following provisions adopted across three amendments:

  • Chair’s Mark En Bloc #1
    • Report on Supply Chain Security Cooperation with Taiwan
    • Directs the United States-China Economic and Security Review Commission to brief the committee on any plans, opportunities, and/or challenges the Commission has for sharing its expertise and cooperation with similar organizations among U.S. partners and allies
    • Encourages the Secretary of Defense to take into account the security risks, including threats to operational and information security, of 5G and 6G telecommunications networks in all future overseas stationing decisions
  • Chair’s Mark En Bloc #2
    • Cyber Threat Information Collaboration Environment (JCE)
    • Establishment of the Integrated Cyber Center
    • Cybersecurity Threat Hunting and Sensing, Discovery, and Mitigation
    • The DOD “shall establish a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security” that would include cybersecurity incident reporting for defense contractors
    • Requires a study and recommendations from NIST on China’s influence in international standards setting bodies for emerging tech.
    • Requirement to Buy Certain Satellite Component from National Technology and Industrial Base
    • Sense of Congress on the intent and implementation of the Section 889 of the FY19 National Defense Authorization Act pertaining to the prohibition on certain telecommunications and video surveillance services or equipment
    • Extends and modernizes required reporting by the Department of Defense on Chinese Communist Party military companies operating in the United States
  • Chair’s Mark En Bloc #3
    • DRL requiring a briefing from USD(A&S) on how DOD and the CMMC-AB plan to mitigate potential organizational conflicts of interest [between] contractors and third-party assessment organizations performing CMMC certifications
    • To provide assistance to small manufacturers in the defense industrial supply chain with improving cybersecurity
    • GAO Report on GSA e-commerce Portal Data Usage and Competition

Further Reading and Other Developments (20 June)

Other Developments

  • The House Financial Services Committee’s National Security, International Development, and Monetary Policy Subcommittee held a virtual hearing titled “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”
  • The Senate Appropriations Committee’s Financial Services and General Government Subcommittee held a hearing titled “Oversight of FCC Spectrum Auctions Program.”
  • The Commerce, Science, and Transportation Committee held a hearing on a number of nominations, including a re-nomination of Federal Communications Commission Commissioner Michael O’Rielly for another full term.
  • The Department of Commerce’s Industry and Security Bureau released an interim final rule to amend “the Export Administration Regulations (EAR) to authorize the release of certain technology to Huawei and its affiliates on the Entity List without a license if such release is made for the purpose of contributing to the revision or development of a ‘standard’ in a ‘standards organization.’” The Department added in its press release, “The rule returns U.S. industry to the status quo ante, from an Entity List perspective, with respect to disclosures of such technology to Huawei and its affiliates in legitimate standards development contexts only, and not for commercial purposes. Disclosures for commercial purposes remain ‘subject to the EAR’ and are still subject to recordkeeping and all other applicable EAR requirements.” Comments are due on 17 August 2020.
  • The National Transportation Safety Board (NTSB) released its “Safety Recommendation Report” that “called for a change in air cargo shipping requirements for some types of lithium-ion batteries” following its investigation “into the shipment of lithium-ion batteries that ignited while in transport on a delivery truck in Canada.” The NTSB recommended that the Pipeline and Hazardous Materials Safety Administration:
    • Propose to the International Civil Aviation Organization to remove its special provision A88 from its Technical Instructions for the Safe Transport of Dangerous Goods by Air allowing special permits for low-production or prototype lithium-ion cells or batteries shipped by airplane and eliminate any exceptions to the testing of United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 requirements for all lithium-ion batteries before transport by air. (A-20-31)
    • Once the International Civil Aviation Organization removes special provision A88 from the Technical Instructions for the Safe Transport of Dangerous Goods by Air, remove the exemption from United Nations Manual of Tests and Criteria, Part III, Sub-section 38.3 testing from Title 49 Code of Federal Regulations 173.185(e) for low-production or prototype lithium-ion batteries, when transported by air. (A-20-32)
  • The Carnegie Endowment for International Peace’s Partnership for Countering Influence Operations (PCIO) released “The Challenges of Countering Influence Operations” with these “Key Takeaways:”
    • Influence operations defy easy categorization. Influence operations often fail to fit neatly into boxes outlined by individual policies or legislation. They are run in a complex environment where actors overlap, borders are easily crossed and blurred, and motives are mixed—making enforcement challenging. In this case study, actors share highly politicized online content but also appear to benefit financially from their actions, making it difficult to ascertain whether their motives are primarily political, commercial, or both.
    • Relevant policies by social media platforms tend to be a patchwork of community standards that apply to individual activities of an influence campaign, not the operation as a whole. Policies published by social media companies often focus on individual components of influence operations. This approach attempts to neatly categorize and distinguish actors (foreign versus domestic), motives (political influence and profit), activities (including misrepresentation, fraud, and spamming behavior), and content (such as misinformation, hate speech, and abuse). This piecemeal approach to enforcement raises questions about whether officials within social media platforms fully understand how influence operations work and how such campaigns are more than the individual behaviors that compose them.
    • Social media networks have more opportunities to counter influence operations through their platform policies than governments do with existing legislation. Social media companies have implemented various policies to govern how their platforms are used, providing opportunities for combating influence operations. They also have greater access to information about how their platforms are used and have domain-specific expertise that allows them to create more tailored solutions. Fewer avenues exist for countering such influence operations using government-led legal mechanisms. This is not only because of the relative paucity of laws that govern online activity but also because law enforcement requires attribution before they can act, and such attribution can be difficult to ascertain in these cases. This means that governments have generally done little to help private industry actors determine what kinds of influence operations are unacceptable and should be combated. In the absence of such guidance, industry actors are de facto drawing those lines for society. Governments could do more to help guide industry players as they determine the boundaries of acceptable behavior by participating in multi-stakeholder efforts—some of which have been set up by think tanks and nonprofits—and by considering legal approaches that emphasize transparency rather than criminalization.
    • The influence operations uncovered by media scrutiny are not always as easy to counter as those writing about them might hope. Savvy influence operators understand how to evade existing rules, so that their activities and content do not breach known policies or legislation. Media coverage that showcases examples of influence operations seldom explains whether and how these operators violate existing platform policies or legislation. This is a problem because distasteful influence operations do not always overtly violate existing policies or laws—raising questions about where the lines are (and should be) between what is tolerable and what is not, and, moreover, who should be determining those lines. Even when existing policies clearly do apply, these questions persist. Stakeholders should more clearly assess what constitutes problematic behavior before rushing to demand enforcement.
  • A number of privacy and civil liberties groups released “principles to protect the civil rights and privacy of all persons, especially those populations who are at high risk for the virus and communities of color, when considering the deployment of technological measures in response to the COVID-19 crisis.” These groups also sent these principles in letters to both the House and the Senate.
  • The Technology Coalition, formed 15 years ago “when industry leaders came together to fight online child sexual exploitation and abuse (CSEA),” announced “Project Protect: A plan to combat online child sexual abuse – a renewed investment and ongoing commitment to our work seeking to prevent and eradicate online CSEA” with these elements:
    • Execute a Strategic “Five Pillar” Plan to reinforce the cross-industry approach to combating CSEA, putting in place the structure, membership models, and staffing needed to support the Technology Coalition’s long term objectives.
    • Establish a multi-million dollar Research and Innovation Fund to build crucial technological tools needed to more effectively prevent and work to eradicate CSEA.
    • Commit to publishing an Annual Progress Report on industry efforts to combat CSEA.
    • Create an annual Forum for CSEA experts bringing together industry, governments, and civil society to share best practices and drive collective action.
  • Amnesty International’s Security Lab named Bahrain, Kuwait and Norway as having “some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk.”
  • The Knight Foundation and Gallup released “Free Expression, Harmful Speech, and Censorship in a Digital World,” “a study to gauge Americans’ opinions on [social media companies, the internet, and the role of government], delving specifically into two potential paths forward — amending Section 230 of the Communications Decency Act, which largely shields internet companies from legal liability for content shared on their sites, and the relatively new notion of content oversight boards” with these topline findings:
    • Americans prefer social media apps and sites to be places of open expression.
    • Even as Americans voice a preference for open expression, there are several forms of online content that many say should be restricted or never allowed.
    • Many Americans have personally been targeted by harmful online behavior.
    • Americans are somewhat divided on Section 230 of the Communications Decency Act, which largely shields major internet companies from liability for content posted on their websites and apps by third parties.
    • A majority of Americans do not trust social media companies to make the right decisions about what content appears on their sites or apps.
    • Despite misgivings about major internet companies making the right decisions related to harmful online content, Americans are more likely to favor the companies, rather than government, setting policies to regulate such content.
    • Americans’ opinions of content oversight boards are largely favorable, tending to prefer them to social media companies or the government to make decisions about what can and cannot appear on social media websites and apps.
    • Americans’ favorability toward content oversight boards increases when they know more about them.
    • The most important content oversight board attributes for Americans are transparency and diversity, followed closely by independence — i.e., who appoints board members. Less valuable is the board’s ability to compel social media companies to enact its decisions or guidelines.
    • Americans’ trust in a social media company will not automatically increase solely because the company adopts a content oversight board. Rather, trust can be gained based on the board’s features relating to its independence, transparency, diversity and ability to enforce decisions.
  • Graphika released a report titled “Exposing Secondary Infektion: Forgeries, interference, and attacks on Kremlin critics across six years and 300 sites and platforms,” “a long-running Russian information operation, encompassing multiple campaigns on social media run by a central entity, which was already active in 2014 and that was still running in early 2020.”
  • The University of Toronto’s Citizen Lab and Amnesty International released a report on “nine Indian lawyers, activists, and journalists….targeted in 2019 in a coordinated malware campaign” with “NetWire, a commercially available spyware.”

