FCC Denies Trump Administration’s Request To Block Ligado

The FCC denies the NTIA petition, but language in the FY 2021 NDAA all but pauses the project.

Earlier this month, the Trump Administration’s Federal Communications Commission (FCC) denied the petition to stay submitted by the National Telecommunications and Information Administration (NTIA) to stop the FCC’s April 2020 decision to let Ligado proceed with “a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz portions of its license in the mobile satellite services (MSS) L-band allocation.”

Ligado and its predecessor have been trying to obtain authorization from the FCC in one form or another for the last 15 years. When the company was finally given the green light last spring, other agencies renewed and their objections even though the had been part of the inter-agency consideration process. Moreover, there were Members of Congress who urged the FCC to rescind the authorization. The objections arose from claims that Ligado’s operation would impair key national security and civilian Global Positioning System (GPS) systems. And, on the basis of these concerns, there is language in a recently enacted law that will function to block the FCC and Ligado from proceeding until an independent report is completed.

However, this issue now becomes the responsibility of the Biden Administration. It is not known how the NTIA will proceed, and they conceivably could appeal the FCC’s decision in federal court. Moreover, the caretaker officials at the agency may do just this in order to preserve the option for the Biden Administration officials. Certainly, Members of Congress interested in stopping the FCC and Ligado have been in contact with the Biden team and will seek to draft them into their cause.

The FCC summarized its decision:

We find that the extraordinary equitable relief of a stay is not warranted.  First, NTIA itself argues that the harmful interference issue it raises will not likely arise until after Ligado deploys its network.  Such deployment will not occur for some time and not before the Commission has an opportunity to rule on the Petition for Reconsideration and to reach a determination as to whether NTIA’s claims justify barring this deployment or otherwise modifying its underlying order.  Thus, there is no need to issue a stay at this time to prevent any irreparable harm that NTIA claims will occur.  Second, based on the record, we conclude that NTIA is unlikely to succeed on the merits.  Its claim is based primarily on an argument that the Order departed from the Commission’s established approach to evaluating harmful interference concerns, a claim belied by the words of the Order itself.  To the extent NTIA contends that the Commission should use the specific 1 dB metric and approach specifically advocated by DOT and others, the Commission addressed that contention in detail in the Order.  To the extent NTIA in its Stay Petition is seeking to support its request for a stay based on providing new data or additional testing that NTIA had not previously provided in the record of this proceeding, this argument is unlikely to succeed on the merits based on its untimeliness.  Finally, the balance of the equities favors denial of a stay, in light of the tangible harm to Ligado from a stay and the public interest in finally bringing its terrestrial service to market. 

In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including GPS, are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Then Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DOD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable,  opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

Also in April, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

In early May 2020, the NTIA, a component agency of the Department of Commerce, filed two petitions with the FCC) asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argue the order would allow Ligado to set up a system that would interfere with the Department of Defense’s (DOD) GPS and civilian federal agency applications of GPS as well.

The NTIA stated in its press release that it “petitioned the FCC to reconsider its Order and Authorization that conditionally granted license modification applications filed by Ligado Networks LLC…[that] permits Ligado to provide terrestrial wireless services that threaten to harm federal government users of the Global Positioning System (GPS) along with a variety of other public and private stakeholders.”

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of Department of Defense (DOD) and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

NTIA made the following arguments in its petition:

  • The Ligado Order failed to adequately consider and give appropriate weight to important and valid executive branch concerns about harmful interference to GPS.
  • None of Ligado’s latest mitigation proposals, nor the conditions based on them, have been tested or evaluated by any independent party…[and] [a] more scientific way of resolving these technical disputes could be accomplished through further joint FCC-executive branch or independent testing based on Ligado’s actual network and base station parameters.
  • The license conditions imposed on Ligado will not adequately mitigate the risk of harmful interference to federal GPS devices, will shift the burden of fixing such interference to federal users, and are otherwise impractical for addressing actual impacts to national security systems. In light of the large number of federal GPS devices that potentially would be impacted by Ligado’s network, the FCC conditions, even if modified, will be a high-cost, time consuming effort for Ligado and federal agencies. As written, the condition requiring the repair or replacement of government receivers, is impractical, infeasible, and potentially illegal.

In June, Ligado filed its response to the NTIAs petitions to stay and have the FCC reconsider its order allowing the company to move forward with its satellite-terrestrial wireless network. The company argued the NTIA’s petitions rehash the same arguments heard and rejected by the FCC over the course of the nearly decade long proceeding, do not argue that an injury has occurred because Ligado is not yet operating, and is contrary to the public interest by delaying the rollout of 5G.

Ligado argued

  • First, NTIA is unlikely to prevail on the merits of its Petition for Reconsideration. The 72-page Order was the culmination of the Commission’s “extensive review of the record” generated during a comprehensive, multi-year proceeding, in which NTIA actively participated. In light of the ample notice and opportunity to comment that the Commission provided NTIA, its complaints regarding process are meritless and not a basis for reconsidering the Order. NTIA’s substantive arguments, which merely reiterate arguments that the Commission has already meticulously considered and rejected regarding alleged harmful interference with GPS devices, fare no better.
  • Second,  NTIA  effectively  concedes  that  it  will  suffer  no  imminent  irreparable  injury—meaning  “proof”  of  irreparable  injury  that  “is  certain  to  occur  in  the  near  future.” NTIA admits  that Ligado’s system will not become operational for a period as long as eighteen months. Putting aside  that  NTIA’s  alleged  injuries  are  contrary  to  the  extensive  record,  even  on  NTIA’s  own  theory those injuries would only occur after Ligado’s network commences operations, and so by definition  those  purported  injuries  are  not  “certain  to  occur  in  the  near  future.”
  • Third and finally, issuance of a stay would harm both Ligado and the public interest. A stay would needlessly hamper Ligado’s ability to make progress on important preliminary work items that are necessary to deploy the spectrum for 5G and have long lead times. Moreover, the Commission has explained that Ligado’s network will provide extensive benefits to the public, by unlocking the benefits of advanced communications technologies for customers and businesses, including 5G. A stay would thus unnecessarily delay the “significant public interest benefits associated with Ligado’s proposed ATC network and deployment.”

As mentioned, a recently enacted law will effectively block Ligado. There are provisions in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) barring the DOD to use funds to assist companies in mitigating any harmful interference from the operation of Ligado. Moreover, the DOD must contract for a study on any negative effects:

[The DOD] shall seek to enter into an agreement with the National Academies of Sciences, Engineering, and Medicine for the National Academies… carry out an independent technical review of the Order and Authorization adopted by the Federal Communications Commission on April 19, 2020 (FCC 20-48), to the extent that such Order and Authorization affects the devices, operations, or activities of the Department of Defense.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by AR on Unsplash

Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (12 January 2021)

Further Reading

  • Biden’s NSC to focus on global health, climate, cyber and human rights, as well as China and Russia” By Karen DeYoung — The Washington Post. Like almost every incoming White House, the Biden team has announced a restructuring of the National Security Council (NSC) to better effectuate the President-elect’s policy priorities. To not surprise, the volume on cybersecurity policy will be turned up. Other notable change is plans to take “cross-cutting” approaches to issues that will likely meld foreign and domestic and national security and civil issues, meaning there could be a new look on offensive cyber operations, for example. It is possible President Biden decides to put the genie back in the bottle, so to speak, by re-imposing an interagency decision-making process as opposed to the Trump Administration’s approach of delegating discretion to the National Security Agency/Cyber Command head. Also, the NSC will focus on emerging technology, a likely response to the technology arms race the United States finds itself in against the People’s Republic of China.
  • Exclusive: Pandemic relief aid went to media that promoted COVID misinformation” By Caitlin Dickson — yahoo! news. The consulting firm Alethea Group and the nonprofit Global Disinformation Index are claiming the COVID stimulus Paycheck Protection Program (PPP) provided loans and assistance to five firms that “were publishing false or misleading information about the pandemic, thus profiting off the infodemic” according to an Alethea Group vice president. This report follows an NBC News article claiming that 14 white supremacist and racist organizations have also received PPP loans. The Alethea Group and Global Disinformation Index named five entities who took PPP funds and kept spreading pandemic misinformation: Epoch Media Group, Newsmax Media, The Federalist, Liftable Media, and Prager University.
  • Facebook shuts Uganda accounts ahead of vote” — France24. The social media company shuttered a number of Facebook and Instagram accounts related to government officials in Uganda ahead of an election on account of “Coordinated Inauthentic Behaviour” (CIB). This follows the platform shutting down accounts related to the French Army and Russia seeking to influence events in Africa. These and other actions may indicate the platform is starting to pay the same attention to the non-western world as at least one former employee has argued the platform was negligent at best and reckless at worst in not properly resourcing efforts to police CIB throughout the Third World.
  • China tried to punish European states for Huawei bans by adding eleventh-hour rule to EU investment deal” By Finbarr Bermingham — South China Morning Post. At nearly the end of talks on a People’s Republic of China (PRC)-European Union (EU) trade deal, PRC negotiators tried slipping in language that would have barred entry to the PRC’s cloud computing market to any country or company from a country that restricts Huawei’s services and products. This is alternately being seen as either standard Chinese negotiating tactics or an attempt to avenge the thwarting of the crown jewel in its telecommunications ambitions.
  • Chinese regulators to push tech giants to share consumer credit data – sources” By Julie Zhu — Reuters. Ostensibly in a move to better manage the risks of too much unsafe lending, tech giants in the People’s Republic of China (PRC) will soon need to share data on consumer loans. It seems inevitable that such data will be used by Beijing to further crack down on undesirable people and elements within the PRC.
  • The mafia turns social media influencer to reinforce its brand” By Miles Johnson — The Financial Times. Even Italy’s feared ’Ndrangheta is creating and curating a social media presence.

