Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (5 January 2021)

Further Reading

  • China Used Stolen Data To Expose CIA Operatives In Africa And Europe;” “Beijing Ransacked Data as U.S. Sources Went Dark in China;” “Tech Giants Are Giving China A Vital Edge In Espionage” By Zach Dorfman — Foreign Policy. This terrifying trio of articles lays bare the 180 degree change in espionage advantage the People’s Republic of China (PRC) seems to hold over the United States (U.S.). Hacking, big data, processing, algorithms, and other technological issues play prominent roles in the PRC’s seeming advantage. It remains to be seen how the U.S. responds to the new status quo.
  • Singapore police can access COVID-19 contact tracing data for criminal investigations” By Eileen Yu — ZDNet. During questioning in Singapore’s Parliament, it was revealed the police can use existing authority to access the data on a person’s smartphone collected by the nation’s TraceTogether app. Technically, this would entail a person being asked by the police to upload their data, which is stored on devices and encrypted. Nonetheless, this is the very scenario privacy advocates have been saying is all but inevitable with COVID-19 tracing apps on phones.
  • As Understanding of Russian Hacking Grows, So Does Alarm” By David Sanger, Nicole Perlroth, and Julian Barnes — The New York Times. Like a detonated bomb, the Russian hack of United States (U.S.) public and private systems keeps getting worse in terms of damage and fallout. The scope continues to widen as it may come to pass that thousands of U.S. entities have been compromised in ways that leave them vulnerable to future attacks. Incidentally, the massive hack has tarnished somewhat the triumph of the U.S. intelligence agencies in fending off interference with the 2020 election.
  • Google workers launch unconventional union with help of Communications Workers of America” By Nitasha Tiku — The Washington Post. A new union formed in Google stopped short of seeking certification by the National Labor Relations Board (NLRB), which will block it from collective bargaining. Nonetheless, the new union will collect dues and have a board of directors. This may lead to additional unionizing efforts in union-averse Silicon Valley and throughout the tech world.
  • ‘Break up the groupthink’: Democrats press Biden to diversify his tech picks” By Cristiano Lima — Politico. Key Democratic groups in the House are pushing the Biden team to appoint people of color for key technology positions at agencies such as the Federal Trade Commission (FTC), Federal Communications Commission (FCC), the Office of Science and Technology Policy (OSTP).

Other Developments

  • The Congress overrode President Donald Trump’s veto of the FY 2021 National Defense Authorization Act (NDAA), thus enacting the annual defense and national security policy bill, which includes a number of technology provisions that will have effects in the public and private sectors. (See here and here for analysis of these provisions in the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395).
  • A federal court dismissed a lawsuit brought by a civil liberties and privacy advocacy group to stop implementation of President Donald Trump’s executive order aimed at social media companies and their liability protection under 47 USC 230 (aka Section 230). In June, the Center for Democracy and Technology (CDT), filed suit in federal court to block enforcement of the “Executive Order (EO) on Preventing Online Censorship.” However, the United States District Court of the District of Columbia ruled that CDT is not injured by the executive order (EO) and any such lawsuit is premature. The court dismissed the lawsuit for lack of jurisdiction.
    • In its complaint, CDT argued the EO “violates the First Amendment in two fundamental respects:
      • First, the Order is plainly retaliatory: it attacks a private company, Twitter, for exercising its First Amendment right to comment on the President’s statements.
      • Second, and more fundamentally, the Order seeks to curtail and chill the constitutionally protected speech of all online platforms and individuals— by demonstrating the willingness to use government authority to retaliate against those who criticize the government.”
  • The Federal Trade Commission (FTC) reached a settlement with a company that sells emergency travel and medical services for failing “to take reasonable steps to secure sensitive consumer information such as health records,” including having a unsecured cloud database a security researcher stumbled upon with the sensitive data of more than 130,000 people. Moreover, the company claimed a certification of compliance with the Health Insurance Portability and Accountability Act (HIPAA), which turned out to be untrue. In the complaint, the FTC alleged that these and other practices “constitute unfair and/or deceptive acts or practices, in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.” The FTC and the company reached agreement on a consent order that will require the company’s compliance for at least 20 years.
    • In the complaint, the FTC stated that SkyMed “advertises, offers for sale, and sells nationwide a wide array of emergency travel membership plans that cover up to eighteen different emergency travel and medical evacuation services for members who sustain serious illnesses or injuries during travel in certain geographic areas.”
    • The FTC asserted a security researcher discovered SkyMed’s “database, which could be located and accessed by anyone on the internet, contained approximately 130,000 membership records with consumers’ personal information stored in plain text, including information populated in certain fields for names, dates of birth, gender, home addresses, email addresses, phone numbers, membership information and account numbers, and health information.”
    • The FTC noted the company told affected customers that it had investigated and “[t]here was no medical or payment-related information visible and no indication that the information has been misused.” This turns out to be completely false, and the company’s “investigation did not determine that consumers’ health information was neither stored on the cloud database, nor improperly accessed by an unauthorized third party.”
    • The FTC summarized the terms of the consent order and SkyMed’s obligations:
      • Under the proposed settlement, SkyMed is prohibited from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program. The company also will be required to send a notice to affected consumers detailing the data that was exposed by the data breach.
      • As part of the mandated information security program, the company must identify and document potential internal and external risks and design, implement, and maintain safeguards to protect personal information it collects from those risks. In addition, SkyMed must obtain biennial assessments of its information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of SkyMed’s information security program, identify any gaps or weaknesses, and monitor efforts to address these problems. The settlement also requires a senior SkyMed executive to certify annually that the company is complying with the requirements of the settlement.
  • The European Commission (EC) has communicated its vision for a new cybersecurity strategy to the European Parliament and European Council “to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe.” The EC spelled out its dramatic plan to remake how the bloc regulates, invests in, and structures policies around cybersecurity. The EC claimed “[a]s a key component of Shaping Europe’s Digital Future, the Recovery Plan for Europe  and the EU Security Union Strategy, the Strategy will bolster Europe’s collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.” If the European Union (EU) follows through, this strategy may have significant effects in the EU and around the world. The EC further explained:
    • Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments –regulatory, investment and policy instruments – to address three areas of EU action – (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. The EU is committed to supporting this strategy through an unprecedented level of investment in the EU’s digital transition over the next seven years – potentially quadrupling previous levels – as part of new technological and industrial policies and the recovery agenda
    • Cybersecurity must be integrated into all these digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks. This can stimulate the growth of the European cybersecurity industry and provide the certainty needed to ease the phasing out of legacy systems. The European Defence Fund (EDF) will support European cyber defence solutions, as part of the European defence technological and industrial base. Cybersecurity is included in external financial instruments to support our partners, notably the Neighbourhood, Development and International Cooperation Instrument. Preventing the misuse of technologies, protecting critical infrastructure and ensuring the integrity of supply chains also enables the EU’s adherence to the UN norms, rules and principles of responsible state behavior.
    • With respect to actions that might be taken, the EC stated that “[t]he EU should ensure:
      • Adoption of revised NIS Directive;
      • Regulatory measures for an Internet of Secure Things
      • Through the CCCN investment in cybersecurity (notably through the Digital Europe Programme, Horizon Europe and recovery facility) to reach up to €4.5 billion in public and private investments over 2021-2027;
      • An EU network of AI-enabled Security Operation Centres and an ultra-secure communication infrastructure harnessing quantum technologies;
      • Widespread adoption of cybersecurity technologies through dedicated support to SMEs under the Digital Innovation Hubs;
      • Development of an EU DNS resolver service as a safe and open alternative for EU citizens, businesses and public administration to access the Internet; and
      • Completion of the implementation of the 5G Toolbox by the second quarter of 2021
      • Complete the European cybersecurity crisis management framework and determine the process, milestones and timeline for establishing the Joint Cyber Unit;
      •  Continue implementation of cybercrime agenda under the Security Union Strategy;
      • Encourage and facilitate the establishment of a Member States’ cyber intelligence working group residing within the EU INTCEN;
      • Advance the EU’s cyber deterrence posture to prevent, discourage, deter and respond to malicious cyber activities;
      • Review the Cyber Defence Policy Framework;
      • Facilitate the development of an EU “Military Vision and Strategy on Cyberspace as a Domain of Operations” for CSDP military missions and operations;
      • Support synergies between civil, defence and space industries; and
      • Reinforce cybersecurity of critical space infrastructures under the Space Programme.
      • Define a set of objectives in international standardisation processes, and promote these at international level;
      • Advance international security and stability in cyberspace, notably through the proposal by the EU and its Member States for a Programme of Action to Advance Responsible State Behaviour in Cyberspace (PoA) in the United Nations;
      • Offer practical guidance on the application of human rights and fundamental freedoms in cyberspace;
      • Better protect children against child sexual abuse and exploitation, as well as a Strategy on the Rights of the Child;
      • Strengthen and promote the Budapest Convention on Cybercrime, including through the work on the Second Additional Protocol to the Budapest Convention;
      • Expand EU cyber dialogue with third countries, regional and international organisations, including through an informal EU Cyber Diplomacy Network;
      • Reinforce the exchanges with the multi-stakeholder community, notably by regular and structured exchanges with the private sector, academia and civil society; and
      • Propose an EU External Cyber Capacity Building Agenda and an EU Cyber Capacity Building Board.
  • The U.S.-China  Economic  and  Security  Review  Commission released its annual report on the People’s Republic of China (PRC) per its “mandate “to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.” The Commission argued:
    • Left unchecked, the PRC will continue building a new global order anathema to the interests and values that have underpinned unprecedented economic growth and stability among nations in the post-Cold War era. The past 20 years are littered with the Chinese  Communist  Party’s (CCP) broken promises. In China’s intended new order, there is little reason to believe CCP promises of “win-win” solutions, mutual respect, and peaceful coexistence. A clear understanding of the CCP’s adversarial national security and economic ambitions is essential as U.S. and allied leaders develop the policies and programs that will define the conditions of global freedom and shape our future.
    • The Commission made ten “Key Recommendations:”
      • Congress adopt the principle of reciprocity as foundational in all legislation bearing on U.S.-China relations.
      • Congress expand the authority of the Federal Trade Commission (FTC) to monitor and take foreign government subsidies into account in premerger notification processes.
      • Congress direct the U.S. Department of State to produce an annual report detailing China’s actions in the United Nations and its subordinate agencies that subvert the principles and purposes of the United Nations
      • Congress hold hearings to consider the creation of an interagency executive Committee on Technical Standards that would be responsible for coordinating U.S. government policy and priorities on international standards.
      • Congress consider establishing a “Manhattan Project”-like effort to ensure that the American public has access to safe and secure supplies of critical lifesaving and life-sustaining drugs and medical equipment, and to ensure that these supplies are available from domestic sources or, where necessary, trusted allies.
      • Congress enact legislation establishing a China Economic Data Coordination Center (CEDCC) at the Bureau of Economic Analysis at the U.S. Department of Commerce.
      • Congress direct the Administration, when sanctioning an entity in the People’s Republic of China for actions contrary to the economic and national security interests of the United States or for violations of human rights, to also sanction the parent entity.
      • Congress consider enacting legislation to make the Director of the American Institute in Taiwan a presidential nomination subject to the advice and consent of the United States Senate.
      • Congress amend the Immigration and Nationality Act to clarify that association with a foreign government’s technology transfer programs may be considered grounds to deny a nonimmigrant visa if the foreign government in question is deemed a strategic competitor of the United States, or if the applicant has engaged in violations of U.S. laws relating to espionage, sabotage, or export controls.
      • Congress direct the Administration to identify and remove barriers to receiving United States visas for Hong Kong residents attempting to exit Hong Kong for fear of political persecution.
  • The Electronic Privacy Information Center, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America asked the Federal Trade Commission (FTC) “to recommend specific changes to the proposed Consent Order to safeguard the privacy interests of Zoom users” in their comments submitted regarding the FTC’s settlement with Zoom. In November, the FTC split along party lines to approve a settlement with Zoom to resolve allegations that the video messaging platform violated the FTC Act’s ban on unfair and deceptive practices in commerce. Zoom agreed to a consent order mandating a new information security program, third party assessment, prompt reporting of covered incidents and other requirements over a period of 20 years. The two Democratic Commissioners voted against the settlement and dissented because they argued it did not punish the abundant wrongdoing and will not dissuade future offenders. Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented for a variety of reasons that may be summed up: the FTC let Zoom off with a slap on the wrist. Kelly Slaughter focused on the majority’s choice to ignore the privacy implications of Zoom’s misdeeds, especially by not including any requirements that Zoom improve its faulty privacy practices.
    • The groups “recommend that the FTC modify the proposed Consent Order and require Zoom to(1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom’s unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children’s data.”