Further Reading

  • “The Economy Is Reeling. The Tech Giants Spy Opportunity.” – The New York Times. All of the large technology companies are continuing the same pace of acquisition and product rollouts as last year. Critics fear that companies’ expansion through buying new businesses, technologies, and platforms will further cement their dominance of the United States (US) and world economies. Moreover, these companies have also been rolling out new services to compete with upstarts (e.g. Google’s meeting service to try to grab market share from Zoom.) It remains to be seen whether antitrust and anti-competitive actions in the US, European Union and elsewhere will stop or even reverse the continued growth of Google, Apple, Amazon, and others.
  • “Amazon’s Ring has 29 new police agreements since the killing of George Floyd” – Protocol. In spite of its pledge to hold off on selling its facial recognition technology to police departments for a year, Amazon has continued to sign up local law enforcement for participation in partnerships using its Ring and Neighbors technology platforms. These systems make available to police footage from the camera/doorbell system Amazon is marketing as a security must-have. Critics of the system and how Amazon operates it argue it has already disproportionately affected African Americans and other minorities in gentrifying areas and offers a workaround to warrant requirements, since officers would not need to go to court to obtain this footage because private parties are not bound by the Fourth Amendment like government agencies.
  • “Big Tech’s Pandemic Power Grab” – The Atlantic. This article foresees government regulation of large technology companies in the United States (US) that solidifies their preeminence, in large part, because these companies have been partnering with and working for the US government. And, in making this bargain, these companies are using every lever and all the leverage at their disposal to strike the type of bargain they want. There may be pushback against this impulse to grow, but it is worth keeping in mind that the trustbusting era in the US may have divided up corporate giants like Standard Oil but their progeny are still very powerful (e.g. Exxon Mobil.)
  • “New York lawmakers want to outlaw geofence warrants as protests grow” – Protocol. A bill introduced in April to address the law enforcement practice of requesting geofencing data from technology companies receives renewed scrutiny in the New York State legislature in the midst of protests against racism and police violence in the United States. The article cites a Google filing in a Virginia lawsuit alleging “Between 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.” Technology companies with troves of data on where people are at virtually every hour of the day are treading carefully as critics of geofence requests and warrants are pushing to ban law enforcement agencies from using these data.
  • “Australian leader says unnamed state increasing cyberattacks” – Associated Press. Australia’s Prime Minister Scott Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the People’s Republic of China (PRC), especially after Canberra named the PRC as the entity that hacked into Parliament.
  • “Eric Schmidt: Huawei has engaged in unacceptable practices” – BBC News. The former Google head claims the People’s Republic of China (PRC) has accessed Huawei’s routers to exfiltrate information. Schmidt conceded that Huawei’s products are superior to other offerings on the market, which poses a challenge for networks and nations. He also flagged the research and development budgets Huawei and other PRC companies have that eclipse other multinationals.
  • “French Court Strikes Down Most of Online Hate Speech Law” – The New York Times. A French court struck down the core of President Emmanuel Macron’s new statute to police offensive online speech, finding two provisions would impinge freedom of expression. Macron’s party has vowed to take another run at such legislation.
  • “Europe threatens digital taxes without global deal, after U.S. quits talks” – Reuters. The United States withdrew from Organisation for Economic Cooperation and Development (OECD) talks on digital taxes, prompting promises from the European Union to proceed with such taxes.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

