Further Reading, Other Developments, and Coming Events (16 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing’ titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” on 17 September with these witnesses:
    • Dr. Eric Schmidt , Chairman, National Security Commission on Artificial Intelligence 
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence, HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence 
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing “Examining Threats to American Intellectual Property: Cyber-attacks and Counterfeits During the COVID-19 Pandemic” with these witnesses:
    • Adam Hickey, Deputy Assistant Attorney General National Security Division, Department of Justice
    • Clyde Wallace, Deputy Assistant Director Cyber Division, Federal Bureau of Investigation
    • Steve Francis, Assistant Director, HSI Global Trade Investigations Division Director, National Intellectual Property Rights Center, U.S. Immigration and Customs Enforcement, Department of Homeland Security
    • Bryan S. Ware, Assistant Director for Cybersecurity Cyber Security and Infrastructure Security Agency, Department of Homeland Security
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • The United States House of Representatives took up and passed two technology bills on 14 September. One of the bills, “Internet of Things (IoT) Cybersecurity Improvement Act of 2020” (H.R. 1668), was discussed in yesterday’s Technology Policy Update as part of an outlook on Internet of Things (IoT) legislation (see here for analysis). The House passed a revised version by voice vote, but its fate in the Senate may lie with the Senate Homeland Security & Governmental Affairs Committee, whose chair, Senator Ron Johnson (R-WI), has blocked a number of technology bills during his tenure to the chagrin of some House stakeholders. The House also passed the “AI in Government Act of 2019” (H.R.2575) that would establish an AI Center of Excellence within the General Services Administration that would
    • “(1) advise and promote the efforts of the Federal Government in developing innovative uses of artificial intelligence by the Federal Government to the benefit of the public; and
    • (2) improve cohesion and competency in the use of artificial intelligence.”
    • Also, this bill would direct the Office of Management and Budget (OMB) to “issue a memorandum to the head of each agency that shall—
      • inform the development of artificial intelligence governance approaches by those agencies regarding technologies and applications that—
        • are empowered or enabled by the use of artificial intelligence within that agency; and
        • advance the innovative use of artificial intelligence for the benefit of the public while upholding civil liberties, privacy, and civil rights;
      • consider ways to reduce barriers to the use of artificial intelligence in order to promote innovative application of those technologies for the benefit of the public, while protecting civil liberties, privacy, and civil rights;
      • establish best practices for identifying, assessing, and mitigating any bias on the basis of any classification protected under Federal nondiscrimination laws or other negative unintended consequence stemming from the use of artificial intelligence systems; and
      • provide a template of the required contents of the agency Governance Plans
    • The House Energy and Commerce Committee marked up and reported out more than 30 bills last week including:
      • The “Consumer Product Safety Inspection Enhancement Act” (H.R. 8134) that “would amend the Consumer Product Safety Act to enhance the Consumer Product Safety Commission’s (CPSC) ability to identify unsafe consumer products entering the United States, especially e-commerce shipments entering under the de minimis value exemption. Specifically, the bill would require the CPSC to enhance the targeting, surveillance, and screening of consumer products. The bill also would require electronic filing of certificates of compliance for all consumer products entering the United States.
      • The bill directs the CPSC to: 1) examine a sampling of de minimis shipments and shipments coming from China; 2) detail plans and timelines to effectively address targeting and screening of de minimis shipments; 3) establish metrics by which to evaluate the effectiveness of the CPSC’s efforts in this regard; 4) assess projected technology, resources, and staffing necessary; and 5) submit a report to Congress regarding such efforts. The bill further directs the CPSC to hire at least 16 employees every year until staffing needs are met to help identify violative products at ports.
      • The “AI for Consumer Product Safety Act” (H.R. 8128) that “would direct the Consumer Product Safety Commission (CPSC) to establish a pilot program to explore the use of artificial intelligence for at least one of the following purposes: 1) tracking injury trends; 2) identifying consumer product hazards; 3) monitoring the retail marketplace for the sale of recalled consumer products; or 4) identifying unsafe imported consumer products.” The revised bill passed by the committee “changes the title of the bill to the “Consumer Safety Technology Act”, and adds the text based on the Blockchain Innovation Act (H.R. 8153) and the Digital Taxonomy Act (H.R. 2154)…[and] adds sections that direct the Department of Commerce (DOC), in consultation with the Federal Trade Commission (FTC), to conduct a study and submit to Congress a report on the state of blockchain technology in commerce, including its use to reduce fraud and increase security.” The revised bill “would also require the FTC to submit to Congress a report and recommendations on unfair or deceptive acts or practices relating to digital tokens.”
      • The “American Competitiveness Of a More Productive Emerging Tech Economy Act” or the “American COMPETE Act” (H.R. 8132) “directs the DOC and the FTC to study and report to Congress on the state of the artificial intelligence, quantum computing, blockchain, and the new and advanced materials industries in the U.S…[and] would also require the DOC to study and report to Congress on the state of the Internet of Things (IoT) and IoT manufacturing industries as well as the three-dimensional printing industry” involving “among other things:1) listing industry sectors that develop and use each technology and public-private partnerships focused on promoting the adoption and use of each such technology; 2) establishing a list of federal agencies asserting jurisdiction over such industry sectors; and 3) assessing risks and trends in the marketplace and supply chain of each technology.
      • The bill would direct the DOC to study and report on the effect of unmanned delivery services on U.S. businesses conducting interstate commerce. In addition to these report elements, the bill would require the DOC to examine safety risks and effects on traffic congestion and jobs of unmanned delivery services.
      • Finally, the bill would require the FTC to study and report to Congress on how artificial intelligence may be used to address online harms, including scams directed at senior citizens, disinformation or exploitative content, and content furthering illegal activity.
  • The National Institute of Standards and Technology (NIST) issued NIST Interagency or Internal Report 8272 “Impact Analysis Tool for Interdependent Cyber Supply Chain Risks” designed to help public and private sector entities better address complicated, complex supply chain risks. NIST stated “[t]his publication de-scribes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.” NIST explained
    • More organizations are becoming aware of the importance of identifying cybersecurity risks associated with extensive, complicated supply chains. Several solutions have been developed to help manage supply chains; most focus on contract management or compliance. There is a need to provide organizations with a systematic and more usable way to evaluate the potential impacts of cyber supply chain risks relative to an organization’s risk appetite. This is especially important for organizations with complex supply chains and highly interdependent products and suppliers.
    • This publication describes one potential way to visualize and measure these impacts: a Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool (hereafter “Tool”), which is designed to provide a basic measurement of the potential impact of a cyber supply chain event. The Tool is not intended to measure the risk of an event, where risk is defined as a function of threat, vulnerability, likelihood, and impact. Research conducted by the authors of this publication found that, at the time of publication, existing cybersecurity risk tools and research focused on threats, vulnerabilities, and likelihood, but impact was frequently overlooked. Thus, this Tool is intended to bridge that gap and enable users and tool developers to create a more complete understanding of an organization’s risk by measuring impact in their specific environments.
    • The Tool also provides the user greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (hereafter referred to as “nodes”) compared to others. This can be determined by examining the metrics that contribute to a node’s importance, such as the amount of access a node has to the acquiring organization’s IT network, physical facilities, and data. By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may cause on business operations. The user can then prioritize the completion of risk mitigating actions to reduce the impact a disruption would cause to the organization’s supply chain and overall business.
  • In a blog post, Microsoft released its findings on the escalating threats to political campaigns and figures during the run up to the United States’ (U.S.) election. This warning also served as an advertisement for Microsoft’s security products. But, be that as it may, these findings echo what U.S. security services have been saying for months. Microsoft stated
    • In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns, as detailed below. We have and will continue to defend our democracy against these attacks through notifications of such activity to impacted customers, security features in our products and services, and legal and technical disruptions. The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported. We also report here on attacks against other institutions and enterprises worldwide that reflect similar adversary activity.
    • We have observed that:
      • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants
      • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
      • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign
    • The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves. We are sharing more about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with their support.
    • What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those they consult on key issues. These activities highlight the need for people and organizations involved in the political process to take advantage of free and low-cost security tools to protect themselves as we get closer to election day. At Microsoft, for example, we offer AccountGuard threat monitoring, Microsoft 365 for Campaigns and Election Security Advisors to help secure campaigns and their volunteers. More broadly, these attacks underscore the continued importance of work underway at the United Nations to protect cyberspace and initiatives like the Paris Call for Trust and Security in Cyberspace.
  • The European Data Protection Supervisor (EDPS) has reiterated and expanded upon his calls for caution, prudence, and adherence to European Union (EU) law and principles in the use of artificial intelligence, especially as the EU looks to revamp its approach to AI and data protection. In a blog post, EDPS Wojciech Wiewiórowski stated:
    • The expectations of the increasing use of AI and the related economic advantages for those who control the technologies, as well as its appetite for data, have given rise to fierce competition about technological leadership. In this competition, the EU strives to be a frontrunner while staying true to its own values and ideals.
    • AI comes with its own risks and is not an innocuous, magical tool, which will heal the world harmlessly. For example, the rapid adoption of AI by public administrations in hospitals, utilities and transport services, financial supervisors, and other areas of public interest is considered in the EC White Paper ‘essential’, but we believe that prudency is needed. AI, like any other technology, is a mere tool, and should be designed to serve humankind. Benefits, costs and risks should be considered by anyone adopting a technology, especially by public administrations who process great amounts of personal data.
    • The increase in adoption of AI has not been (yet?) accompanied by a proper assessment of what the impact on individuals and on our society as a whole will likely be. Think especially of live facial recognition (remote biometric identification in the EC White Paper). We support the idea of a moratorium on automated recognition in public spaces of human features in the EU, of faces but also and importantly of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals.
    • Let’s not rush AI, we have to get it straight so that it is fair and that it serves individuals and society at large.
    • The context in which the consultation for the Data Strategy was conducted gave a prominent place to the role of data in matters of public interest, including combating the virus. This is good and right as the GDPR was crafted so that the processing of personal data should serve humankind. There are existing conditions under which such “processing for the public good” could already take place, and without which the necessary trust of data subjects would not be possible.
    • However, there is a substantial persuasive power in the narratives nudging individuals to ‘volunteer’ their data to address highly moral goals. Concepts such as ‘Data altruism”, or ‘Data donation” and their added value are not entirely clear and there is a need to better define and lay down their scope, and possible purposes, for instance, in the context of scientific research in the health sector. The fundamental right to the protection of personal data cannot be ‘waived’ by the individual concerned, be it through a ‘donation’ or through a ‘sale’ of personal data. The data controller is fully bound by the personal data rules and principles, such as purpose limitation even when processing data that have been ‘donated’ i.e. when consent to the processing had been given by the individual.

Further Reading

  • Peter Thiel Met With The Racist Fringe As He Went All In On Trump” By Rosie Gray and Ryan Mac — BuzzFeed News. A fascinating article about one of the technology world’s more interesting figures. As part of his decision to ally himself with Donald Trump when running for president, Peter Thiel also met with avowed white supremacists. However, it appears that the alliance is no longer worthy of his financial assistance or his public support as he supposedly was disturbed about the Administration’s response to the pandemic. However, Palantir, his company has flourished during the Trump Administration and may be going public right before matters may change under a Biden Administration.
  • TikTok’s Proposed Deal Seeks to Mollify U.S. and China” By David McCabe, Ana Swanson and Erin Griffith — The New York Times. ByteDance is apparently trying to mollify both Washington and Beijing in bringing Oracle onboard as “trusted technology partner,” for the arrangement may be acceptable to both nations under their export control and national security regimes. Oracle handling and safeguarding TikTokj user data would seem to address the Trump Administration’s concerns, but not selling the company nor permitting Oracle to access its algorithm for making recommendations would seem to appease the People’s Republic of China (PRC). Moreover, United States (U.S.) investors would hold control over TikTok even though PRC investors would maintain their stakes. Such an arrangement may satisfy the Committee on Foreign Investment in the United States (CFIUS), which has ordered ByteDance to sell the app that is an integral part of TikTok. The wild card, as always, is where President Donald Trump ultimately comes out on the deal.
  • Oracle’s courting of Trump may help it land TikTok’s business and coveted user data” By Jay Greene and Ellen Nakashima — The Washington Post. This piece dives into why Oracle, at first blush, seems like an unlikely suitor to TikTok, but it’s eroding business position visa vis cloud companies like Amazon explains its desire to diversify. Also, Oracle’s role as a data broker makes all the user data available from TikTok very attractive.
  • Chinese firm harvests social media posts, data of prominent Americans and military” By Gerry Shih — The Washington Post. Another view on Shenzhen Zhenhua Data Technology, the entity from the People’s Republic of China (PRC) exposed for collecting the personal data of more than 2.4 million westerners, many of whom hold positions of power and influence. This article quotes a number of experts allowed to look at what was leaked of the data base who are of the view the PRC has very little in the way of actionable intelligence, at this point. The country is leveraging publicly available big data from a variety of sources and may ultimately makes something useful from these data.
  • “‘This is f—ing crazy’: Florida Latinos swamped by wild conspiracy theories” By Sabrina Rodriguez and Marc Caputo — Politico. A number of sources are spreading rumors about former Vice President Joe Biden and the Democrats generally in order to curb support among a key demographic the party will need to carry overwhelmingly to win Florida.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Alexander Sinn on Unsplash

Further Reading, Other Developments, and Coming Events (14 September)

Coming Events

  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The House Homeland Security Committee will hold a hearing titled “Worldwide Threats to the Homeland” on 17 September with the following witnesses:
    • Chad Wolf, Department of Homeland Security
    • Christopher Wray, Director, Federal Bureau of Investigation
    • Christopher Miller, Director, National Counterterrorism Center (NCTC)
  • On 17 September, the House Energy and Commerce Committee’s Communications & technology Subcommittee will hold a hearing titled “Trump FCC: Four Years of Lost Opportunities.”
  • The House Armed Services Committee’s Intelligence and Emerging Threats and Capabilities Subcommittee will hold a hearing’ titled “Interim Review of the National Security Commission on Artificial Intelligence Effort and Recommendations” with these witnesses:
    • Dr. Eric Schmidt , Chairman, National Security Commission on Artificial Intelligence 
    • HON Robert Work, Vice Chairman, National Security Commission on Artificial Intelligence, HON Mignon Clyburn, Commissioner, National Security Commission on Artificial Intelligence 
    • Dr. José-Marie Griffiths, Commissioner, National Security Commission on Artificial Intelligence
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” The agency has released its agenda and explained:
    • The workshop will also feature four panel discussions that will focus on: case studies on data portability rights in the European Union, India, and California; case studies on financial and health portability regimes; reconciling the benefits and risks of data portability; and the material challenges and solutions to realizing data portability’s potential.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled “Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.