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

FY 2021 Omnibus and COVID Stimulus Become Law

The end-of-the-year funding package for FY 2021 is stuffed with technology policy changes.

At the tail end of the calendar year 2020, Congress and the White House finally agreed on FY 2021 appropriations and further COVID-19 relief funding and policies, much of which implicated or involved technology policy. As is often the practice, Congressional stakeholders used the opportunity of must-pass legislation as the vehicle for other legislation that perhaps could not get through a chamber of Congress or surmount the now customary filibuster in the Senate.

Congress cleared the “Consolidated Appropriations Act, 2021” (H.R.133) on 21 December 2020, but President Donald Trump equivocated on whether to sign the package, in part, because it did not provide for $2,000 in aid to every American, a new demand at odds with the one his negotiators worked out with House Democrats and Senate Republicans. Given this disparity, it seems more likely Trump made an issue of the $2,000 assistance to draw attention from a spate of controversial pardons issued to Trump allies and friends. Nonetheless, Trump ultimately signed the package on 27 December.

As one of the only bills or set of bills to annually pass Congress, appropriations acts are often the means by which policy and programmatic changes are made at federal agencies through the ability of the legislative branch to condition the use of such funds as are provided. This year’s package is different only in that it contains much more in the way of ride-along legislation than the average omnibus. In fact, there are hundreds, perhaps even more than 1,000 pages of non-appropriations legislation, some that pertains to technology policy. Moreover, with an additional supplemental bill attached to the FY 2021 omnibus also carries significant technology funding and programming.

First, we will review FY 2021 funding and policy for key U.S. agencies, then discuss COVID-19 related legislation, and then finally all the additional legislation Congress packed into the omnibus.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) would receive $2.025 billion, a bare $9 million increase above FY 2020 with significant reordering of how the agency may spend its funds:

  • The agreement includes a net increase of $224,178,000 above the budget request. This includes $226,256,000 above the request to maintain current services, and $54,516,000 in enhancements that are described in more detail below. Assumed in the current services level of funding are several rejections of proposed reductions to prior year initiatives and the inclusion of necessary annualizations to sustain them, such as: $35,606,000 for threat analysis and response; $5,507,000 for soft targets and crowded places security, including school safety and best practices; $6,852,000 for bombing prevention activities, including the train-the-trainer programs; and $67,371,000 to fully fund the Chemical Facility Anti-Terrorism Standards program. The agreement includes the following reductions below the budget request: $6,937,000 for personnel cost adjustments; $2,500,000 of proposed increases to the CyberSentry program; $11,354,000 of proposed increases for the Vulnerability Management program; $2,000,000 of proposed increases to the Cybersecurity Quality Service Management Office (QSMO); $6,500,000 of proposed increases for cybersecurity advisors; and $27,303,000 for the requested increase for protective security advisors. Of the total amount provided for this account, $22,793,000 is available until September 30, 2022, for the National Infrastructure Simulation Analysis Center.

The FY 2021 omnibus requires of CISA the following:

  • Financial Transparency and Accountability.-The Cybersecurity and Infrastructure Security Agency (CISA) is directed to submit the fiscal year 2022 budget request at the same level of PP A detail provided in the table at the end of this report with no further adjustments to the PP A structure. Further, CISA shall brief the Committees not later than 45 days after the date of enactment of this Act and quarterly thereafter on: a spend plan; detailed hiring plans with a delineation of each mission critical occupation (MCO); procurement plans for all major investments to include projected spending and program schedules and milestones; and an execution strategy for each major initiative. The hiring plan shall include an update on CISA’s hiring strategy efforts and shall include the following for each MCO: the number of funded positions and FTE within each PP A; the projected and obligated funding; the number of actual onboard personnel as of the date of the plan; and the hiring and attrition projections for the fiscal year.
  • Cyber Defense Education and Training (CDET).-The agreement includes $29,457,000 for CISA’s CDET programs, an increase of$20,607,000 above the request that is described in further detail below. Efforts are underway to address the shortage of qualified national cybersecurity professionals in the current and future cybersecurity workforce. In order to move forward with a comprehensive plan for a cybersecurity workforce development effort, the agreement includes $10,000,000 above the request to enhance cybersecurity education and training and programs to address the national shortfall of cybersecurity professionals, including activities funded through the use of grants or cooperative agreements as needed in order to fully comply with congressional intent. CISA should consider building a higher education consortium of colleges and universities, led by at least one academic institution with an extensive history of education, research, policy, and outreach in computer science and engineering disciplines; existing designations as a land-grant institution with an extension role; a center of academic excellence in cyber security operations; a proven track record in hosting cyber corps programs; a record of distinction in research cybersecurity; and extensive experience in offering distance education programs and outreach with K-12 programs. The agreement also includes $4,300,000 above the request for the Cybersecurity Education and Training Assistance Program (CETAP), which was proposed for elimination, and $2,500,000 above the request to further expand and initiate cybersecurity education programs, including CETAP, which improve education delivery methods for K-12 students, teachers, counselors and post-secondary institutions and encourage students to pursue cybersecurity careers.
  • Further, the agreement includes $2,500,000 above the request to support CISA’s role with the National Institute of Standards and Technology, National Initiative for Cybersecurity Education Challenge project or for similar efforts to address shortages in the cybersecurity workforce through the development of content and curriculum for colleges, universities, and other higher education institutions.
  • Lastly, the agreement includes $800,000 above the request for a review of CISA’s program to build a national cybersecurity workforce. CISA is directed to enter into a contract for this review with the National Academy of Public Administration, or a similar non-profit organization, within 45 days of the date of enactment of this Act. The review shall assess: whether the partnership models under development by CISA are positioned to be effective and scalable to address current and anticipated needs for a highly capable cybersecurity workforce; whether other existing partnership models, including those used by other agencies and private industry, could usefully augment CISA’s strategy; and the extent to which CISA’s strategy has made progress on workforce development objectives, including excellence, scale, and diversity. A report with the findings of the review shall be provided to the Committees not later than 270 days after the date of enactment of this Act.
  • Cyber QSMO.-To help improve efforts to make strategic cybersecurity services available to federal agencies, the agreement provides $1,514,000 above the request to sustain and enhance prior year investments. As directed in the House report and within the funds provided, CISA is directed to work with the Management Directorate to conduct a crowd-sourced security testing program that uses technology platforms and ethical security researchers to test for vulnerabilities on departmental systems. In addition, not later than 90 days after the date of enactment of this Act, CISA is directed to brief the Committees on opportunities for state and local governments to leverage shared services provided through the Cyber QSMO or a similar capability and to explore the feasibility of executing a pilot program focused on this goal.
  • Cyber Threats to Critical Election Infrastructure.-The briefing required in House Report 116–458 regarding CISA’s efforts related to the 2020 elections shall be delivered not later than 60 days after the date of enactment of this Act. CISA is directed to continue working with SL TT stakeholders to implement election security measures.
  • Cybersecurity Worliforce.-By not later than September 30, 2021, CISA shall provide a joint briefing, in conjunction with the Department of Commerce and other appropriate federal departments and agencies, on progress made to date on each recommendation put forth in Executive Order 13800 and the subsequent “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce” report.
  • Hunt and Incident Response Teams.-The agreement includes an increase of $3,000,000 above fiscal year 2020 funding levels to expand CISA’s threat hunting capabilities.
  • Joint Cyber Planning Office (JCPO).-The agreement provides an increase of $10,568,000 above the request to establish a JCPO to bring together federal and SLTT governments, industry, and international partners to strategically and operationally counter nation-state cyber threats. CISA is directed to brief the Committees not later than 60 days after the date of enactment of this Act on a plan for establishing the JCPO, including a budget and hiring plan; a description of how JCPO will complement and leverage other CISA capabilities; and a strategy for partnering with the aforementioned stakeholders.
  • Multi-State Information Sharing and Analysis Center (MS-ISAC).-The agreement provides $5,148,000 above the request for the MS-ISAC to continue enhancements to SLTT election security support, and furthers ransomware detection and response capabilities, including endpoint detection and response, threat intelligence platform integration, and malicious domain activity blocking.
  • Software Assurance Tools.-Not later than 90 days after the date of enactment of this Act, CISA, in conjunction with the Science and Technology Directorate, is directed to brief the Committees on their collaborative efforts to transition cyber-related research and development initiatives into operational tools that can be used to provide continuous software assurance. The briefing should include an explanation for any completed projects and activities that were not considered viable for practice or were considered operationally self-sufficient. Such briefing shall include software assurance projects, such as the Software Assurance Marketplace.
  • Updated Lifecycle Cost Estimates.–CISA is directed to provide a briefing, not later than 60 days after the date of enactment of this Act, regarding the Continuous Diagnostics and Mitigation (COM) and National Cybersecurity Protection System (NCPS) program lifecycles. The briefing shall clearly describe the projected evolution of both programs by detailing the assumptions that have changed since the last approved program cost and schedule baseline, and by describing the plans to address such changes. In addition, the briefing shall include an analysis of alternatives for aligning vulnerability management, incident response, and NCPS capabilities. Finally, CISA is directed to provide a report not later than 120 days after the date of enactment of this Act with updated five-year program costs and schedules which is congruent with projected capability gaps across federal civilian systems and networks.
  • Vulnerability Management.-The agreement provides $9,452,000 above fiscal year 2020 levels to continue reducing the 12-month backlog in vulnerability assessments. The agreement also provides an increase of $8,000,000 above the request to address the increasing number of identified and reported vulnerabilities in the software and hardware that operates critical infrastructure. This investment will improve capabilities to identify, analyze, and share information about known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.