Other Developments

  • President Donald Trump signed an executive order (EO) that bans eight applications from the People’s Republic of China on much the same grounds as the EOs prohibiting TikTok and WeChat. If this EO is not rescinded by the Biden Administration, federal courts may block its implementation as has happened with the TikTok and WeChat EOs to date. Notably, courts have found that the Trump Administration exceeded its authority under the International Emergency Economic Powers Act (IEEPA), which may also be an issue in the proposed prohibition on Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office. Trump found:
    • that additional steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain).  Specifically, the pace and pervasiveness of the spread in the United States of certain connected mobile and desktop applications and other software developed or controlled by persons in the People’s Republic of China, to include Hong Kong and Macau (China), continue to threaten the national security, foreign policy, and economy of the United States.  At this time, action must be taken to address the threat posed by these Chinese connected software applications.
    • Trump directed that within 45 days of issuance of the EO, there shall be a prohibition on “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with persons that develop or control the following Chinese connected software applications, or with their subsidiaries, as those transactions and persons are identified by the Secretary of Commerce (Secretary) under subsection (e) of this section: Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.”
  • The Government Accountability Office (GAO) issued its first statutorily required annual assessment of how well the United States Department of Defense (DOD) is managing its major information technology (IT) procurements. The DOD spent more than $36 billion of the $90 billion the federal government was provided for IT in FY 2020. The GAO was tasked with assessing how well the DOD did in using iterative development, managing costs and schedules, and implementing cybersecurity measures. The GAO found progress in the first two realms but a continued lag in deploying long recommended best practices to ensure the security of the IT the DOD buys or builds. Nonetheless, the GAO focused on 15 major IT acquisitions that qualify as administrative (i.e. “business”) and communications and information security (i.e. “non-business.”) While there were no explicit recommendations made, the GAO found:
    • Ten of the 15 selected major IT programs exceeded their planned schedules, with delays ranging from 1 month for the Marine Corps’ CAC2S Inc 1 to 5 years for the Air Force’s Defense Enterprise Accounting and Management System-Increment 1.
    • …eight of the 10 selected major IT programs that had tested their then-current technical performance targets reported having met all of their targets…. As of December 2019, four programs had not yet conducted testing activities—Army’s ACWS, Air Force’s AFIPPS Inc 1, Air Force’s MROi, and Navy ePS. Testing data for one program, Air Force’s ISPAN Inc 4, were classified.
    • …officials from the 15 selected major IT programs we reviewed reported using software development approaches that may help to limit risks to cost and schedule outcomes. For example, major business IT programs reported using COTS software. In addition, most programs reported using an iterative software development approach and using a minimum deployable product. With respect to cybersecurity practices, all the programs reported developing cybersecurity strategies, but programs reported mixed experiences with respect to conducting cybersecurity testing. Most programs reported using operational cybersecurity testing, but less than half reported conducting developmental cybersecurity testing. In addition, programs that reported conducting cybersecurity vulnerability assessments experienced fewer increases in planned program costs and fewer schedule delays. Programs also reported a variety of challenges associated with their software development and cybersecurity staff.
    • 14 of the 15 programs reported using an iterative software development approach which, according to leading practices, may help reduce cost growth and deliver better results to the customer. However, programs also reported using an older approach to software development, known as waterfall, which could introduce risk for program cost growth because of its linear and sequential phases of development that may be implemented over a longer period of time. Specifically, two programs reported using a waterfall approach in conjunction with an iterative approach, while one was solely using a waterfall approach.
    • With respect to cybersecurity, programs reported mixed implementation of specific practices, contributing to program risks that might impact cost and schedule outcomes. For example, all 15 programs reported developing cybersecurity strategies, which are intended to help ensure that programs are planning for and documenting cybersecurity risk management efforts.
    • In contrast, only eight of the 15 programs reported conducting cybersecurity vulnerability assessments—systematic examinations of an information system or product intended to, among other things, determine the adequacy of security measures and identify security deficiencies. These eight programs experienced fewer increases in planned program costs and fewer schedule delays relative to the programs that did not report using cybersecurity vulnerability assessments.
  • The United States (U.S.) Department of Energy gave notice of a “Prohibition Order prohibiting the acquisition, importation, transfer, or installation of specified bulk-power system (BPS) electric equipment that directly serves Critical Defense Facilities (CDFs), pursuant to Executive Order 13920.” (See here for analysis of the executive order.) The Department explained:
    • Executive Order No. 13920 of May 1, 2020, Securing the United States Bulk-Power System (85 FR 26595 (May 4, 2020)) (E.O. 13920) declares that threats by foreign adversaries to the security of the BPS constitute a national emergency. A current list of such adversaries is provided in a Request for Information (RFI), issued by the Department of Energy (Department or DOE) on July 8, 2020 seeking public input to aid in its implementation of E.O. 13920. The Department has reason to believe, as detailed below, that the government of the People’s Republic of China (PRC or China), one of the listed adversaries, is equipped and actively planning to undermine the BPS. The Department has thus determined that certain BPS electric equipment or programmable components subject to China’s ownership, control, or influence, constitute undue risk to the security of the BPS and to U.S. national security. The purpose of this Order is to prohibit the acquisition, importation, transfer, or subsequent installation of such BPS electric equipment or programmable components in certain sections of the BPS.
  • The United States’ (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) added the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corporation (SMIC) to its Entity List in a move intended to starve the company of key U.S. technology needed to manufacture high end semiconductors. Therefore, any U.S. entity wishing to do business with SMIC will need a license which the Trump Administration may not be likely to grant. The Department of Commerce explained in its press release:
    • The Entity List designation limits SMIC’s ability to acquire certain U.S. technology by requiring U.S. exporters to apply for a license to sell to the company.  Items uniquely required to produce semiconductors at advanced technology nodes—10 nanometers or below—will be subject to a presumption of denial to prevent such key enabling technology from supporting China’s military-civil fusion efforts.
    • BIS also added more than sixty other entities to the Entity List for actions deemed contrary to the national security or foreign policy interest of the United States.  These include entities in China that enable human rights abuses, entities that supported the militarization and unlawful maritime claims in the South China Sea, entities that acquired U.S.-origin items in support of the People’s Liberation Army’s programs, and entities and persons that engaged in the theft of U.S. trade secrets.
    • As explained in the Federal Register notice:
      • SMIC is added to the Entity List as a result of China’s military-civil fusion (MCF) doctrine and evidence of activities between SMIC and entities of concern in the Chinese military industrial complex. The Entity List designation limits SMIC’s ability to acquire certain U.S. technology by requiring exporters, reexporters, and in-country transferors of such technology to apply for a license to sell to the company. Items uniquely required to produce semiconductors at advanced technology nodes 10 nanometers or below will be subject to a presumption of denial to prevent such key enabling technology from supporting China’s military modernization efforts. This rule adds SMIC and the following ten entities related to SMIC: Semiconductor Manufacturing International (Beijing) Corporation; Semiconductor Manufacturing International (Tianjin) Corporation; Semiconductor Manufacturing International (Shenzhen) Corporation; SMIC Semiconductor Manufacturing (Shanghai) Co., Ltd.; SMIC Holdings Limited; Semiconductor Manufacturing South China Corporation; SMIC Northern Integrated Circuit Manufacturing (Beijing) Co., Ltd.; SMIC Hong Kong International Company Limited; SJ Semiconductor; and Ningbo Semiconductor International Corporation (NSI).
  • The United States’ (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) amended its Export Administration Regulations “by adding a new ‘Military End User’ (MEU) List, as well as the first tranche of 103 entities, which includes 58 Chinese and 45 Russian companies” per its press release. The Department asserted:
    • The U.S. Government has determined that these companies are ‘military end users’ for purposes of the ‘military end user’ control in the EAR that applies to specified items for exports, reexports, or transfers (in-country) to the China, Russia, and Venezuela when such items are destined for a prohibited ‘military end user.’
  • The Australia Competition and Consumer Commission (ACCC) rolled out another piece of the Consumer Data Right (CDR) scheme under the Competition and Consumer Act 2010, specifically accreditation guidelines “to provide information and guidance to assist applicants with lodging a valid application to become an accredited person” to whom Australians may direct data holders share their data. The ACCC explained:
    • The CDR aims to give consumers more access to and control over their personal data.
    • Being able to easily and efficiently share data will improve consumers’ ability to compare and switch between products and services and encourage competition between service providers, leading to more innovative products and services for consumers and the potential for lower prices.
    • Banking is the first sector to be brought into the CDR.
    • Accredited persons may receive a CDR consumer’s data from a data holder at the request and consent of the consumer. Any person, in Australia or overseas, who wishes to receive CDR data to provide products or services to consumers under the CDR regime, must be accredited
  • Australia’s government has released its “Data Availability and Transparency Bill 2020” that “establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests” according to the summary provided in Parliament by the government’s point person. In the accompanying “Explanatory Memorandum,” the following summary was provided:
    • The Bill establishes a new data sharing scheme which will serve as a pathway and regulatory framework for sharing public sector data. ‘Sharing’ involves providing controlled access to data, as distinct from open release to the public.
    • To oversee the scheme and support best practice, the Bill creates a new independent regulator, the National Data Commissioner (the Commissioner). The Commissioner’s role is modelled on other regulators such as the Australian Information Commissioner, with whom the Commissioner will cooperate.
    • The data sharing scheme comprises the Bill and disallowable legislative instruments (regulations, Minister-made rules, and any data codes issued by the Commissioner). The Commissioner may also issue non-legislative guidelines that participating entities must have regard to, and may release other guidance as necessary.
    • Participants in the scheme are known as data scheme entities:
      • Data custodians are Commonwealth bodies that control public sector data, and have the right to deal with that data.
      • Accredited users are entities accredited by the Commissioner to access to public sector data. To become accredited, entities must satisfy the security, privacy, infrastructure and governance requirements set out in the accreditation framework.
      • Accredited data service providers (ADSPs) are entities accredited by the Commissioner to perform data services such as data integration. Government agencies and users will be able to draw upon ADSPs’ expertise to help them to share and use data safely.
    • The Bill does not compel sharing. Data custodians are responsible for assessing each sharing request, and deciding whether to share their data if satisfied the risks can be managed.
    • The data sharing scheme contains robust safeguards to ensure sharing occurs in a consistent and transparent manner, in accordance with community expectations. The Bill authorises data custodians to share public sector data with accredited users, directly or through an ADSP, where:
      • Sharing is for a permitted purpose – government service delivery, informing government policy and programs, or research and development;
      • The data sharing principles have been applied to manage the risks of sharing; and
      • The terms of the arrangement are recorded in a data sharing agreement.
    • Where the above requirements are met, the Bill provides limited statutory authority to share public sector data, despite other Commonwealth, State and Territory laws that prevent sharing. This override of non-disclosure laws is ‘limited’ because it occurs only when the Bill’s requirements are met, and only to the extent necessary to facilitate sharing.
  • The United Kingdom’s Competition and Markets Authority’s (CMA) is asking interested parties to provide input on the proposed acquisition of British semiconductor company by a United States (U.S.) company before it launches a formal investigation later this year. However, CMA is limited to competition considerations, and any national security aspects of the proposed deal would need to be investigated by Prime Minister Boris Johnson’s government. CMA stated:
    • US-based chip designer and producer NVIDIA Corporation (NVIDIA) plans to purchase the Intellectual Property Group business of UK-based Arm Limited (Arm) in a deal worth $40 billion. Arm develops and licenses intellectual property (IP) and software tools for chip designs. The products and services supplied by the companies support a wide range of applications used by businesses and consumers across the UK, including desktop computers and mobile devices, game consoles and vehicle computer systems.
    • CMA added:
      • The CMA will look at the deal’s possible effect on competition in the UK. The CMA is likely to consider whether, following the takeover, Arm has an incentive to withdraw, raise prices or reduce the quality of its IP licensing services to NVIDIA’s rivals.
  • The Israeli firm, NSO Group, has been accused by an entity associated with a British university of using real-time cell phone data to sell its COVID-19 contact tracing app, Fleming, in ways that may have broken the laws of a handful of nations. Forensic Architecture,  a research agency, based at Goldsmiths, University of London, argued:
    • In March 2020, with the rise of COVID-19, Israeli cyber-weapons manufacturer NSO Group launched a contact-tracing technology named ‘Fleming’. Two months later, a database belonging to NSO’s Fleming program was found unprotected online. It contained more than five hundred thousand datapoints for more than thirty thousand distinct mobile phones. NSO Group denied there was a security breach. Forensic Architecture received and analysed a sample of the exposed database, which suggested that the data was based on ‘real’ personal data belonging to unsuspecting civilians, putting their private information in risk
    • Forensic Architecture added:
      • Leaving a database with genuine location data unprotected is a serious violation of the applicable data protection laws. That a surveillance company with access to personal data could have overseen this breach is all the more concerning.
      • This could constitute a violation of the General Data Protection Regulation (GDPR) based on where the database was discovered as well as the laws of the nations where NSO Group allegedly collected personal data
    • The NSO Group denied the claims and was quoted by Tech Crunch:
      • “We have not seen the supposed examination and have to question how these conclusions were reached. Nevertheless, we stand by our previous response of May 6, 2020. The demo material was not based on real and genuine data related to infected COVID-19 individuals,” said an unnamed spokesperson. (NSO’s earlier statement made no reference to individuals with COVID-19.)
      • “As our last statement details, the data used for the demonstrations did not contain any personally identifiable information (PII). And, also as previously stated, this demo was a simulation based on obfuscated data. The Fleming system is a tool that analyzes data provided by end users to help healthcare decision-makers during this global pandemic. NSO does not collect any data for the system, nor does NSO have any access to collected data.”

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Judith Scharnowski from Pixabay

Further Reading, Other Development, and Coming Events (4 January 2021)

Further Reading

  • Microsoft Says Russian Hackers Viewed Some of Its Source Code” By Nicole Perlroth — The New York Times. The Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack keeps growing and growing with Microsoft admitting its source code was viewed through an employee account. It may be that authorized Microsoft resellers were one of the vectors by which the SVR accessed SolarWinds, FireEye, and ultimately a number of United States (U.S.) government agencies. Expect more revelations to come about the scope and breadth of entities and systems the SVR compromised.
  • In 2020, we reached peak Internet. Here’s what worked — and what flopped.” By Geoffrey Fowler — The Washington Post. The newspaper’s tech columnist reviews the technology used during the pandemic and what is likely to stay with us when life returns to some semblance of normal.
  • Facebook Says It’s Standing Up Against Apple For Small Businesses. Some Of Its Employees Don’t Believe It.” By Craig Silverman and Ryan Mac — BuzzFeed News. Again, two of the best-sourced journalists when it comes to Facebook have exposed employee dissent within the social media and advertising giant, and this time over the company’s advertising blitz positioning it as the champion of small businesses that allegedly stand to be hurt when Apple rolls out iOS 14 that will allow users to block the type of tracking across apps and the internet Facebook thrives on. The company’s PR campaign stands in contrast to the anecdotal stories about errors that harmed and impeded small companies in using Facebook to advertise and sell products and services to cusstomers.
  • SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?” By Tim Starks — cyberscoop. This piece previews possible and likely inevitable litigation to follow from the SolarWinds hack, including possible securities action on the basis of fishy dumps of stock by executive, breach of contract, and negligence for failing to patch and address vulnerabilities in a timely fashion. Federal and state regulators will probably get on the field, too. But this will probably take years to play out as Home Depot settled claims arising from its 2014 breach with state attorneys general in November 2020.
  • The Tech Policies the Trump Administration Leaves Behind” By Aaron Boyd — Nextgov. A look back at the good, the bad, and the ugly of the Trump Administration’s technology policies, some of which will live on in the Biden Administration.