CARES Act Largely Bypasses Tech Funding and Issues

On March 27, President Donald Trump signed into law the “Coronavirus Aid, Relief, and Economic Security Act” (CARES Act) (P.L. 116-136), the third stimulus package in the last month, that could cost $2.5 trillion, or even more, once all the spending is accounted for. There are provisions in the package loosening restrictions and increasing funding for telehealth and telework as the demand for both has skyrocketed during the COVID-19 crisis.

There is also additional funding to address cybersecurity issues. Most notably, the Election Assistance Commission (EAC) was given an additional $400 million “to prevent, prepare for, and respond to coronavirus, domestically or internationally, for the 2020 Federal election cycle.” The EAC was provided with $380 million and $425 million, respectively, in FY 2018 and 2019, to help states tighten the security of their election systems in large part because of Russian hacking and interference during the 2016 election. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) was provided with an additional $9.1 million for FY 2020 and 2021 “to prevent, prepare for, and respond to coronavirus, domestically or internationally, which shall be for support of interagency critical infrastructure coordination and related activities.”

Congress will likely pass additional COVID-19 relief and stimulus packages, and there are likely more funding and programmatic changes for technology programs coming. For example, House Democrats released the “Take Responsibility for Workers and Families Act” (H.R.6379) last week when Senate Republicans, Senate Democrats, and the White House were negotiating the final version of the CARES Act. This $2.5 trillion package embodies many Democratic priorities, including technology policy. For example, the bill would provide CISA with $14.4 million to combat the effects of COVID-19, but that figure is likely the House Democrats’ preferred funding level as compared to the $9.1 million that was enacted as part of the CARES Act. And yet, the $4 billion House Democrats wanted for the EAC could augur significantly more funding for the agency to parcel out to states so they can improve and better secure their election systems.

However, the bill would provide $3 billion for the Technology Modernization Fund (TMF), a program that set up a revolving fund in the General Services Administration (GSA) to lend funds to agencies to refresh and replace dated information technology, especially legacy systems. In FY 2020, the Trump Administration asked for $150 million for the program but received only $25 million.

Broadband and 5G could both see additional funding. House Democrats allocated $25 million in extra funding for the Department of Agriculture’s Rural Utilities Service (RUS) for “Distance Learning, Telemedicine, and Broadband Program.” The first draft of the bill included $2 billion for a new Emergency Connectivity Fund to be established and administered by the Federal Communications Commission (FCC), and the agency would also receive $1 billion for an “Emergency Broadband Connectivity Fund.” And, there are additional provisions as detailed in a section-by-section summary prepared by the Democratic staff of the House Energy and Commerce Committee:

  • Section 102. Anti-Price Gouging During COVID-19 Emergency. This section provides the Federal Trade Commission and State attorneys general the authority to seek civil penalties from individuals and companies engaging in price gouging of goods and services during the COVID-19 public health emergency.
  • Section 201. Broadband Hotspots and Connected Devices for Schools and Libraries During COVID-19 Emergency. This section authorizes increased funding and provides flexibility to the Federal Communication Commission’s (FCC) E-Rate program to enable schools and libraries, including tribal schools and libraries, to offer broadband hotspots and connected devices to facilitate distance learning and connectivity during the COVID-19 public health emergency.
  • Section 301. Expansion of Low-Income Broadband Subsidies During COVID-19 Emergency. This section authorizes increased funding and provides flexibility for the FCC’s Lifeline program to expand access to broadband for low-income Americans during the COVID-19 public health emergency.
  • Section 401. Telecommunications Consumer Protections During COVID-19 Emergency. This section makes certain practices, including the stopping of telephone or broadband services, if a consumer is unable to pay for reasons related to the COVID-19 emergency, unlawful during the COVID-19 public health emergency.
  • Section 501. Public Safety Use of the T-Band. This section repeals the requirement on the FCC to reallocate and auction the T-Band (470-512 MHz), which allows first responders to continue the use of the band for their public safety communications.

House Democrats could also use existing legislation or proposals. In the technology space, in May 2019, the chair and most Democrats on the House Energy and Commerce Committee introduced the “Leading Infrastructure For Tomorrow’s America Act” (H.R.2741), which was mostly about messaging and establishing a program to differentiate House Democrats from the White House and Senate Republicans. In a summary, Committee Democrats pointed to highlights of the package, most of which are technology-related:

Action to Combat the Climate Crisis and Protect Our Environment:

  • Over $33 billion for clean energy, including $4 billion to upgrade the U.S. electric grid to accommodate more renewable energy and make it more resilient. It also includes $4 billion for the expansion of renewable energy use, including $2.25 billion for the installation of solar panels in low-income and underserved communities. LIFT America also includes $23 billion for energy efficiency efforts – namely retrofitting and weatherizing buildings, including schools and homes, to ensure they produce fewer carbon emissions – and funding the nationwide deployment of more clean energy fuels.
  • $2.7 billion to spur the development of Smart Communities, including $850 million in technical assistance to help cities and counties integrate clean energy into their redevelopment efforts, and $1.4 billion to support the development of an electric vehicle (EV) charging network.