There are a pair of provisions aimed at the People’s Republic of China (PRC) in Division B (i.e. the FY 2021 Commerce-Justice-Science Appropriations Act):

  • Section 514 prohibits funds for acquisition of certain information systems unless the acquiring department or agency has reviewed and assessed certain risks. Any acquisition of such an information system is contingent upon the development of a risk mitigation strategy and a determination that the acquisition is in the national interest. Each department or agency covered under section 514 shall submit a quarterly report to the Committees on Appropriations describing reviews and assessments of risk made pursuant to this section and any associated findings or determinations.
  • Section 526 prohibits the use of funds by National Aeronautics and Space Administration (NASA), Office of Science and Technology Policy (OSTP), or the National Space Council (NSC) to engage in bilateral activities with China or a Chinese-owned company or effectuate the hosting of official Chinese visitors at certain facilities unless the activities are authorized by subsequent legislation or NASA, OSTP, or NSC have made a certification…

The National Institute of Standards and Technology (NIST) is asked with a number of duties, most of which relate to current or ongoing efforts in artificial intelligence (AI), cybersecurity, and the Internet of Things:

  • Artificial Intelligence (Al). -The agreement includes no less than $6,500,000 above the fiscal year 2020 level to continue NIST’s research efforts related to AI and adopts House language on Data Characterization Standards in Al. House language on Framework for Managing AI Risks is modified to direct NIST to establish a multi-stakeholder process for the development of an Al Risk Management Framework regarding the reliability, robustness, and trustworthiness of Al systems. Further, within 180 days of enactment of this Act, NIST shall establish the process by which it will engage with stakeholders throughout the multi-year framework development process.
  • Cybersecurity.-The agreement includes no less than the fiscal year 2020 enacted level for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence (NCCoE) and the National Initiative for Cybersecurity Education (NICE). Within the funds provided, the agreement encourages NIST to establish additional NICE cooperative agreements with regional alliances and multi-stakeholder partnerships for cybersecurity workforce and education.
  • Cybersecurity of Genomic Data.-The agreement includes no less than $1,250,000 for NIST and NCCoE to initiate a use case, in collaboration with industry and academia, to research the cybersecurity of personally identifiable genomic data, with a particular focus on better securing deoxyribonucleic acid sequencing techniques, including clustered regularly interspaced short palindromic repeat (CRISPR) technologies, and genomic data storage architectures from cyber threats. NIST and NCCoE should look to partner with entities who have existing capability to research and develop state-of-the-art cybersecurity technologies for the unique needs of genomic and biomedical-based systems.
  • Industrial Internet of Things (IIoT).-The agreement includes no less than the fiscal year 2020 enacted amount for the continued development of an IloT cybersecurity research initiative and to partner, as appropriate, with academic entities and industry to improve the sustainable security of IloT devices in industrial settings.

NIST would receive a modest increase in funding from $1.034 billion to $1.0345 billion from the last fiscal year to the next.

The National Telecommunications and Information Administration (NTIA) would be provided $45.5 million and “the agreement provides (1) up to $7,500,000 for broadband mapping in coordination with the Federal Communications Commission (FCC); (2) no less than the fiscal year 2020 enacted amount for Broadband Programs; (3) $308,000 for Public Safety Communications; and (4) no less than $3,000,000 above the fiscal year 2020 enacted level for Advanced Communications Research.” The agency’s funding for FY 2021 is higher than the last fiscal year at a bit more than $40 million but far less than the Trump Administration’s request of more than $70 million.

Regarding NTIA programmatic language, the bill provides:

  • Further, the agreement directs the additional funds for Advanced Communications Research be used to procure and maintain cutting-edge equipment for research and testing of the next generation of communications technologies, including 5G, as well as to hire staff as needed. The agreement further encourages NTIA to improve the deployment of 5G and spectrum sharing through academic partnerships to accelerate the development of low-cost sensors. For fiscal year 2021, NTIA is directed to follow prior year report language, included in Senate Report 116-127 and adopted in Public Law 116-93, on the following topics: Federal Spectrum Management, Spectrum Management for Science, and the Internet Corporation for Assigned Names and Numbers (ICANN).
  • Spectrum Management System.-The agreement encourages NTIA and the Department to consider alternative proposals to fully fund the needed upgrades to its spectrum management system, including options outside of direct appropriations, and is directed to brief the Committees regarding possible alternative options no later than 90 days after enactment of this Act.
  • Next Generation Broadband in Rural Areas.-NTIA is encouraged to ensure that deployment of last-mile broadband infrastructure is targeted to areas that are currently unserved or underserved, and to utilize public-private partnerships and projects where Federal funding will not exceed 50 percent of a project’s total cost where practicable.
  • National Broadband Map Augmentation.-NTIA is directed to engage with rural and Tribal communities to further enhance the accuracy of the national broadband availability map. NTIA should include in its fiscal year 2022 budget request an update on rural-and Tribal-related broadband availability and access trends, challenges, and Federal actions to achieve equitable access to broadband services in currently underserved communities throughout the Nation. Furthermore, NTIA is encouraged, in coordination with the FCC, to develop and promulgate a standardized process for collecting data from State and local partners.
  • Domain Name Registration.-NTIA is directed, through its position within the Governmental Advisory Committee to work with ICANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.

The Federal Trade Commission (FTC) would receive $351 million, an increase of $20 million over FY 2020. The final bill includes this policy provision for the FTC to heed:

  • Resources for Data Privacy and Security. -The agreement urges the FTC to conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees within 180 days of enactment of this Act.

The Federal Communications Commission (FCC) would see a larger increase in funding for agency operations than the FTC, going from $339 million in FY 2020 to $374 million in FY 2021. However, $33 million of the increase is earmarked for implementing the “Broadband DATA Act” (P.L.116-130) along with the $65 million in COVID-19 supplemental funding for the same purpose. The FY 2021 omnibus directs the FCC on a range of policy issues:

  • Broadband Maps.-In addition to adopting the House report language on Broadband Maps, the agreement provides substantial dedicated resources for the FCC to implement the Broadband DATA Act. The FCC is directed to submit a report to the Committees on Appropriations within 90 days of enactment of this Act providing a detailed spending plan for these resources. In addition, the FCC, in coordination with the NTIA, shall outline the specific roles and responsibilities of each agency as it relates to the National Broadband Map and implementation of the Broadband DATA Act. The FCC is directed to report in writing to the Committees every 30 days on the date, amount, and purpose of any new obligation made for broadband mapping and any updates to the broadband mapping spending plan.
  • Lifeline Service. In lieu of the House report language on Lifeline Service, the agreement notes recent action by the FCC to partially waive its rules updating the Lifeline program’s minimum service standard for mobile broadband usage in light of the large increase to the standard that would have gone into effect on Dec. I, 2020, and the increased reliance by Americans on mobile broadband as a result of the pandemic. The FCC is urged to continue to balance the Lifeline program’s goals of accessibility and affordability.
  • 5G Fund and Rural America.-The agreement remains concerned about the feasible deployment of 5G in rural America. Rural locations will likely run into geographic barriers and infrastructure issues preventing the robust deployment of 5G technology, just as they have faced with 4G. The FCC’s proposed 5G Fund fails to provide adequate details or a targeted spend plan on creating seamless coverage in the most rural parts of the Nation. Given these concerns, the FCC is directed to report in writing on: (1) its current and future plans fix prioritizing deployment of 4G coverage in rural areas, (2) its plans for 5G deployment in rural areas, and (3) its plan for improving the mapping and long-term tracking of coverage in rural areas.
  • 6 Gigahertz. -As the FCC has authorized unlicensed use of the 6 gigahertz band, the agreement expects the Commission to ensure its plan does not result in harmful interference to incumbent users or impact critical infrastructure communications systems. The agreement is particularly concerned about the potential effects on the reliability of the electric transmission and distribution system. The agreement expects the FCC to ensure any mitigation technologies are rigorously tested and found to be effective in order to protect the electric transmission system. The FCC is directed to provide a report to the Committees within 90 days of enactment of this Act on its progress in ensuring rigorous testing related to unlicensed use of the 6 gigahertz band. Rural Broadband-The agreement remains concerned that far too many Americans living in rural and economically disadvantaged areas lack access to broadband at speeds necessary to fully participate in the Internet age. The agreement encourages the agency to prioritize projects in underserved areas, where the infrastructure to be installed provides access at download and upload speeds comparable to those available to Americans in urban areas. The agreement encourages the FCC to avoid efforts that could duplicate existing networks and to support deployment of last-mile broadband infrastructure to underserved areas. Further, the agreement encourages the agency to prioritize projects financed through public-private partnerships.
  • Contraband Cell Phones. -The agreement notes continued concern regarding the exploitation of contraband cell phones in prisons and jails nationwide. The agreement urges the FCC to act on the March 24, 2017 Further Notice of Proposed Rulemaking regarding combating contraband wireless devices. The FCC should consider all legally permissible options, including the creation, or use, of “quiet or no service zones,” geolocation-based denial, and beacon technologies to geographically appropriate correctional facilities. In addition, the agreement encourages the FCC to adopt a rules-based approach to cellphone disabling that would require immediate disabling by a wireless carrier upon proper identification of a contraband device. The agreement recommends that the FCC move forward with its suggestion in the Fiscal Year 2019 report to this Committee, noting that “additional field testing of jamming technology will provide a better understanding of the challenges and costs associated with the proper deployment of jamming system.” The agreement urges the FCC to use available funds to coordinate rigorous Federal testing of jamming technology and coordinate with all relevant stakeholders to effectively address this urgent problem.
  • Next-Generation Broadband Networks/or Rural America-Deployment of broadband and telecommunications services in rural areas is imperative to support economic growth and public safety. However, due to geographical challenges facing mobile connectivity and fiber providers, connectivity in certain areas remains challenging. Next generation satellite-based technology is being developed to deliver direct satellite to cellular capability. The FCC is encouraged to address potential regulatory hurdles, to promote private sector development and implementation of innovative, next generation networks such as this, and to accelerate broadband and telecommunications access to all Americans.