Other Developments

  • In response to the SolarWinds hack, the Federal Bureau of Investigation (FBI), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) issued a joint statement indicating that the process established in Pursuant to Presidential Policy Directive (PPD) 41, an Obama Administration policy has been activated and a Cyber Unified Coordination Group (UCG) has been formed “to coordinate a whole-of-government response to this significant cyber incident.” The agencies explained “[t]he UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities.”
    • In PPD-41 it is explained that a UCG “shall serve as the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.” Moreover, “[t]he Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities.”
  • Following the completion of its “in-depth” investigation, the European Commission (EC) cleared Google’s acquisition of Fitbit with certain conditions, removing a significant hurdle for the American multinational in buying the wearable fitness tracker company. In its press release, the EC explained that after its investigation, “the Commission had concerns that the transaction, as initially notified, would have harmed competition in several markets.” To address and allay concerns, Google bound itself for ten years to a set of commitments that can be unilaterally extended by the EC and will be enforced, in part, by the appointment of a trustee to oversee compliance.
    • The EC was particularly concerned about:
      • Advertising: By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to that of Fitbit. By increasing the already vast amount of data that Google could use for the personalisation of ads, it would be more difficult for rivals to match Google’s services in the markets for online search advertising, online display advertising, and the entire “ad tech” ecosystem. The transaction would therefore raise barriers to entry and expansion for Google’s competitors for these services to the detriment of advertisers, who would ultimately face higher prices and have less choice.
      • Access to Web Application Programming Interface (‘API’) in the market for digital healthcare: A number of players in this market currently access health and fitness data provided by Fitbit through a Web API, in order to provide services to Fitbit users and obtain their data in return. The Commission found that following the transaction, Google might restrict competitors’ access to the Fitbit Web API. Such a strategy would come especially at the detriment of start-ups in the nascent European digital healthcare space.
      • Wrist-worn wearable devices: The Commission is concerned that following the transaction, Google could put competing manufacturers of wrist-worn wearable devices at a disadvantage by degrading their interoperability with Android smartphones.
    • As noted, Google made a number of commitments to address competition concerns:
      • Ads Commitment:
        • Google will not use for Google Ads the health and wellness data collected from wrist-worn wearable devices and other Fitbit devices of users in the EEA, including search advertising, display advertising, and advertising intermediation products. This refers also to data collected via sensors (including GPS) as well as manually inserted data.
        • Google will maintain a technical separation of the relevant Fitbit’s user data. The data will be stored in a “data silo” which will be separate from any other Google data that is used for advertising.
        • Google will ensure that European Economic Area (‘EEA’) users will have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).
      • Web API Access Commitment:
        • Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent.
      • Android APIs Commitment:
        • Google will continue to license for free to Android original equipment manufacturers (OEMs) those public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone. Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS. To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
        • It is not possible for Google to circumvent the Android API commitment by duplicating the core interoperability APIs outside the Android Open Source Project (AOSP). This is because, according to the commitments, Google has to keep the functionalities afforded by the core interoperability APIs, including any improvements related to the functionalities, in open-source code in the future. Any improvements to the functionalities of these core interoperability APIs (including if ever they were made available to Fitbit via a private API) also need to be developed in AOSP and offered in open-source code to Fitbit’s competitors.
        • To ensure that wearable device OEMs have also access to future functionalities, Google will grant these OEMs access to all Android APIs that it will make available to Android smartphone app developers including those APIs that are part of Google Mobile Services (GMS), a collection of proprietary Google apps that is not a part of the Android Open Source Project.
        • Google also will not circumvent the Android API commitment by degrading users experience with third party wrist-worn devices through the display of warnings, error messages or permission requests in a discriminatory way or by imposing on wrist-worn devices OEMs discriminatory conditions on the access of their companion app to the Google Play Store.
  • The United States (U.S.) Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has proposed a major rewrite of the regulations governing medical privacy in the U.S. As the U.S. lacks a unified privacy regime, the proposed changes would affect on those entities in the medical sector subject to the regime, which is admittedly many such entities. Nevertheless, it is almost certain the Biden Administration will pause this rulemaking and quite possibly withdraw it should it prove crosswise with the new White House’s policy goals.
    • HHS issued a notice of proposed rulemaking “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).”
      • HHS continued:
        • The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).
        • The proposals in this NPRM support the Department’s Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management –or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
    • In a press release, OCR asserted:
      • The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
  • The Federal Trade Commission (FTC) has used its powers to compel selected regulated entities to provide requested information in asking that “nine social media and video streaming companies…provide data on how they collect, use, and present personal information, their advertising and user engagement practices, and how their practices affect children and teens.” The TFTC is using its Section 6(b) authority to compel the information from Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. Failure to respond can result in the FTC fining a non-compliant entity.
    • The FTC claimed in its press release it “is seeking information specifically related to:
      • how social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
      • how they determine which ads and other content are shown to consumers;
      • whether they apply algorithms or data analytics to personal information;
      • how they measure, promote, and research user engagement; and
      • how their practices affect children and teens.
    • The FTC explained in its sample order:
      • The Commission is seeking information concerning the privacy policies, procedures, and practices of Social Media and Video Streaming Service providers, Including the method and manner in which they collect, use, store, and disclose Personal Information about consumers and their devices. The Special Report will assist the Commission in conducting a study of such policies, practices, and procedures.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) supplemented its Emergency Directive 21-01 to federal civilian agencies in response to the Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack via SolarWinds. In an 18 December update, CISA explained:
    • This section provides additional guidance on the implementation of CISA Emergency Directive (ED) 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.
    •  In a 30 December update, CISA stated:
      • Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
  • Australia’s Attorney-General’s Department published an unclassified version of the four volumes of the “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community,” an “examination of the legislative framework underpinning the National Intelligence Community (NIC)…the first and largest since the Hope Royal Commissions considered the Australian Intelligence Community (AIC) in the 1970s and 1980s.” Ultimately, the authors of the report concluded:
    • We do not consider the introduction of a common legislative framework, in the form of a single Act governing all or some NIC agencies, to be a practical, pragmatic or proportionate reform. It would be unlikely that the intended benefits of streamlining and simplifying NIC legislation could be achieved due to the diversity of NIC agency functions—from intelligence to law enforcement, regulatory and policy—and the need to maintain differences in powers, immunities and authorising frameworks. The Review estimates that reform of this scale would cost over $200million and take up to 10years to complete. This would be an impractical and disproportionate undertaking for no substantial gain. In our view, the significant costs and risks of moving to a single, consolidated Act clearly outweigh the limited potential benefits.
    • While not recommending a common legislative framework for the entire NIC, some areas of NIC legislation would benefit from simplification and modernisation. We recommend the repeal of the TIA Act, Surveillance Devices Act 2004(SD Act) and parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), and their replacement with a single new Act governing the use of electronic surveillance powers—telecommunications interception, covert access to stored communications, computers and telecommunications data, and the use of optical, listening and tracking devices—under Commonwealth law.
  • The National Institute of Standards and Technology (NIST) released additional materials to supplement a major rewrite of a foundational security guidance document. NIST explained “[n]ew supplemental materials for NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, are available for download to support the December 10, 2020 errata release of SP 800-53 and SP 800-53B, Control Baselines for Information Systems and Organizations.” These supplemental materials include:
    • A comparison of the NIST SP 800-53 Revision 5 controls and control enhancements to Revision 4. The spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes.  Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
    • Mapping of the Appendix J Privacy Controls (Revision 4) to Revision 5. The spreadsheet supports organizations using the privacy controls in Appendix J of SP 800-53 Revision 4 that are transitioning to the integrated control catalog in Revision 5.
    • Mappings between NIST SP 800-53 and other frameworks and standards. The mappings provide organizations a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging the mappings, it is important to consider the intended scope of each publication and how each publication is used; organizations should not assume equivalency based solely on the mapping tables because mappings are not always one-to-one and there is a degree of subjectivity in the mapping analysis.
  • Via a final rule, the Department of Defense (DOD) codified “the National Industrial Security Program Operating Manual (NISPOM) in regulation…[that] establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders (hereinafter referred to as contractors) to prevent unauthorized disclosure.” The DOD stated “[i]n addition to adding the NISPOM to the Code of Federal Regulations (CFR), this rule incorporates the requirements of Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” The DOD stated “SEAD 3 requires reporting by all contractor cleared personnel who have been granted eligibility for access to classified information.”
    • The DOD added “[t]his NISPOM rule provides for a single nation-wide implementation plan which will, with this rule, include SEAD 3 reporting by all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility, such as reporting of foreign travel and foreign contacts.”
    • The DOD explained “NISP Cognizant Security Agencies (CSAs) shall conduct an analysis of such reported activities to determine whether they pose a potential threat to national security and take appropriate action.”
    • The DOD added that “the rule also implements the provisions of Section 842 of Public Law 115-232, which removes the requirement for a covered National Technology and Industrial Base (NTIB) entity operating under a special security agreement pursuant to the NISP to obtain a national interest determination as a condition for access to proscribed information.”
  • An advisory committee housed at the United States (U.S.) Department of Homeland Security (DHS) is calling for the White House to quickly “operationalize intelligence in a classified space with senior executives and cyber experts from most critical entities in the energy, financial services, and communications sectors working directly with intelligence analysts and other government staff.” In their report, the President’s National Infrastructure Advisory Council (NIAC) proposed the creation of a Critical Infrastructure Command Center (CICC) to “provid[e] real-time collaboration between government and industry…[and] take direct action and provide tactical solutions to mitigate, remediate,  and deter threats.” NIAC urged the President to “direct relevant federal agencies to support the private sector in executing the concept, including identifying the required government staff…[and] work with Congress to ensure the appropriate authorities are established to allow the CICC to fully realize its operational functionality.” NIAC recommended “near-term actions to implement the CICC concept:
    • 1.The President should direct the relevant federal agencies to support the private sector in rapidly standing up the CICC concept with the energy, financial services, and communications sectors:
      • a. Within 90 days the private sector will identify the executives who will lead execution of the CICC concept and establish governing criteria (including membership, staffing and rotation, and other logistics).
      • b. Within 120 days the CICC sector executives will identify and assign the necessary CICC staff from the private sector.
      • c. Within 90 days an appropriate venue to house the operational component will be identified and the necessary agreements put in place.
    • 2. The President should direct the Intelligence Community and other relevant government agencies to identify and co-locate the required government staff counterparts to enable the direct coordination required by the CICC. This staff should be pulled from the IC, SSAs, and law enforcement.
    • 3. The President, working with Congress, should establish the appropriate authorities and mission for federal agencies to directly share intelligence with critical infrastructure companies, along with any other authorities required for the CICC concept to be fully successful (identified in Appendix A).
    • 4. Once the CICC concept is fully operational (within 180 days), the responsible executives should deliver a report to the NSC and the NIAC demonstrating how the distinct capabilities of the CICC have been achieved and the impact of the capabilities to date. The report should identify remaining gaps in resources, direction, or authorities.

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by opsa from Pixabay

FY 2021 Omnibus and COVID Stimulus Become Law

The end-of-the-year funding package for FY 2021 is stuffed with technology policy changes.

At the tail end of the calendar year 2020, Congress and the White House finally agreed on FY 2021 appropriations and further COVID-19 relief funding and policies, much of which implicated or involved technology policy. As is often the practice, Congressional stakeholders used the opportunity of must-pass legislation as the vehicle for other legislation that perhaps could not get through a chamber of Congress or surmount the now customary filibuster in the Senate.

Congress cleared the “Consolidated Appropriations Act, 2021” (H.R.133) on 21 December 2020, but President Donald Trump equivocated on whether to sign the package, in part, because it did not provide for $2,000 in aid to every American, a new demand at odds with the one his negotiators worked out with House Democrats and Senate Republicans. Given this disparity, it seems more likely Trump made an issue of the $2,000 assistance to draw attention from a spate of controversial pardons issued to Trump allies and friends. Nonetheless, Trump ultimately signed the package on 27 December.

As one of the only bills or set of bills to annually pass Congress, appropriations acts are often the means by which policy and programmatic changes are made at federal agencies through the ability of the legislative branch to condition the use of such funds as are provided. This year’s package is different only in that it contains much more in the way of ride-along legislation than the average omnibus. In fact, there are hundreds, perhaps even more than 1,000 pages of non-appropriations legislation, some that pertains to technology policy. Moreover, with an additional supplemental bill attached to the FY 2021 omnibus also carries significant technology funding and programming.

First, we will review FY 2021 funding and policy for key U.S. agencies, then discuss COVID-19 related legislation, and then finally all the additional legislation Congress packed into the omnibus.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) would receive $2.025 billion, a bare $9 million increase above FY 2020 with significant reordering of how the agency may spend its funds:

  • The agreement includes a net increase of $224,178,000 above the budget request. This includes $226,256,000 above the request to maintain current services, and $54,516,000 in enhancements that are described in more detail below. Assumed in the current services level of funding are several rejections of proposed reductions to prior year initiatives and the inclusion of necessary annualizations to sustain them, such as: $35,606,000 for threat analysis and response; $5,507,000 for soft targets and crowded places security, including school safety and best practices; $6,852,000 for bombing prevention activities, including the train-the-trainer programs; and $67,371,000 to fully fund the Chemical Facility Anti-Terrorism Standards program. The agreement includes the following reductions below the budget request: $6,937,000 for personnel cost adjustments; $2,500,000 of proposed increases to the CyberSentry program; $11,354,000 of proposed increases for the Vulnerability Management program; $2,000,000 of proposed increases to the Cybersecurity Quality Service Management Office (QSMO); $6,500,000 of proposed increases for cybersecurity advisors; and $27,303,000 for the requested increase for protective security advisors. Of the total amount provided for this account, $22,793,000 is available until September 30, 2022, for the National Infrastructure Simulation Analysis Center.