Expanding Access to Broadband Internet:

  • $40 billion for the deployment of secure and resilient high-speed broadband internet service to expand access for communities nationwide and bring broadband to 98 percent of the country.
  • $12 billion in grants for the implementation of Next Generation 9-1-1 services to make 9-1-1 service more accessible, effective, and resilient, and enable Americans to send text messages, images, or videos to 9-1-1 in times of emergency.
  • $5 billion in federal funding for low-interest financing of broadband infrastructure deployment through a new program that would allow eligible entities to apply for secured loans, lines of credit, or loan guarantees to finance broadband infrastructure build out projects.

Investing in America’s Health Infrastructure:

  • $2 billion in funding to reauthorize the Hill-Burton hospital infrastructure program, including targeted assistance to support cybersecurity in the health system.
  • $1 billion for Indian Health Service infrastructure projects to reduce health disparities in Indian Country.
  • $100 million to support state labs on the frontlines of fighting infectious diseases.
  • $100 million to establish a community-based care infrastructure program and to develop teaching health centers and mental health care centers.
  • $3.5 billion to improve public health infrastructure at the Centers for Disease Control and Prevention (CDC) and at state, local, tribal and territorial health departments.

A first draft of the bill contained language requiring the Federal Reserve Bank to set up a system of “pass-through digital dollar wallets” to enable direct payments from the U.S. government to Americans as a means of stimulating the economy. So, it is possible this new program or similar language gets included in a fourth COVID-19 stimulus bill.

Finally, there may be growing consensus that a surface transportation reauthorization could be passed that would be much larger than normal and most likely front-loaded in order to stimulate the economy. This week, President Donald Trump called for a $2 trillion package, which was echoed by House Democrats, but it is possible that this bill could be the vehicle by which more broadband, 5G, or technology funding is pushed through existing programs or newly created programs.

Fall Preview For Technology Legislation

With Congress having returned from the August recess, bright-eyed and bushy-tailed, a host of bills are awaiting these eager lawmakers. However, I will focus only on those bills that have been marked up and reported out of committee or have been passed by one chamber as these bills may be the most likely to be enacted. Of course, there are other issue areas Congress may address with legislation this fall, but as yet, legislation has neither been introduced nor marked up (e.g. privacy, data security, and the PATRIOT Act reauthorization.)

And, it should be noted that past could be prologue with respect to a PATRIOT Act reauthorization. As you might recall, what became the “Cybersecurity Act of 2015” (P.L. 114-113) was effectively blocked because of fighting over expiring PATRIOT Act provisions that were ultimately reauthorized as modified in the “USA Freedom Act” (P.L. 114-23). Therefore, until Congress reauthorizes these provisions, and I think it highly likely they will, it is possible technology-related legislation will be essentially used as leverage by proponents and opponents to see their preferred policy outcome enacted. Having said that, there are a number of technology-related bills that have been reported out of committee or come to the floor of one chamber or the other.

First, and possibly foremost, since this reauthorization has been enacted annually since the Kennedy Administration, is the FY 2020 National Defense Authorization Act (NDAA) (H.R. 2500/S. 1790). As cybersecurity has grown in prominence nationally and at the Pentagon, provisions dealing with this topic area have proliferated. Consequently, both bills are stuffed with statutory language ranging from supply chain to acquisition to offensive and defensive cyber operations, and other facets of cybersecurity. Likewise, the committee reports are also full of directives, mainly to the Pentagon, regarding actions, programs, briefings, and reports Congress would like the Department of Defense to undertake. Both NDAAs have passed their respective chambers and the Armed Services Committees have been working on reconciling the bills. Incidentally, the Senate attached its FY 2018, 2019, and 2020 Intelligence Authorization to S. 1790, which is also replete with cyber-related provisions for the Intelligence Community (i.e. the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020” (S. 1589)). On July 17, the House passed the “Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act (IAA) for Fiscal Years 2018, 2019, and 2020” (H.R. 3494) by a 397-31 vote. Therefore, it is possible that the NDAA also carries the intelligence reauthorization to enactment.

Speaking of annually enacted vehicles to effect technology policy, all twelve of the FY 2020 appropriations acts have yet to be enacted. A number of the bills contain crucial language on cybersecurity and technology funding with a handful of bills being most important with respect to funding: the Homeland Security, Department of Defense, Financial Services and General Government, and the Commerce-Justice-Science appropriations acts. Despite having struck a deal on top-lines, it is not clear that Congress will enact its appropriations bills before the current year ends on September 30. Therefore, we may be looking at a continuing resolution into the fall, ideally followed by an omnibus or series of bills packaged together to fund FY 2020 programs. For example, the “FY 2020 Homeland Security Appropriations Act” would provide the Cybersecurity and Infrastructure Security Agency (CISA) $2.016 billion for FY 2020, a boost of $334 million above its FY 2019 funding level and $408 million above the Administration’s budget request.

Election security will likely be an area around which there will be intense messaging but less legislative action. House Democrats made election security reform a policy priority in large part because of the Russian interference and hacking in the 2016 election. The House has sent substantially the same legislation in two bills (i.e. the “For The People Act of 2019” (H.R. 1), a package of election reforms, and the “Securing America’s Federal Elections (SAFE) Act of 2019” (H.R. 2722)) to the Senate where Senate Majority Leader Mitch McConnell (R-KY) has refused to consider them or Senate bills. Broadly speaking, these bills would authorize funding and establish federal standards for states and localities in improving and upgrading their election systems to guard against hacks and attacks. Incidentally, the $600 million in election grants these bills call for was provided in the “Financial Services and General Government Appropriations Act, 2020” (H.R. 3351) the House passed in June.

As noted, at the end of July, after the Senate Intelligence Committee released the first volume of its five-volume report on the 2016 presidential election, Senators Richard Blumenthal (D-CT), Mark Warner (D-VA), Amy Klobuchar (D-MN), and others sought unanimous consent to proceed to a number of election security related bills but were blocked by Senate Republicans. The bills Senate Democrats tried to bring up for immediate consideration included:

  • The “Duty To Report Act” (S. 1247)
  • The “FIRE Act” (S. 2242)
  • The “Senate Cybersecurity Protection Act” (S. 890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R. 2722)

The Senate did, however, pass the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent on July 17. S. 1321 would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills. However, despite action on S. 1321 and 1328, Senate Democrats seem intent on continuing to try and force consideration of election security legislation. It is unclear whether McConnell will relent.