$635 million is provided for a Department of Agriculture rural development pilot program, and he Secretary will need to explain how he or she will use authority provided in the last farm bill to expand broadband:

  • The agreement provides $635,000,000 to support the ReConnect pilot program to increase access to broadband connectivity in unserved rural communities and directs the Department to target grants and loans to areas of the country with the largest broadband coverage gaps. These projects should utilize technology that will maximize coverage of broadband with the most benefit to taxpayers and the rural communities served. The agreement notes stakeholder concerns that the ReConnect pilot does not effectively recognize the unique challenges and opportunities that different technologies, including satellite, provide to delivering broadband in noncontiguous States or mountainous terrain and is concerned that providing preference to 100 mbps symmetrical service unfairly disadvantages these communities by limiting the deployment of other technologies capable of providing service to these areas.
  • The Agriculture Improvement Act of 2018 (Public Law 115-334) included new authorities for rural broadband programs that garnered broad stakeholder support as well as bipartisan, bicameral agreement in Congress. Therefore, the Secretary is directed to provide a report on how the Department plans to utilize these authorities to deploy broadband connectivity to rural communities.

In Division M of the package, the “Coronavirus Response and Relief Supplemental Appropriations Act, 2021,” there are provisions related to broadband policy and funding. The bill created a $3.2 billion program to help low-income Americans with internet service and buying devices for telework or distance education. The “Emergency Broadband Benefit Program” is established at the FCC, “under which eligible households may receive a discount of up to $50, or up to $75 on Tribal lands, off the cost of internet service and a subsidy for low-cost devices such as computers and tablets” according to a House Appropriations Committee summary. This funding is far short of what House Democrats wanted. And yet, this program aims to help those on the wrong side of the digital divide during the pandemic.

Moreover, this legislation also establishes two grant programs at the NTIA, designed to help provide broadband on tribal lands and in rural areas. $1 billion is provided for the former and $300 million for the latter with the funds going to tribal and state and local governments to obtain services from private sector providers. The $1 billion for tribal lands allows for greater flexibility in what the funds are ultimately spent on with the $320 million for underserved rural areas being restricted to broadband deployment. Again, these funds are aimed at bridging the disparity in broadband service exposed and exacerbated during the pandemic.

Congress also provided funds for the FCC to reimburse smaller telecommunications providers in removing and replacing risky telecommunications equipment from the People’s Republic of China (PRC). Following the enactment of the “Secure and Trusted Communications Networks Act of 2019” (P.L.116-124) that codified and added to a FCC regulatory effort to address the risks posed by Huawei and ZTE equipment in United States (U.S.) telecommunications networks, there was pressure in Congress to provide the funds necessary to help carriers meet the requirements of the program. The FY 2021 omnibus appropriates $1.9 billion for this program. In another but largely unrelated tranche of funding, the aforementioned $65 million given to the FCC to undertake the “Broadband DATA Act.”

Division Q contains text similar to the “Cybersecurity and Financial System Resilience Act of 2019” (H.R.4458) that would require “the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration to annually report on efforts to strengthen cybersecurity by the agencies, financial institutions they regulate, and third-party service providers.”

Division U contains two bills pertaining to technology policy:

  • Title I. The AI in Government Act of 2020. This title codifies the AI Center of Excellence within the General Services Administration to advise and promote the efforts of the federal government in developing innovative uses of artificial intelligence (AI) and competency in the use of AI in the federal government. The section also requires that the Office of Personnel Management identify key skills and competencies needed for federal positions related to AI and establish an occupational series for positions related to AI.
  • Title IX. The DOTGOV Act. This title transfers the authority to manage the .gov internet domain from the General Services Administration to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The .gov internet domain shall be available to any Federal, State, local, or territorial government entity, or other publicly controlled entity, subject to registration requirements established by the Director of CISA and approved by the Director of the Office of Management and Budget.

Division W is the FY 2021 Intelligence Authorization Act with the following salient provisions:

  • Section 323. Report on signals intelligence priorities and requirements. Section 323 requires the Director of National Intelligence (DNI) to submit a report detailing signals intelligence priorities and requirements subject to Presidential Policy Directive-28 (PPD-28) that stipulates “why, whether, when, and how the United States conducts signals intelligence activities.” PPD-28 reformed how the National Security Agency (NSA) and other Intelligence Community (IC) agencies conducted signals intelligence, specifically collection of cellphone and internet data, after former NSA contractor Edward Snowden exposed the scope of the agency’s programs.
  • Section 501. Requirements and authorities to improve education in science, technology, engineering, arts, and mathematics. Section 501 ensures that the Director of the Central Intelligence Agency (CIA) has the legal authorities required to improve the skills in science, technology, engineering, arts, and mathematics (known as STEAM) necessary to meet long-term national security needs. Section 502. Seedling investment in next-generation microelectronics in support of artificial intelligence. Section 502 requires the DNI, acting through the Director of the Intelligence Advanced Research Projects Activity, to award contracts or grants, or enter into other transactions, to encourage microelectronics research.
  • Section 601. Report on attempts by foreign adversaries to build telecommunications and cybersecurity equipment and services for, or to provide them to, certain U.S. Section 601 requires the CIA, NSA, and DIA to submit a joint report that describes the United States intelligence sharing and military posture in Five Eyes countries that currently have or intend to use adversary telecommunications or cybersecurity equipment, especially as provided by China or Russia, with a description of potential vulnerabilities of that information and assessment of mitigation options.
  • Section 602. Report on foreign use of cyber intrusion and surveillance technology. Section 602 requires the DNI to submit a report on the threats posed by foreign governments and foreign entities using and appropriating commercially available cyber intrusion and other surveillance technology.
  • Section 603. Reports on recommendations of the Cyberspace Solarium Commission. Section 603 requires the ODNI and representatives of other agencies to report to Congress their assessment of the recommendations submitted by the Cyberspace Solarium Commission pursuant to Section 1652(j) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019, and to describe actions that each agency expects to take to implement these recommendations.
  • Section 604. Assessment of critical technology trends relating to artificial intelligence, microchips, and semiconductors and related matters. Section 604 requires the DNI to complete an assessment of export controls related to artificial intelligence (AI), microchips, advanced manufacturing equipment, and other AI-enabled technologies, including the identification of opportunities for further cooperation with international partners.
  • Section 605. Combating Chinese influence operations in the United States and strengthening civil liberties protections. Section 605 provides additional requirements to annual reports on Influence Operations and Campaigns in the United States by the Chinese Communist Party (CCP) by mandating an identification of influence operations by the CCP against the science and technology sector in the United States. Section 605 also requires the FBI to create a plan to increase public awareness of influence activities by the CCP. Finally, section 605 requires the FBI, in consultation with the Assistant Attorney General for the Civil Rights and the Chief Privacy and Civil Liberties Officer of the Department of Justice, to develop recommendations to strengthen relationships with communities targeted by the CCP and to build trust with such communities through local and regional grassroots outreach.
  • Section 606. Annual report on corrupt activities of senior officials of the CCP. Section 606 requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees annually through 2025 a report that describes and assesses the wealth and corruption of senior officials of the CCP, as well as targeted financial measures, including potential targets for sanctions designation. Section 606 further expresses the Sense of Congress that the United States should undertake every effort and pursue every opportunity to expose the corruption and illicit practices of senior officials of the CCP, including President Xi Jinping.
  • Section 607. Report on corrupt activities of Russian and other Eastern European oligarchs. Section 607 requires the CIA, in coordination with the Department of the Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees and the Under Secretary of State for Public Diplomacy, a report that describes the corruption and corrupt or illegal activities among Russian and other Eastern European oligarchs who support the Russian government and Russian President Vladimir Putin, and the impact of those activities on the economy and citizens of Russia. Section 607 further requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis, to describe potential sanctions that could be imposed for such activities. Section 608. Report on biosecurity risk and disinformation by the CCP and the PRC. Section 608 requires the DNI to submit to the designated congressional committees a report identifying whether and how CCP officials and the Government of the People’s Republic of China may have sought to suppress or exploit for national advantage information regarding the novel coronavirus pandemic, including specific related assessments. Section 608 further provides that the report shall be submitted in unclassified form, but may have a classified annex.
  • Section 612. Research partnership on activities of People’s Republic of China. Section 612 requires the Director of the NGA to seek to enter into a partnership with an academic or non-profit research institution to carry out joint unclassified geospatial intelligence analyses of the activities of the People’s Republic of China that pose national security risks to the United States, and to make publicly available unclassified products relating to such analyses.

Division Z would tweak a data center energy efficiency and energy savings program overseen by the Secretary of Energy and the Administrator of the Environmental Protection Agency that could impact the Office of Management and Budget’s (OMB) government-wide program. Specifically, “Section 1003 requires the development of a metric for data center energy efficiency, and requires the Secretary of Energy, Administrator of the Environmental Protection Agency (EPA), and Director of the Office of Management and Budget (OMB) to maintain a data center energy practitioner program and open data initiative for federally owned and operated data center energy usage.” There is also language that would require the U.S. government to buy and use more energy-efficient information technology (IT): “each Federal agency shall coordinate with the Director [of OMB], the Secretary, and the Administrator of the Environmental Protection Agency to develop an implementation strategy (including best-practices and measurement and verification techniques) for the maintenance, purchase, and use by the Federal agency of energy-efficient and energy-saving information technologies at or for facilities owned and operated by the Federal agency, taking into consideration the performance goals.”

Division FF contains telecommunications provisions:

  • Section 902. Don’t Break Up the T-Band Act of 2020. Section 902 repeals the requirement for the FCC to reallocate and auction the 470 to 512megahertz band, commonly referred to as the T-band. In certain urban areas, the T-band is utilized by public-safety entities. It also directs the FCC to implement rules to clarify acceptable expenditures on which 9-1- 1 fees can be spent, and creates a strike force to consider how the Federal Government can end 9-1-1 fee diversion.
  • Section 903. Advancing Critical Connectivity Expands Service, Small Business Resources, Opportunities, Access, and Data Based on Assessed Need and Demand (ACCESS BROADBAND) Act. Section 903 establishes the Office of Internet Connectivity and Growth (Office) at the NTIA. This Office would be tasked with performing certain responsibilities related to broadband access, adoption, and deployment, such as performing public outreach to promote access and adoption of high-speed broadband service, and streamlining and standardizing the process for applying for Federal broadband support. The Office would also track Federal broadband support funds, and coordinate Federal broadband support programs within the Executive Branch and with the FCC to ensure unserved Americans have access to connectivity and to prevent duplication of broadband deployment programs.
  • Section 904. Broadband Interagency Coordination Act. Section 904 requires the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and the Department of Agriculture to enter into an interagency agreement to coordinate the distribution of federal funds for broadband programs, to prevent duplication of support and ensure stewardship of taxpayer dollars. The agreement must cover, among other things, the exchange of information about project areas funded under the programs and the confidentiality of such information. The FCC is required to publish and collect public comments about the agreement, including regarding its efficacy and suggested modifications.
  • Section 905. Beat CHINA for 5G Act of 2020. Section 905 directs the President, acting through the Assistant Secretary of Commerce for Communications and Information, to withdraw or modify federal spectrum assignments in the 3450 to 3550 megahertz band, and directs the FCC to begin a system of competitive bidding to permit non-Federal, flexible-use services in a portion or all of such band no later than December 31, 2021.