Other Developments

  • After Ireland’s Data Protection Commission (DPC) directed Facebook to stop transferring the personal data of European Union citizens to the United States (U.S.), the company filed suit in Ireland’s court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge. Earlier this summer, the Court of Justice for the European Union (CJEU) struck down the adequacy decision for the agreement between the European Union (EU) and United States (U.S.) that had provided the easiest means to transfer the personal data of EU citizens to the U.S. for processing under the General Data Protection Regulation (GDPR) (i.e. the EU-U.S. Privacy Shield). In the case known as Schrems II, the CJEU also cast doubt on whether standard contractual clauses (SCC) used to transfer personal data o the U.S. would pass muster given the grounds for finding the Privacy Shield inadequate: the U.S.’s surveillance regime and lack of meaningful redress for EU citizens. Consequently, it has appeared as if data protection authorities throughout the EU would need to revisit SCCs for transfers to the U.S., and it appears the DPC was looking to stop Facebook from using its SCC. Facebook is apparently arguing in its suit that it will suffer “extremely significant adverse effects” if the DPC’s decision is implemented.
  • In a related development, the European Data Protection Board (EDPB) has established “a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement.” The EDPB noted the 101 identical complaints “lodged with EEA Data Protection Authorities against several controllers in the European Economic Area (EEA) member states regarding their use of Google/Facebook services which involve the transfer of personal data.” The Board added “[s]pecifically the complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses and that according to the recent CJEU judgment in case C-311/18 the controller is unable to ensure an adequate protection of the complainants’ personal data.” The EDPB claimed “[t]he taskforce will analyse the matter and ensure a close cooperation among the members of the Board…[and] [t]his taskforce will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.” EDPB Chair Andrea Jelinek cautioned “the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse…[and] [t]herefore, there cannot be a one-size-fits-all, quick fix solution.” She added “[e]ach organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”
  • An Australian court ruled against Facebook in its efforts to dismiss a suit brought against the company for its role in retaining and providing personal data to Cambridge Analytica. A Federal Court of Australia dismissed Facebook’s filings to reverse a previous ruling that allowed the Office of the Australian Information Commissioner (OAIC) to sue Facebook’s United States and Irish entities.
    • In March, the OAIC filed suit in federal court in Australia, alleging the two companies transgressed the privacy rights of 311,127 Australians under Australia’s Privacy Act. The two companies could face liability as high as $1.7 million ASD per violation.
    • In its November 2018 report to Parliament titled “Investigation into the use of data analytics in political campaigns”, the ICO explained
      • One key strand of our investigation involved allegations that an app, ultimately referred to as ‘thisisyourdigitallife’, was developed by Dr Aleksandr Kogan and his company Global Science Research (GSR) in order to harvest the data of up to 87 million global Facebook users, including one million in the UK. Some of this data was then used by Cambridge Analytica, to target voters during the 2016 US Presidential campaign process.
    • In its July 2018 report titled “Democracy disrupted? Personal information and political influence,” the ICO explained
      • The online targeted advertising model used by Facebook is very complex, and we believe a high level of transparency in relation to political advertising is vital. This is a classic big-data scenario: understanding what data is going into the system; how users’ actions on Facebook are determining what interest groups they are placed in; and then the rules that are fed into any dynamic algorithms that enable organisations to target individuals with specific adverts and messaging.
      • Our investigation found significant fair-processing concerns both in terms of the information available to users about the sources of the data that are being used to determine what adverts they see and the nature of the profiling taking place. There were further concerns about the availability and transparency of the controls offered to users over what ads and messages they receive. The controls were difficult to find and were not intuitive to the user if they wanted to control the political advertising they received. Whilst users were informed that their data would be used for commercial advertising, it was not clear that political advertising would take place on the platform.
      • The ICO also found that despite a significant amount of privacy information and controls being made available, overall they did not effectively inform the users about the likely uses of their personal information. In particular, more explicit information should have been made available at the first layer of the privacy policy. The user tools available to block or remove ads were also complex and not clearly available to users from the core pages they would be accessing. The controls were also limited in relation to political advertising.
  • The Australian Competition & Consumer Commission (ACCC) announced it “will be examining the experiences of Australian consumers, developers, suppliers and others in a new report scrutinising mobile app stores” according to the agency’s press release. The ACCC’s inquiry comes at the same time regulators in the United States and the European Union are investigating the companies for their app store practices, which could lead to enforcement actions. The ACCC is also looking to institute a code that would require Google and Facebook to pay Australian media outlets for content used on their platforms. The ACCC stated that “[i]ssues to be examined include the use and sharing of data by apps, the extent of competition between Google and Apple’s app stores, and whether more pricing transparency is needed in Australia’s mobile apps market.” The ACCC added:
    • Consumers are invited to share their experiences with buying and using apps through a short survey. The ACCC has also released an issues paper seeking views and feedback from app developers and suppliers.
    • In the issues paper, the ACCC explained “[p]otential outcomes” could be:
      • findings regarding structural, competitive or behavioural issues affecting the supply of apps
      • increased information about competition, pricing and other practices in the supply of apps and on app marketplaces
      • ACCC action to address any conduct that raises concerns under the Competition and Consumer Act 2010, and
      • recommendations to the Government for legislative reform to address systemic issues.
  • The Government Accountability Office (GAO) found an agency has implemented spotty, incomplete privacy measures in using facial recognition technology (FRT) at ports of entry.
    • The House Homeland Security and Senate Homeland Security and Governmental Affairs asked the GAO
      • to review United States (U.S.) Customs and Border Protection (CBP) and Transportation Security Administration’s (TSA) facial recognition technology capabilities for traveler identity verification. This report addresses (1) the status of CBP’s testing and deployment of facial recognition technology at ports of entry, (2) the extent to which CBP’s use of facial recognition technology has incorporated privacy principles consistent with applicable laws and policies, (3) the extent to which CBP has assessed the accuracy and performance of its facial recognition capabilities at ports of entry, and (4) the status of TSA’s testing of facial recognition capabilities and the extent to which TSA’s facial recognition pilot tests incorporated privacy principles.
    • The GAO noted:
      • Most recently, in 2017, we reported that CBP had made progress in testing biometric exit capabilities, including facial recognition technology, but challenges continued to affect CBP’s efforts to develop and implement a biometric exit system, such as differences in the logistics and infrastructure among ports of entry. As we previously reported, CBP had tested various biometric technologies in different locations to determine which type of technology could be deployed on a large scale without disrupting legitimate travel and trade, while still meeting its mandate to implement a biometric entry-exit system. Based on the results of its testing, CBP concluded that facial recognition technology was the most operationally feasible and traveler-friendly option for a comprehensive biometric solution. Since then, CBP has prioritized testing and deploying facial recognition technology at airports (referred to as air exit), with seaports and land ports of entry to follow. These tests and deployments are part of CBP’s Biometric Entry-Exit Program.
      • As part of TSA’s mission to protect the nation’s transportation systems and to ensure freedom of movement for people and commerce, TSA has been exploring facial recognition technology for identity verification at airport checkpoints. Since 2017, TSA has conducted a series of pilot tests—some in partnership with CBP—to assess the feasibility of using facial recognition technology to automate traveler identity verification at airport security checkpoints. In April 2018, TSA signed a policy memorandum with CBP on the development and implementation of facial recognition capabilities at airports.
    • The GAO made recommendations to CBP:
      • The Commissioner of CBP should ensure that the Biometric Entry-Exit Program’s privacy notices contain complete and current information, including all of the locations where facial recognition is used and how travelers can request to opt out as appropriate. (Recommendation 1)
      • The Commissioner of CBP should ensure that the Biometric Entry-Exit Program’s privacy signage is consistently available at all locations where CBP is using facial recognition. (Recommendation 2)
      • The Commissioner of CBP should direct the Biometric Entry-Exit Program to develop and implement a plan to conduct privacy audits of its commercial partners’, contractors’, and vendors’ use of personally identifiable information. (Recommendation 3)
      • The Commissioner of CBP should develop and implement a plan to ensure that the biometric air exit capability meets its established photo capture requirement. (Recommendation 4)
      • The Commissioner of CBP should develop a process by which Biometric Entry-Exit program officials are alerted when the performance of air exit facial recognition falls below established thresholds. (Recommendation 5)
  • The United States (U.S.) Agency for Global Media (USAGM) is being sued by an entity it funds and oversees because
    • Previously, the United States Court of Appeals for the District of Columbia enjoined USAGM from “taking any action to remove or replace any officers or directors of the OTF,” pending the outcome of the suit which is being expedited.
    • Additionally, USAGM CEO and Chair of the Board Michael Pack is being accused in two different letters of seeking to compromise the integrity and independence of two organizations he oversees. There have been media accounts of the Trump Administration’s remaking of USAGM in ways critics contend are threatening the mission and effectiveness of the Open Technology Fund (OTF), a U.S. government non-profit designed to help dissidents and endangered populations throughout the world. The head of the OTF has been removed, evoking the ire of Members of Congress, and other changes have been implemented that are counter to the organization’s mission. Likewise, there are allegations that politically-motivated policy changes seek to remake the Voice of America (VOA) into a less independent entity.
      • In a letter to Pack, OTF argued that a number of recent actions Pack has undertaken have violated “firewall protections” in the organization’s grant agreement. They further argue that Pack is conflicted and should turn over the investigation to the United States (U.S.) Department of State’s Office of the Inspector General (OIG). OTF alleged the following:
        • 1. Attempts to compromise and undermine OTF’s independence: USAGM has repeatedly attempted to undermine OTF’s independence over the past several months.
        • 2. Attempts to compromise and undermine integrity: USAGM has also attempted to undermine the integrity of OTF by publicly making numerous false and misleading claims about OTF to the internet freedom community, the general public, and even to Congress.
        • 3. Attempts to compromise and undermine security: USAGM has attempted to undermine the security of OTF, our staff, and our project partners -many of whom operate in highly sensitive environments -by
          • 1) attempting to gain unauthorized and unsupervised access to our office space and
          • 2) by requesting vast amounts of sensitive information and documentation with no apparent grant-related purpose, and no regard for the security of that information and documentation
        • 4. Attempts to compromise and undermine privacy: Closely related to USAGM’s attempts to undermine OTF’s security, USAGM has also attempted to undermine the privacy of OTF’s staff and partners by requesting that OTF provide Personally Identifiable Information(PII) without a clearly articulated grant-related purpose, and with no guarantee that the PII will be handled in a secure manner.
        • 5. Attempts to compromise and undermine effectiveness: USAGM’s actions have undermined the effectiveness of OTF by:
          • 1) freezing and subsequently withholding $19,181,791 in congressionally appropriated funding from OTF, forcing OTF to issue stop-work orders to 49 of our 60 internet freedom projects;
          • 2) providing unjustified, duplicative, overbroad, and unduly burdensome requests for information and documentation, without any clear grant-related purpose, and with clearly unreasonable deadlines;
          • 3) attempting to divert and redirect funding obligated by USAGM to OTF in an effort to duplicate OTF’s work; and
          • 4) threatening to terminate OTF’s Grant Agreement.
    • OTF asserted
      • These actions individually serve to seriously undermine OTF’s organizational and programmatic effectiveness. In their combined aggregate they threaten to dismantle OTF’s basic ability to effectively carry out its congressionally mandated mission to the detriment of USAGM and the cause of internet freedom globally
    • A group of VOA journalists wrote the entity’s acting director, asserting that Pack’s actions risk crippling programs and projects for some countries that are considered national security priorities.” They added:
      • He has ordered the firing of contract journalists, with no valid reason, by cancelling their visas, forcing them back to home countries where the lives of some of them may be in jeopardy. Now the purge appears to be expanding to include U.S. permanent residents and even U.S. citizens, with Mr. Pack recklessly expressing that being a journalist is “a great cover for a spy.
  • The Cyberspace Solarium Commission (CSC) issued its latest white paper to address a continuing problem for the United States’ government: how to attract or train a sufficient cyber workforce when private sector salaries are generally better. In “Growing A Stronger Federal Cyber Workforce,” the CSC claimed “Currently more than one in three public-sector cyber jobs sits open…[and] [f]illing these roles has been a persistent and intractable problem over the past decade, in large part due to a lack of coordination and leadership.” The CSC averred “[i]n the context of this pervasive challenge, the fundamental purpose of this paper is to outline the elements required for a coherent strategy that enables substantive and coordinated investment in cyber workforce development and calls for a sustained investment in that strategy.” The CSC then proceeds to lay out “five elements to guide development of a federal cyber workforce strategy:
    • Organize: Federal departments and agencies must have flexible tools for organizing and managing their workforce that can adapt to each organization’s individual mission while also providing coherence across the entirety of the federal government. To appropriately organize the federal cyber workforce, the CSC recommends properly identifying and utilizing cyber-specific occupational classifications to allow more tailored workforce policies, building a federal cyber service to provide clear and agile hiring authorities and other personnel management tools, and establishing coordination structures to provide clear leadership for federal workforce development e orts.
    • Recruit: Federal leaders must focus on the programs that make public service an attractive prospect to talented individuals. In many ways, the federal government’s greatest tool for recruitment is the mission and unique learning opportunities inherent in federal work. To capitalize on these advantages, the government should invest in existing programs such as CyberCorps: Scholarship for Service and the Centers of Academic Excellence, while also working to mitigate recruitment barriers that stem from the personnel security clearance process.
    • Develop: e federal government, like all cyber employers, cannot expect every new employee to have hands-on experience, a four-year degree, and a list of industry certifications. Rather, the federal government will be stronger if it draws from a broad array of educational backgrounds and creates opportunities for employees to gain knowledge and experience as they work. is e ort will call for many innovative approaches, among which the Commission particularly recommends apprenticeship programs and upskilling opportunities to support cyber employee development.
    • Retain: Federal leaders should take a nuanced view of retention, recognizing that enabling talent to move flexibly between the public and private sectors enables a stronger cyber workforce overall. However, federal employers can take steps to encourage their employees to increase the time they spend in public service. Improving pay flexibility is a major consideration, but continuing the development of career pathways and providing interesting career development opportunities like rotational and exchange programs also can be critical. Of particular note, federal employers can increase retention of underrepresented groups through the removal of inequities and barriers to advancement in the workplace.
    • Stimulate growth: e federal government cannot simply recruit a larger share of the existing national talent pool. Rather, leaders must take steps to grow the talent pool itself in order to increase the numbers of those available for federal jobs. To promote growth of the talent pool nationwide, the federal government must first coordinate government efforts working toward this goal. Executive branch and congressional leaders should also invest in measures to promote diversity across the national workforce and incentivize research to provide a greater empirical understanding of cyber workforce dynamics. Finally, federal leaders must work to increase the military cyber workforce, which has a significant impact on the national cyber workforce because it serves as both a source and an employer of cyber talent.