The FY 2021 omnibus requires of CISA the following:

  • Financial Transparency and Accountability.-The Cybersecurity and Infrastructure Security Agency (CISA) is directed to submit the fiscal year 2022 budget request at the same level of PP A detail provided in the table at the end of this report with no further adjustments to the PP A structure. Further, CISA shall brief the Committees not later than 45 days after the date of enactment of this Act and quarterly thereafter on: a spend plan; detailed hiring plans with a delineation of each mission critical occupation (MCO); procurement plans for all major investments to include projected spending and program schedules and milestones; and an execution strategy for each major initiative. The hiring plan shall include an update on CISA’s hiring strategy efforts and shall include the following for each MCO: the number of funded positions and FTE within each PP A; the projected and obligated funding; the number of actual onboard personnel as of the date of the plan; and the hiring and attrition projections for the fiscal year.
  • Cyber Defense Education and Training (CDET).-The agreement includes $29,457,000 for CISA’s CDET programs, an increase of$20,607,000 above the request that is described in further detail below. Efforts are underway to address the shortage of qualified national cybersecurity professionals in the current and future cybersecurity workforce. In order to move forward with a comprehensive plan for a cybersecurity workforce development effort, the agreement includes $10,000,000 above the request to enhance cybersecurity education and training and programs to address the national shortfall of cybersecurity professionals, including activities funded through the use of grants or cooperative agreements as needed in order to fully comply with congressional intent. CISA should consider building a higher education consortium of colleges and universities, led by at least one academic institution with an extensive history of education, research, policy, and outreach in computer science and engineering disciplines; existing designations as a land-grant institution with an extension role; a center of academic excellence in cyber security operations; a proven track record in hosting cyber corps programs; a record of distinction in research cybersecurity; and extensive experience in offering distance education programs and outreach with K-12 programs. The agreement also includes $4,300,000 above the request for the Cybersecurity Education and Training Assistance Program (CETAP), which was proposed for elimination, and $2,500,000 above the request to further expand and initiate cybersecurity education programs, including CETAP, which improve education delivery methods for K-12 students, teachers, counselors and post-secondary institutions and encourage students to pursue cybersecurity careers.
  • Further, the agreement includes $2,500,000 above the request to support CISA’s role with the National Institute of Standards and Technology, National Initiative for Cybersecurity Education Challenge project or for similar efforts to address shortages in the cybersecurity workforce through the development of content and curriculum for colleges, universities, and other higher education institutions.
  • Lastly, the agreement includes $800,000 above the request for a review of CISA’s program to build a national cybersecurity workforce. CISA is directed to enter into a contract for this review with the National Academy of Public Administration, or a similar non-profit organization, within 45 days of the date of enactment of this Act. The review shall assess: whether the partnership models under development by CISA are positioned to be effective and scalable to address current and anticipated needs for a highly capable cybersecurity workforce; whether other existing partnership models, including those used by other agencies and private industry, could usefully augment CISA’s strategy; and the extent to which CISA’s strategy has made progress on workforce development objectives, including excellence, scale, and diversity. A report with the findings of the review shall be provided to the Committees not later than 270 days after the date of enactment of this Act.
  • Cyber QSMO.-To help improve efforts to make strategic cybersecurity services available to federal agencies, the agreement provides $1,514,000 above the request to sustain and enhance prior year investments. As directed in the House report and within the funds provided, CISA is directed to work with the Management Directorate to conduct a crowd-sourced security testing program that uses technology platforms and ethical security researchers to test for vulnerabilities on departmental systems. In addition, not later than 90 days after the date of enactment of this Act, CISA is directed to brief the Committees on opportunities for state and local governments to leverage shared services provided through the Cyber QSMO or a similar capability and to explore the feasibility of executing a pilot program focused on this goal.
  • Cyber Threats to Critical Election Infrastructure.-The briefing required in House Report 116–458 regarding CISA’s efforts related to the 2020 elections shall be delivered not later than 60 days after the date of enactment of this Act. CISA is directed to continue working with SL TT stakeholders to implement election security measures.
  • Cybersecurity Worliforce.-By not later than September 30, 2021, CISA shall provide a joint briefing, in conjunction with the Department of Commerce and other appropriate federal departments and agencies, on progress made to date on each recommendation put forth in Executive Order 13800 and the subsequent “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce” report.
  • Hunt and Incident Response Teams.-The agreement includes an increase of $3,000,000 above fiscal year 2020 funding levels to expand CISA’s threat hunting capabilities.
  • Joint Cyber Planning Office (JCPO).-The agreement provides an increase of $10,568,000 above the request to establish a JCPO to bring together federal and SLTT governments, industry, and international partners to strategically and operationally counter nation-state cyber threats. CISA is directed to brief the Committees not later than 60 days after the date of enactment of this Act on a plan for establishing the JCPO, including a budget and hiring plan; a description of how JCPO will complement and leverage other CISA capabilities; and a strategy for partnering with the aforementioned stakeholders.
  • Multi-State Information Sharing and Analysis Center (MS-ISAC).-The agreement provides $5,148,000 above the request for the MS-ISAC to continue enhancements to SLTT election security support, and furthers ransomware detection and response capabilities, including endpoint detection and response, threat intelligence platform integration, and malicious domain activity blocking.
  • Software Assurance Tools.-Not later than 90 days after the date of enactment of this Act, CISA, in conjunction with the Science and Technology Directorate, is directed to brief the Committees on their collaborative efforts to transition cyber-related research and development initiatives into operational tools that can be used to provide continuous software assurance. The briefing should include an explanation for any completed projects and activities that were not considered viable for practice or were considered operationally self-sufficient. Such briefing shall include software assurance projects, such as the Software Assurance Marketplace.
  • Updated Lifecycle Cost Estimates.–CISA is directed to provide a briefing, not later than 60 days after the date of enactment of this Act, regarding the Continuous Diagnostics and Mitigation (COM) and National Cybersecurity Protection System (NCPS) program lifecycles. The briefing shall clearly describe the projected evolution of both programs by detailing the assumptions that have changed since the last approved program cost and schedule baseline, and by describing the plans to address such changes. In addition, the briefing shall include an analysis of alternatives for aligning vulnerability management, incident response, and NCPS capabilities. Finally, CISA is directed to provide a report not later than 120 days after the date of enactment of this Act with updated five-year program costs and schedules which is congruent with projected capability gaps across federal civilian systems and networks.
  • Vulnerability Management.-The agreement provides $9,452,000 above fiscal year 2020 levels to continue reducing the 12-month backlog in vulnerability assessments. The agreement also provides an increase of $8,000,000 above the request to address the increasing number of identified and reported vulnerabilities in the software and hardware that operates critical infrastructure. This investment will improve capabilities to identify, analyze, and share information about known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.

There are a pair of provisions aimed at the People’s Republic of China (PRC) in Division B (i.e. the FY 2021 Commerce-Justice-Science Appropriations Act):

  • Section 514 prohibits funds for acquisition of certain information systems unless the acquiring department or agency has reviewed and assessed certain risks. Any acquisition of such an information system is contingent upon the development of a risk mitigation strategy and a determination that the acquisition is in the national interest. Each department or agency covered under section 514 shall submit a quarterly report to the Committees on Appropriations describing reviews and assessments of risk made pursuant to this section and any associated findings or determinations.
  • Section 526 prohibits the use of funds by National Aeronautics and Space Administration (NASA), Office of Science and Technology Policy (OSTP), or the National Space Council (NSC) to engage in bilateral activities with China or a Chinese-owned company or effectuate the hosting of official Chinese visitors at certain facilities unless the activities are authorized by subsequent legislation or NASA, OSTP, or NSC have made a certification…

The National Institute of Standards and Technology (NIST) is asked with a number of duties, most of which relate to current or ongoing efforts in artificial intelligence (AI), cybersecurity, and the Internet of Things:

  • Artificial Intelligence (Al). -The agreement includes no less than $6,500,000 above the fiscal year 2020 level to continue NIST’s research efforts related to AI and adopts House language on Data Characterization Standards in Al. House language on Framework for Managing AI Risks is modified to direct NIST to establish a multi-stakeholder process for the development of an Al Risk Management Framework regarding the reliability, robustness, and trustworthiness of Al systems. Further, within 180 days of enactment of this Act, NIST shall establish the process by which it will engage with stakeholders throughout the multi-year framework development process.
  • Cybersecurity.-The agreement includes no less than the fiscal year 2020 enacted level for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence (NCCoE) and the National Initiative for Cybersecurity Education (NICE). Within the funds provided, the agreement encourages NIST to establish additional NICE cooperative agreements with regional alliances and multi-stakeholder partnerships for cybersecurity workforce and education.
  • Cybersecurity of Genomic Data.-The agreement includes no less than $1,250,000 for NIST and NCCoE to initiate a use case, in collaboration with industry and academia, to research the cybersecurity of personally identifiable genomic data, with a particular focus on better securing deoxyribonucleic acid sequencing techniques, including clustered regularly interspaced short palindromic repeat (CRISPR) technologies, and genomic data storage architectures from cyber threats. NIST and NCCoE should look to partner with entities who have existing capability to research and develop state-of-the-art cybersecurity technologies for the unique needs of genomic and biomedical-based systems.
  • Industrial Internet of Things (IIoT).-The agreement includes no less than the fiscal year 2020 enacted amount for the continued development of an IloT cybersecurity research initiative and to partner, as appropriate, with academic entities and industry to improve the sustainable security of IloT devices in industrial settings.

NIST would receive a modest increase in funding from $1.034 billion to $1.0345 billion from the last fiscal year to the next.

The National Telecommunications and Information Administration (NTIA) would be provided $45.5 million and “the agreement provides (1) up to $7,500,000 for broadband mapping in coordination with the Federal Communications Commission (FCC); (2) no less than the fiscal year 2020 enacted amount for Broadband Programs; (3) $308,000 for Public Safety Communications; and (4) no less than $3,000,000 above the fiscal year 2020 enacted level for Advanced Communications Research.” The agency’s funding for FY 2021 is higher than the last fiscal year at a bit more than $40 million but far less than the Trump Administration’s request of more than $70 million.

Regarding NTIA programmatic language, the bill provides:

  • Further, the agreement directs the additional funds for Advanced Communications Research be used to procure and maintain cutting-edge equipment for research and testing of the next generation of communications technologies, including 5G, as well as to hire staff as needed. The agreement further encourages NTIA to improve the deployment of 5G and spectrum sharing through academic partnerships to accelerate the development of low-cost sensors. For fiscal year 2021, NTIA is directed to follow prior year report language, included in Senate Report 116-127 and adopted in Public Law 116-93, on the following topics: Federal Spectrum Management, Spectrum Management for Science, and the Internet Corporation for Assigned Names and Numbers (ICANN).
  • Spectrum Management System.-The agreement encourages NTIA and the Department to consider alternative proposals to fully fund the needed upgrades to its spectrum management system, including options outside of direct appropriations, and is directed to brief the Committees regarding possible alternative options no later than 90 days after enactment of this Act.
  • Next Generation Broadband in Rural Areas.-NTIA is encouraged to ensure that deployment of last-mile broadband infrastructure is targeted to areas that are currently unserved or underserved, and to utilize public-private partnerships and projects where Federal funding will not exceed 50 percent of a project’s total cost where practicable.
  • National Broadband Map Augmentation.-NTIA is directed to engage with rural and Tribal communities to further enhance the accuracy of the national broadband availability map. NTIA should include in its fiscal year 2022 budget request an update on rural-and Tribal-related broadband availability and access trends, challenges, and Federal actions to achieve equitable access to broadband services in currently underserved communities throughout the Nation. Furthermore, NTIA is encouraged, in coordination with the FCC, to develop and promulgate a standardized process for collecting data from State and local partners.
  • Domain Name Registration.-NTIA is directed, through its position within the Governmental Advisory Committee to work with ICANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.

The Federal Trade Commission (FTC) would receive $351 million, an increase of $20 million over FY 2020. The final bill includes this policy provision for the FTC to heed:

  • Resources for Data Privacy and Security. -The agreement urges the FTC to conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees within 180 days of enactment of this Act.