Section 905 would countermand the White House’s efforts to auction off an ideal part of spectrum for 5G (see here for analysis of the August 2020 announcement). Congressional and a number of Trump Administration stakeholders were alarmed by what they saw as a push to bestow a windfall on a private sector company in the rollout of 5G.

Title XIV of Division FF would allow the FTC to seek civil fines of more than $43,000 per violation during the duration of the public health emergency arising from the pandemic “for unfair and deceptive practices associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19 or a government benefit related to COVID-19.”

Finally, Division FF is the vehicle for the “American COMPETES Act” that:

directs the Department of Commerce and the FTC to conduct studies and submit reports on technologies including artificial intelligence, the Internet of Things, quantum computing, blockchain, advanced materials, unmanned delivery services, and 3-D printing. The studies include requirements to survey each industry and report recommendations to help grow the economy and safely implement the technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by forcal35 from Pixabay

Armed Services Committees Agree On Final NDAA

The annual defense policy bill creates a new National Cyber Director and addresses other technology issues.

Last week, the negotiators agreed on a final FY 2021 National Defense Authorization Act (NDAA) that could get passed as early as this week. To no great surprise, President Donald Trump has threatened to veto the annual policy and authorization package for reasons largely unrelated to the Department of Defense and other agencies subject to the bill. It is unclear how the President will respond if Congress ends him the bill and similarly unclear whether Republicans would vote to override a veto. Additionally, the bill might not make it to the White House until around Christmas Day which would complicate the reconvening of Congress to hold override votes.

Nonetheless, big picture, the conferees explained in the Joint Explanatory Statement that conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395):

  • The budget request for national defense discretionary programs within the jurisdiction of the Committees on Armed Services of the Senate and the House of Representatives for fiscal year 2021 was $731.6 billion. Of this amount, $636.3 billion was requested for base Department of Defense programs, $69.0 billion was requested for overseas contingency operations, $26.0 billion was requested for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $314.0 million for defense-related activities.
  • The conference agreement would authorize $731.6 billion in fiscal year 2021, including $635.5 billion for base Department of Defense programs, $69.0 billion for overseas contingency operations, $26.6 billion for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $494.0 million for defense-related activities.

As always, the bill is replete with provisions to change national security-related technology policy, most of which pertains to the Department of Defense (DOD) and the Intelligence Community (IC). However, anymore, the Department of Homeland Security and other agencies also receive policy alterations in the NDAA.

The bill would change the requirements as to when the DOD notifies Congress if it conducts offensive or defensive cyber operations by narrowing the category of such operations. For example, if Cyber Command were to strike a botnet again as it reportedly did in the run up to the election, it would not need to notify Congress, for such an operation is not a foreign terrorist organization or a foreign government unless they may be deemed a “proxy force.” There is a provision extending the liability shield for DOD contractors participating in the Pentagon’s mandated cyber incident reporting system to include compliance with Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

H.R.6395 would tweak the Quadrennial Cyber Posture Review assessments of U.S. statutes, policies, and authorities to manage cyber threats, especially in achieving cyber deterrence.

The DOD would need to set requirements for the periodic, systematic review of the cybersecurity of major weapons systems and related critical infrastructure to ensure the security of these platforms. The Pentagon must also establish a “Strategic Cybersecurity Program” “to ensure that the Department of Defense is always able to conduct the most important military missions of the Department.” This new initiative “shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:

  • Nuclear deterrence and strike.
  • Select long-range conventional strike missions germane to the warfighting plans of United States European Command and United States Indo-Pacific Command.
  • Offensive cyber operations.
  • Homeland missile defense.

The DOD will need to “develop a standard, comprehensive framework to enhance the consistency, execution, and effectiveness of cyber hunt forward operations” including the criteria used to identify such operations, the roles of various stakeholders in the DOD, pre-deployment planning guidelines, the metrics to measure the success of the operation, and other facets. Cyber Command and the National Security Agency have been deploying more of these teams to other nations to develop partnerships with nations closer to shared cyber adversaries (e.g. Estonia and Montenegro visa vis Russia.) The formalization of this process indicates increased Congressional interest and a desire to regularize the practice.

The DOD must “conduct a review of the Cybersecurity Service Provider and Cyber Mission Force enterprises” to determine where there are gaps and redundancies between DOD systems and those provided by contractors. Presumably such an inventory process would precede the DOD consolidating where it can and expanding where necessary.

The position of DOD Principal Cyber Advisor would be reformed. The Secretary of Defense would name a person to fill this position from the DOD civilian officials confirmed by the Senate. The Principal Cyber Advisor would have the following responsibilities, among others:

  • Acting as the principal advisor to the Secretary on military cyber forces and activities.
  • Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
  • Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.

The Principal Cyber Advisor will be tasked with the responsibility for the cybersecurity and critical infrastructure protection of the Defense Industrial Base (DIB) and must “synchronize, harmonize, de-conflict, and coordinate all policies and programs germane to defense industrial base cybersecurity.” This will encompass the Sector Specific Agency (SSA) responsibilities bestowed on the Under Secretary of Defense for Policy’s purview under Presidential Policy Directive-21, the Obama Administration era document that established the division and oversight of critical infrastructure with an eye towards cyber infrastructure. The Principal Cyber Advisor would also need to examine the Under Secretary of Defense for Acquisition and Sustainment’s authorities and responsibilities with respect to contracting and cybersecurity. The Principal Cyber Advisor would need to evaluate other facets of the DIB’s cybersecurity and critical infrastructure protection housed in different offices in the DOD, suggesting an obvious fracturing of efforts that may be at odds with one another.

The Principal Cyber Advisor and the head of Cyber Command would need to “conduct and complete an assessment on the operational planning and deconfliction policies and processes that govern cyber operations of the Department of Defense.” It appears that Congress would like DOD components to play better together when planning and conducting cyber operations, but this state of affairs is to be expected inside a large bureaucracy with players and entities interested in defending and even expanding their turf.

The DOD must “assess the feasibility and advisability of developing and using speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers in the Department of Defense.”

The DOD must study the feasibility of creating a new DIB information sharing program that would be above and beyond any current incident reporting requirements. Under law and regulation, at present, DIB contractors must report intrusions and incidents within 72 hours, but the language in H.R. 6395 envisions a program of greater information sharing for “cybersecurity purposes.” However, it begs the question as to why the DOD does not already have such a program given the “Cybersecurity Act of 2015” established the template for such programs over five years ago.

The Pentagon would need to “complete an assessment of the feasibility, suitability, definition of, and resourcing required to establish a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the DIB.”

The DOD must “assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.” And, for those components that fail to meet the “good cyber hygiene” standards, the report must indicate whether they will bring their hygiene up to snuff by March of 2022 and how they will shore up vulnerabilities and risks in the meantime.

The DOD would need to start submitting monthly reports on all “cross domain incidents,” a new term that seems to include all intrusions into classified or restricted systems regardless of whether information is exfiltrated, contaminated, or exposed. The Pentagon would also need to provide Congress with a list of all currently operative exemptions to DOD information policy.

The DOD must draft and implement a plan on how to secure and protect the U.S. nuclear command and control system from cyber threats.

The Cyberspace Solarium Commission (CSC) was extended. It was supposed to sunset after the delivery of its final report, but now it will continue to exist for the better part of two more years. The CSC would need to discharge the following duties:

  • collecting and assessing comments and feedback from the Executive Branch, academia, and the public on the analysis and recommendations contained in the Commission’s report;
  • collecting and assessing any developments in cybersecurity that may affect the analysis and recommendations contained in the Commission’s report;
  • reviewing the implementation of the recommendations contained in the Commission’s report;
  • revising, amending, or making new recommendations based on the [aforementioned] assessments and reviews…

The CSC’s primary recommendation that the U.S. have a National Cyber Director in the White House was included in the final bill. This new position shall also have a dedicated office in the Executive Office of the President but would not be a Senate confirmed position as the CSC advised. Moreover, it appears that offensive and defensive cyber operations of the DOD would be outside his or her statutory remit unless the President decides to make it so. The National Cyber Director would offer advice to the National Security Council (NSC) on U.S. cyber strategy and policy and coordinate the formulation of such policies and strategies. Moreover, the director would be a statutory member of the NSC. The National Cyber Director would lead U.S. responses at the federal level to cyber attacks and significant cyber campaigns.

The bill would expand the authority of the United States’ (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with respect to operating on civilian agency networks. CISA would be able to access and inspect other agencies’ information systems without the permission or knowledge of the other agency and could then share information and its findings with the agency. And yet, CISA would not receive authority to act if it found something on another agency’s information networks or systems. Nonetheless, CISA would also be empowered to provide a range of assistance to other agencies.

DHS would need to conduct an assessment of CISA per the CSC’s recommendations on how the agency could improve its operations and better use its resources, among other matters. DHS would also be tasked with evaluating how well the Sector Specific Agency approach to regulating critical infrastructure is working as laid out in Presidential Policy Directive 21 and successor documents and make recommendations on how to revise the framework if needed. This could result in the Biden Administration revamping the current 17 sectors and other components of how the U.S. oversees its critical infrastructure. In concert with this review and possible revision, Sector Specific Agencies would be replaced by Sector Risk Management Agencies that, as a practical matter, will probably be the same agencies overseeing the same sectors but with greater statutory responsibilities.

DHS must study and draft a strategy for all U.S.-based email providers to use Domain-based Message Authentication, Reporting, and Conformance (DMARC), “an email authentication, policy, and reporting protocol that verifies the authenticity of the sender of an email and blocks and reports to the sender fraudulent accounts.”

DHS would need to report annually on digital content forgery technology with the Director of National Intelligence, including:

  • An assessment of the underlying technologies used to create or propagate digital content forgeries, including the evolution of such technologies and patterns of dissemination of such technologies.
  • A description of the types of digital content forgeries, including those used to commit fraud, cause harm, harass, coerce, or silence vulnerable groups or individuals, or violate civil rights recognized under Federal law.
  • An assessment of how foreign governments, and the proxies and networks thereof, use, or could use, digital content forgeries to harm national security.
  • An assessment of how non-governmental entities in the United States use, or could use, digital content forgeries.
  • An assessment of the uses, applications, dangers, and benefits, including the impact on individuals, of deep learning or digital content forgery technologies used to generate realistic depictions of events that did not occur.
  • An analysis of the methods used to determine whether content is created by digital content forgery technology, and an assessment of any effective heuristics used to make such a determination, as well as recommendations on how to identify and address suspect content and elements to provide warnings to users of such content.
  • A description of the technological countermeasures that are, or could be, used to address concerns with digital content forgery technology.
  • Any additional information the Secretary determines appropriate.

CISA would receive the subpoena authority it requested to obtain the contact information of owners and operators of critical cyber infrastructure from internet service providers (ISP) should there be a risk. CISA submitted a legislative proposal in summer 2019 that was then taken up by Senate and House stakeholders who then introduced legislation in December and February respectively: the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S. 3045) and the “Cybersecurity Vulnerability Identification and Notification Act of 2020” (H.R. 5680). The bills were very similar but had some differences that have been ironed out.