Further Reading

  • Oracle reportedly wins deal for TikTok’s US operations as ‘trusted tech partner’” By Tom Warren and Nick Statt – The Verge. ByteDance chose Oracle over Microsoft but not for buying its operations in the United States (U.S.), Australia, Canada, and New Zealand. Now, Oracle is proposing to be TikTok’s trusted technology partner, which seems to be hosting TikTok’s operations in the U.S. and managing its data as a means of allaying the concerns of the U.S. government about access by the People’s Republic of China (PRC).
  • Why Do Voting Machines Break on Election Day?” By Adrianne Jeffries – The Markup. This piece seeks to debunk the hype by explaining that most voting issues are minor and easily fixed, which may well be a welcome message in the United States (U.S.) given the lies and fretting about the security and accuracy of the coming election. Nonetheless, the mechanical and systemic problems encountered by some Americans do speak to the need to update voting laws and standards. Among other problems are the high barriers to entry for firms making and selling voting machines.
  • Twitter steps up its fight against election misinformation” By Elizabeth Dwoskin – The Washington Post. Twitter and Google announced policy changes like Facebook did last week to help tamp down untrue claims and lies about voting and elections in the United States. Twitter will take a number of different approaches to handling lies and untrue assertions. If past is prologue, President Donald Trump may soon look to test the limits of this policy as he did shortly after Facebook announced its policy changes. Google will adjust searches on election day to place respected, fact oriented organizations at the top of search results.
  • China’s ‘hybrid war’: Beijing’s mass surveillance of Australia and the world for secrets and scandal” By Andrew Probyn and Matthew Doran – ABC News; “Zhenhua Data leak: personal details of millions around world gathered by China tech company” By Daniel Hurst in Canberra, Lily Kuo in Beijing and Charlotte Graham-McLay in Wellington – The Guardian. A massive database leaked to to an American shows the breadth and range of information collected by a company in the People’s Republic of China (PRC) alleged to be working with the country’s military and security services. Zhenhua Data is denying any wrongdoing or anything untoward, but the database contains information on 2.4 million people, most of whom live in western nations in positions of influence and power such as British and Australian prime Ministers Boris Johnson and Scott Morrison. Academics claim this sort of compilation of information from public and private sources is unprecedented and would allow the PRC to run a range of influence operations.
  • Europe Feels Squeeze as Tech Competition Heats Up Between U.S. and China” By Steven Erlanger and Adam Satariano – The New York Times. Structural challenges in the European Union (EU) and a lack of large technology companies have left the EU is a delicate position. It seeks to be the world’s de facto regulator but is having trouble keeping with the United States and the People’s Republic of China, the two dominant nations in technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by PixelAnarchy from Pixabay

Further Reading, Other Developments, and Coming Events (10 September)

Coming Events

  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • Top Senate Democrats asked the Secretary of the Treasury to impose sanctions on officials and others in the Russian Federation for interfering in the 2020 United States election. In their letter, they urged Secretary Steven Mnuchin “to draw upon the conclusions of the Intelligence Community to identify and target for sanctions all those determined to be responsible for ongoing election interference, including any actors within the government of the Russian Federation, any Russian actors determined to be directly responsible, and those acting on their behalf or providing material or financial support for their efforts.” Given that Mnuchin is unlikely to displease President Donald Trump through agreeing that Russians are again interfering in a presidential election, it is probable that Senate Democrats are seeking to further their line of attack on Republicans that they are unwilling to defend the U.S. and its elections from Russia. They called on Mnuchin to use the authorities granted by Congress in the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) and Executive Order 13848 “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.”
  • Epic Games has returned to court in an attempt to force Apple to put its popular multiplayer game, Fortnite back into the App Store. At present, those on iOS devices cannot download and play the newest version of the game released a few weeks ago. Even though Epic Games lost its request for a temporary restraining order that would order Apple to put the game back, it has filed for a preliminary injunction:
    • (1) restraining Defendant Apple Inc. (“Apple”) from removing, de-listing, refusing to list or otherwise making unavailable the app Fortnite or any other app on Epic’s Team ID ’84 account in Apple’s Developer Program, including any update of such an app, from the App Store on the basis that Fortnite offers in-app payment processing through means other than Apple’s In-App Purchase (“IAP”) or on any pretextual basis;
    • (2) restraining Apple from taking any adverse action against Epic, including but not limited to restricting, suspending, or terminating any other Apple Developer Program account of Epic or its affiliates, on the basis that Epic enabled in-app payment processing in Fortnite through means other than IAP or on the basis of the steps Epic took to do so;
    • (3) restraining Apple from removing, disabling, or modifying Fortnite or any code, script, feature, setting, certification, version or update thereof on any iOS user’s device; and
    • (4) requiring Apple to restore Epic’s Team ID ’84 account in Apple’s Developer Program.
    •  Epic Games asserts:
      • This motion is made on the grounds that: (1) Epic is likely to succeed on the merits of its claims that Apple’s conduct violates the Sherman Act; (2) absent a preliminary injunction, Epic is likely to suffer irreparable harm; (3) the balance of harms tips sharply in Epic’s favor; and (4) the public interest supports an injunction.
    • Considering that the judge ruled against Epic Games’ claim of irreparable harm in the motion for a temporary restraining order on the grounds that self-inflicted harm (i.e. Epic Game escalated by putting its own pay option on Fortnite to foil Apple’s 30% take on in-game sales and no public interest being present, one wonders if the company will prevail on this motion.
  • Apple filed a countersuit against Epic Games, arguing the latter breached its contract with the former and now must pay damages. In contrast, Epic Games is not suing for any monetary damages, surely a tactical decision to help its case in court and among interested observers.
    • Apple sought to portray Epic Games’ lawsuit this way:
      • Epic’s lawsuit is nothing more than a basic disagreement over money. Although Epic portrays itself as a modern corporate Robin Hood, in reality it is a multi-billion dollar enterprise that simply wants to pay nothing for the tremendous value it derives from the App Store. Epic’s demands for special treatment and cries of “retaliation” cannot be reconciled with its flagrant breach of contract and its own business practices, as it rakes in billions by taking commissions on game developers’ sales and charging consumers up to $99.99 for bundles of “V-Bucks.”
      • Epic decided that it would like to reap the benefits of the App Store without paying anything for them. Armed with the apparent view that Epic is too successful to play by the same rules as everyone else—and notwithstanding a public proclamation that Epic “w[ould] not accept special revenue sharing or payment terms just for ourselves”1—Epic CEO Tim Sweeney emailed Apple executives on June 30, 2020, requesting a “side letter” that would exempt Epic from its existing contractual obligations, including the App Store Review Guidelines (the “Guidelines”) that apply equally to all Apple developers. Among other things, Mr. Sweeney demanded a complete end-run around “Apple’s fees”—specifically, Epic wished to continue taking full advantage of the App Store while allowing consumers to pay Epic instead, leaving Apple to receive no payment whatsoever for the many services it provides developers and consumers.
    • Apple contended “[t]his Court should hold Epic to its contractual promises, award Apple compensatory and punitive damages, and enjoin Epic from engaging in further unfair business practices.”
  • The General Services Administration (GSA) released a draft Data Ethics Framework as part of implementing the Trump Administration’s Federal Data Strategy.
    • GSA noted
      • The Federal Data Strategy, delivered in December 2019, recognized the importance of ethics in its founding Principles. When the Federal Data Strategy team created the 2020 Action Plan, they specifically tasked the General Services Administration (GSA) with developing a Data Ethics Framework (Framework)in Action 14to help agency employees, managers, and leaders make ethical decisions as they acquire, manage, and use data.
      • The resulting Framework is intended to be a “living” resource and to be regularly updated by the CDO Council and ICSP. The Framework incorporates the input and terminology from stakeholders representing many domains, and who use different types of data in different ways. The developers of the Framework recognize that some terms may be used differently, depending on the context, type of data being used, and stage in the data lifecycle.
      • The Framework applies to all data types and data uses. The Framework consists of four parts:
        • About the Data Ethics Framework outlines the intended purpose and audience of this document
        • Data Ethics Defined explores the meaning of the term “data ethics,” as background to the Tenets provided in the following section
        • Data Ethics Tenets provides seven Tenets, or high-level principles, for using data ethically within the Federal Government
        • Data Ethics Tenets in Action describes the benefits of data ethics and contains use cases demonstrating how the Tenets can guide data activities within federal agencies and federally sponsored programs
      • The Administration claimed the 2020 Action Plan “establishes a solid foundation that will support implementation of the strategy over the next decade…[and] identifies initial actions for agencies that are essential for establishing processes, building capacity, and aligning existing efforts to better leverage data as a strategic asset.” The use of federal data holds a key place in the President’s Management Agenda (PMA) and, according to the Administration, will be a key driver in transforming how the federal government operates, particularly in relation to technology. The 2020 Action Plan lays out the steps agencies will be expected to take to realize the Administration’s 10-year Federal Data Strategy. As always, results will be informed by follow through and prioritization by the Office of Management and Budget (OMB) and buy-in from agency leadership.
      • Notably, the Administration tied the 2020 Action Plan to a number of other ongoing initiatives that rely heavily on data. The Administration said the plan “incorporates requirements of the Foundations for Evidence-Based Policymaking Act of 2018, the Geospatial Data Act of 2018, and Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence.”
  • The Office of the Australian Information Commissioner (OAIC) published “its Corporate Plan for 2020-21, which sets out its strategic priorities and key activities for the next four years” according to its press release. The OAIC stated “[t]he plan identifies four strategic priorities that will help the OAIC achieve its vision to increase public trust and confidence in the protection of personal information and access to government-held information:
    • Advance online privacy protections for Australians
    • Influence and uphold privacy and information access rights frameworks
    • Encourage and support proactive release of government-held information, and
    • Contemporary approach to regulation.
    • The agency stated:
      • Over the coming year, the OAIC will continue to promote strong privacy protections for the use of personal information to prevent and manage the spread of COVID-19, including oversight of data handling within the COVIDSafe app system. 
      • Strengthening privacy protections in the online environment remains a key focus for the organisation, while privacy law reform will be a priority in 2020-21, with the Australian Government’s review of the Privacy Act an opportunity to ensure the regulatory framework can respond to new challenges in the digital environment.
      • Commissioner [Angelene] Falk said the OAIC will also enforce privacy safeguards under the Consumer Data Right and will continue its work to improve transparency and prevent harm to consumers through its oversight of the Notifiable Data Breaches scheme.
  • Ontario’s Ministry of Government and Consumer Services “launched consultations to improve the province’s privacy protection laws” and stakeholders “will have the opportunity to contribute to strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online.” Ontario “is seeking advice on ways to:
    • Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
    • Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an “opt-in” model for secondary uses of their information.
    • Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
    • Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
    • Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
    • Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
    • Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
    • Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.
  • The United States (U.S.) Department of Homeland Security (DHS) Office of the Inspector General (OIG) issued “Progress and Challenges in Modernizing DHS’ Information Technology (IT) Systems and Infrastructure” and found fault with these three systems:
    • DHS-wide Human Resources IT (HRIT)
    • DHS Legacy Major IT Financial System that “[s]erves as Coast Guard and Transportation Security Agency’s (TSA) financial system of record.
    • Federal Emergency Management Agency (FEMA) Grants Management Mission Domain and Operational Environment
    • The OIG stated
      • The DHS 2019–2023 IT strategic plan included two distinct department-wide IT modernization initiatives: to adopt cloud-based computing and to consolidate data centers. However, not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
      • In the meantime, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations. We identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions, such as human resources and financial management, as well as disaster recovery mission operations. DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems. Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively
    • The OIG recommended:
      • We recommend the DHS OCIO develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud. Recommendation
      • We recommend the DHS OCIO coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure. Recommendation
      • We recommend the DHS OCIO establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act.
  • The University of Toronto’s Citizen Lab and the International Human Rights Program at the University of Toronto’s Faculty of Law published a report “To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada” that “focuses on the human rights and constitutional law implications of the use of algorithmic policing technologies by law enforcement authorities.” The authors found:
    • The research conducted for this report found that multiple law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods. These programs include using and both developing predictive policing technologies and using algorithmic surveillance tools. Additionally, some law enforcement agencies have acquired tools with the capability of algorithmic policing technology, but they are not currently using that capability because, to date, they have not decided to do so. 
    • The authors “analyze the potential impacts of algorithmic policing technologies on the following rights: the right to privacy; the right to freedoms of expression, peaceful assembly, and association; the right to equality and freedom from discrimination; the right to liberty and to be free from arbitrary detention; the right to due process; and the right to a remedy.”
  • The United States (U.S.) Department of Homeland Security (DHS) issued “the Electromagnetic Pulse (EMP) Program Status Report as part of an update on efforts underway in support of Executive Order (E.O.) 13865 on Coordinating National Resilience to Electromagnetic Pulses…[that] establishes resilience and security standards for U.S. critical infrastructure as a national priority.”
    • DHS stated
      • E.O.13865 states, “An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical infrastructure systems. Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the Nation’s security and economic prosperity, and could adversely affect global commerce and stability. The federal government must foster sustainable, efficient, and cost-effective approaches to improving the Nation’s resilience to the effects of EMPs.”
      • In accordance with E.O.13865, the Department has identified initial critical infrastructure and associated functions that are at greatest risk from an EMP and is focusing efforts on the development and implementation of evidence-based and independently-tested EMP protection and mitigation technologies and resilience best practices. Initial efforts within the Department, working across the federal interagency, have focused on risk management to both the Energy and Communications Sectors.
  • Two United States Magistrate Judges denied three requests for a geofence warrant to serve on Google to obtain cell phone data from an area of Chicago for three forty-five minutes periods on three different days. The courts took the unusual step of unsealing the opinions for the proceedings which are not adversarial because the person or people suspected of being involved with the alleged crime are presumably unaware and therefore cannot contest the warrant application. If Google took an adversarial position, there is no indication in the decisions the company did so. However, Google did state in a filing that “[b]etween 2017 and 2018, Google saw a 1,500% increase in geofence requests…[and] [b]etween 2018 and 2019, that figure shot up another 500%.”
    • Moreover, one wonders if prosecutors did not also seek similar warrant requests from other companies such as telecommunications providers. Nonetheless, the judges ruled the geofence warrant requests violated the Fourth Amendment to the U.S. Constitution in a number of ways and suggested that narrower, more particular requests might have been legal.
    • In the first denial, the magistrate judge explained:
      • As to the first geofence request, the government has probable cause to believe that the suspect received the stolen pharmaceuticals from a commercial enterprise located within the designated geofence area during the designated forty-five minute interval in the early afternoon hours on the day of the first geofence request. The geofence, which has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living.
      • The second and third geofence requests focus on the same commercial enterprise where the government has probable cause to believe that the suspect shipped some of the stolen pharmaceuticals to a buyer, who purchased the pharmaceuticals from the suspect at the government’s direction. Again, the government’s requested geofence is a I00-meter radius area extending from the commercial establishment where the suspect shipped the pharmaceuticals and covers two separate dates for forty-five minute intervals in the early afternoon hours. This geofence includes medical offices and other single and multi-floor commercial establishments that are likely to have multiple patrons during the early afternoon hours.
      • The warrant application contemplates that the information will be obtained in three stages: (l) Google will be required to disclose to the government an anonymized list of devices that specifies information including the corresponding unique device ID, timestamp, coordinates, and data source, if available, of the devices that reported their location within the geofence during the forty-five minute periods; (2) the government will then review the list to prioritize the devices about which it wishes to obtain associated information; and (3) Google will then be required to disclose to the government the information identifying the Google account(s) for those devices about which the government further inquiries. The warrant application includes no criteria or limitations as to which cellular telephones government agents can seek additional information.