The Federal Communications Commission (FCC) would see a larger increase in funding for agency operations than the FTC, going from $339 million in FY 2020 to $374 million in FY 2021. However, $33 million of the increase is earmarked for implementing the “Broadband DATA Act” (P.L.116-130) along with the $65 million in COVID-19 supplemental funding for the same purpose. The FY 2021 omnibus directs the FCC on a range of policy issues:

  • Broadband Maps.-In addition to adopting the House report language on Broadband Maps, the agreement provides substantial dedicated resources for the FCC to implement the Broadband DATA Act. The FCC is directed to submit a report to the Committees on Appropriations within 90 days of enactment of this Act providing a detailed spending plan for these resources. In addition, the FCC, in coordination with the NTIA, shall outline the specific roles and responsibilities of each agency as it relates to the National Broadband Map and implementation of the Broadband DATA Act. The FCC is directed to report in writing to the Committees every 30 days on the date, amount, and purpose of any new obligation made for broadband mapping and any updates to the broadband mapping spending plan.
  • Lifeline Service. In lieu of the House report language on Lifeline Service, the agreement notes recent action by the FCC to partially waive its rules updating the Lifeline program’s minimum service standard for mobile broadband usage in light of the large increase to the standard that would have gone into effect on Dec. I, 2020, and the increased reliance by Americans on mobile broadband as a result of the pandemic. The FCC is urged to continue to balance the Lifeline program’s goals of accessibility and affordability.
  • 5G Fund and Rural America.-The agreement remains concerned about the feasible deployment of 5G in rural America. Rural locations will likely run into geographic barriers and infrastructure issues preventing the robust deployment of 5G technology, just as they have faced with 4G. The FCC’s proposed 5G Fund fails to provide adequate details or a targeted spend plan on creating seamless coverage in the most rural parts of the Nation. Given these concerns, the FCC is directed to report in writing on: (1) its current and future plans fix prioritizing deployment of 4G coverage in rural areas, (2) its plans for 5G deployment in rural areas, and (3) its plan for improving the mapping and long-term tracking of coverage in rural areas.
  • 6 Gigahertz. -As the FCC has authorized unlicensed use of the 6 gigahertz band, the agreement expects the Commission to ensure its plan does not result in harmful interference to incumbent users or impact critical infrastructure communications systems. The agreement is particularly concerned about the potential effects on the reliability of the electric transmission and distribution system. The agreement expects the FCC to ensure any mitigation technologies are rigorously tested and found to be effective in order to protect the electric transmission system. The FCC is directed to provide a report to the Committees within 90 days of enactment of this Act on its progress in ensuring rigorous testing related to unlicensed use of the 6 gigahertz band. Rural Broadband-The agreement remains concerned that far too many Americans living in rural and economically disadvantaged areas lack access to broadband at speeds necessary to fully participate in the Internet age. The agreement encourages the agency to prioritize projects in underserved areas, where the infrastructure to be installed provides access at download and upload speeds comparable to those available to Americans in urban areas. The agreement encourages the FCC to avoid efforts that could duplicate existing networks and to support deployment of last-mile broadband infrastructure to underserved areas. Further, the agreement encourages the agency to prioritize projects financed through public-private partnerships.
  • Contraband Cell Phones. -The agreement notes continued concern regarding the exploitation of contraband cell phones in prisons and jails nationwide. The agreement urges the FCC to act on the March 24, 2017 Further Notice of Proposed Rulemaking regarding combating contraband wireless devices. The FCC should consider all legally permissible options, including the creation, or use, of “quiet or no service zones,” geolocation-based denial, and beacon technologies to geographically appropriate correctional facilities. In addition, the agreement encourages the FCC to adopt a rules-based approach to cellphone disabling that would require immediate disabling by a wireless carrier upon proper identification of a contraband device. The agreement recommends that the FCC move forward with its suggestion in the Fiscal Year 2019 report to this Committee, noting that “additional field testing of jamming technology will provide a better understanding of the challenges and costs associated with the proper deployment of jamming system.” The agreement urges the FCC to use available funds to coordinate rigorous Federal testing of jamming technology and coordinate with all relevant stakeholders to effectively address this urgent problem.
  • Next-Generation Broadband Networks/or Rural America-Deployment of broadband and telecommunications services in rural areas is imperative to support economic growth and public safety. However, due to geographical challenges facing mobile connectivity and fiber providers, connectivity in certain areas remains challenging. Next generation satellite-based technology is being developed to deliver direct satellite to cellular capability. The FCC is encouraged to address potential regulatory hurdles, to promote private sector development and implementation of innovative, next generation networks such as this, and to accelerate broadband and telecommunications access to all Americans.

$635 million is provided for a Department of Agriculture rural development pilot program, and he Secretary will need to explain how he or she will use authority provided in the last farm bill to expand broadband:

  • The agreement provides $635,000,000 to support the ReConnect pilot program to increase access to broadband connectivity in unserved rural communities and directs the Department to target grants and loans to areas of the country with the largest broadband coverage gaps. These projects should utilize technology that will maximize coverage of broadband with the most benefit to taxpayers and the rural communities served. The agreement notes stakeholder concerns that the ReConnect pilot does not effectively recognize the unique challenges and opportunities that different technologies, including satellite, provide to delivering broadband in noncontiguous States or mountainous terrain and is concerned that providing preference to 100 mbps symmetrical service unfairly disadvantages these communities by limiting the deployment of other technologies capable of providing service to these areas.
  • The Agriculture Improvement Act of 2018 (Public Law 115-334) included new authorities for rural broadband programs that garnered broad stakeholder support as well as bipartisan, bicameral agreement in Congress. Therefore, the Secretary is directed to provide a report on how the Department plans to utilize these authorities to deploy broadband connectivity to rural communities.

In Division M of the package, the “Coronavirus Response and Relief Supplemental Appropriations Act, 2021,” there are provisions related to broadband policy and funding. The bill created a $3.2 billion program to help low-income Americans with internet service and buying devices for telework or distance education. The “Emergency Broadband Benefit Program” is established at the FCC, “under which eligible households may receive a discount of up to $50, or up to $75 on Tribal lands, off the cost of internet service and a subsidy for low-cost devices such as computers and tablets” according to a House Appropriations Committee summary. This funding is far short of what House Democrats wanted. And yet, this program aims to help those on the wrong side of the digital divide during the pandemic.

Moreover, this legislation also establishes two grant programs at the NTIA, designed to help provide broadband on tribal lands and in rural areas. $1 billion is provided for the former and $300 million for the latter with the funds going to tribal and state and local governments to obtain services from private sector providers. The $1 billion for tribal lands allows for greater flexibility in what the funds are ultimately spent on with the $320 million for underserved rural areas being restricted to broadband deployment. Again, these funds are aimed at bridging the disparity in broadband service exposed and exacerbated during the pandemic.

Congress also provided funds for the FCC to reimburse smaller telecommunications providers in removing and replacing risky telecommunications equipment from the People’s Republic of China (PRC). Following the enactment of the “Secure and Trusted Communications Networks Act of 2019” (P.L.116-124) that codified and added to a FCC regulatory effort to address the risks posed by Huawei and ZTE equipment in United States (U.S.) telecommunications networks, there was pressure in Congress to provide the funds necessary to help carriers meet the requirements of the program. The FY 2021 omnibus appropriates $1.9 billion for this program. In another but largely unrelated tranche of funding, the aforementioned $65 million given to the FCC to undertake the “Broadband DATA Act.”

Division Q contains text similar to the “Cybersecurity and Financial System Resilience Act of 2019” (H.R.4458) that would require “the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration to annually report on efforts to strengthen cybersecurity by the agencies, financial institutions they regulate, and third-party service providers.”

Division U contains two bills pertaining to technology policy:

  • Title I. The AI in Government Act of 2020. This title codifies the AI Center of Excellence within the General Services Administration to advise and promote the efforts of the federal government in developing innovative uses of artificial intelligence (AI) and competency in the use of AI in the federal government. The section also requires that the Office of Personnel Management identify key skills and competencies needed for federal positions related to AI and establish an occupational series for positions related to AI.
  • Title IX. The DOTGOV Act. This title transfers the authority to manage the .gov internet domain from the General Services Administration to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The .gov internet domain shall be available to any Federal, State, local, or territorial government entity, or other publicly controlled entity, subject to registration requirements established by the Director of CISA and approved by the Director of the Office of Management and Budget.

Division W is the FY 2021 Intelligence Authorization Act with the following salient provisions:

  • Section 323. Report on signals intelligence priorities and requirements. Section 323 requires the Director of National Intelligence (DNI) to submit a report detailing signals intelligence priorities and requirements subject to Presidential Policy Directive-28 (PPD-28) that stipulates “why, whether, when, and how the United States conducts signals intelligence activities.” PPD-28 reformed how the National Security Agency (NSA) and other Intelligence Community (IC) agencies conducted signals intelligence, specifically collection of cellphone and internet data, after former NSA contractor Edward Snowden exposed the scope of the agency’s programs.
  • Section 501. Requirements and authorities to improve education in science, technology, engineering, arts, and mathematics. Section 501 ensures that the Director of the Central Intelligence Agency (CIA) has the legal authorities required to improve the skills in science, technology, engineering, arts, and mathematics (known as STEAM) necessary to meet long-term national security needs. Section 502. Seedling investment in next-generation microelectronics in support of artificial intelligence. Section 502 requires the DNI, acting through the Director of the Intelligence Advanced Research Projects Activity, to award contracts or grants, or enter into other transactions, to encourage microelectronics research.
  • Section 601. Report on attempts by foreign adversaries to build telecommunications and cybersecurity equipment and services for, or to provide them to, certain U.S. Section 601 requires the CIA, NSA, and DIA to submit a joint report that describes the United States intelligence sharing and military posture in Five Eyes countries that currently have or intend to use adversary telecommunications or cybersecurity equipment, especially as provided by China or Russia, with a description of potential vulnerabilities of that information and assessment of mitigation options.
  • Section 602. Report on foreign use of cyber intrusion and surveillance technology. Section 602 requires the DNI to submit a report on the threats posed by foreign governments and foreign entities using and appropriating commercially available cyber intrusion and other surveillance technology.
  • Section 603. Reports on recommendations of the Cyberspace Solarium Commission. Section 603 requires the ODNI and representatives of other agencies to report to Congress their assessment of the recommendations submitted by the Cyberspace Solarium Commission pursuant to Section 1652(j) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019, and to describe actions that each agency expects to take to implement these recommendations.
  • Section 604. Assessment of critical technology trends relating to artificial intelligence, microchips, and semiconductors and related matters. Section 604 requires the DNI to complete an assessment of export controls related to artificial intelligence (AI), microchips, advanced manufacturing equipment, and other AI-enabled technologies, including the identification of opportunities for further cooperation with international partners.
  • Section 605. Combating Chinese influence operations in the United States and strengthening civil liberties protections. Section 605 provides additional requirements to annual reports on Influence Operations and Campaigns in the United States by the Chinese Communist Party (CCP) by mandating an identification of influence operations by the CCP against the science and technology sector in the United States. Section 605 also requires the FBI to create a plan to increase public awareness of influence activities by the CCP. Finally, section 605 requires the FBI, in consultation with the Assistant Attorney General for the Civil Rights and the Chief Privacy and Civil Liberties Officer of the Department of Justice, to develop recommendations to strengthen relationships with communities targeted by the CCP and to build trust with such communities through local and regional grassroots outreach.
  • Section 606. Annual report on corrupt activities of senior officials of the CCP. Section 606 requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees annually through 2025 a report that describes and assesses the wealth and corruption of senior officials of the CCP, as well as targeted financial measures, including potential targets for sanctions designation. Section 606 further expresses the Sense of Congress that the United States should undertake every effort and pursue every opportunity to expose the corruption and illicit practices of senior officials of the CCP, including President Xi Jinping.
  • Section 607. Report on corrupt activities of Russian and other Eastern European oligarchs. Section 607 requires the CIA, in coordination with the Department of the Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees and the Under Secretary of State for Public Diplomacy, a report that describes the corruption and corrupt or illegal activities among Russian and other Eastern European oligarchs who support the Russian government and Russian President Vladimir Putin, and the impact of those activities on the economy and citizens of Russia. Section 607 further requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis, to describe potential sanctions that could be imposed for such activities. Section 608. Report on biosecurity risk and disinformation by the CCP and the PRC. Section 608 requires the DNI to submit to the designated congressional committees a report identifying whether and how CCP officials and the Government of the People’s Republic of China may have sought to suppress or exploit for national advantage information regarding the novel coronavirus pandemic, including specific related assessments. Section 608 further provides that the report shall be submitted in unclassified form, but may have a classified annex.
  • Section 612. Research partnership on activities of People’s Republic of China. Section 612 requires the Director of the NGA to seek to enter into a partnership with an academic or non-profit research institution to carry out joint unclassified geospatial intelligence analyses of the activities of the People’s Republic of China that pose national security risks to the United States, and to make publicly available unclassified products relating to such analyses.