Likewise, the House has also begun work on legislation to punish those found guilty of interfering with U.S. elections. In July the House Foreign Affairs Committee met and marked up a number of bills, including the “Safeguard our Elections and Combat Unlawful Interference in Our Democracy Act” (SECURE Our Democracy Act) (H.R. 3501), which “would impose sanctions on anyone found to interfere illegally in an American election from overseas…[and] is designed to punish Russian interference in the 2016 election and also deter future election interference” according to the Committee’s press release.

Congress also has pending a number of bills focused on the federal government’s cybersecurity posture and capabilities. In January, the House passed the “Federal CIO Authorization Act of 2019” (H.R. 247) that would codify the positions of Chief Information Officer (CIO) and Chief Information Security Officer (CISO), make the positions presidential appointments, require the CIO to report directly to the Office of Management and Budget (OMB) Director, require each agency to submit reports on all IT expenditures to the CIO, and task the CIO with submitting a plan to Congress “for consolidating information technology across the Federal Government…and increasing the use of shared services, including any recommendations for legislative changes that may be necessary to effect the proposal.” H.R. 247 is identical to a bill, the “Federal CIO Authorization Act of 2018” (H.R. 6901), the House overwhelmingly passed in December, but the Senate never took up the bill.

On July 17, the House Homeland Security Committee held a markup and reported out four such cybersecurity bills:

  • The “Securing the Homeland Security Supply Chain Act of 2019” (H.R. 3320) would “authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk” with authorities similar to those granted to the Department of Defense in the FY 2019 National Defense Authorization Act to exclude contractors with unacceptable supply chain risks.
  • The “DHS Acquisition Reform Act of 2019” (H.R. 3413) would “provide for certain acquisition authorities for the Under Secretary of Management of the Department of Homeland Security.”
  • The “Pipeline Security Act” (H.R. 3699) would “codify the Transportation Security Administration’s responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines.”
  • The “Cybersecurity Vulnerability Remediation Act” (H.R. 3710) would permit but not require the Cybersecurity and Infrastructure Security Agency (CISA) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”

In June, the House took up and passed the “DHS Cyber Incident Response Teams Act of 2019” (H.R. 1158), as amended, by voice vote. H.R. 1158 would require the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to “maintain cyber hunt and incident response teams for the purpose of providing, as appropriate and upon request, assistance” “to asset owners and operators in restoring services following a cyber incident” among other circumstances. NCCIC must “continually assess and evaluate the cyber incident response teams and their operations using robust metrics” and may “include cybersecurity specialists from the private sector on cyber hunt and incident response teams.” A related bill has been marked up and reported out of the Senate Homeland Security and Governmental Affairs Committee, the “DHS Cyber Hunt and Incident Response Teams Act of 2019” (S. 315), that would charge NCCIC and CISA with substantially the same missions. The Senate Homeland Security Committee marked up and reported out two other such bills:

  • The “National Cybersecurity Preparedness Consortium Act of 2019” (S. 333) would allow the Department of Homeland Security to “work with a consortium to support efforts to address cybersecurity risks and incidents.” Consortiums are defined to be “a group primarily composed of nonprofit entities, including academic institutions, that develop, update, and deliver cybersecurity training in support of homeland security.”
  • The “Federal Rotational Cyber Workforce Program Act of 2019” (S. 406), which would establish a program under which cybersecurity employees would rotate at federal agencies.

In July, the Senate Homeland Security Committee marked up and reported out the “State and Local Government Cybersecurity Act of 2019” (S. 1846) that would provide the Department of Homeland Security (DHS) the authority “[t]o make grants to and enter into cooperative agreements or contracts with States, local governments, and other non-Federal entities” and direct the National Cybersecurity and Communications Integration Center (NCCIC) to work “with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center” on addressing a variety of cybersecurity-related responsibilities.

Congress also has proposed measures targeted at small businesses. On July 15, the House took up and passed a pair of cybersecurity bills from the suspension calendar:

  • The “SBA Cyber Awareness Act” (H.R. 2331) would “require the Small Business Administrator (SBA) to issue annual reports assessing its IT and cybersecurity infrastructure and notify Congress and affected parties of cyber incidents when they occur.”
  • The “Small Business Development Center Cyber Training Act of 2019” (H.R. 1649) would “help Small Business Development Centers (SBDCs) become better trained to assist small businesses with their cyber security and cyber strategy needs…[and] would establish a cyber counseling certification program in lead SBDCs to better assist small businesses with planning and implementing cybersecurity measures to defend against cyber attacks.”

Congress has also initiated legislation to better regulate the energy sector’s cybersecurity. On July 17, the House Energy and Commerce Committee marked up a quartet of energy sector cybersecurity bills:

  • The “Enhancing Grid Security through Public-Private Partnerships Act” (H.R. 359) “directs the Secretary of Energy, in consultation with States, other federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cyber security of electric utilities.”
  • The “Cyber Sense Act of 2019” (H.R. 360) would establish a “voluntary program [that] would identify cyber-secure products that could be used in the bulk-power system.”
  • The “Energy Emergency Leadership Act” (H.R. 362) would “create a new DOE Assistant Secretary position with jurisdiction over all energy emergency and security functions related to energy supply, infrastructure, and cybersecurity.”
  • The “Pipeline and LNG Facility Cybersecurity Preparedness Act” (H.R. 370) “would establish a program at DOE, in coordination with other Federal agencies, States, and the energy sector, to create policies and procedures to improve the physical and cyber security and resiliency of natural gas transmission and distribution pipelines, hazardous liquid pipelines, and liquefied natural gas (LNG) facilities.”