Further Reading

  • A Saudi Prince’s Attempt to Silence Critics on Twitter” By Bradley Hope and Justin Scheck – WIRED. Considering the United States Department of Justice indictments against three Saudi nationals in November 2019 and resulting news stories (“Why Do We Tolerate Saudi Money in Tech?” – The New York Times and “Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics” – The Washington Post), one would think what news is there in this excerpt on a book. But we learn that Twitter’s anti-establishment stance led the company’s lawyers to suspend the Saudi Twitter employee who the target of a U.S. investigation which allowed him to flee the U.S. Government lawyers were livid. The bigger issue is foreign operatives infiltrated social media platforms and then reaping information about selected people, especially dissidents.
  • When Algorithms Give Real Students Imaginary Grades” By Meredith Broussard – The New York Times. The International Baccalaureate (IB) program used an algorithm to hand out grades this past spring when in-person exams were cancelled. It did not go well as you might imagine. The same was true in the United Kingdom for its A-level exams, causing a furor there. The case id made for never using algorithms in education or related fields.
  • Wheely ride-hailing app writes to UK privacy watchdog over Moscow data demands” By Simon Goodley – The Guardian. A British ride-sharing company wrote the United Kingdom’s data protection authority about data requests made by the Moscow Department of Transportation (MDOT) on individual riders. Wheely made the case to the Information Commissioner’s Office (ICO) that it could not hand over the data under the General Data Protection Regulation (GDPR) unlike some of the app’s rivals who apparently complied with the demand. It is not clear whether the company’s GDPR obligations would apply in another jurisdiction. It may possible Wheely is trying to smear the other companies in the U.K.
  • Deepfake porn is now mainstream. And major sites are cashing in” By Matt BurgessWired. Through the use of artificial intelligence technology, people are making fake pornography in which actresses’ faces are affixed to women’s bodies that are engaged in sexual acts. These deepfake porn videos are soaring in popularity, and there are often not good options for taking them down or taking legal action. This is another area in which technology has outpaced policy and law.
  • Most cyber-security reports only focus on the cool threats” By Catalin Cimpanu – ZDNet. Turns out that commercial threat reports are issued with an eye towards generating business and considering that governments and huge contractors have the deepest pockets, the issues of concern are covered while other less lucrative areas like threats to civil society are largely ignored. These reports also influence policymakers and give them a distorted picture of cyber threats.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Pending Legislation In U.S. Congress, Part III

Even though it is agreed Congress should revamp election security laws, there is no agreement on how.

Election security is a subject much on the minds of lawmakers and policymakers in Washington in this election; however, how the Congress should respond is a matter much disagreed upon. House Democrats have passed a number of bills to address a range of problems in the United States (U.S.) electoral system, but Republicans have generally rejected their proposed policy solutions, in no small part because of White House opposition. Moreover, President Donald Trump has steadfastly opposed any legislation intended to address future Russian interference in elections. Consequently, the prospects of any election security legislation being enacted are virtually nil even if lawmakers have steadily increased the amount of money the federal government is providing states to shore up security through the Election Assistance Commission’s grant program. These bills are nonetheless worthy of notice, for if Democrats capture the White House and Senate, it is very likely they will make a run at enacting election security legislation along the lines of some of these bills.  

In July, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) but without an election security bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The  committee  voted  14  to 1 to  pass an intel authorization bill that included  the  FIRE Act,  the  act  that  I  just described, so that if a foreign government interferes or offers you assistance  or  offers  you  dirt,  you  don’t  say  thanks;  you  call  the  FBI.  So  you  can  imagine  my  surprise  and  frustration  when  I  learned  of  a  backroom  deal  to  strip  the  FIRE  Act  out  of  the  Intelligence   Committee’s   legislation   because  of  a  supposed  turf  war  with  another committee. I  am  back  again  today  because  the  security  of  our  elections  cannot  wait.  Let’s  not  hide  behind  process  or  jurisdictional  boundaries.  The  stakes  are  far  too  high  to  continue  the  partisan  blockade  of  election  security  legislation  that  we  have  seen  over  the  last  3  years. If,  behind  closed  doors,  my  Republican  colleagues  want  to  strip  this  legislation  out  of  the  NDAA,  then  I  am  going  to  offer  it  up  as  an  amendment  to  force  an  up-or-down  vote  and  put  every   Member   of   this   body   on   the   record: Are you for election security or are you for allowing foreign entities to interfere  and  offer  assistance  with  no  requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247) “to require reporting to the Federal Election Commission and the Federal Bureau of Investigation of offers by foreign nationals to make prohibited contributions, donations, expenditures, or disbursements.”
  • The “Senate Cybersecurity Protection Act” (S.890) “to protect the personal technology devices and accounts of Senators and covered employees from cyber attacks and hostile information collection activities, and for other purposes.”
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722) (see below)
  • The “Secure Elections Act of 2019” (S.1540) (see below)

The “Secure Elections Act of 2019” (S.1540) was cosponsored by 40 Democrats but has not been acted upon by the Senate. In her press release, primary sponsor, Senator Amy Klobuchar (D-MN), claimed the bill would do the following:

  • Require states use paper ballots.
  • Establish cybersecurity standards for voting systems vendors.
  • Fund grants for states to improve and maintain the security of their election systems, to provide cybersecurity training to election officials, and to implement post-election risk limiting audits.
  • Require the Director of National Intelligence to assess threats to election systems 180 days before an election and require the Department of Homeland Security and the Election Assistance Commission to issue recommendations to address threats.
  • Require the testing of voting systems nine months before an election.
  • Require the President to produce a national strategy for protecting democratic institutions.
  • Create a National Commission to Protect United States Democratic Institutions.

Yet, last summer, the Senate took up and passed two election-related bills addressing facets of the cybersecurity challenges. In July 2019, the Senate passed the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent that would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June 2019, the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that “will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills, and Democratic Leadership is likely not to let them come to the floor to maximize their leverage in getting their bills through the Senate.

In February 2019, the House passed the “For the People Act” (H.R. 1) by a 234-193 vote, a House Democratic priority bill that would seek to bolster the cybersecurity of election systems across the country, among other policy goals. If this bill were enacted as written, there would be significant changes to current regulation. However, it was unlikely the Senate will take up this bill as written, and any measure in the Senate regarding election security would be more circumscribed. And, Senate Republicans blocked efforts to take up this bill.

Regarding the cybersecurity of election systems, the bill includes a process by which cybersecurity standards would be established for election infrastructure vendors and would also authorize grants for states and localities to upgrade and secure their election systems. For example, “qualified election infrastructure vendors” must agree “to ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee” and to promptly report cybersecurity incidents to the Department of Homeland Security (DHS) and the Election Assistance Commission (EAC).

The bill would authorize $1.7 billion in funding for the EAC to make grants to states for a number of purposes, including “to carry out voting system security improvements” to undertake the following

(1) The acquisition of goods and services from qualified election infrastructure vendors by purchase, lease, or such other arrangements as may be appropriate.

(2) Cyber and risk mitigation training.

(3) A security risk and vulnerability assessment of the State’s election infrastructure which is carried out by a provider of cybersecurity services under a contract entered into between the chief State election official and the provider.

(4) The maintenance of election infrastructure, including addressing risks and vulnerabilities which are identified under either of the security risk and vulnerability assessments described in paragraph (3), except that none of the funds provided under this part may be used to renovate or replace a building or facility which is used primarily for purposes other than the administration of elections for public office.

(5) Providing increased technical support for any information technology infrastructure that the chief State election official deems to be part of the State’s election infrastructure or designates as critical to the operation of the State’s election infrastructure.

(6) Enhancing the cybersecurity and operations of the information technology infrastructure described in paragraph (4).

(7) Enhancing the cybersecurity of voter registration systems.

The package requires “qualified election infrastructure vendors” (i.e. “any person who provides, supports, or maintains, or who seeks to provide, support, or maintain, election infrastructure on behalf of a State, unit of local government, or election agency”) to meet these requirements:

  • [T]o ensure that the election infrastructure will be developed and maintained in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.
  • [T]o maintain its information technology infrastructure in a manner that is consistent with the cybersecurity best practices issued by the Technical Guidelines Development Committee.
  • Reporting cybersecurity incidents “involving any of the goods and services provided by the vendor” to the EAC and DHS within three days of discovery
  • “[T]o permit independent security testing by the [EAC]…and by the Secretary of the goods and services provided by the vendor pursuant to a grant”

H.R. 1 would also change the Department of Homeland Security’s organic statute to make “election infrastructure” a critical infrastructure sector. In January 2017, then Secretary of Homeland Security Jeh Johnson expanded the Government Facilities Sector to include an Election Infrastructure Subsector. However, if H.R. 1 were enacted, then the election sector would be the 17th critical infrastructure sector and a future Secretary could not rescind this designation as one may with Johnson’s addition of state and local elections systems to the Government Facilities sector.

The Committee Report detailed the addition of the “Honest Ads Act” to H.R. 1:

  • The Honest Ads Act updates the rules that apply to online political advertising by incorporating disclosure and disclaimer concepts that apply to traditional media, while providing regulatory flexibility for new forms of digital advertising. This will help ensure that voters make informed decisions at the ballot box and to know who is spending money on digital political advertisements that they view.
  • It also expands the definition of public communication to include paid internet or paid digital communications, and amends the definition of electioneering communication to include certain digital or internet communications placed or promoted for a fee online.
  • Finally, the bill requires that large online platforms (defined to include those with 50,000,000 or more unique monthly United States visitors) maintain public databases of political ad purchases. This is a concept that already applies to broadcasters, who must maintain public files of political advertisements. The online data- bases maintained by the platforms will provide the public with in- formation about the purchasers of online political ads, including how the audience is targeted. Political advertisements are defined to include those that communicate messages relating to political matters of national importance, including about candidates, elections, and national legislative issues of public importance.
  • Finally, the Honest Ads Act requires all broadcasters, cable or satellite television and online platforms to take reasonable efforts to ensure that political advertising is not purchased by foreign nationals, directly or indirectly.

Thereafter, House Democrats brought pieces of H.R. 1 to the House floor for separate votes in attempt to push Senate Republicans to take up the bill and if they do not, to put them on the record as opposing the reforms House Democrats think are necessary, including bolstering the cybersecurity of voting systems. In late June 2019, the House considered and passed the “Securing America’s Federal Elections (SAFE) Act of 2019” (H.R. 2722) also largely along a party-line vote. In the Committee Report, the House Administration Committee explained the bill:

  • H.R. 2722 provides critical resources to states and localities to bolster election infrastructure, including necessary funds to replace aging voting equipment with voter-verified paper ballot voting systems and implement additional cybersecurity protocols. The bill also helps states and localities plan for future elections by providing ongoing maintenance funding on a biannual basis. The legislation provides grant programs for states to implement required risk-limiting audits, a best practice audit system that confirms election outcomes with a high degree of confidence.

The House took up this bill and passed it by a 225-184 vote, but the Senate has not considered it.