Division Z would tweak a data center energy efficiency and energy savings program overseen by the Secretary of Energy and the Administrator of the Environmental Protection Agency that could impact the Office of Management and Budget’s (OMB) government-wide program. Specifically, “Section 1003 requires the development of a metric for data center energy efficiency, and requires the Secretary of Energy, Administrator of the Environmental Protection Agency (EPA), and Director of the Office of Management and Budget (OMB) to maintain a data center energy practitioner program and open data initiative for federally owned and operated data center energy usage.” There is also language that would require the U.S. government to buy and use more energy-efficient information technology (IT): “each Federal agency shall coordinate with the Director [of OMB], the Secretary, and the Administrator of the Environmental Protection Agency to develop an implementation strategy (including best-practices and measurement and verification techniques) for the maintenance, purchase, and use by the Federal agency of energy-efficient and energy-saving information technologies at or for facilities owned and operated by the Federal agency, taking into consideration the performance goals.”

Division FF contains telecommunications provisions:

  • Section 902. Don’t Break Up the T-Band Act of 2020. Section 902 repeals the requirement for the FCC to reallocate and auction the 470 to 512megahertz band, commonly referred to as the T-band. In certain urban areas, the T-band is utilized by public-safety entities. It also directs the FCC to implement rules to clarify acceptable expenditures on which 9-1- 1 fees can be spent, and creates a strike force to consider how the Federal Government can end 9-1-1 fee diversion.
  • Section 903. Advancing Critical Connectivity Expands Service, Small Business Resources, Opportunities, Access, and Data Based on Assessed Need and Demand (ACCESS BROADBAND) Act. Section 903 establishes the Office of Internet Connectivity and Growth (Office) at the NTIA. This Office would be tasked with performing certain responsibilities related to broadband access, adoption, and deployment, such as performing public outreach to promote access and adoption of high-speed broadband service, and streamlining and standardizing the process for applying for Federal broadband support. The Office would also track Federal broadband support funds, and coordinate Federal broadband support programs within the Executive Branch and with the FCC to ensure unserved Americans have access to connectivity and to prevent duplication of broadband deployment programs.
  • Section 904. Broadband Interagency Coordination Act. Section 904 requires the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and the Department of Agriculture to enter into an interagency agreement to coordinate the distribution of federal funds for broadband programs, to prevent duplication of support and ensure stewardship of taxpayer dollars. The agreement must cover, among other things, the exchange of information about project areas funded under the programs and the confidentiality of such information. The FCC is required to publish and collect public comments about the agreement, including regarding its efficacy and suggested modifications.
  • Section 905. Beat CHINA for 5G Act of 2020. Section 905 directs the President, acting through the Assistant Secretary of Commerce for Communications and Information, to withdraw or modify federal spectrum assignments in the 3450 to 3550 megahertz band, and directs the FCC to begin a system of competitive bidding to permit non-Federal, flexible-use services in a portion or all of such band no later than December 31, 2021.

Section 905 would countermand the White House’s efforts to auction off an ideal part of spectrum for 5G (see here for analysis of the August 2020 announcement). Congressional and a number of Trump Administration stakeholders were alarmed by what they saw as a push to bestow a windfall on a private sector company in the rollout of 5G.

Title XIV of Division FF would allow the FTC to seek civil fines of more than $43,000 per violation during the duration of the public health emergency arising from the pandemic “for unfair and deceptive practices associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19 or a government benefit related to COVID-19.”

Finally, Division FF is the vehicle for the “American COMPETES Act” that:

directs the Department of Commerce and the FTC to conduct studies and submit reports on technologies including artificial intelligence, the Internet of Things, quantum computing, blockchain, advanced materials, unmanned delivery services, and 3-D printing. The studies include requirements to survey each industry and report recommendations to help grow the economy and safely implement the technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by forcal35 from Pixabay

IC Concedes PATRIOT Act Used To Collect Browsing

The top U.S. intelligence official admits the PATRIOT Act has been used to surveil a website and its visitors. This admission could result in a narrowing of FISA to stop this and related practices.

In a follow-on letter to correct his previous letter the Director of National Intelligence (DNI) acknowledged the Federal Bureau of Investigation (FBI) has indeed used Section 215 of the PATRIOT Act to surveil a website and its users. The Senate came within one vote of adding language to the bill to reauthorize and reform the Foreign Intelligence Surveillance Act (FISA) barring the use of this provision to surveil web browsing and internet search histories. It is possible this revelation will sway the Congress and the Biden Administration to enact such a change when they turn to these and other lapsed FISA authorities next year. At present, FISA reauthorization seems very improbable under the current administration given the President’s animus for the FISA process that was used to surveil the contacts between his 2016 Campaign advisors and Russian intelligence operatives.

DNI John Ratcliffe conceded in a 25 November letter to Senator Ron Wyden (D-OR) that web browsing has been the subject of at least one FISA application and production. Ratcliffe stated “the Department of Justice provided additional information to my office indicating that one of those 61 orders [issued pursuant to applications under Title V of FISA in 2019] resulted in the production of information that could be characterized as information regarding browsing.” He added “[s]pecifically, as relevant to an authorized investigation to obtain foreign intelligence information, the order directed the production of log entries for a single, identified U.S. web page reflecting connections from IP addresses registered in a specified foreign country that occurred during a defined period of time.” Of course, Ratcliffe only referenced searches in 2019, and so, it is an open question as to how many FISA searches authorized under Section 215 authority have been conducted in recent years for web browsing and internet search histories.

In his 20 May letter to the then DNI, Wyden explained:

  • I am writing to inquire whether public reporting on the use of Section 215 of the PATRIOT Act would capture the government’s collection of web browsing and internet searches. As you know, on May 13, 2020, 59 U.S. Senators voted to prohibit this form of warrantless surveillance, reflecting the broad, bipartisan view that it represents a dangerous invasion of Americans’ privacy.
  • There have also been long-standing concerns about the inadequacy of public reporting on the use of Section 215, including whether the data released annually by the DNI adequately captures the extent of the government’s collection activities and its impact on Americans. These concerns are magnified by the lack of clarity as to how the public reporting requirements would apply to web browsing and internet searches.

In a statement to the New York Times, Wyden argued “the DNI has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.” Apparently, Ratcliffe’s follow-on letter was a result of the newspaper’s reporters pressing the DNI on how it was defining web browsing. And yet, Ratcliffe refused to answer other questions about whether these practices occurred before 2019 or in 2020 because his letter is specific only to 2019.

The amendment Wyden referred to was considered earlier this year when the House, Senate, and White House seemed close to a deal to extend Section 215 and two other related surveillance provisions that had lapsed. That amendment would have barred the use of this FISA exception to the Fourth Amendment to surveil search histories, web browsing, location and GPS data. If all Senators had been present and voting, it would have likely been added to the bill, suggesting it will be added when FISA reauthorization is addressed next year. However, a compromise provision in the House was narrower than the Wyden/Daines amendment, which caused Wyden to announce his opposition to that language. Hence, there remains work on finding language acceptable to stakeholders in Congress and the Biden Administration.

In March, the House passed “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not to take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of Intelligence Community (IC) agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e., electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Cater Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to.

Wyden and Senator Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Two weeks later, when the House was gearing up to consider the Senate-amended version of H.R.6172, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language Wyden and Daines proposed that the Senate rejected by one vote to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

It appeared this amendment would be made in order during debate, but opposition from both the left and right in the House and among stakeholders made this untenable. The fact that the Lofgren/Davidson amendment was narrower in that it would only provide this protection to people in the United States whereas the Wyden/Daines amendment would have outright barred the practice under FISA led to opposition on the left. Early on 27 May, Wyden supported this language, but when House Intelligence Committee Chair Adam Schiff (D-CA) suggested that intelligence agencies could continue to collect web browsing and search histories of Americans, Wyden withdrew his support. Thereafter, House Democratic Leadership ultimately decided against allowing this amendment to have a vote. Consequently, the effort to enact a FISA reauthorization collapsed.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by joffi from Pixabay

Further Reading, Other Developments, and Coming Events (15 December)

Further Reading

  • DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign” By Ellen Nakashima and Craig Timberg — The Washington Post; “Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit” By David E. Sanger, Nicole Perlroth and Eric Schmitt — The New York Times; The list of United States (U.S.) government agencies breached by Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), the Russian Federation’s Foreign Intelligence Service, has grown. Now the Department of Homeland Security, Defense, and State and the National Institutes of Health are reporting they have been breached. It is unclear if Fortune 500 companies in the U.S. and elsewhere and U.S. nuclear laboratories were also breached in this huge, sophisticated espionage exploit. It appears the Russians were selective and careful, and these hackers may have only accessed information held on U.S. government systems. And yet, the Trump Administration continues to issue equivocal statements neither denying nor acknowledging the hack, leaving the public to depend on quotes from anonymous officials. Perhaps admitting the Russians hacked U.S. government systems would throw light on Russian interference four years ago, and the President is loath to even contemplate that attack. In contrast, President Donald Trump has made all sorts of wild, untrue claims about vote totals being hacked despite no evidence supporting his assertions. It appears that the declaration of mission accomplished by some agencies of the Trump Administration over no Russian hacking of or interference with the 2020 election will be overshadowed by what may prove the most damaging hack of U.S. government systems ever.
  • Revealed: China suspected of spying on Americans via Caribbean phone networks” By Stephanie Kirchgaessner — The Guardian. This story depends on one source, so take it for what it is worth, but allegedly the People’s Republic of China (PRC) is using vulnerabilities in mobile communications networks to hack into the phones of Americans travelling in the Caribbean. If so, the PRC may be exploiting the same Signaling System 7 (SS7) weaknesses an Israeli firm, Circles, is using to sell access to phones, at least according to a report published recently by the University of Toronto’s Citizen Lab.
  • The Cartel Project | Revealed: The Israelis Making Millions Selling Cyberweapons to Latin America” By Amitai Ziv — Haaretz. Speaking of Israeli companies, the NSO Group among others are actively selling offensive cyber and surveillance capabilities to Central American nations often through practices that may be corrupt.
  • U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists” By Tom McKay and Dhruv Mehrotra — Gizmodo. Israeli firm Cellebrite and competitors are being used in school systems across the United States (U.S.) to access communications on students’ phones. The U.S. Supreme Court caselaw gives schools very wide discretion for searches, and the Fourth Amendment is largely null and void on school grounds.
  • ‘It’s Hard to Prove’: Why Antitrust Suits Against Facebook Face Hurdles” By Mike Issac and Cecilia Kang — The New York Times. The development of antitrust law over the last few decades may have laid an uphill path for the Federal Trade Commission (FTC) and state attorneys general in securing a breakup of Facebook, something that has not happened on a large scale since the historic splintering of AT&T in the early 1980’s.
  • Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps” By Thomas Brewster — Forbes. Turns out Israeli firms are using a feature (or what many would call a bug) in the online advertising system that allows those looking to buy ads to get close to real-time location data from application developers looking to sell advertising space. By putting out a shingle as a Demand Side Platform, it is possible to access reaps of location data, and two Israeli companies are doing just that and offering the service of locating and tracking people using this quirk in online advertising. And this is not just companies in Israel. There is a company under scrutiny in the United States (U.S.) that may have used these practices and then provided location data to federal agencies.