CISA would be able to appoint an employee in each state to serve as Cybersecurity State Coordinator to help states improve their cybersecurity.

CISA must establish a “Cybersecurity Advisory Committee” to “advise, consult with, report to, and make recommendations to the Director, as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.”

Inside CISA, there would be a newly created Joint Cyber Planning Office “to develop, for public and private sector entities, plans for cyber defense operations, including the development of a set of coordinated actions to protect, detect, respond to, and recover from cybersecurity risks or incidents or limit, mitigate, or defend against coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”

Within one year, CISA “a report on Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within” CISA.

The Government Accountability Office (GAO) would need to investigate and report on cyber insurance in the U.S. At one time, some experts considered the development of a cyber insurance market as being crucial to driving greater cybersecurity across the private sector. However, this has not come to pass, which is likely why the GAO will be reporting on the issue.

On other technology policy, a Public Wireless Supply Chain Innovation Fund would be established and overseen by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to support the following activities:

  • Promoting and deploying technology, including software, hardware, and microprocessing technology, that will enhance competitiveness in the fifth-generation (commonly known as ‘‘5G’’) and successor wireless technology supply chains that use open and interoperable interface radio access networks.
  • Accelerating commercial deployments of open interface standards-based compatible, interoperable equipment, such as equipment developed pursuant to the standards set forth by organizations such as the O-RAN Alliance, the Telecom Infra Project, 3GPP, the Open-RAN Software Community, or any successor organizations.
  • Promoting and deploying compatibility of new 5G equipment with future open standards-based, interoperable equipment.
  • Managing integration of multi-vendor network environments.
  • Identifying objective criteria to define equipment as compliant with open standards for multi-vendor network equipment interoperability.
  • Promoting and deploying security features enhancing the integrity and availability of equipment in multi-vendor networks.
  • Promoting and deploying network function virtualization to facilitate multi-vendor interoperability and a more diverse vendor market.

A Multilateral Telecommunications Security Fund would be created and run by the Department of State “to establish a common funding mechanism, in coordination with foreign partners, that uses amounts from the Multilateral Telecommunications Security Fund to support the development and adoption of secure and trusted telecommunications technologies.” The bill provides that “[i]n creating and sustaining a common funding mechanism, the Secretary of State should leverage United States funding in order to secure commitments and contributions from trusted foreign partners such as the United Kingdom, Canada, Australia, New Zealand, and Japan, and should prioritize the following objectives:

  • Advancing research and development of secure and trusted communications technologies.
  • Strengthening supply chains.
  • Promoting the use of trusted vendors.”

Both of these new programs would need the Appropriations Committees to provide funding as the FY 2021 NDAA does not give them any money.

H.R.6395 directs “an interagency information technology spectrum modernization effort, led by the Assistant Secretary of Commerce for Communications and Infrastructure and the NTIA, to synchronize development and coordination of standards and Federal spectrum management.” This provision “would also require the Secretary of Defense to establish a program to identify and mitigate vulnerabilities in the telecommunications infrastructure of the DOD.”

The FY 2021 NDAA contains the “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”

H.R.6395 has provisions “that would require the Secretary of Commerce to establish a program that provides grants to covered entities to incentivize investment of semiconductor fabrication facilities, or assembly, testing, advanced packaging, or advanced research and development of semiconductors in the U.S.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Michael Afonso on Unsplash

Appropriations Move Ahead

Congress has started the new fiscal year as it usually does with a short-term bill. However, full appropriations may not be enacted until next spring. And yet, another stimulus bill may infuse more money into technology programs.

Congress and the White House agreed to a short-term bill to fund the federal government and all its activities through mid-December, removing a contentious, must-pass issue from the list of pending items that might get enacted before the election. Talks are ongoing regarding another COVID-19 stimulus package, and House Democrats revised and passed their proposal without a single Republican vote.

Last week, the President signed a continuing resolution (CR) into law that would keep government agencies and departments funded at the same level as the previous fiscal year that ended on 30 September. It is customary in most years to pass a short-term CR to give the two bodies more time to work out a final package. However, it bears note that in the last two elections in which the White House changed parties (2008 and 2016), regular appropriations were kicked well into the next calendar year resulting in long-term CRs passed after the election. So, if former Vice President Joe Biden wins next month’s election, FY 2021 appropriations may not get sorted until next spring.

As noted, the “Continuing Appropriations Act, 2021 and Other Extensions Act” (H.R.8337) extends FY 2020 appropriations until December 11, 2020 at the same level that departments and agencies were funded in FY 2020 with some exceptions (aka anomalies.) There was the customary bar on using these funds for any programs or activities not approved for FY 2020, meaning any new programs proposed for FY 2021 could not be funded. This prohibition includes the Department of Defense (DOD), and the CR explicitly bars the use of funds provided for

(1) the new production of items not funded for production in fiscal year 2020 or prior years;
(2) the increase in production rates above those sustained with fiscal year 2020 funds; or
(3) The initiation, resumption, or continuation of any project, activity, operation, or organization (defined as any project, subproject, activity, budget activity, program element, and subprogram within a program element, and for any investment items defined as a P–1 line item in a budget activity within an appropriation account and an R–1 line item that includes a program element and subprogram element within an appropriation account) for which appropriations, funds, or other authority were not available during fiscal year 2020.

The CR also bars the use of DOD funds “to initiate multi-year procurements utilizing advance procurement funding for economic order quantity procurement unless specifically appropriated later.”

As noted, the CR does allow some departments and agencies to have more funds for specified programs via so-called anomalies, and some of the more notable ones are:

  • $1.4 billion for the Rural Water and Waste Disposal Program
  • Language allowing the Department of Agriculture to spend at a level sufficient to ensure that a program to feed needy children during the summer is ready in 2021
  • A provision allowing the Commodity Supplemental Food Program to continue feeding low-income seniors, women, infants, and children aged six and below
  • $1.5 billion for the Bureau of the Census
  • “The Navy may enter into a contract, beginning with fiscal year 2021, for the procurement of up to two Columbia class submarines…in an amount not to exceed $1.62 billion.”

The CR also carried an extension for the current surface transportation bill that was set to expire on September 30, 2020 that funds programs at the current level until September 30, 2021 to give Congress more time to pass a full surface transportation reauthorization. $14.6 billion is appropriated to supplement Highway Trust Fund proceeds, and the Airport and Airway Trust Fund would also get an infusion of $14 billion to fund Federal Aviation Administration programs. The package also has Medicare and Medicaid extenders. There is also an extension of the “Antitrust Criminal Penalty Enhancement and Reform Act of 2004” “to strengthen public and private antitrust enforcement by providing incentives for antitrust violators to cooperate fully with government prosecutors and private litigants through the repeal of the sunset provision.”

Finally, the CR extends the Pandemic EBT program, the waivers for the National School Lunch Program and the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC), and the administrative flexibility provided to states for the Supplemental Nutrition Assistance Program (SNAP).

On a party line vote, the House passed a slimmer version of the “HEROES Act,” the Democratic stimulus package. This bill would make available $2.2 trillion in comparison to the $3.4 trillion package passed in May. However, just because this bill passed the House does not mean another COVID-19 stimulus package would look like this. Speaker of the House Nancy Pelosi (D-CA) is still in negotiations with Secretary of the Treasury Steven Mnuchin, and the White House is also negotiating with Senate Republicans who generally favor a smaller bill. It is unclear whether these different stakeholders will reach agreement before the election.

According to the House Appropriations Committee summary, the HEROES Act would fund the following technology programs:

  • Elections – $3.6 billion for grants to states for contingency planning, preparation, and resilience of elections for Federal office.
  • Broadband – $12 billion to close the homework gap by providing funding for Wi-Fi hotspots and connected devices for students and library patrons, $3 billion for emergency home connectivity, $200 million for telemedicine grants, and $24 million for broadband mapping.
  • General Services Administration Technology Modernization Fund – $1 billion in funding for technology-related modernization activities to respond to coronavirus.
  • House of Representatives – $37 million to support expanded House operations such as tele-town halls, video conferencing, remote hearings, and cybersecurity. Funding will also support changes to Member office space, such as providing plastic barriers.
  • Senate– $6.345 million for teleworking and IT needs as well as funds to supplement daycare operations.
  • E-Rate Support for Wi-Fi Hotspots, Other Equipment, and Connected Devices During Emergency Periods Related to COVID-19. Authorizes a temporary disbursement to be administered through the Federal Communications Commission’s (FCC) E-rate Program for schools and libraries to provide internet service in a technologically neutral way to students and teachers, prioritizing those without internet access at home. It allows authorized funding to be used for internet service and providing connected devices, like laptops and tablets, Wi-Fi hotspots, modems, and routers, to students and teachers to help keep them in the digital classroom during the COVID-19 pandemic. Five percent of the emergency funds authorized are set aside to help serve schools and libraries that serve people living on tribal lands.
  • Benefit for Broadband Service During Emergency Periods Relating to COVID-19.Entitles households in which a member has been laid off or furloughed, among other households that will be eligible, to get a $50 benefit, or a$75 benefit on tribal lands, to put toward the monthly price of internet service during the COVID-19 public health emergency. Internet service providers would be required to provide eligible households service at a price reduced by an amount up to the emergency benefit, and those providers can seek a reimbursement from the FCC for such amount.
  • Continued Connectivity During Emergency Periods Relating to COVID-19. Prohibits broadband and telephone providers from terminating service due to a customer’s inability to pay their bill because of financial hardships caused by the COVID-19 pandemic or imposing late fees incurred because of hardships caused by the COVID-19 pandemic. It also prohibits broadband providers from employing data caps or charging customers from going over data caps and requires them to open Wi-Fi hotspots to the public at no cost during the COVID-19 public health emergency.
  • Requirement for Confinement Facility Communications Services, During the Covid-19 Pandemic and Other Times. Sets a mandatory, immediate, interim cap on all rates charged in connection with voice calls and video calls made to or from prisons or jails —both for calls within a state and calls between states — of .04 cents per-minute for debit calls and .05 cents per-minute for collect calls. It also gives the FCC the authority to set rates in connection with voice calls and video calls in prisons and jails both for calls within a state and calls between states. Finally, it requires the FCC to adopt rules to replace the mandatory interim caps within 18 months of passage and to review those rates every two years. Prohibits prisons or jails from charging site commissions.
  • Preempts any state law that permits a higher rate for voice or video calling but allows state laws mandating a lower rate to persist.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Arek Socha from Pixabay

Pending Legislation In U.S. Congress, Part II

Appropriations will, of course, be enacted, but when is the question. And along with bills to fund the U.S. government come policy direction.

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. Yesterday, we examined the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA). Today we will look at appropriations.