The House took up and passed its third major bill on election security in 2019 the “Stopping Harmful Interference in Elections for a Lasting Democracy Act” (SHIELD Act) (H.R. 4617), that addresses two of the technological facets of foreign disinformation campaigns aimed at U.S. elections according to the House Administration Committee’s summary:

  • Helps prevent foreign interference in future elections by improving transparency of online political advertisements.
    • Russia attempted to influence the 2016 presidential election by buying and placing political ads on platforms such as Facebook, Twitter and Google. The content and purchasers of those online advertisements were a mystery to the public because of outdated laws that have failed to keep up with evolving technology. The SHIELD Act takes steps to prevent hidden, foreign disinformation campaigns in our elections by ensuring that political ads sold online are covered by the same rules as ads sold on TV, radio, and satellite.
  • Prohibits deceptive practices about voting procedures.
    • Independent experts have identified voter suppression tactics the Russians used on social media, including malicious misdirection designed to create confusion about voting rules. The SHIELD Act incorporates the Deceptive Practices and Voter Intimidation Prevention Act to prohibit anyone from providing false information about voting rules and qualifications for voting, provides mechanisms for disseminating correct information, and establishes strong penalties for voter intimidation.

The House passed H.R. 4617 by a 227-181 vote with all Republicans present voting no and one Democrat joining them. Again, the Senate did not take up the bill.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (8 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The National Institute of Standards and Technology (NIST) announced a 15 and 16 September webinar to discuss its Draft Outline of Cybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. NIST stated it “seeks insight and feedback on this Annotated Outline to improve the PNT cybersecurity profile, which is scheduled for publication in February 2021…[and] [a]reas needing more input include feedback on the description of systems that use PNT services and the set of standards, guidelines, and practices addressing systems that use PNT services.” NIST explained that “[t]hrough the Profile development process, NIST will engage the public and private sectors on multiple occasions to include a request for information, participation in workshops, solicitation of feedback on this annotated outline, and public review and comment on the draft Profile.” The agency added “[t]he Profile development process is iterative and, in the end state, will identify and promote the responsible use of PNT services from a cybersecurity point of view.”
    • In June, NIST released a request for information (RFI) “about public and private sector use of positioning, navigation, and timing (PNT) services, and standards, practices, and technologies used to manage cybersecurity risks, to systems, networks, and assets dependent on PNT services.” This RFI is being undertaken per direction in a February executive order (EO) to serve as the foundation for the Trump Administration’s efforts to lessen the reliance of United States’ (U.S.) critical infrastructure on current PNT systems and services. Specifically, the EO seeks to build U.S. capacity to meet and overcome potential disruption or manipulation of the PNT systems and services used by virtually every key sector of the public and private sectors of the U.S.
    • NIST explained “Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, was issued on February 12, 2020 and seeks to protect the national and economic security of the United States from disruptions to PNT services that are vital to the functioning of technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response.” The EO directed NIST “to develop and make available, to at least the appropriate agencies and private sector users, PNT profiles.” NIST said “[r]esponses to this RFI will inform NIST’s development of a PNT profile, using the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), that will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated cybersecurity risks to the systems, networks, and assets dependent on PNT services.”
    • The EO defines the crucial term this RFI uses: “PNT profile” means a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.
    • In April, the Department of Homeland Security (DHS) released a Congressionally required report, “Report on Positioning, Navigation, and Timing (PNT) Backup and Complementary Capabilities to the Global Positioning System (GPS)” as required by Section 1618 of the “2017 National Defense Authorization Act (NDAA) (P.L. 114–328) that was due in December 2017. DHS offered “recommendations to address the nation’s PNT requirements and backup or complementary capability gaps.”
  • Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has reversed itself and decided that the Swiss-U.S. Privacy Shield does not provide adequate protection for Swiss citizens whose data is transferred for processing into the United States (U.S.) However, it does not appear that there will be any practical effect as of yet. The FDPIC determined that the agreement “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).” This decision comes two months after the Court of Justice of the European Union (CJEU) struck down the European Union-U.S. Privacy Shield. The FDPIC noted this determination followed “his annual assessment of the Swiss-US Privacy Shield regime and recent rulings on data protection by the CJEU.” The FDPIC also issued a policy paper explaining the determination. The FDPIC added
    • As a result of this assessment, which is based on Swiss law, the FDPIC has deleted the reference to ‘adequate data protection under certain conditions’ for the US in the FDPIC’s list of countries. Since the FDPIC’s assessment has no influence on the continued existence of the Privacy Shield regime, and those concerned can invoke the regime as long as it is not revoked by the US, the comments on the Privacy Shield in the list of countries will be retained in an adapted form.
  • The United States Department of Defense (DOD) released its statutorily required annual report on the People’s Republic of China (PRC) that documented the rising power of the nation, especially with respect to cybersecurity and information warfare. The Pentagon noted
    • 2020 marks an important year for the People’s Liberation Army (PLA) as it works to achieve important modernization milestones ahead of the Chinese Communist Party’s (CCP) broader goal to transform China into a “moderately prosperous society” by the CCP’s centenary in 2021. As the United States continues to respond to the growing strategic challenges posed by the PRC, 2020 offers a unique opportunity to assess both the continuity and changes that have taken place in the PRC’s strategy and armed forces over the past two decades.
    • Regarding Cyberwarfare, the DOD asserted
      • The development of cyberwarfare capabilities is consistent with PLA writings, which identify Information Operations (IO) – comprising cyber, electronic, and psychological warfare – as integral to achieving information superiority and as an effective means for countering a stronger foe. China has publicly identified cyberspace as a critical domain for national security and declared its intent to expedite the development of its cyber forces.
      • The PRC presents a significant, persistent cyber espionage and attack threat to military and critical infrastructure systems. China seeks to create disruptive and destructive effects—from denial-of- service attacks to physical disruptions of critical infrastructure— to shape decision-making and disrupt military operations in the initial stages of a conflict by targeting and exploiting perceived weaknesses of militarily superior adversaries. China is improving its cyberattack capabilities and has the ability to launch cyberattacks—such as disruption of a natural gas pipeline for days to weeks—in the United States.
      • PLA writings note the effectiveness of IO and cyberwarfare in recent conflicts and advocate targeting C2 and logistics networks to affect an adversary’s ability to operate during the early stages of conflict. Authoritative PLA sources call for the coordinated employment of space, cyber, and EW as strategic weapons to “paralyze the enemy’s operational system of systems” and “sabotage the enemy’s war command system of systems” early in a conflict. Increasingly, the PLA considers cyber capabilities a critical component in its overall integrated strategic deterrence posture, alongside space and nuclear deterrence. PLA studies discuss using warning or demonstration strikes—strikes against select military, political, and economic targets with clear “awing effects”—as part of deterrence. Accordingly, the PLA probably seeks to use its cyberwarfare capabilities to collect data for intelligence and cyberattack purposes; to constrain an adversary’s actions by targeting network-based logistics, C2, communications, commercial activities, and civilian and defense critical infrastructure; or, to serve as a force-multiplier when coupled with kinetic attacks during armed conflict.
      • The PLA’s ongoing structural reforms may further change how the PLA organizes and commands IO, particularly as the Strategic Support Force (SSF) evolves over time. By consolidating cyber and other IO-related elements, the SSF likely is generating synergies by combining national-level cyber reconnaissance, attack, and defense capabilities in its organization.
    • The DOD also noted the PLA’s emphasis on intelligentized warfare:
      • The PLA sees emerging technologies as driving a shift to “intelligentized” warfare from today’s “informatized” way of war. PLA strategists broadly describe intelligentized warfare as the operationalization of artificial intelligence (AI) and its enabling technologies, such as cloud computing, big data analytics, quantum information, and unmanned systems, for military applications. These technologies, according to PRC leaders—including Chairman Xi Jinping— represent a “Revolution in Military Affairs” for which China must undertake a whole-of-government approach to secure critical economic and military advantages against advanced militaries.
  • The United States’ (U.S.) Citizenship and Immigration Services (USCIS) of the Department of Homeland Security (DHS) is proposing a rule “to amend DHS regulations concerning the use and collection of biometrics in the enforcement and administration of immigration laws by USCIS, U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE).”
    • USCIS further explained:
    • First, DHS proposes that any applicant, petitioner, sponsor, beneficiary, or individual filing or associated with an immigration benefit or request, including United States citizens, must appear for biometrics collection without regard to age unless DHS waives or exempts the biometrics requirement.
    • Second, DHS proposes to authorize biometric collection, without regard to age, upon arrest of an alien for purposes of processing, care, custody, and initiation of removal proceedings.
    • Third, DHS proposes to define the term biometrics.
    • Fourth, this rule proposes to increase the biometric modalities that DHS collects, to include iris image, palm print, and voice print.
    • Fifth, this rule proposes that DHS may require, request, or accept DNA test results, which include a partial DNA profile, to prove the existence of a claimed genetic relationship and that DHS may use and store DNA test results for the relevant adjudications or to perform any other functions necessary for administering and enforcing immigration and naturalization laws.
    • Sixth, this rule would modify how VAWA and T nonimmigrant petitioners demonstrate good moral character, as well as remove the presumption of good moral character for those under the age of 14. 
    • Lastly, DHS proposes to further clarify the purposes for which biometrics are collected from individuals filing immigration applications or petitions, to include criminal history and national security background checks; identity enrollment, verification, and management; secure document production, and to administer and enforce immigration and naturalization laws.

Further Reading

  • State aid helps China tech leaders shrug off US sanctions” By Kenji Kawase – Nikkei Asian Review. A number of companies placed on the United States’ no-trade list have received generous subsidies from their government in Beijing. The People’s Republic of China (PRC) sees the health of a number of these companies as vital to its long term development and is willing to prop them up. Some companies have received multiples of their net profit to keep them afloat.
  • Facebook Says Trump’s Misleading Post About Mail-In Voting Is OK. Employees Say It’s Not.” By Craig Silverman and Ryan Mac – BuzzFeed News. There is more internal dissension at Facebook even after the company’s announcement it would not accept political advertising the last week of the election and correct misinformation about voting. Within hours of this policy change, President Donald Trump encouraged voters to possibly vote twice, which many Facebook employees saw as a violation of the new policy. The company disagreed and appended a claim from a bipartisan think tank study finding that mail-in voting is largely fraud free.
  • Why Facebook’s Blocking of New Political Ads May Fall Short” By Davey Alba and Sheera Frenkel – The New York Times. This piece explains in detail why Facebook’s new policy to combat political misinformation is likely to fall quite short of addressing the problem.
  • Student arrested for cyberattack against Miami schools used ‘easy to prevent’ program” By Colleen Wright and David Ovalle – Miami Herald. The United States’ fourth largest school district fell victim to a distributed denial of service attack launched by a 16-year-old student using more than a decade old tools downloaded from the internet. This unnamed hacker foiled the Miami-Dade school district’s first three days of online classes, raising questions about the cybersecurity of the school system if such an old attack succeeded so easily and how safe the personal information of students is in this school system and others around the country.
  • Trump and allies ratchet up disinformation efforts in late stage of campaign” By Ashley Parker – The Washington Post. It has been apparent for some that President Donald Trump and a number of his Republican allies are intentionally or recklessly spreading false information to try to help his campaign cover ground against frontrunner former Vice President Joe Biden. The goal is to so muddy the waters that the average person will neither be able to discern the truth of a claim not be concerned about doing so. This approach is the very same Russia’s leader Vladimir Putin has successfully executed in pushing his country into a post-truth world. Experts are warning that a continuation of this trend in the United States (U.S.) could wreak potentially irreparable harm.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by wal_172619 from Pixabay

Pending Legislation In U.S. Congress, Part II

Appropriations will, of course, be enacted, but when is the question. And along with bills to fund the U.S. government come policy direction.

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. Yesterday, we examined the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA). Today we will look at appropriations.

Passage of regular appropriations during federal election years is almost always delayed until after the election, and the Congress and the President usually agree to extend the current year’s level of funding for agencies through late November or early December (aka a continuing resolution.) This year, negotiations over another potential pandemic package might complicate passage of a continuing resolution (CR) this month, but it appears, at present, the two issues are being handled separately with Speaker of the House Nancy Pelosi (D-CA) and Secretary of the Treasury Steven Mnuchin having reached agreement in principle on a CR. It remains to be seen whether this agreement will hold through passage of legislation to keep the U.S. government funded as carefully negotiated deals have unraveled at the last minute when President Donald Trump found reason to object.

Also, there have been only four fiscal years since the enactment of the Congressional Budget Act of 1974 in which all the appropriations bills were enacted by the beginning of the coming fiscal year. Therefore, it is almost certainly going to be the case that the current fractured political environment in Washington results in a current resolution for the first few months of FY 2021 and quite possibly well into calendar year 2021 should the Democrats take control of the White House and Senate.

Moreover, the Trump Administration has again proposed steep cuts to many civilian agencies the Congress will probably ignore based on appropriations from the previous three fiscal years appropriations process. Nonetheless, in a footnote to a summary table in its FY 2021 budget request, the Administration explained it is “propos[ing] to fund base defense programs for 2021 at the existing [Budget Control Act] cap and fund base [non-defense] programs at a level that is five percent below the 2020 [non-defense] cap.” The Administration asked that Congress “extend the [Budget Control Act] caps through 2025 at the levels included in the 2021 Budget…[which] would provide an increase in defense funding of about two percent each year, and decrease funding for [non-defense] programs by two percent (or “2-penny”) each year.”

However, the House Appropriations Committee has again rejected these deep cuts to non-defense funding and have moved forward by passing 10 of the 12 annual bills in July. By way of contrast, the Senate Appropriations Committee, has not even considered any of its bills in committee, reportedly because there was a desire to shield vulnerable Republicans running for reelection from taking tough votes on politically divisive issues. Consequently, the Senate Appropriations Committees almost certainly has bills it has worked on and are ready to go when the time comes to consider the inevitable bundling of bills either into one omnibus or smaller packages to enact FY 2021 funding.

In any event, the annual appropriations bills provide top-line funding numbers for a number of agencies with jurisdiction over United States’ technology programs and policies. There can be policy directives written into these bills usually in the form of denying the use of funds for certain purposes or tying the use of funds to an agency addressing an issue of importance to a committee or subcommittee. However, the more directive policy changes are usually written in the Committee Reports that accompany the bills.