There are two bills regarding the Internet of Things that have been reported out of committee. On July 10, the Senate Commerce, Science, and Transportation Committee held a markup and reported out the “Developing Innovation and Growing the Internet of Things (DIGIT) Act” (S. 1611) sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ). In her press release, Fischer explained the bill “would convene a working group of federal entities and experts from the private and academic sectors tasked with providing recommendations to Congress on how to facilitate the growth of connected Internet of Things (IoT) technologies.” She added that “[t]he group’s recommendations would focus on how to plan for, and encourage, the development and deployment of the IoT in the U.S…[and] directs the Federal Communications Commission (FCC) to complete a report assessing spectrum needs required to support the Internet of Things.” S. 1611 is substantially similar to legislation (S. 88) that the Senate passed unanimously in the last Congress but that the House never took up. It is not clear whether the same resistance exists in the House, but unlike the last Congress a companion DIGIT Act has not yet been introduced in the House.

Earlier this year, two versions of the same IoT bill were marked up and reported out of committee. The Senate Homeland Security and Governmental Affairs Committee marked up and reported out the “Internet of Things Cybersecurity Improvement Act of 2019” (S. 734) a week after the House Oversight and Reform Committee acted on the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668) after adopting an amendment in the nature of a substitute that narrowed the scope of the bill. In general, these bills seek to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The stakeholders are responding to the security risks presented by weak or nonexistent security for IoT as seen in a number of major malware attacks. The legislation would require the NIST, the OMB, and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, federal agencies and contractors would need to use and buy IoT that meets the new security standards.

Finally, House Democrats have made rolling back the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s Open Internet Order (aka net neutrality) a priority. On April 3, the House Energy and Commerce Committee marked up and reported out the “Save the Internet Act of 2019” (H.R. 1644) that would undo the Federal Communications Commission’s (FCC) repeal of the Obama Administration’s 2015 net neutrality order and reclassify internet service providers (ISPs) under Title II of the Federal Communications Act as common carriers. The bill was subsequently passed by the House by a 232-190 vote, but the Senate has not yet taken up the bill and likely will not.

“I’m Shocked, Shocked To Find That Gambling Is Going On In Here”

The Congressional Budget Office (CBO) has updated its January “The Budget and Economic Outlook: 2019 to 2029,” and to what should be no great surprise, the U.S.’s projected fiscal condition is, well, not good. To anyone monitoring the CBO’s economic and budget updates, this is really not news. Nor is the insistence of some that the projected annual near trillion dollar on-budget deficits means it’s time to cut Democratic priorities. I suppose this sort of predictability among those who supported the “Tax Cuts and Jobs Act of 2017” (P.L. 115-97) is reassuring in a world where one struggles to find things on which to depend. So, cue up the calls among Republicans for fiscal responsibility that will become cacophonous should a Democrat retake the White House. Anyway on to specifics.

Here’s the CBO summary of the update:

  • Deficits. In CBO’s projections, the federal budget deficit is $960 billion in 2019 and averages $1.2 trillion between 2020 and 2029. Over the coming decade, deficits (after adjustments to exclude the effects of shifts in the timing of certain payments) fluctuate between 4.4 percent and 4.8 percent of gross domestic product (GDP), well above the average over the past 50 years. Although both revenues and outlays grow faster than GDP over the next 10 years in CBO’s baseline projections, the gap between the two persists.
  • Debt. As a result of those deficits, federal debt held by the public is projected to grow steadily, from 79 percent of GDP in 2019 to 95 percent in 2029—its highest level since just after World War II (see Chapter 1).
  • The Economy. Real (inflation-adjusted) GDP is projected to grow by 2.3 percent in 2019, supporting strong labor market conditions that feature low unemployment and rising wages. This year, real output is projected to exceed CBO’s estimate of its potential (maximum sustainable) level. After 2019, consumer spending and purchases of goods and services by federal, state, and local governments are projected to grow at a slower pace, and annual output growth is projected to slow—averaging 1.8 percent over the 2020–2023 period—as real output returns to its historical relationship with potential output. From 2024 to 2029, both output and potential output are projected to grow at an average pace of 1.8 percent per year, which is less than the long-term historical average. That slowdown occurs primarily because the labor force is expected to grow more slowly than it has in the past (see Chapter 2).
  • Changes in CBO’s Projections Since May 2019. CBO’s estimate of the deficit for 2019 is now $63 billion more—and its projection of the cumulative deficit over the 2020–2029 period, $809 billion more—than it was in May 2019. The agency’s baseline projections of primary deficits (that is, deficits excluding net outlays for interest) for that period increased by a total of $1.9 trillion. Recently enacted legislation accounts for most of that change. In particular, incorporating the higher discretionary funding limits for 2020 and 2021 that were established in the Bipartisan Budget Act of 2019 increased CBO’s projections of primary deficits for the 2020–2029 period by $1.5 trillion. (Those projections reflect the assumption—required by law—that future discretionary funding will grow at the rate of inflation after those limits expire.)

The CBO continues:

Partly offsetting the increase in projected primary deficits is a net reduction of $1.1 trillion in the agency’s projections of interest costs over that same period. The largest factor contributing to that change is that CBO revised its forecast of interest rates downward, which lowered its projections of net interest outlays by $1.4 trillion (including interest savings from the resulting reductions in deficits and debt). Taken together, other changes to the budget projections increased projected debt-service costs by nearly $0.3 trillion; $0.2 trillion of that amount is associated with the increase in projected spending stemming from the Bipartisan Budget Act.

To contextualize this update, which shows FY 2019 will see a $980 billion deficit: in June 2017, CBO estimated that the 2017 deficit would be $693 billion, “$109 billion more than the $585 billion deficit posted in 2016.” So, the deficit has been going in the wrong direction from a nominal dollars point of view. At that time, CBO explained the bases for this projection:

The projected rise in deficits would be the result of rapid growth in spending for federal retirement and health care programs targeted to older people and to rising interest payments on the government’s debt, accompanied by only moderate growth in revenue collections.