Passage of regular appropriations during federal election years is almost always delayed until after the election, and the Congress and the President usually agree to extend the current year’s level of funding for agencies through late November or early December (aka a continuing resolution.) This year, negotiations over another potential pandemic package might complicate passage of a continuing resolution (CR) this month, but it appears, at present, the two issues are being handled separately with Speaker of the House Nancy Pelosi (D-CA) and Secretary of the Treasury Steven Mnuchin having reached agreement in principle on a CR. It remains to be seen whether this agreement will hold through passage of legislation to keep the U.S. government funded as carefully negotiated deals have unraveled at the last minute when President Donald Trump found reason to object.

Also, there have been only four fiscal years since the enactment of the Congressional Budget Act of 1974 in which all the appropriations bills were enacted by the beginning of the coming fiscal year. Therefore, it is almost certainly going to be the case that the current fractured political environment in Washington results in a current resolution for the first few months of FY 2021 and quite possibly well into calendar year 2021 should the Democrats take control of the White House and Senate.

Moreover, the Trump Administration has again proposed steep cuts to many civilian agencies the Congress will probably ignore based on appropriations from the previous three fiscal years appropriations process. Nonetheless, in a footnote to a summary table in its FY 2021 budget request, the Administration explained it is “propos[ing] to fund base defense programs for 2021 at the existing [Budget Control Act] cap and fund base [non-defense] programs at a level that is five percent below the 2020 [non-defense] cap.” The Administration asked that Congress “extend the [Budget Control Act] caps through 2025 at the levels included in the 2021 Budget…[which] would provide an increase in defense funding of about two percent each year, and decrease funding for [non-defense] programs by two percent (or “2-penny”) each year.”

However, the House Appropriations Committee has again rejected these deep cuts to non-defense funding and have moved forward by passing 10 of the 12 annual bills in July. By way of contrast, the Senate Appropriations Committee, has not even considered any of its bills in committee, reportedly because there was a desire to shield vulnerable Republicans running for reelection from taking tough votes on politically divisive issues. Consequently, the Senate Appropriations Committees almost certainly has bills it has worked on and are ready to go when the time comes to consider the inevitable bundling of bills either into one omnibus or smaller packages to enact FY 2021 funding.

In any event, the annual appropriations bills provide top-line funding numbers for a number of agencies with jurisdiction over United States’ technology programs and policies. There can be policy directives written into these bills usually in the form of denying the use of funds for certain purposes or tying the use of funds to an agency addressing an issue of importance to a committee or subcommittee. However, the more directive policy changes are usually written in the Committee Reports that accompany the bills.

FY 2021 Homeland Security Appropriations Act

The Homeland Security Subcommittee marked up and reported out to the full committee its “FY 2021 Homeland Security Appropriations Act” that would provide the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with $1.844 billion for operations and support, $396 million for procurement, construction, and improvement, and $14.4 million for research & development. For FY 2020, CISA was appropriated $1.566 billion for operations and support, $434 million for procurement, construction, and improvement, and $14.4 million for research & development. For the next fiscal year, the Trump Administration requested $1.438 billion, $313 million, and $6.4 million respectively for the same categories of programs. Moreover, the Committee made available its Committee Report. However, this bill has not come to the House floor and likely will not to shield Democrats seeking reelection in moderate or right-leaning districts from facing votes on issues like immigration.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a ‘‘central Federal information security incident center,’ a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115– 390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • [P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.— The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.”
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and other priority activities and
    • investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).— The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.” The House subsequently passed this bill.

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

In July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was also marked up and reported out, and the House passed the bill. The Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

The National Institute of Standards and Technology (NIST) would be given $1.044 billion via the “FY 2021 Commerce-Justice-Science Appropriations Act.” NIST received a total of $1.034 billion for FY 2020, and the agency requested $737 million for the next fiscal year. This bill includes annual language barring any agency receiving funds under it from buying “a high-impact or moderate-impact  information  system” unless all the risks have been mitigated associated with the procurement of such a system, most especially including supply chain risks, that may originate in the People’s Republic of China, Iran, North Korea, or Russia.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Francine Sreca from Pixabay

Further Reading, Other Developments, and Coming Events (28 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On  29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modem buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well­ informed decisions on how best to acquire IT hardware, security, consulting services and many other every day needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted
      • Under the President’s Management Agenda and the leadership of OMB ‘s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need r physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and distinction, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples in how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of FitBit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc.,. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored  people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech in the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for Department of Defense (DOD) regarding “poor Proper Operations Security (OPSEC) practices within DOD in the past have resulted in the unauthorized disclosure or ” leaks” of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as “non-public information”). Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights.  As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities.  It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19) .
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizen’s personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Ms Denham said: ”The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the account of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc is a major part of this problem that must also be addressed.
  • US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN) and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “Hurting People  At Scale” – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Federal Software Hearing

Through the prism of the US’ inadequate response to the COVID-19 pandemic, a House committee chewed over familiar issues plaguing the US’ government’s technology use and modernization efforts.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 15 July, the House Budget Committee held a virtual hearing titled “Software Update Required: COVID-19 Exposes Need for Federal Investments in Technology” to highlight the effects of underfunding of technology programs in the federal government has had in hindering efforts to combat COVID-19 and measures to mitigate its impacts. The shortcomings of federal information technology (IT) procurements, processes, and performance is one of the areas where there is bipartisan agreement on many of the issues and proposed solutions. However, Republicans and Democrats often differ on funding for civilian IT programs, a feature of the ongoing debate about another COVID-19 stimulus package. And this was the line that divided the chair and ranking member of the committee on how to address acknowledged failures in how federal and state governments distributed aid to people and businesses. Because the House Budget Committee does not have direct jurisdiction over technology programs other than setting broad parameters in the years it drafts and passes a budget resolution to guide Congressional funding, the impact of this hearing is more in the vein of shaping discussion in the House on how it should address the funding and governance of IT programs, which. Now total more than $90 billion annually of the more than $1.2 trillion in funds Congress doles out every year.

Chair John Yarmuth (D-KY) claimed “[r]ash funding cuts over the past decade have prevented the Internal Revenue Service (IRS) from modernizing its information technology (IT) systems, deteriorating the agency’s ability to not only carry out its core function of tax collection and enforcement, but also needlessly prolonging the delivery of stimulus payments to workers and families during the coronavirus pandemic and recession.” He asserted that “[t]he coronavirus pandemic has proved that the quicker the response the better the outcome – and that the steps taken by Congress to help American workers and families are only as effective as the agencies delivering that relief.” Yarmuth claimed “[u]nfortunately, the IRS is not alone in its inability to meet the needs of the American people in this perilous time.”

Yarmuth stated

  • Instead of helping to generate much-needed solutions, outdated IT systems are worsening an already difficult situation as Americans grapple with unreliable or insufficient internet access, useless automated systems, and overwhelmed and underprepared agencies. Emergency assistance programs across the board have been hampered by our antiquated IT systems – leaving families with delayed relief or no relief at all.
  • The most glaring example is unemployment assistance. We are four months into the worst economic downturn since the Great Depression, and there are still tens of thousands of workers who have filed for jobless claims but have not yet received a single payment. Many are going into debt or default, skipping meals, or losing their homes.
  • State unemployment offices, already underfunded and understaffed, were left completely unprepared for the massive influx of need. And a big reason for that is the fact that national administrative funding is essentially the same as it was in 2001 – and that’s before accounting for inflation.

Yarmuth continued

  • This lack of federal investment combined with old hardware, crashing web servers, and the need for new-hires proficient in COBOL – their systems’ 60-year old coding language – have left states scrambling. Their antiquated IT systems failed and continue to fail repeatedly – and American workers, those who lost their jobs through no fault of their own, are paying the price.
  • This aspect of our ongoing crisis is not new. The federal government has long sought to prioritize modern, secure, and shared IT solutions, but funding uncertainties – stemming from constrained discretionary funding under budget caps, shutdown threats, and continuing resolutions – have made agencies more likely to update instead of modernize. The Government Accountability Office (GAO) reports that while the total share of federal IT spending is increasing, it isn’t because we are investing in better and new technology. It’s because the price of updating our existing systems is snowballing as our ancient software becomes increasingly outdated and hardware parts nearly impossible to find.

Yarmuth said “[t]o date, Congress has passed legislation that includes $1 billion in grants to state unemployment offices to help process claims faster – and more is needed.” He argued that “[b]y refusing to bring the “HEROES Act” (H.R.6800) to the floor, [Senate Majority] Leader [Mitch] McConnell (R-KY) is holding up an additional $1 billion for the federal Technology Modernization Fund and a combined $5.5 billion to help schools, libraries, and impacted families access high speed connectivity and devices to facilitate distance learning – something we must prioritize in order to protect our children and educators.” Yarmuth remarked “earlier this month, House Democrats passed the “Moving Forward Act,” (H.R.2) a comprehensive infrastructure package that includes $100 billion in broadband funding to extend high speed internet to underserved and hard to reach communities.” He declared that “[w]e have to invest in modernization now, so that the federal government can help provide workers, families, and state and local governments with the necessary tools and resources to support our nation’s recovery efforts.”

Ranking Member Steve Womack (R-AR) said “[f]ederal information technology (IT) systems are critical to providing Americans with a wide range of government services and information…[and] [i]n the 21st century, it’s no secret that IT is fundamental to many different operations.” He contended “[t]hese systems are aimed at improving program delivery, maximizing effectiveness and efficiency, and ensuring data security…[and] [i]f we cannot maintain and optimize this critical infrastructure, the federal government will be unable to execute one of its essential functions: providing crucial resources and services to the American people.” Womack asserted “[w]e should never allow the delivery of veteran health care, social security benefits, or defense initiatives to fail because of outdated and faulty IT systems.”

Womack stated that “[u]nfortunately, current federal IT upgrade efforts are faltering due to missed deadlines, cost overruns, and inadequate outcomes, including operability failure and data breaches…[and] [w]hile COVID-19 exposed additional deficiencies of federal IT systems, these shortages existed long before the current pandemic.”

Womack stated

  • For example, in 2011, the Department of Veterans Affairs (VA) and the Department of Defense (DOD) began an electronic health record (EHR) modernization initiative to create a single, shared system between the two departments. In 2013, and after spending more than $1 billion on the program, the VA and DOD announced they were abandoning the project with nothing to show for the money spent other than a painful lesson learned. This is not only a waste of taxpayer dollars, but, more disconcerting, it hurts our nation’s service members and veterans who depend on these health care services. This is the more upsetting part for me. Program indecision and mismanagement have resulted in us failing those who’ve served this country.
  • Where is this EHR effort at the VA today? The VA and DOD are trying this again with a new government contract from Cerner. This initiative is already nearly one year behind schedule and has yet to go live in even one medical center. I truly hope this story ends better than past VA efforts in the IT space.

Womack added “I’m not just picking on the VA’s challenges. There are other examples of how we have fallen short:

  • In 2014, the Office of Personnel Management’s data was breached, which resulted in approximately 21.5 million compromised records.
  • The HITECH Act, which was part of the 2009 stimulus package, allocated billions of dollars for the Department of Health and Human Services (HHS) for IT development. To date, HHS still does not have an interoperable system and continues to struggle with siloed and fragmented data due to the different electronic health records vendors.”