FY 2021 Homeland Security Appropriations Act

The Homeland Security Subcommittee marked up and reported out to the full committee its “FY 2021 Homeland Security Appropriations Act” that would provide the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with $1.844 billion for operations and support, $396 million for procurement, construction, and improvement, and $14.4 million for research & development. For FY 2020, CISA was appropriated $1.566 billion for operations and support, $434 million for procurement, construction, and improvement, and $14.4 million for research & development. For the next fiscal year, the Trump Administration requested $1.438 billion, $313 million, and $6.4 million respectively for the same categories of programs. Moreover, the Committee made available its Committee Report. However, this bill has not come to the House floor and likely will not to shield Democrats seeking reelection in moderate or right-leaning districts from facing votes on issues like immigration.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a ‘‘central Federal information security incident center,’ a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115– 390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • [P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.— The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.”
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and other priority activities and
    • investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).— The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.” The House subsequently passed this bill.

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

In July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was also marked up and reported out, and the House passed the bill. The Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

The National Institute of Standards and Technology (NIST) would be given $1.044 billion via the “FY 2021 Commerce-Justice-Science Appropriations Act.” NIST received a total of $1.034 billion for FY 2020, and the agency requested $737 million for the next fiscal year. This bill includes annual language barring any agency receiving funds under it from buying “a high-impact or moderate-impact  information  system” unless all the risks have been mitigated associated with the procurement of such a system, most especially including supply chain risks, that may originate in the People’s Republic of China, Iran, North Korea, or Russia.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Francine Sreca from Pixabay

Further Reading, Other Developments, and Coming Events (7 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A federal appeals court found that the National Security Agency (NSA) exceeded it lawful remit in operating the bulk collection of metadata program former contractor Edward Snowden exposed. Even though the United States Court of Appeals for the Ninth Circuit did not reverse the convictions of four Somalis convicted of providing assistance to terrorists, the court did find the telephony metadata program exceeded Congress’ authorization provided in the Foreign Surveillance Intelligence Act (FISA). The court also suggested the NSA may have also violated the Fourth Amendment’s ban on unreasonable searches without deciding the question. The NSA closed the program in 2015 and had a great deal of difficulty with a successor program authorized the same year that was also shut down in 2018. However, the Trump Administration has asked for a reauthorization of the most recent version even though it has admitted it has no plans to restart the program in the immediate future.
  • The top Democrats on five House and Senate committees wrote the new Director of National Intelligence (DNI) calling on him to continue briefing committees of jurisdiction on intelligence regarding election interference. Reportedly, DNI John Ratcliffe wrote these committees in late August, stating his office would still provide Congress written briefings but would no longer conduct in-person briefings because of alleged leaking by Democrats. However, the chair of the Senate Intelligence Committee claimed his committee would still be briefed in person.
    • In an interview, Ratcliffe explained his rationale for ending in person briefings:
      • I reiterated to Congress, look, I’m going to keep you fully and currently informed, as required by the law. But I also said, we’re not going to do a repeat of what happened a month ago, when I did more than what was required, at the request of Congress, to brief not just the Oversight Committees, but every member of Congress. And yet, within minutes of that — one of those briefings ending, a number of members of Congress went to a number of different publications and leaked classified information, again, for political purposes, to create a narrative that simply isn’t true, that somehow Russia is a greater national security threat than China.
    • Senate Rules Committee Ranking Member Amy Klobuchar (D-MN), House Administration Committee Chair Zoe Lofgren (D-CA), Senate Judiciary Committee Ranking Member Dianne Feinstein (D-CA), House Judiciary Committee Chair Jerrold Nadler (D-NY), and House Homeland Security Committee Chair Bennie Thompson (D-MS) expressed “serious alarm regarding your decision to stop providing in-person election security briefings to Congress, and to insist that you immediately reschedule these critical briefings ahead of the November general election.” They added
      • The important dialogue that comes from a briefing cannot be understated, as you’re well aware. This is why the Intelligence Community (IC) has for decades arranged for senior members of every administration to have intelligence briefers who provide regular, often daily, briefings, rather than simply sending written products to review. Intelligence memos are not a substitute for full congressional briefings. It is also unacceptable to fully brief only one Committee on matters related to federal elections.
      • As Members of the House and Senate with jurisdiction over federal elections, we call on you to immediately resume in-person briefings. We also remind you that the ODNI does not own the intelligence it collects on behalf of the American people, it is a custodian of the information. In addition to the power to establish and fund the ODNI, Congress has the power to compel information from it.
    • In his statement, acting Senate Intelligence Committee Chair Marco Rubio (R-FL) asserted
      • Intelligence agencies have a legal obligation to keep Congress informed of their activities. And Members of Congress have a legal obligation to not divulge classified information. In my short time as Acting Chair of the Senate Select Committee on Intelligence, I have witnessed firsthand how this delicate balance has been destroyed.
      • Divulging access to classified information in order to employ it as a political weapon is not only an abuse, it is a serious federal crime with potentially severe consequences on our national security. This situation we now face is due, in no small part, to the willingness of some to commit federal crimes for the purpose of advancing their electoral aims.
      • Yet, this grotesque criminal misconduct does not release the Intelligence Community from fulfilling its legal requirements to respond to Congressional oversight committees and to keep Members of Congress fully informed of relevant information on a timely basis. I have spoken to Director Ratcliffe who stated unequivocally that he will continue to fulfill these obligations. In particular, he made explicitly clear that the Senate Select Committee on Intelligence will continue receiving briefings on all oversight topics, including election matters. 
    • In early August, National Counterintelligence and Security Center (NCSC) Director William Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the People’s Republic of China (PRC), and Iran. This additional detail may well have been provided given the pressure Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).
    • In a statement, Pelosi and House Intelligence Committee Chair Adam Schiff (D-CA) expressed gratitude for the additional detail but took issue with the statement for implying through its structure that the risks each nation presents are equal. It would seem to make sense that Pelosi and Schiff are arguing that the Russian Federation is the biggest threat in light of its history in successfully spreading disinformation and misinformation in 2016 to benefit then candidate Donald Trump and harm former Secretary of State Hillary Clinton. This assertion would also serve to rebut the notion that the PRC is the top threat given its placement as the first nation mentioned and Trump Administration rhetoric to this effect.
  • The Federal Acquisition Security Council (FASC) has released an interim regulation that took effect upon being published, but the body will be accepting comments on a still-to-be drafted final regulation. This entire effort is aimed at helping the United States government identify and remove risky and untrustworthy information technology from its systems. However, the FASC is some nine months late in issuing this rule, suggesting that some of the same troubles that have slowed other Trump Administration efforts to secure the federal government’s information and communications technology supply chain delayed this rule. Other efforts have been slowed by industry stakeholder pushback because a number of American multinationals have supply chains in the People’s Republic of China (PRC) and have resisted efforts to decrease sourcing from that country. This rulemaking was required by the “Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act” (SECURE Technology Act) (P.L. 115-390). The council has one year to fashion and release a final rule.
    • FASC explained that the interim final rule “implement[s] the requirements of the laws that govern the operation of the FASC, the sharing of supply chain risk information, and the exercise of its authorities to recommend issuance of removal and exclusion orders to address supply chain security risks…[and] [w]ritten comments must be received on or before November 2, 2020.”
    • FASC stated
      • Information and communications technology and services (ICTS) are essential to the proper functioning of U.S. government information systems. The U. S. government’s efforts to evaluate threats to and vulnerabilities in ICTS supply chains have historically been undertaken by individual or small groups of agencies to address specific supply chain security risks. Because of the scale of supply chain risks faced by government agencies, and the need for better coordination among a broader group of agencies, there was an organized effort within the executive branch to support Congressional efforts in 2018 to pass new legislation to improve executive branch coordination, supply chain information sharing, and actions to address supply chain risks.
    • FASC explained the interim rule is divided into three parts:
      • Subpart A explains the scope of this IFR, provides definitions for relevant terms, and establishes the membership of the FASC. Subpart B establishes the role of the FASC’s Information Sharing Agency (ISA). DHS, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as the ISA. The ISA will standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC. This FASC Task Force (hereafter referred to as “Task Force”) will be comprised of designated technical experts that will assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions. Subpart B also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements. Subpart C provides the criteria and procedures by which the FASC will evaluate supply chain risk from sources and covered articles and recommend issuance of orders requiring removal of covered articles from executive agency information systems (removal orders) and orders excluding sources or covered articles from future procurements (exclusion orders). Subpart C also provides the process for issuance of removal orders and exclusion orders and agency requests for waivers from such orders.
    • The FASC noted it was required to select “an appropriate executive agency—the FASC’s Information Sharing Agency (ISA)—to perform the administrative information sharing functions on behalf of the FASC,” and it has chosen the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA).
  • The Federal Communications Commission (FCC) released “the results of its efforts to identify use of Huawei and ZTE equipment and services in U.S. telecommunications networks that receive support from the federal Universal Service Fund.” The FCC initiated this proceeding with its the 2019 Supply Chain Order, 85 FR 230, and then Congress came behind the agency and enacted the “Secure and Trusted Communications Networks Act of 2019” (Secure Networks Act) (P.L. 116-124), which authorized in law much of what the FCC was doing. However, this statute did not appropriate any funds for the FCC to implement the identification and removal of Huawei and ZTE equipment from U.S. telecommunications networks. It is possible Congress could provide these funds in an annual appropriations bill for the coming fiscal year.
    • The FCC stated
      • Based on data Commission staff collected through the information collection, all filers report it could cost an estimated $1.837 billion to remove and replace Huawei and ZTE equipment in their networks. Of that total, filers that appear to initially qualify for reimbursement under the Secure and Trusted Communications Network Act of 2019 report it could require approximately $1.618 billion to remove and replace such equipment. Other providers of advanced communications service may not have participated in the information collection and yet still be eligible for reimbursement under the terms of that Act.
  • Australia’s government has released “a voluntary Code of Practice to improve the security of the Internet of Things (IoT),” “a first step in the Australian Government’s approach to improve the security of IoT devices in Australia.” These standards are optional but may foretell future mandatory requirements. The Department of Home Affairs and the Australian Signals Directorate’s Australian Cyber Security Centre developed the Code and explained:
    • This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.
    • The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritise the top three principles because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.
    • In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.
  • The Office of the Privacy Commissioner of Canada (OPC) issued “Privacy guidance for manufacturers of Internet of Things devices” intended to provide “practical information to help ensure that your business practices and the devices you make are privacy protective and compliant with the “Personal Information Protection and Electronic Documents Act” (PIPEDA). The OPC cautioned “[i]f your IoT device is collecting, using or disclosing personal data in the course of commercial activity, then you are subject to PIPEDA and must follow the principles set out in Schedule 1 of PIPEDA…[and] [t]hese principles…are rooted in international data protection standards and reflect the Canadian Standards Association’s Model Privacy Code for the Protection of Personal Information.” OPC offered this checklist:
    • What you must do to fulfill your responsibilities under PIPEDA:
      • Be accountable by instituting practices that protect the personal information under the control of your organization
      • Before collecting personal information, identify the purposes for its collection
      • Obtain informed and meaningful consent from the individual whose personal information is collected, used or disclosed
      • Design your devices to limit collection to that which is necessary to fulfil their stated purposes
      • Use and disclose personal information only for the purpose for which it was collected
      • Ensure that personal information is as accurate, up-to-date and complete as is necessary for the purposes for which it is to be used, especially when making a decision about individuals or when sharing it with others
      • Ensure the personal information you are accountable for is appropriately safeguarded
      • Inform individuals about your policies and practices for information management
      • Give individuals the ability to access and correct their information
      • Provide recourse to individuals by developing complaint procedures
      • Limit what you collect, use, share and retain about your customers, including children
      • Protect personal information through technological safeguards such as encryption and password protection
    • What you should do to supplement your responsibilities under the law:
      • Create device specific privacy policies to improve the transparency of your information practices. For example, include a list of every sensor a device possesses in your policy’s section on disclosures and state the minimum length of time these devices will receive security updates
      • Consider periodically notifying users when the device is collecting data and give consumers greater control to limit the collection.
      • Perform privacy and security risk assessments that help identify and mitigate risks associated with the device and your personal information handling practices
      • Design your devices to have consumers use of strong and unique passwords
      • Provide consumers with user-friendly options to permanently delete information you hold about them and inform them of how to do so
      • Ensure that the end user can patch or update the firmware on the device
  • The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) published a joint technical alert “about an ongoing automated teller machine (ATM) cash-out scheme by North Korean government cyber actors – referred to by the U.S. government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.” The agencies asserted
    • [The Democratic People’s Republic of Korea’s (DPRK)] intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.
  • In a short statement released late on a Friday heading into the Labor Day three day weekend, the Department of Defense (DOD) signaled the end of “its comprehensive re-evaluation of the Joint Enterprise Defense Infrastructure (JEDI) Cloud proposals and determined that Microsoft’s proposal continues to represent the best value to the Government.” Microsoft bested Amazon for the contract in late 2019, but the latter’s court challenge alleged bias against the company as evidenced by comments from President Donald Trump. This case is ongoing, and Amazon will almost certainly challenge this award, too. In a blog posting, Amazon declared “we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.” The DOD explained that the potentially $10 billion contract “will make a full range of cloud computing services available to the DOD.” The Pentagon conceded that “[w]hile contract performance will not begin immediately due to the Preliminary Injunction Order issued by the Court of Federal Claims on February 13, 2020, DOD is eager to begin delivering this capability to our men and women in uniform.”