The wave of retirements does appear to be happening and there will undoubtedly be a surge in spending on Medicare. However, the CBO has been consistently wrong on its projections of interest rates on federal debt. In January 2006, CBO claimed

Interest rates are expected to move upward during the next two years, as the economy grows and the Federal Reserve continues to move toward a more neutral monetary policy. CBO forecasts that the three-month Treasury bill rate will rise to about 2.8 percent in 2005 and 4 percent in 2006; thereafter, it will average 4.6 percent, which is relatively low by historical standards. In the forecast, the rise in the rate for the 10-year Treasury note is somewhat smaller; it averages 4.8 percent in 2005 and 5.4 percent in 2006, then inches up to average 5.5 percent from 2007 to 2015.

However, in 2013, in the middle of the band CBO said would see interest rates averaging 5.5%, CBO said

CBO’s baseline economic forecast anticipates that the interest rate on 3-month Treasury bills—which has hovered near zero for the past several years—will climb to 4 percent by the end of 2017; by that point, the rate on 10-year Treasury notes is also projected to rise from its current level of around 2 percent. (Emphasis added.)

Perhaps CBO’s crystal ball on projected interest rates on federal debt is a bit cloudy?

As for other drivers behind this explosion in deficits and ultimately debt, in April 2018, CBO explained

Projected deficits over the 2018–2027 period have increased markedly since June 2017, when CBO issued its previous projections. The increase stems primarily from tax and spending legislation enacted since then—especially Public Law 115-97 (originally called the Tax Cuts and Jobs Act and called the 2017 tax act in this report), the Bipartisan Budget Act of 2018 (P.L. 115-123), and the Consolidated Appropriations Act, 2018 (P.L. 115-141). The legislation has significantly reduced revenues and increased outlays anticipated under current law.

However, the Bipartisan Budget deal and FY 2018 Omnibus pale in comparison to the size of the impact of the tax cut bill on the federal balance sheet. In 2018, CBO explained the package “increases the total projected deficit over the 2018–2028 period by about $1.9 trillion,” but, to be fair, $600 billion of that is increased service on federal debt on account of increased interest rates. But, the CBO used modeling that sounds very much like “dynamic scoring,” which takes into account economic changes downstream from the change in federal spending that may mitigate or worsen the federal outlook. In this case, CBO claims increased economic activity will reduce the size of the total bill from $1.8 trillion in primary deficit to $1.3 trillion.

Consequently, many Republicans, including the White House, will call for cuts in virtually all non-defense spending save for Social Security and Medicare, which are sacrosanct so long as seniors vote. It will be interesting to see how Democrats respond. My guess is that candidates for the Democratic nomination for president will call for rolling back the 2017 tax bill and for raising rates even further on the wealthy and corporations to pay for new ambitious social programs like Medicare for America or Medicare for All.

What’s PAYGO; And, First Cracks In Budget Deal Kumbaya

For those afflicted individuals like me who actually read legislation, one may have stumbled upon some intriguing language in the “Bipartisan Budget Act of 2019” (P.L. 116-37):

Effective on the date of the enactment of this Act, the balances on the PAYGO scorecards established pursuant to paragraphs (4) and (5) of section 4(d) of the Statutory Pay-As-You-Go Act of 2010 (2 U.S.C. 933(d)) shall be zero.

Consequently, as of August 2, the PAYGO scorecards are now set at zero, which is easy enough to understand on one level. But, what does this actually mean? Well, let’s find out.

First of all, there are actually three PAYGOs that are related but distinctly different: the House’s, the Senate’s, and the U.S. Code section. They are similar but have significant differences that bear some discussion. But, as a threshold matter, it’s fair but perhaps simplistic to say that PAYGO is to mandatory funding and revenue as spending caps are to discretionary funding. It’s a means by which the White House and Congress aren’t able to blow up the country’s finances by increasing mandatory funding or by cutting revenues. If this happens, then a sequester kicks in to cut many mandatory funding accounts by the amount mandatory funding has been increased or revenue has been cut.

In the House, earlier this year, Democrats revived a dormant PAYGO rule that had lapsed during Republican rule in favor of their CUTGO rule. See Rule XXI, Clause 10. Simply put, the PAYGO rule provides that mandatory funding cannot be increased and/or revenues cannot be cut without corresponding changes to ensure that such legislation is budget-neutral (i.e. does not decrease the amount of money the government will take in on a net-basis and does not increase the amount of money also on a net-basis). Moreover, unlike the previous PAYGO rule that was scrapped after the 111th Congress, the new PAYGO rule covers off-budget mandatory spending, the most notable program under that classification being Social Security. And yet, PAYGO does not apply to discretionary funding, and, like almost all House rules, it can be waived by a majority vote, allowing the party controlling the chamber to break this rule as they please. Additionally, PAYGO does not apply to legislation designated as “emergency,” and there is an exception that allows the House to circumvent the rule if a bill is added to a House-passed bill upon engrossment of the legislation, at which point only the PAYGO assessment of the latter bill is used for the two combined bills.

In the Senate, the chamber’s PAYGO rule has been in existence since the early 1990’s and has undergone a number of changes, the most recent in 2017. See Section 4106 of H.Con.Res. 71, Budget Resolution for FY 2018. The Senate’s PAYGO rule also bars the consideration of legislation that increases mandatory spending or decreases revenue during the budget window. Their version provides:

It shall not be in order in the Senate to consider any direct spending or revenue legislation that would increase the on-budget deficit or cause an on-budget deficit for [periods of 6 and 11 years]

Again, this only pertains to on-budget funding, and so any off-budget accounts are exempt. The Senate may also waive or suspend PAYGO, but it requires a 3/5 majority of all duly chosen and sworn Senators to do so (usually 60).

The statutory PAYGO came into being in 2010 as part of the deal to lift the debt ceiling in P.L. 111-139 and was enacted per Title I of the bill (aka the “Statutory Pay-As-You-Go Act of 2010”). Looking back to 2010, the Obama White House and Congressional Democrats were looking at a federal balance sheet hemorrhaging cash because of the Great Recession and sought to return the government’s finances to the constraints implemented in the early 1990’s when PAYGO was first instituted. Arguably, PAYGO was part of the solution in helping the U.S. realize budget surpluses at the end of the 20th Century. And, Democrats (and, let’s face facts, it was almost only Democrats voting for the bill) were upfront about their intentions with Title I: “The purpose of this title is to reestablish a statutory procedure to enforce a rule of budget neutrality on new revenue and direct spending legislation.”