Other Developments

  • The Government Accountability Office (GAO) evaluated the United States’ (U.S.) Department of Defense’s electromagnetic spectrum (EMS) operations found that the DOD’s efforts to maintain EMS superiority over the Russian Federation and the People’s Republic of China (PRC). The GAO concluded:
    • Studies have shown that adversaries of the United States, such as China and Russia, are developing capabilities and strategies that could affect DOD superiority in the information environment, including the EMS. DOD has also reported that loss of EMS superiority could result in the department losing control of the battlefield, as its Electromagnetic Spectrum Operations (EMSO) supports many warfighting functions across all domains. DOD recognizes the importance of EMSO to military operations in actual conflicts and in operations short of open conflict that involve the broad information environment. However, gaps we identified in DOD’s ability to develop and implement EMS-related strategies have impeded progress in meeting DOD’s goals. By addressing gaps we found in five areas—(1) the processes and procedures to integrate EMSO throughout the department, (2) governance reforms to correct diffuse organization, (3) responsibility by an official with appropriate authority, (4) a strategy implementation plan, and (5) activities that monitor and assess the department’s progress in implementing the strategy—DOD can capitalize on progress that it has already made and better support ensuring EMS superiority.
    • The GAO recommended:
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff, as Senior Designated Official of the Electromagnetic Spectrum Operations Cross-Functional Team (CFT), identifies the procedures and processes necessary to provide for integrated defense-wide strategy, planning, and budgeting with respect to joint electromagnetic spectrum operations, as required by the FY19 NDAA. (Recommendation 1)
      • The Secretary of Defense should ensure that the Vice Chairman of the Joint Chiefs of Staff as Senior Designated Official of the CFT proposes EMS governance, management, organizational, and operational reforms to the Secretary. (Recommendation 2)
      • The Secretary of Defense should assign clear responsibility to a senior official with authority and resources necessary to compel action for the long-term implementation of the 2020 strategy in time to oversee the execution of the 2020 strategy implementation plan. (Recommendation 3)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation issues an actionable implementation plan within 180 days following issuance of the 2020 strategy. (Recommendation 4)
      • The Secretary of Defense should ensure that the designated senior official for long-term strategy implementation creates oversight processes that would facilitate the department’s implementation of the 2020 strategy. (Recommendation 5)
  • A forerunner to Apple’s App Store has sued the company, claiming it has monopolized applications on its operating system to the detriment of other parties and done the same with respect to its payment system. The company behind Cydia is arguing that it conceived of and created the first application store for the iPhone, offering a range of programs Apple did not. Cydia is claiming that once Apple understood how lucrative an app store would be, it blocked Cydia and established its own store, the exclusive means through which programs can be installed and used on the iOS. Furthermore, this has enabled Apple to levy 30% of all in-application purchases made, which is allegedly a $50 billion market annually. This is the second high-profile suit this year against Apple. Epic Games, the maker of the popular game, Fortnite, sued Apple earlier this year on many of the same grounds because the company started allowing users to buy directly from it for a 30% discount. Apple responded by removing the game from the App Store, which has blocked players from downloading updated versions. That litigation has just begun. In its complaint, Cydia asserts:
    • Historically, distribution of apps for a specific operating system (“OS”) occurred in a separate and robustly competitive market. Apple, however, began coercing users to utilize no other iOS app distribution service but the App Store, coupling it closer and closer to the iPhone itself in order to crowd out all competition. But Apple did not come up with this idea initially—it only saw the economic promise that iOS app distribution represented after others, like [Cydia], demonstrated that value with their own iOS app distribution products/services. Faced with this realization, Apple then decided to take that separate market (as well as the additional iOS app payment processing market described herein) for itself.
    • Cydia became hugely popular by offering a marketplace to find and obtain third party iOS applications that greatly expanded the capabilities of the stock iPhone, including games, productivity applications, and audio/visual applications such as a video recorder (whereas the original iPhone only allowed still cameraphotos). Apple subsequently took many of these early third party applications’ innovations, incorporating them into the iPhone directly or through apps.
    • But far worse than simply copying others’ innovations, Apple also recognized that it could reap enormous profits if it cornered this fledgling market for iOS app distribution, because that would give Apple complete power over iOS apps, regardless of the developer. Apple therefore initiated a campaign to eliminate competition for iOS app distribution altogether. That campaign has been successful and continues to this day. Apple did (and continues to do) so by, inter alia, tying the App Store app to iPhone purchases by preinstalling it on all iOS devices and then requiring it as the default method to obtain iOS apps, regardless of user preference for other alternatives; technologically locking down the iPhone to prevent App Store competitors like Cydia from even operating on the device; and imposing contractual terms on users that coerce and prevent them from using App Store competitors. Apple has also mandated that iOS app developers use it as their sole option for app payment processing (such as in-app purchases), thus preventing other competitors, such as Cydia, from offering the same service to those developers.
    • Through these and other anticompetitive acts, Apple has wrongfully acquired and maintained monopoly power in the market (or aftermarket) for iOS app distribution, and in the market (or aftermarket) for iOS app payment processing. Apple has frozen Cydia and all other competitors out of both markets, depriving them of the ability to compete with the App Store and to offer developers and consumers better prices, better service, and more choice. This anticompetitive conduct has unsurprisingly generated massive profits and unprecedented market capitalization for Apple, as well as incredible market power.
  • California is asking to join antitrust suit against Google filed by the United States Department of Justice (DOJ) and eleven state attorneys general. This antitrust action centers on Google’s practices of making Google the default search engine on Android devices and paying browsers and other technology entities to make Google the default search engine. However, a number of states that had initially joined the joint state investigation of Google have opted not to join this action and will instead be continuing to investigate, signaling a much broader case than the one filed in the United States District Court for the District of Columbia. In any event, if the suit does proceed, and a change in Administration could result in a swift change in course, it may take years to be resolved. Of course, given the legion leaks from the DOJ and state attorneys general offices about the pressure U.S. Attorney General William Barr placed on staff and attorneys to bring a case before the election, there is criticism that rushing the case may result in a weaker, less comprehensive action that Google may ultimately fend off.
    • And, there is likely to be another lawsuit against Google filed by other state attorneys general. A number of attorneys general who had orginally joined the effort led by Texas Attorney General Ken Paxton in investigating Google released a statement at the time the DOJ suit was filed, indicating their investigation would continue, presaging a different, possibly broader lawsuit that might also address Google’s role in other markets. The attorneys general of New York, Colorado, Iowa, Nebraska, North Carolina, Tennessee, and Utah did not join the case that was filed but may soon file a related but parallel case. They stated:
      • Over the last year, both the U.S. DOJ and state attorneys general have conducted separate but parallel investigations into Google’s anticompetitive market behavior. We appreciate the strong bipartisan cooperation among the states and the good working relationship with the DOJ on these serious issues. This is a historic time for both federal and state antitrust authorities, as we work to protect competition and innovation in our technology markets. We plan to conclude parts of our investigation of Google in the coming weeks. If we decide to file a complaint, we would file a motion to consolidate our case with the DOJ’s. We would then litigate the consolidated case cooperatively, much as we did in the Microsoft case.
  • France’s Commission nationale de l’informatique et des libertés (CNIL) handed down multi-million Euro fines on Google and Amazon for putting cookies on users’ devices. CNIL fined Google a total of €100 million and Amazon €35 million because its investigation of both entities determined “when a user visited [their] website, cookies were automatically placed on his or her computer, without any action required on his or her part…[and] [s]everal of these cookies were used for advertising purposes.”
    • CNIL explained the decision against Google:
      • [CNIL] noticed three breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • When a user visited the website google.fr, several cookies used for advertising purposes were automatically placed on his or her computer, without any action required on his or her part.
        • Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service.
      • Lack of information provided to the users of the search engine google.fr
        • When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”, in front of which were two buttons: “Remind me later” and “Access now”.
        • This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button “Access now”.
        • Therefore, the restricted committee considered that the information provided by the companies did not enable the users living in France either to be previously and clearly informed regarding the deposit of cookies on their computer or, therefore, to be informed of the purposes of these cookies and the available means enabling to refuse them.
      • Partial failure of the « opposition » mechanism
        • When a user deactivated the ad personalization on the Google search by using the available mechanism from the button “Access now”, one of the advertising cookies was still stored on his or her computer and kept reading information aimed at the server to which it is attached.
        • Therefore, the restricted committee considered that the “opposition” mechanism set up by the companies was partially defective, breaching Article 82 of the French Data Protection Act.
    • CNIL explained the case against Amazon:
      • [CNIL] noticed two breaches of Article 82 of the French Data Protection Act:
      • Deposit of cookies without obtaining the prior consent of the user
        • The restricted committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part. Yet, the restricted committee recalled that this type of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.
      • Lack of information provided to the users of the website amazon.fr
        • First, the restricted committee noted that, in the case of a user visiting the website amazon.fr, the information provided was neither clear, nor complete.
        • It considered that the information banner displayed by the company, which was “By using this website, you accept our use of cookies allowing to offer and improve our services. Read More.”, only contained a general and approximate information regarding the purposes of all the cookies placed. In particular, it considered that, by reading the banner, the user could not understand that cookies placed on his or her computer were mainly used to display personalized ads. It also noted that the banner did not explain to the user that it could refuse these cookies and how to do it.
        • Then, the restricted committee noticed that the company’s failure to comply with its obligation was even more obvious regarding the case of users that visited the website amazon.fr after they had clicked on an advertisement published on another website. It underlined that in this case, the same cookies were placed but no information was provided to the users about that.
  • Senator Amy Klobuchar (D-MN) wrote the Secretary of Health and Human Services (HHS), to express “serious concerns regarding recent reports on the data collection practices of Amazon’s health-tracking bracelet (Halo) and to request information on the actions [HHS] is taking to ensure users’ health data is secure.” Klobuchar stated:
    • The Halo is a fitness tracker that users wear on their wrists. The tracker’s smartphone application (app) provides users with a wide-ranging analysis of their health by tracking a range of biological metrics including heartbeat patterns, exercise habits, sleep patterns, and skin temperature. The fitness tracker also enters into uncharted territory by collecting body photos and voice recordings and transmitting this data for analysis. To calculate the user’s body fat percentage, the Halo requires users to take scans of their body using a smartphone app. These photos are then temporarily sent to Amazon’s servers for analysis while the app returns a three-dimensional image of the user’s body, allowing the user to adjust the image to see what they would look like with different percentages of body fat. The Halo also offers a tone analysis feature that examines the nuances of a user’s voice to indicate how the user sounds to others. To accomplish this task, the device has built-in microphones that listen and records a user’s voice by taking periodic samples of speech throughout the day if users opt-in to the feature.
    • Recent reports have raised concerns about the Halo’s access to this extensive personal and private health information. Among publicly available consumer health devices, the Halo appears to collect an unprecedented level of personal information. This raises questions about the extent to which the tracker’s transmission of biological data may reveal private information regarding the user’s health conditions and how this information can be used. Last year, a study by BMJ (formerly the British Medical Journal) found that 79 percent of health apps studied by researchers were found to share user data in a manner that failed to provide transparency about the data being shared. The study concluded that health app developers routinely share consumer data with third-parties and that little transparency exists around such data sharing.
    • Klobuchar asked the Secretary of Health and Human Services Alex Azar II to “respond to the following questions:
      • What actions is HHS taking to ensure that fitness trackers like Halo safeguard users’ private health information?
      • What authority does HHS have to ensure the security and privacy of consumer data collected and analyzed by health tracking devices like Amazon’s Halo?
      • Are additional regulations required to help strengthen privacy and security protections for consumers’ personal health data given the rise of health tracking devices? Why or why not?
      • Please describe in detail what additional authority or resources that the HHS could use to help ensure the security and protection of consumer health data obtained through health tracking devices like the Halo.

Coming Events

  • On 15 December, the Senate Judiciary Committee’s Intellectual Property Subcommittee will hold a hearing titled “The Role of Private Agreements and Existing Technology in Curbing Online Piracy” with these witnesses:
    • Panel I
      • Ms. Ruth Vitale, Chief Executive Officer, CreativeFuture
      • Mr. Probir Mehta, Head of Global Intellectual Property and Trade Policy, Facebook, Inc.
      • Mr. Mitch Glazier, Chairman and CEO, Recording Industry Association of America
      • Mr. Joshua Lamel, Executive Director, Re:Create
    • Panel II
      • Ms. Katherine Oyama, Global Director of Business Public Policy, YouTube
      • Mr. Keith Kupferschmid, Chief Executive Officer, Copyright Alliance
      • Mr. Noah Becker, President and Co-Founder, AdRev
      • Mr. Dean S. Marks, Executive Director and Legal Counsel, Coalition for Online Accountability
  • The Senate Armed Services Committee’s Cybersecurity Subcommittee will hold a closed briefing on Department of Defense Cyber Operations on 15 December with these witnesses:
    • Mr. Thomas C. Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy, Office of the Under Secretary of Defense for Policy
    • Mr. Jeffrey R. Jones, Vice Director, Command, Control, Communications and Computers/Cyber, Joint Staff, J-6
    • Ms. Katherine E. Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment
    • Rear Admiral Jeffrey Czerewko, United States Navy, Deputy Director, Global Operations, J39, J3, Joint Staff
  • The Senate Banking, Housing, and Urban Affairs Committee’s Economic Policy Subcommittee will conduct a hearing titled “US-China: Winning the Economic Competition, Part II” on 16 December with these witnesses:
    • The Honorable Will Hurd, Member, United States House of Representatives;
    • Derek Scissors, Resident Scholar, American Enterprise Institute;
    • Melanie M. Hart, Ph.D., Senior Fellow and Director for China Policy, Center for American Progress; and
    • Roy Houseman, Legislative Director, United Steelworkers (USW).
  • On 17 December the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force will convene for a virtual event, “Partnership in Action: Driving Supply Chain Security.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Naya Shaw from Pexels

Further Reading, Other Developments, and Coming Events (10 December)