Further Reading

  • Race for Coronavirus Vaccine Pits Spy Against Spy” By Julian E. Barnes and Michael Venutolo-Mantovani – The New York Times. Reportedly, hackers from the People’s Republic of China (PRC), Russian Federation, and the Islamic Republic of Iran have widened their list of targets to include research universities in the United States (U.S.) working on COVID-19 vaccine research. Officials quoted in the piece explain the likely motivations as being knowing what the U.S. is up to considering their research capabilities are not as good, “checking” their own research against the U.S., and possibly even prestige if they can leverage the intelligence gained into a viable vaccine more quickly than the U.S. or other western nations. Perhaps there is an even more basic motivation: they want a vaccine as fast as possible and are willing to steal one to save their citizens. Nonetheless, this article follows the announcements during the summer by Five Eyes security services that the three nations were targeting pharmaceutical companies and seems to be of the same piece. The article only hints at the possibility that the U.S. and its allies may be doing exactly the same to those nations to monitor their efforts as well. One final interesting strand. Russia seems to be gearing up for a major influence campaign to widen the split in U.S. society about the proper response to COVID-19 by sowing doubt about vaccinations generally.
  • Forget TikTok. China’s Powerhouse App Is WeChat, and Its Power Is Sweeping.” By Paul Mozur – The New York Times. This article delves deeply into WeChat the do-all app most people inside and from the People’s Republic of China (PRC) have on their phone. It is a combination WhatsApp, Amazon, Apple Pay, Facebook, and other functionality that has become indispensable to those living in the PRC. One person who lived in Canada and returned wishes she could dispense with the app that has become central to Beijing’s efforts to censor and control its people. The PRC employs algorithms and human monitoring to ensure nothing critical of the government is posted or disseminated. One user in North America was shocked to learn the depiction of Donald Trump on the app as being deeply respected be everyone in the United States (U.S.) was wrong when talking to others. A few of the experts quoted expressed doubt that banning the app in the U.S. will change much.
  • U.S. considers cutting trade with China’s biggest semiconductor manufacturer” By Jeanne Whalen – The Washington Post; “Trump administration weighs blacklisting China’s chipmaker SMIC” by Idrees Ali, Alexandra Alper, and Karen Freifeld – Reuters.
  •  The People’s Republic of China’s (PRC) biggest semiconductor maker may be added to the United States’ (U.S.) no-trade list soon in what may be another move to further cut Huawei’s access to crucial western technology. Ostensibly, the Semiconductor Manufacturing International Corp. (SMIC) is being accused of having ties that too close with the PRC’s military. However, the company rejected this allegation in its statement: “The company manufactures semiconductors and provides services solely for civilian and commercial end-users and end-uses. We have no relationship with the Chinese military.” A different PRC chip maker was added to the list in 2018: Fujian Jinhua Integrated Circuit Co.
  • Pasco’s sheriff created a futuristic program to stop crime before it happens. It monitors and harasses families across the county.” By Kathleen Mcgrory and Neil Bedi – Tampa Bay Times. Eevn though most of the truly alarming aspects of this sheriff’s office are human based, the notion that using technology and intelligence methods will allow someone to predict crime are dystopian and disconcerting. What this sheriff’s department has done to mostly minors guilty of at most petty misdemeanors should give anyone pause about employing technology to predict crime and criminals.
  • DHS, FBI rebut reports about hacked voter data on Russian forum” By Tim Starks – Politico. The United States Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) and Federal Bureau of Investigation rebutted claims made by journalist Julia Ioffe that Michigan voter data were in the hands of Russian hackers. However, statements by CISA, the FBI, and the state of Michigan explained there has been no hack, and that these data may have been obtained through a Freedom of Information Act request.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Republica from Pixabay

Pending Legislation In U.S. Congress, Part I: FY 2021 NDAA and FISA Reauthorization

Normally, a FISA reauthorization would be considered must pass like an NDAA, but this year may be different.   

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. However, it is just as likely, possibly even more, that Congress punts everything except for a measure to keep the government funded through the November election. This week, we will explore some of the bills that may become law. Today’s piece is on the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA).

FY 2021 NDAA

Congress will almost certainly pass its annual policy and authorization bill for the Department of Defense (DOD) as it has done for every year since FY 1962. Any more, this bill is laden with technology provisions, most of which are oriented towards national security programs, but not always because the National Defense Authorization Act (NDAA) is considered must-pass legislation, it attracts some legislation that is non-defense. For example, the revamp of how the United States government buys and develops information technology programs, the “Federal Information Technology Acquisition Reform Act” (FITARA) (P.L. 113-291), was enacted as part of the FY 2015 NDAA.

The House and Senate have passed their respective bills: the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) and the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) and have already started work on resolving differences between the two packages. However, over the last decade or so, the NDAA has been one of the last major bills passed each calendar year, and it is possible this legislation will not reach the President’s desk until late December.

The base bill put on the floor of the House contained a range of cybersecurity provisions. The DOD’s requirement that it must submit its cybersecurity and information technology (IT) budget would be broadened to include cyber mission force and a its new cyber operations force budgets. The Cyberspace Solarium Commission’s (CSC) structure would be changed and would be extended. The DOD would need to study and consider replicating an entity inside the Navy that has been researching and pioneering cyber warfare. The DOD’s Principal Cyber Advisor would be invested with the authority to manage the Pentagon’s role as the sector-specific agency (SSA) for the Defense Industrial Base (DIB) under Presidential Policy Directive- 21. The bill also increased the DOD’s reporting requirements to Congress regarding compromises of its system and exceptions to its IT policies with the goal of creating a baseline to help the Pentagon manage its cyber risks and tradeoffs. The DOD would determine whether a current public-private partnership on cybersecurity is working and should be extended.

The Department of Homeland Security (DHS) would need to submit a report on the feasibility of an Integrated Cyber Center housed at its National Cybersecurity and Communications Integration Center (NCCIC). DHS would need to work with the DOD, Office of the Director of National Intelligence (ODNI) and National Security Agency (NSA) on whether it makes sense to create a joint collaboration environment to help shore up cybersecurity. The Pentagon would need to study and then implement a threat hunting program that would allow its personnel to go searching for vulnerabilities and cyber risks in the IT systems of DIB contractors. The DOD would be barred from contracting with entities that do not belong to the DIB threat intelligence sharing program. The bill would also permit the DOD to make grants to companies providing cybersecurity to small manufacturers in the U.S. The bill would establish a National Artificial Intelligence Initiative to support and foster a number of related activities including research and development, education, and training.

During floor consideration of H.R.6395, the House agreed to scores of amendments in two en bloc packages that contained most of the technology provisions made in order for consideration. Among the most notable of these provisions are the following, some of which have been considered by the House as standalone legislation:

The cybersecurity provisions in S.4049 would change, alter, or establish a range of programs and operations. The bill would modify the statutory duties of Department of Defense’s Principal Cyber Advisor to require that the person chosen for this role is a civilian at the Pentagon who holds a position requiring Senate confirmation. The DOD would need to develop and implement a framework for forward hunt operations (i.e. offensive cyber operations) to address some of the issues the committee’s oversight turned up. The focus on this exercise would be to get a better understanding on the utility and life span of intelligence gained through such operations. The Pentagon’s reporting duties after executing an offensive or defensive cyber operation would be expanded to include nations and entities with whom the United States is not at war. The Committee expanded the DOD’s required briefings on cyber operations, expressing frustration with the Department’s “unwillingness to keep the committee apprised of cyber operations conducted to gain access to adversary systems, including those conducted pursuant to standing military plans against military targets.”

There is language mandating that the DOD begin the process of harmonizing the Pentagon’s cyber capabilities and those provided by private sector contractors, much of which overlaps in the view of the committee. Cyber Command would receive expanded but necessarily acquisition authority as the service branches are to remain the entities undertaking large procurements. The Principal Cyber Advisor and head of Cyber Command would need to assess how well the DOD manages inter-agency conflict in the Pentagon and among Intelligence Community agencies in managing the process by which cyber operations are designed and executed, suggesting there is significant internal friction among the stakeholders. The DOD would need to conduct a pilot on the feasibility of adopting and using a commercial practice of speed-based cybersecurity metrics. The Pentagon would also need to better integrate its data collection and data analysis regarding potentially malicious or illegal activities by DOD employees and contractors (i.e. so-called insider threat).

The DOD would need “to develop a comprehensive plan, by February 1, 2021, for the deployment of commercial-off-the-shelf solutions on supplier networks to monitor the public-facing Internet attack surface of members of the defense industrial base (DIB)” that is intended to supplement the DOD’s new Cybersecurity Maturity Model Certification and other DOD efforts to shore up the cybersecurity of its contractors. The bill would grant a DOD request to receive the authority to immediately react and respond to reported threats and penetrations to “operationally critical” DOD contractors’ systems and networks. The DOD would need “to conduct a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the initiative should continue, but as a program of record, or should be replaced by an improved design and modern technology.” The DOD would also receive limited flexibility to use Operation and Maintenance (O&M) “for cyber operations-peculiar capability development projects.” The committee also conditioned the availability of certain Office of the Secretary of Defense travel on fulfilling a requirement in the current year’s NDAA to submit “a report for the structuring and manning of information operations capabilities and forces” in the DOD, develop “a strategy for operations in the information environment” and to “conduct an information operations posture review.”

The Cyberspace Solarium Commission (CSC) would have its mandate extended so it could monitor, assess, and report on the implementation of its 75 recommendations made in March 2020. The bill includes a number of CSC recommendations, including:

  • Adding “a force structure assessment of the Department of Defense’s Cyber Operations Forces to future cyber posture reviews.”
  • “a report to the congressional defense committees, detailing the actions that the Secretary will undertake to ensure that the Commander, U.S. Cyber Command, has enhanced authority, direction, and control of the Cyber Operations Forces and of the equipment budget that enables Cyber Operations Forces’ operations and readiness, beginning with fiscal year 2024 budget request.”
  • Assessing “options for establishing a cyber reserve force.”
  • A comprehensive plan for “[e]nsuring cyber resiliency of nuclear command and control system”
  • Requiring “the Secretary of Defense to establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities.”
  • Mandating that the Secretary of Defense “establish a threat intelligence sharing program to share threat intelligence with and obtain threat intelligence from the defense industrial base.”
  • Requiring the Pentagon “to conduct an assessment of the adequacy of threat hunting elements of the Cyber Maturity Model Certification (CMMC) program and the need for continuous threat monitoring operations.”
  • Addressing “the risks to National Security Systems (NSSs) posed by quantum computing by requiring the Secretary of Defense to: (1) Complete an assessment of current and potential threats to critical NSSs and the standards used for quantum-resistant cryptography; and (2) Provide recommendations for research and development activities to secure NSSs.”
  • Study the feasibility of establishment of a National Cyber Director.

In terms of the provisions that were folded into the final Senate bill, Senate Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-WI) succeeded in attached to the larger bill the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S.3045). S.3045 would expand the authority of Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to issue subpoenas to internet service providers to obtain the identity of owners and operators of critical infrastructure subject to be drafted procedures and limits on how any information collected from subpoena is used and retained. The House’s counterpart bill, H.R.5680, was added as an amendment to H.R.6395, meaning the substance of the legislation will almost certainly be in the final NDAA. Also, an amendment was adopted to stimulate semiconductor manufacturing in the United States by creating a grant and tax incentive program at the Department of Commerce

There were other technology provisions added to the bill during debate. The following amendments were adopted on 2 July en bloc by unanimous consent:

  • The Department of Homeland of Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “[T]he Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a re commendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal  information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242).

FISA Reauthorization

At present, key surveillance authorities for new investigations have lapsed, and it does not appear Congress is close to a deal to restore and reform them, an unusual state of affairs, for since 11 September 2001, it has done so regularly. The House and Senate have both passed bills but have been unable to agree on the extent of reforms to Foreign Intelligence Surveillance Act (FISA) programs given antipathy from the Trump Administration on proposed changes and opposition from some Democrats and Republicans who want to see more significant reforms. It is always possible a compromise package is agreed to and then tacked onto the FY 2021 NDAA, a continuing resolution, or an omnibus appropriations bill as has happened before.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not to take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172, which it did in May. Thereafter, reforms House Democratic leadership tried adding to the bill failed to please stakeholders, leaving the chamber to squelch plans to send a revised bill to the Senate and instead ask for a conference, which is where matters currently stand.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the “USA PATRIOT Act” in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Cater Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to. Senators Pat Leahy (D-VT) and Mike Lee’s (R-UT) amendment to expand the amicus process during the FISA process prevailed by a 77-19 vote.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories. However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

In late May, it appeared as if the House would bring H.R. 6172 to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, that caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes for passage of the bill to send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA) and Representative Zoe Lofgren (D-CA). The bill is being held at the desk in the Senate and Senate conferees have not been named, meaning the conference committee cannot formally begin.  

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by ArtTower from Pixabay

Further Reading, Other Developments, and Coming Events ( 4 September)