Womack claimed “the question is, how do we make sure, going forward, all federal investments in IT modernization efforts result in the timely deployment of up-to-date, secure, and properly functioning systems?”

Womack asserted

  • Strong vetting and planning for proper IT implementation is key. It is imperative that these investments are met with rigorous oversight—yes, that is our job here in Congress—and agency accountability to ensure that the public is getting the best services available and taxpayer dollars are not wasted.
  • But, as I mentioned last week, there is another threat to federal investments in vital government programs such as IT modernization. That is our out-of-control deficit and debt. If we don’t confront the autopilot mandatory spending that is hurtling us towards a fiscal cliff, there won’t be any money left to fund a range of prerogatives.
  • Time is running out, and it’s essential that Congress directly address this problem. The Budget Committee must meet its duty and put together a budget to chart a new way forward. We need to get back to making the tough choices that will determine a brighter future. We have an obligation to current and future generations to ensure that critical programs don’t cease to exist.

National Academy of Public Administration President and CEO Teresa Gerton stated

  • The government’s IT infrastructure is heavily dependent upon technologies that were invented in the mid-twentieth century. The coronavirus pandemic has made it abundantly clear that those systems pose extraordinary risk to government operations in a steady state environment, and they may fail catastrophically in a crisis. And yet, government budgeting rules and appropriation law have created IT acquisition challenges for almost as long as the term “IT” has existed.
  • Insufficient funding for capital improvements has forced agencies to repeat a cycle in which robust plans submitted with their budget requests have to be scaled back to align with the reduced funding amounts they eventually receive. Insufficient funding leads to implementation of sub-optimal solutions with limited impact on improving efficiency. Ironically, governments bear an extra cost burden for such strategies because they must allocate expensive resources to maintain obsolete and inefficient solutions, which by any reasonable business standard should have been rationalized and replaced.
  • To really change the future, we must change the rules. Today the government has challenges with cloud procurement, but the market is constantly evolving. More things will be sold as a service in the future. With enablers like quantum computing and machine learning, technology innovation will inevitably continue at an increasing rate. Given the economic, demographic, and social challenges facing this nation, the federal government must find new ways to invest in and to improve its effectiveness and efficiency to successfully meet the current and future demands of the American public. We must provide acquisition and sustainment flexibility that reflects what the commercial market is selling, and we must adapt our accounting and auditing rules to encourage, not discourage, the use of these flexibilities. We must be ready to effectively acquire and deploy modern technology solutions or risk failures in our support to our citizens, and potentially calamitous failures in our ability to govern.

Code for America Founder and U.S. Digital Response Co-Founder Jennifer Pahlka said “[t]o get government tech right, we of course need to be able to procure more modern technology platforms…[b]ut that will be insufficient if we don’t also do three things that support ​agility and human-centered design:

  • The first is to break down the silos between policy, technology and other disciplines. Technology can’t speed a process in which most cases must be handled manually, as I described above in the case of unemployment benefits under the CARES Act. A similar problem is that many states require applicants for Pandemic Unemployment Assistance (PUA) to apply for regular unemployment first, wait to receive their rejection, and only then apply for PUA. Tech, operations, policy and compliance staff must work together to solve these problems, and agile development models allow for this collaboration in ways that legacy models do not. We must even have digital professionals at the table when we craft policy; understanding how the service will be delivered is critical to getting the outcomes the policy seeks, especially now, as we face greater and greater needs and limited delivery capabilities. As the former head of the White House Domestic Policy Council Cecilia Muñoz has said, “Policy leaders must learn the skills of human-centered design, and technology must have a seat at the strategy table.”
  • The second is to encourage rapid prototyping and continuous development. Our legacy process involves a requirements gathering period that can take many years, followed by the development of a Request for Proposal that can be thousands of pages long, lengthy contracting and development periods, and then a move into what’s called sustainment. This process may work for constructing buildings, but it’s simply not how good software comes to life. It is better, faster and cheaper when interdisciplinary teams start small, build iteratively, work closely with the users of the software all the way through, and continuously update and improve the application.
  • The third is to demand that all services provide real-time data about their usage and that human beings are assigned to looking at that data to understand what’s working, what’s not working and what can be done about it. When Code for America started working to decrease the participation gap in Supplemental Nutrition Assistance (SNAP) in California, our team found that the program leadership had very little insight into the reasons people tried to apply and couldn’t, or applied but couldn’t make it through the burdensome process despite being eligible. It wasn’t that they didn’t care; the systems they’d been given to manage eligibility and enrollment simply didn’t provide that data, and what data they did get was usually months, if not years, old by the time they got it. Creating an online application that was simpler and easier to use had huge benefits for the people applying, but an equally important benefit was that the system was instrumented to allow decision-makers to see in near real-time where users got stuck and begin to fix those issues. This access to real-time data is part of what’s needed as we deal with today’s crisis.

National Employment Law Project Executive Director Rebecca Dixon urged “Congress to immediately take the following steps, which will help stabilize and ensure greater accountability and transparency over the state IT systems:

1. Fully Fund the States Linked to Strong Accountability Standards: Most importantly, the federal government must make a sizable commitment to provide dedicated funding of IT modernization and far more adequate levels of basic state unemployment insurance (UI) administration funding. With the additional funding should come strong federal oversight and enforcement, including tangible requirements that the modernization process include input from stakeholders (including workers and their advocates) from beginning to end, and comprehensive user testing that ensures participation from Black people who are faced with the most barriers, and all communities of color; those on the other side of the digital divide; people with limited English proficiency; and people with disabilities.

2. Expand the Department of Labor’s (DOL) IT Expertise and Mandate to Ensure Full Access: There is extremely limited independent capacity and IT expertise on the part of DOL to actively monitor and enforce the state UI systems. DOL should create a specialized unit devoted to the IT, phone and other state UI agency infrastructure needs. DOL’s new regime should include strong measures of state success and failure (including adequate customer service) that can be assigned a grade that should be prominently featured on the DOL website to provide transparency to the public and compare the operation of programs across the states. For example, DOL should extend the timeliness regulations to ensure that workers are able to successfully reach a claims agent by phone within a reasonable period of time. In addition, DOL’s Center for Civil Rights should also be fully resourced to more promptly investigate and respond to complaints and make the results of their investigations public. DOL should also have the authority to review IT contractor agreements, audit contractors where necessary, and require the states to produce data documenting contractor performance.

3. Federal Commission on Modernization of Federally Funded Benefit Programs: A federal task force should be immediately created to evaluate the performance of federally funded programs, including UI, and make recommendations for reform related to funding, the creation of robust standards and metrics, contractor accountability, best practices, and the adequacy of federal agency oversight and enforcement, including compliance with civil rights laws. The task force should also explore whether certain administrative and infrastructure functions (especially in response to disasters and public health emergencies) should be federalized, and whether federal agencies should have the authority to negotiate favorable terms with IT and phone system vendors that take advantage of the federal government’s ability to leverage cost savings while also producing more compatible and high-quality state systems. Federalization in whole or part may be the simplest solution. The patchwork of state systems means that each state has to struggle with the modernization process and vendor negotiations. While some states have banded together into consortia to get a better deal, those consortia can dissolve as political leadership shifts in allied states or as states develop different modernization goals, wasting time and money. A federal process could achieve these goals on the largest possible scale.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Christina @ wocintechchat.com on Unsplash

House Appropriations Committee Passes Bills With Funding For and Directives To Technology Agencies

Four bills full of technology funding and programmatic direction are reported to the House.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The House Appropriations Committee finished work on four of the FY 2021 appropriations bills that fund a substantial portion of the United States’ (US) government’s technology programs and activities. Often appropriations bills are the primary vehicle by which Congress changes executive branch policy through the use of its funding powers, and so the bills and their committee reports contain a range of directives and instructions year-to-year. The House is set to finish committee consideration of all 12 bills this month, but there is no indication as to when the Senate Appropriations Committee will take up its bills. Given the late start on appropriations, it is all but certain the federal government will be operating under a stopgap funding bill for some portion of the first quarter of the next fiscal year. The outcome of the election could result in a further postponing of full appropriations and delaying of passage of technology funding and program changes.

FY 2021 Homeland Security Appropriations Act

In advance of the 15 July markup, the House Appropriations Committee made available its Committee Report to accompany the FY 2021 Homeland Security Appropriations Act.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a ‘‘central Federal information security incident center,’ a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115– 390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • [P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.— The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.”
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and other priority activities and
    • investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).— The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.”

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

Also on 14 July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was also marked up and reported out and its Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Senate Consideration of NDAA Continues

Slowly, the Senate works on its NDAA by adding a number of amendments including a few standalone technology bills. However, an election security bill was stripped out of the FY 2021 Intelligence Authorization before it was added to the NDAA.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Senate continued its consideration of the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) this week before recessing for the 4 July holiday. Work will continue later this month on the massive authorization package that sets annual policy for the Department of Defense (DOD) and related agencies. However, before leaving Washington, DC, the Senate did deal with some of the amendments offered for adoption by adding a number en bloc, some of which pertain to technology policy and funding.

The following amendments were adopted on 2 July 3, 2020 en bloc by unanimous consent:

  • The Department of Homeland of Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “the Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a re commendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal  information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The  committee  voted  14  to  1  to  pass an intel authorization bill that included  the  FIRE  Act,  the  act  that  I  just described, so that if a foreign government interferes or offers you assistance  or  offers  you  dirt,  you  don’t  say  thanks;  you  call  the  FBI.  So  you  can  imagine  my  surprise  and  frustration  when  I  learned  of  a  backroom  deal  to  strip  the  FIRE  Act  out  of  the  Intelligence   Committee’s   legislation   because  of  a  supposed  turf  war  with  another committee. I  am  back  again  today  because  the  security  of  our  elections  cannot  wait.  Let’s  not  hide  behind  process  or  jurisdictional  boundaries.  The  stakes  are  far  too  high  to  continue  the  partisan  blockade  of  election  security  legislation  that  we  have  seen  over  the  last  3  years. If,  behind  closed  doors,  my  Republican  colleagues  want  to  strip  this  legislation  out  of  the  NDAA,  then  I  am  going  to  offer  it  up  as  an  amendment  to  force  an  up-or-down  vote  and  put  every   Member   of   this   body   on   the   record: Are you for election security or are you for allowing foreign entities to interfere  and  offer  assistance  with  no  requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247)
  • The “Senate Cybersecurity Protection Act” (S.890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722)
  • The “Secure Elections Act of 2019” (S.1540)

Yet, the Senate has taken up and passed two election-related bills addressing facets of the cybersecurity challenges. On July 17, the Senate passed the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent that would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that “will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills.

When the Senate returns to the bill on 20 July, a number of amendments will be pending, including one to establish semiconductor manufacturing grants.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.