The statute provides that “‘PAYGO legislation’ or a ‘PAYGO Act’ refers to a bill or joint resolution that affects direct spending or revenue relative to the baseline.” It can also refer to discretionary spending that has a net negative effect on mandatory spending “if such provisions make outyear modifications to substantive law, except that provisions for which the outlay effects net to zero over a period consisting of the current year, the budget year, and the 4 subsequent years shall not be considered budgetary effects.” In any event, if legislation is enacted that violates PAYGO, OMB is required to issue a dreaded sequestration order to institute across-the-board cuts to all non-exempt mandatory funding (e.g. Medicaid, farm subsidies, SNAP, etc.). Since the statutory PAYGO doesn’t cover off-budget funding, Social Security and other programs wouldn’t be affected by a sequester.

In a section-by-section the chairs of the House and Senate Budget Committees inserted into the Congressional Record during debate, they provided the following explanation:

Budgetary effects are defined as the amount by which PAYGO legislation changes mandatory outlays or revenues relative to the baseline. The budgetary effects of changes in tax or mandatory spending law are measured relative to what revenues or mandatory spending would otherwise have been if not for the legislation, as measured by the baseline (as defined in section 257 of BBEDCA). Off-budget effects (i.e., Social Security trust funds and the Postal Service fund) and debt service are not counted as budgetary effects.

The chairs made another interesting point regarding changes in mandatory funding as part of appropriations bills possibly being subject to PAYGO:

Legislation subject to PAYGO also includes provisions in annual appropriations bills that change revenue or mandatory spending law in appropriations bills. Changes in mandatory spending law are considered discretionary in the current and budget years because the Appropriations Committees can offset the costs or use the savings by adjusting funding levels for discretionary programs in those years. But mandatory spending provisions in appropriations bills having outyear budget authority effects–that is, effects in those years after the budget year–are considered PAYGO legislation.

OMB is to maintain two publicly available PAYGO scorecards based on Congressional Budget Office (CBO) estimates of the effect of legislation subject to PAYGO. These CBO estimates are supposed to be entered into the Congressional Record by the chairs of the Budget Committees, but this doesn’t always happen, and if it doesn’t, OMB performs the calculations of whether legislation has resulted in an increase in mandatory funding or a reduction in revenues. For example, the most recent PAYGO scorecard was based on OMB’s estimates.

OMB explained the process:

Within 14 business days after a congressional session ends, OMB issues an annual PAYGO report and determines whether a violation of the PAYGO requirement has occurred. If either the 5- or 10-year scorecard shows net costs in the budget year column, the President is required to issue a sequestration order implementing across-the-board cuts to nonexempt mandatory programs by an amount sufficient to offset those net costs.

Coming forward to the current Congress, OMB has posted the June 2019 scorecard showing a possible sequester of $3.218 billion, mainly because of scorecard balances carried over from the 115th Congress. But, of course, when OMB updates the PAYGO scorecard, per the “Bipartisan Budget Act of 2019,” the balance will be set to zero for both the five and ten year budget windows, which wipes the slate clean for the current Congress. Consequently, the balances shown on the most recent PAYGO scorecard have just been wiped clean as well as any potential PAYGO effects from the budget deal that lifted the FY 2020 and 2021 caps. It seems obvious that when Congress resets the PAYGO scorecards, they are not honoring the spirit of PAYGO. If I can change my scale, then weight gains would disappear, in a sense, right?

In the same vein, it must be mentioned that PAYGO didn’t stop Congress from adding more than $1.5 trillion in debt with the 2017 tax bill Republicans and the White House herald as their most significant legislative achievement. And, this was not the only time PAYGO has been waived. Likewise, PAYGO was allowed to lapse when the George W. Bush Administration and Republicans pushed through their tax cut package and Medicare Part D drug prescription plan.

So, not surprisingly, PAYGO is only as good as Congress and the White House’s honoring of the rules in the House and Senate and on OMB’s scorecard.

On a different note, the budget ceasefire between the White House and Congress seems to be ending. The White House is proposing to begin the process to rescind a reported $4.3 billion in FY 2019 foreign aid funding appropriated to the Department of State and United States Agency for International Development (USAID). Normally, the funds are impounded, or set aside, for 45 days until either Congress passes legislation agreeing to rescind funds or fails to do so at which point the funds are released and are to be spent per the intent of Congress. The White House knows it cannot get a rescission bill through the Congress, but instead they are hoping to have the funds impounded through the end of the fiscal year, which ends on September 30, and then State and USAID will not be able to spend the funds. Correction: On August 3, the White House told State and USAID to essentially not use the funds in question until they provide an accounting in this letter. While this is not a rescission or impoundment request, this reapportionment of FY 2019 functions to freeze these funds.

This proposal has not been submitted to Congress, but Democrats and Republicans have already sent a number of letters urging the White House not to do this, not least because the Government Accountability Office (GAO) issued a legal opinion in December 2018 finding that the agencies in this situation would still receive the funding. The GAO determined that

the statutory text and legislative history of the Impoundment Control Act of 1974 (ICA), Supreme Court case law, and the overarching constitutional framework of legislative and executive powers provide no basis to construe the ICA as a mechanism by which the President may, in effect, unilaterally shorten the availability of budget authority by transmitting rescission proposals shortly before amounts are due to expire.

Here are the letters:

It is quite possible this will result in more litigation as the Administration pays little heed to norms and laws when they impede their policy goals. Besides, there are likely a million ways to work behind the scenes to keep funds from State and USAID even if the Administration loses the battle.

Of course, this is the White House looking to set the terms of political debate through driving the news cycle in ways they think favorable to Trump’s reelection. His base hates foreign aid, which is considered a giveaway to other countries, and regardless of whether this move succeeds, it has the benefit of drawing a distinction between Trump on the side of his base in trying to stop foreign aid “welfare” and be fiscally responsible, and the Democrats who care more about foreigners than they do “average” Americans. Whether this spills over in the larger FY 2020 appropriations debate remains to be seen.