Here is today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States-China Economic and Security Review Commission will hold a hearing on 9 September on “U.S.-China Relations in 2020: Enduring Problems and Emerging Challenges” to “evaluate key developments in China’s economy, military capabilities, and foreign relations, during 2020.”
  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC) “released the Election Risk Profile Tool, a user-friendly assessment tool to equip election officials and federal agencies in prioritizing and managing cybersecurity risks to the Election Infrastructure Subsector.” The agencies stated “[t]he new tool is designed to help state and local election officials understand the range of risks they face and how to prioritize mitigation efforts…[and] also addresses areas of greatest risk, ensures technical cybersecurity assessments and services are meeting critical needs, and provides a sound analytic foundation for managing election security risk with partners at the federal, state and local level.”
    • CISA and the EAC explained “[t]he Election Risk Profile Tool:
      • Is a user-friendly assessment tool for state and local election officials to develop a high-level risk profile across a jurisdiction’s specific infrastructure components;
      • Provides election officials a method to gain insights into their cybersecurity risk and prioritize mitigations;
      • Accepts inputs of a jurisdiction’s specific election infrastructure configuration; and
      • Outputs a tailored risk profile for jurisdictions, which identifies specific areas of highest risk and recommends associated mitigation measures that the jurisdiction could implement to address the risk areas.
  • The cybersecurity agencies of the Five Eyes nations have released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity that “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.” The agencies asserted “[t]he purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”
    • The Australian Cyber Security Centre, Canada’s Communications Security Establishment, the United States’ Cybersecurity and Infrastructure Security Agency, the United Kingdom’s National Cyber Security Centre, and New Zealand’s National Cyber Security Centre and Computer Emergency Response Team summarized the key takeaways from the Joint Advisory:
      • When addressing potential incidents and applying best practice incident response procedures:
      • First, collect and remove for further analysis:
        • Relevant artifacts,
        • Logs, and
        • Data.
      • Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
      • Finally, consider soliciting incident response support from a third-party IT security organization to:
        • Provide subject matter expertise and technical support to the incident response,
        • Ensure that the actor is eradicated from the network, and
        • Avoid residual issues that could result in follow-up compromises once the incident is closed.
  • The United States’ (U.S.) Department of Justice (DOJ) and Federal Trade Commission (FTC) signed an Antitrust Cooperation Framework with their counterpart agencies from Australia, Canada, New Zealand, And United Kingdom. The Multilateral Mutual Assistance and Cooperation Framework for Competition Authorities (Framework) “aims to strengthen cooperation between the signatories, and provides the basis for a series of bilateral agreements among them focused on investigative assistance, including sharing confidential information and cross-border evidence gathering.” Given that a number of large technology companies are under investigation in the U.S., the European Union (EU) and elsewhere, signaling a shift in how technology multinationals are being viewed, this agreement may enable cross-border efforts to collectively address alleged abuses. However, the Framework “is not intended to be legally binding and does not give rise to legal rights or obligations under domestic or international law.” The Framework provides:
    • Recognising that the Participants can benefit by sharing their experience in developing, applying, and enforcing Competition Laws and competition policies, the Participants intend to cooperate and provide assistance, including by:
      • a) exchanging information on the development of competition issues, policies and laws;
      • b) exchanging experience on competition advocacy and outreach, including to consumers, industry, and government;
      • c) developing agency capacity and effectiveness by providing advice or training in areas of mutual interest, including through the exchange of officials and through experience-sharing events;
      • d) sharing best practices by exchanging information and experiences on matters of mutual interest, including enforcement methods and priorities; and
      • e) collaborating on projects of mutual interest, including via establishing working groups to consider specific issues.
  • Dynasplint Systems alerted the United States Department of Health and Human Services (HHS) that it suffered a breach affecting more than 100,000 people earlier this year. HHS’ Office of Civil Rights (OCR) is investigating possible violations of Health Insurance Portability and Accountability Act regulations regarding the safeguarding of patients’ health information. If Dynasplint failed to properly secure patient information or its systems, OCR could levy a multimillion dollar fine for the size breach. For example, in late July, OCR fined a company over $1 million for the theft of an unencrypted laptop that exposed the personal information of a little more than 20,000 people.
    • Dynasplint, a Maryland manufacturer of range of motion splints, explained:
      • On June 4, 2020, the investigation determined that certain information was accessed without authorization during the incident.
      • The information may have included names, addresses, dates of birth, Social Security numbers, and medical information.
      • Dynasplint Systems reported this matter to the FBI and will provide whatever cooperation is necessary to hold perpetrators accountable.
  • The California Legislature has sent two bills to Governor Gavin Newsom (D) that would change how technology is regulated in the state, including one that would alter the “California Consumer Privacy Act” (AB 375) (CCPA) if the “California Privacy Rights Act” (CPRA) (Ballot Initiative 24) is not enacted by voters in the November election. The two bills are:
    • AB 1138 would amend the recently effective “Parent’s Accountability and Child Protection Act” would bar those under the age of 13 from opening a social media account unless the platform got the explicit consent from their parents. Moreover, “[t]he bill would deem a business to have actual knowledge of a consumer’s age if it willfully disregards the consumer’s age.”
    •  AB 1281 would extend the carveout for employers to comply with the CCPA from 1 January 2021 to 1 January 2022. The CCPA “exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified…[and also] exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” AB 1281 “shall become operative only” if the CPRA is not approved by voters.
  • Senators Senator Shelley Moore Capito (R-WV), Amy Klobuchar (D-MN) and Jerry Moran (R-KS) have written “a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (app) Premom” and “to request information on the steps that the FTC plans to take to address this issue.” They asserted:
    • A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent.
    • Moore Capito, Klobuchar, and Moran stated “[i]n light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
      • 1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?  
      • 2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
      • 3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
      • 4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
      • 5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?

Further Reading

  • Justice Dept. Plans to File Antitrust Charges Against Google in Coming Weeks” By Katie Benner and Cecilia Kang – The New York Times; “The Justice Department could file a lawsuit against Google this month, overriding skepticism from its own top lawyers” By Tonty Romm – The Washington Post; “There’s a partisan schism over the timing of a Google antitrust lawsuit” By Timothy B. Lee – Ars Technica. The New York Times explains in its deeply sourced article that United States Department of Justice (DOJ) attorneys want more time to build a better case against Google, but that Attorney General William Barr is pressing for the filing of a suit as early as the end of this month in order for the Trump Administration to show voters it is taking on big tech. Additionally, a case against a tech company would help shore up the President’s right flank as he and other prominent conservatives continue to insist in the absence of evidence that technology companies are biased against the right. The team of DOJ attorneys has shrunk from 40 to about 20 as numerous lawyers asked off the case once it was clear what the Attorney General wanted. These articles also throw light on to the split between Republican and Democratic state attorneys general in the case they have been working on with the former accusing the latter of stalling for time in the hopes a Biden DOJ will be harsher on the company and the latter accusing the former of trying to file a narrow case while Donald Trump is still President that would impair efforts to address the range of Google’s alleged antitrust abuses.
  • Facebook Moves to Limit Election Chaos in November” By Mike Isaac – The New York Times. The social network giant unveiled measures to fight misinformation the week before the United States election and afterwards should people try to make factually inaccurate claims about the results. Notably, political advertisements will be banned a week before the 3 November election, but this seems like pretty weak tea considering it will be business as usual until late October. Even though the company frames these moves as “additional steps we’re taking to help secure the integrity of the U.S. elections by encouraging voting, connecting people to authoritative information, and reducing the risks of post-election confusion,” the effect of misinformation, disinformation, and lies that proliferate on Facebook will have likely already taken root by late October. It is possible the company still wants the advertising revenue it would forgo if it immediately banned political advertising. Another proposed change is to provide accurate information about voting generally and COVID-19 and voting. In fact, the platform corrected a post of President Donald Trump’s that expressed doubts about mail-in voting.
  • Washington firm ran fake Facebook accounts in Venezuela, Bolivia and Mexico, report finds” By Craig Timberg and Elizabeth Dwoskin – The Washington Post. In tandem with taking down fake content posted by the Internet Research Agency, Facebook also removed accounts traced back to a Washington, D.C. public relations firm, CLS Strategies, that was running multiple accounts to support the government in Bolivia and the opposition party in Venezuela, both of which are right wing. Using information provided by Facebook, Stanford University’s Internet Observatory released a report stating that “Facebook removed a network of 55 Facebook accounts,4 2 Pages and 36 Instagram accounts attributed to the US-based strategic communications firm CLS Strategies for engaging in coordinated inauthentic behavior (CIB).” Stanford asserted these key takeaways:
    • 11 Facebook pages related to Bolivia mainly supported Bolivia’s Interim President Jeanine Áñez and disparaged Bolivia’s former president Evo Morales. All had similar creation dates and manager location settings.
    • Venezuela-focused assets supported and promoted Venezuelan opposition leaders but changed in tone in 2020, reflecting factional divides in the opposition and a turn away from Juan Guaidó.
    • In addition to fake accounts, removed Facebook accounts include six profiles that match the names and photos of CLS Strategies employees listed publicly on their website and appear to be their real accounts.
    • CLS Strategies has a disclosed contract with the Bolivian government to provide strategic communications counsel for Bolivia’s 2020 elections and to strengthen democracy and human rights in Bolivia.
    • Coordinated inauthentic behavior reports from Facebook and Twitter have increasingly included assets linked to marketing and PR firms originating and acting around the world. The firms’ actions violate the platforms’ terms by operating internationally and failing to identify their origins and motivations to users.
    • In its release on the issue, Facebook explained:
      • In August, we removed three networks of accounts, Pages and Groups. Two of them — from Russia and the US — targeted people outside of their country, and another from Pakistan focused on both domestic audiences in Pakistan and also in India. We have shared information about our findings with law enforcement, policymakers and industry partners.
  • Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm” By Ryan Gallagher – Bloomberg. A United States firm, Sandvine, sold deep packet inspection technology to the government in Belarus through a Russian intermediary. The technology was ostensibly to be used by the government to fend off dangers to the nation’s networks but was instead deployed to shut down numerous social media and news sites on the internet the day of the election. However, Belarusian activists quickly determined how to use workarounds, launching the current unrest that threatens to topple the regime. The same company’s technology has been used elsewhere in the world to cut off access to the internet as detailed by the University of Toronto’s Citizen Lab in 2018.
  • Canada has effectively moved to block China’s Huawei from 5G, but can’t say so” – Reuters. In a move reminiscent of how the People’s Republic of China (PRC) tanked Qualcomm’s proposed purchase of NXP Semiconductors in 2018, Canada has effectively barred Huawei from its 5G networks by not deciding, which eventually sent a signal to its telecommunications companies to use Ericsson and Nokia instead. This way, there is no public announcement or policy statement the PRC can object to, and the country toes the line with its other Five Eyes partners that have banned Huawei in varying degrees. Additionally, given that two Canadian nationals are being held because Huawei Chief Financial Officer Meng Wanzhou is being detained in Canada awaiting extradition to the Unted States to face criminal charges, Ottawa needs to manage its relations with the PRC gingerly.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Simon Steinberger from Pixabay

U.S. Vulnerabilities Disclosure Process Unveiled

Federal civilian agencies will need to have up and running programs to accept and act on vulnerabilities in their public facing systems within two years.

This week, the Trump Administration published final guidance and orders to civilian United States agencies on how they need to be accepting and using vulnerabilities researchers have turned up and submitted. Regularizing this process is supposed to both help agencies learn of and mitigate vulnerabilities and to encourage researchers to submit them. However, instead of establishing one program each agency will use, the Administration is opting to let each agency set up its own system within broad guidelines according to an enumerated timeline. Within two years, all federal “internet-accessible systems or services” at a civilian agency must be part of this vulnerability disclosure process. As with most federal cybersecurity efforts, the success of this initiative will depend on agency buy-in and follow through from the White House.

The Office of Management and Budget (OMB) issued the memorandum, M-20-32, “Improving Vulnerability Identification, Management, and Remediation,” to provide “[f]ederal agencies with guidance for obtaining and managing their vulnerability research programs.” And, pursuant to this memorandum, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issuing mandatory direction to civilian agencies in establishing their Vulnerability Disclosure Policy (VDP).

OMB stated

Federal agencies should continue to align their coordinated vulnerability disclosure (CVD) programs with internationally recognized standards (i.e. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 29147 and ISO/IEC 30111) to the extent possible, consistent with Federal law and policy. CVD can expand the diversity of thinking involved in vulnerability identification and substantively improve the cybersecurity posture of Federal information systems.

OMB stated

Maintaining processes, procedures, and toolsets to identify, manage, and remediate vulnerabilities (i.e., managing the full vulnerability life cycle), no matter how they are discovered, is key to sustaining a risk-aware enterprise cybersecurity program. While many Federal agencies already maintain certain capabilities to discover vulnerabilities, such as penetration testing or receiving threat and vulnerability information from the Department of Homeland Security (DHS), agencies can benefit from closer partnerships with the reporters who choose to use their skills to find and report vulnerabilities on Federal information systems as a means to improving national cybersecurity.

OMB directed

In order to improve vulnerability identification, management, and remediation, Federal agencies shall implement VDPs that address the following areas:

  • Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research5 is welcomed and authorized.
  • Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported.
  • Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report them deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.
  • Unencumbered Remediation: To streamline communication and collaboration, Federal agencies shall ensure vulnerability reports are available to system owners within 48 hours of submission, and shall establish a channel for system owners to communicate with vulnerability reporters, as appropriate.
  • Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of2014 (FISMA) or 0MB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information. However, in the process of assessing and responding to vulnerabilities reported according to agencies’ VDPs, agencies shall work with their senior agency officials for privacy (SAOPs) to evaluate affected Federal information systems for breaches that occurred outside the scope of the good-faith security research (e.g., a breach that occurred before the research was conducted) and follow the requirements outlined in M-17-12. Pursuant to M-17-12, agencies may impose stricter standards consistent with their missions, authorities, circumstances, and identified risks.

As mentioned, CISA issued Binding Operational Directive (BOD) 20-01, “which requires individual federal civilian executive branch (FCEB) agencies to develop and publish a VDP for their internet-accessible systems and services, and maintain processes to support their VDP” according to the agency’s press release. The agency added that “[t]his BOD is part of CISA’s agency-wide priority to make 2020 the “year of vulnerability management,” with a particular focus on making vulnerability disclosure to the civilian executive branch easier for the public.”

CISA stated:

Cybersecurity is a public good that is strongest when the public is given the ability to contribute. A key component to receiving cybersecurity help from the public is to establish a formal policy that describes the activities that can be undertaken in order to find and report vulnerabilities in a legally authorized manner. Such policies enable federal agencies to remediate vulnerabilities before they can be exploited by an adversary – to immense public benefit.

CISA explained

  • A vulnerability is a “[w]eakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities are often found in individual software components, in systems comprised of multiple components, or in the interactions between components and systems. They are typically exploited to weaken the security of a system, its data, or its users, with impact to their confidentiality, integrity, or availability. The primary purpose of fixing vulnerabilities is to protect people, maintaining or enhancing their safety, security, and privacy.
  • Vulnerability disclosure is the “act of initially providing vulnerability information to a party that was not believed to be previously aware”. The individual or organization that performs this act is called the reporter.
  • Agencies should recognize that “a reporter or anyone in possession of vulnerability information can disclose or publish the information at any time,” including without prior notice to the agency. Such uncoordinated disclosure could result in exploitation of the vulnerability before the agency has had a chance to address it and could have legal consequences for the reporter as well. A key benefit of a vulnerability disclosure policy is to reduce risk to agency infrastructure and the public by incentivizing coordinated disclosure so there is time to fix the vulnerability before it is publicly known.
  • A VDP is similar to, but distinct from, a “bug bounty.” In bug bounty programs, organizations pay for valid and impactful findings of certain types of vulnerabilities in their systems or products. A financial reward can incentivize action and may attract people who might not otherwise look for vulnerabilities. This may also result in a higher number of reports or an increase in low-quality submissions. Organizations engaged in bug bounties will frequently use third-party platforms and service vendors to assist in managing and triaging bug reports. Bug bounties may be offered to the general public or may only be offered to select researchers or those who meet certain criteria. While bug bounties can enhance security, this directive does not require agencies to establish bug bounty programs.

Late last year, OMB and CISA released draft vulnerability disclosure documents for comment from stakeholders: A Request for Comments on Improving Vulnerability Identification, Management, and Remediation and a draft Binding Operational Directive (BOD).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by methodshop from Pixabay