Further Reading

  • Social media superspreaders: Why Instagram, not Facebook, will be the real battleground for COVID-19 vaccine misinformation” By Isobel Asher Hamilton — Business Insider. According to one group, COVID-19 anti-vaccination lies and misinformation are proliferating on Instagram despite its parent company’s, Facebook, efforts to find and remove such content. There has been dramatic growth in such content on Instagram, and Facebook seems to be applying COVID-19 standards more loosely on Instagram. In fact, some people kicked off of Facebook for violating that platform’s standards on COVID-19 are still on Instagram spreading the same lies, misinformation, and disinformation. For example, British anti-vaccination figure David Icke was removed from Facebook for making claims that COVID-19 was caused by or related to 5G, but he has a significant following on Instagram.
  • ‘Grey area’: China’s trolling drives home reality of social media war” By Chris Zappone — The Sydney Morning Herald. The same concept that is fueling aggressive cyber activity at a level below outright war has spread to diplomacy. The People’s Republic of China (PRC) has been waging “gray” social media campaigns against a number of Western nations, including Australia, mainly be propagating lies and misinformation. The most recent example is the spreading a fake photo of an Australian soldier appearing to kill an Afghan child. This false material seems designed to distract from the real issues between the two nations arising from clashing policies on trade and human rights. The PRC’s activities do not appear to violate Australia’s foreign interference laws and seem to have left Canberra at a loss as to how to respond effectively.
  • Facebook to start policing anti-Black hate speech more aggressively than anti-White comments, documents show” By Elizabeth Dwoskin, Nitasha Tiku and Heather Kelly — The Washington Post. Facebook will apparently seek to revamp its algorithms to target the types of hate speech that have traditionally targeted women and minority groups. Up until now all attacks were treated equally so that something like “white people suck” would be treated the same way as anti-Semitic content. Facebook has resisted changes for years even though experts and civil rights groups made the case that people of color, women, and LGBTI people endure far more abuse online. There is probably no connection between Facebook’s more aggressive content moderation policies and the advent of a new administration in Washington more receptive to claims that social media platforms allow the abuse of these people.
  • How Joe Biden’s Digital Team Tamed the MAGA Internet” By Kevin Roose — The New York Times. Take this piece with a block of salt. The why they won articles are almost always rife with fallacies, including the rationale that if a candidate won, his or her strategy must have worked. It is not clear that the Biden Campaign’s online messaging strategy of being nice and emphasizing positive values actually beat the Trump Campaign’s “Death Star” so much as the President’s mishandling of the pandemic response and cratering of the economy did him in.
  • Coronavirus Apps Show Promise but Prove a Tough Sell” By Jennifer Valentino-DeVries — The New York Times. It appears the intersection of concerns about private and public sector surveillance from two very different groups has worked to keep down rates of adopting smartphone COVID tracking apps in the United States. There are people wary of private sector practices to hoover up as much data as possible, and others concerned about the government’s surveillance activities. Consequently, many are shunning Google and Apple’s COVID contact tracing apps to the surprise of government, industry, and academia. A pair of studies show resistance to downloading or using such apps even if there are very strong privacy safeguards. This result may well be a foreseeable outcome from U.S. policies that have allowed companies and the security services to collect and use vast quantities of personal information.
  • UAE target of cyber attacks after Israel deal, official says” — Reuters. A top cybersecurity official in the United Arab Emirates claimed his nation’s financial services industries were targeted for cyber attack and implied Iran and affiliated hackers were responsible.

Other Developments

  • President-elect Joe Biden announced his intention to nominate California Attorney General Xavier Becerra to serve as the next Secretary of Health and Human Services (HHS). If confirmed by the Senate, California Governor Gavin Newsom would name Becerra’s successor who would need to continue enforcement of the “California Consumer Privacy Act” (CCPA) (AB 375) while also working towards the transition to the “California Privacy Rights Act” (Proposition 24) approved by California voters last month. The new statute establishes the California Privacy Protection Agency that will assume the Attorney General’s responsibilities regarding the enforcement of California’s privacy laws. However, Becerra’s successor may play a pivotal role in the transition between the two regulators and the creation of the new regulations needed to implement Proposition 24.
  • The Senate approved the nomination of Nathan Simington to be a Commissioner of the Federal Communications Commission (FCC) by a 49-46 vote. Once FCC Chair Ajit Pai steps down, the agency will be left with two Democratic and two Republican Commissioners, pending the Biden Administration’s nominee to fill Pai’s spot. If the Senate stays Republican, it is possible the calculation could be made that a deadlocked FCC is better than a Democratic agency that could revive net neutrality rules among other Democratic and progressive policies. Consequently, Simington’s confirmation may be the first step in a FCC unable to develop substantive policy.
  • Another federal court has broadened the injunction against the Trump Administration’s ban on TikTok to encompass the entirety of the Department of Commerce’s September order meant to stop the usage of the application in the United States (U.S.) It is unclear as to whether the Trump Administration will appeal, and if it should, whether a court would decide the case before the Biden Administration begins in mid-January. The United States Court for the District of Columbia found that TikTok “established that  the government likely exceeded IEEPA’s express limitations as part of an agency action that was arbitrary and capricious” and would likely suffer irreparable harm, making an injunction an appropriate remedy.
  • The United States’ National Security Agency (NSA) “released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector” and provided “mitigation and detection guidance.”
  • The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert, warning that U.S. think tanks are being targeted by “persistent continued cyber intrusions by advanced persistent threat (APT) actors.” The agencies stated “[t]his malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.” CISA and the FBI stated its “guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.” The agencies added:
    • APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.
    • Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.
  • A group of Democratic United States Senators have written the CEO of Alphabet and Google about its advertising policies and how its platforms may have been used to spread misinformation and contribute to voter suppression. Thus far, most of the scrutiny about the 2020 election and content moderation policy has fallen on Facebook and Twitter even though Google-owned YouTube has been flagged as containing the same amount of misinformation. Senators Amy Klobuchar (D-MN) and Mark Warner (D-VA) led the effort and expressed “serious concerns regarding recent reports that Google is profiting from the sale of ads spreading election-related disinformation” to Alphabet and Google CEO Sundar Pichai. Klobuchar, Warner, and their colleagues asserted:
    • Google is also helping organizations spreading election-related disinformation to raise revenue by placing ads on their websites. While Google has some policies in place to prevent the spread of election misinformation, they are not properly enforced and are inadequate. We urge you to immediately strengthen and improve enforcement of your policies on election-related disinformation and voter suppression, reject all ads spreading election-related disinformation, and stop providing advertising services on sites that spread election-related disinformation.
    • …a recent study by the Global Disinformation Index (GDI) found that Google services ads on 145 out of 200 websites GDI examined that publish disinformation. 
    • Similarly, a recent report from the Center for Countering Digital Hate (CCDH) found that Google has been placing ads on websites publishing disinformation designed to undermine elections. In examining just six websites publishing election-related disinformation, CCDH estimates that they receive 40 million visits a month, generating revenue for these sites of up to $3.4 million annually from displaying Google ads. In addition, Google receives $1.6 million from the advertisers’ payments annually.  These sites published stories ahead of the 2020 general election that contained disinformation alleging that voting by mail was not secure, that mail-in voting was being introduced to “steal the election,” and that election officials were “discarding mail ballots.” 
  • A bipartisan group of United States Senators on one committee are urging Congressional leadership to include funding to help telecommunications companies remove and replace Huawei and ZTE equipment and to aid the Federal Communications Commission (FCC) in drafting accurate maps of broadband service in the United States (U.S.). Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS) and a number of his colleagues wrote the leadership of both the Senate and House and argued:
    • we urge you to provide full funding for Public Law 116-124, the Secure and Trusted Communications Networks Act, and Public Law 116-130, the Broadband DATA Act.   
    • Closing the digital divide and winning the race to 5G are critical to America’s economic prosperity and global leadership in technology. However, our ability to connect all Americans and provide access to next-generation technology will depend in large part on the security of our communications infrastructure. The Secure and Trusted Communications Networks Act (“rip and replace”) created a program to help small, rural telecommunications operators remove equipment posing a security threat to domestic networks and replace it with equipment from trusted providers. This is a national security imperative. Fully funding this program is essential to protecting the integrity of our communications infrastructure and the future viability of our digital economy at large.
    • In addition to safeguarding the security of the nation’s communications systems, developing accurate broadband maps is also critically important. The United States faces a persistent digital divide, and closing this divide requires accurate maps that show where broadband is available and where it is not. Current maps overstate broadband availability, which prevents many underserved communities, particularly in rural areas, from receiving the funds needed to build or expand broadband networks to millions of unconnected Americans. Fully funding the Broadband DATA Act will ensure more accurate broadband maps and better stewardship over the millions of dollars the federal government awards each year to support broadband deployment. Without these maps, the government risks overbuilding existing networks, duplicating funding already provided, and leaving communities unserved.  
  • The Government Accountability Office (GAO) released an assessment of 5G policy options that “discusses (1) how the performance goals and expected uses are to be realized in U.S. 5Gwireless networks; (2) the challenges that could affect the performance or usage of 5G wireless networks in the U.S.; and (3) policy options to address these challenges.” The report had been requested by the chairs and ranking members of the House Armed Services, Senate Armed Services, Senate Intelligence, and House Intelligence Committees along with other Members. The GAO stated “[w]hile 5G is expected to deliver significantly improved network performance and greater capabilities, challenges may hinder the performance or usage of 5G technologies in the U.S. We grouped the challenges into the following four categories:
    • availability and efficient use of spectrum
    • security of 5G networks
    • concerns over data privacy
    • concerns over possible health effects
    • The GAO presented the following policy options along with opportunities and considerations for each:
      • Spectrum-Sharing Technologies Opportunities:
        • Could allow for more efficient use of the limited spectrum available for 5G and future generations of wireless networks.
        • It may be possible to leverage existing5G testbeds for testing the spectrum sharing technologies developed through applied research.
      • Spectrum-Sharing Technologies Considerations:
        • Research and development is costly, must be coordinated and administered, and its potential benefits are uncertain. Identifying a funding source, setting up the funding mechanism, or determining which existing funding streams to reallocate will require detailed analysis.
      • Coordinated Cybersecurity Monitoring Opportunities:
        • A coordinated monitoring program would help ensure the entire wireless ecosystem stays knowledgeable about evolving threats, in close to real time; identify cybersecurity risks; and allow stakeholders to act rapidly in response to emerging threats or actual network attacks.
      • Coordinated Cybersecurity Monitoring Considerations:
        • Carriers may not be comfortable reporting incidents or vulnerabilities, and determinations would need to be made about what information is disclosed and how the information will be used and reported.
      • Cybersecurity Requirements Opportunities
        • Taking these steps could produce a more secure network. Without a baseline set of security requirements the implementation of network security practices is likely to be piecemeal and inconsistent.
        • Using existing protocols or best practices may decrease the time and cost of developing and implementing requirements.
      • Cybersecurity Requirements Considerations
        • Adopting network security requirements would be challenging, in part because defining and implementing the requirements would have to be done on an application-specific basis rather than as a one-size-fits-all approach.
        • Designing a system to certify network components would be costly and would require a centralized entity, be it industry-led or government-led.
      • Privacy Practices Considerations
        • Development and adoption of uniform privacy practices would benefit from existing privacy practices that have been implemented by states, other countries, or that have been developed by federal agencies or other organizations.
      • Privacy Practices Opportunities
        • Privacy practices come with costs, and policymakers would need to balance the need for privacy with the direct and indirect costs of implementing privacy requirements. Imposing requirements can be burdensome, especially for smaller entities.
      • High-band Research Opportunities
        • Could result in improved statistical modeling of antenna characteristics and more accurately representing propagation characteristics.
        • Could result in improved understanding of any possible health effects from long-term radio frequency exposure to high-band emissions.
      • High-band Research Considerations
        • Research and development is costly and must be coordinated and administered, and its potential benefits are uncertain. Policymakers will need to identify a funding source or determine which existing funding streams to reallocate.

Coming Events

  • The Senate Judiciary Committee will hold an executive session at which the “Online Content Policy Modernization Act” (S.4632), a bill to narrow the liability shield in 47 USC 230, may be marked up on 10 December.
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Tima Miroshnichenko from Pexels

Further Reading, Other Developments, and Coming Events (9 December)

Further Reading

  • Secret Amazon Reports Expose the Company’s Surveillance of Labor and Environmental Groups” By Lauren Kaori Gurley — Vice’s Motherboard. Yet another article by Vice drawing back the curtain on Amazon’s labor practices, especially its apparently fervent desire to stop unionizing. This piece shines light on the company’s Global Security Operations Center that tracks labor organizing and union activities among Amazon’s workers and monitors environmental and human rights on social media. The company has even hired Pinkerton operatives to surveil its warehouse employees. Although the focus is on Europe because the leaked emails on which the story is based pertain to activities on that continent, there is no reason to expect the same tactics are not being used elsewhere. Moreover, the company may be violating the much stricter laws in Europe protecting workers and union activities.
  • Cyber Command deployed personnel to Estonia to protect elections against Russian threat” By Shannon Vavra — cyberscoop.  It was recently revealed that personnel from the United States (U.S.) Cyber Command were deployed to Estonia to work with the latter country’s Defense Forces Cyber Command to fend off potential Russian attacks during the U.S. election. This follows another recent “hunt forward” mission for Cyber Command in Montenegro, another nation on the “frontline” of Russian hacking activities. Whether this has any effect beyond building trust and capacity between nations opposed to state-sponsored hacking and disinformation is unclear.
  • How China Is Buying Up the West’s High-Tech Sector” By Elizabeth Braw — Foreign Policy. This piece by a fellow at the ring wing American Enterprise Institute (AEI) makes the case that reviewing and potentially banning direct foreign investment by People’s Republic of China (PRC) in the United States (U.S.), European Union (EU), and European nations is probably not cutting off PRC access to cutting edge technology. PRC entities are investing directly or indirectly as limited partners in venture capital firms and are probably still gaining access to new technology. For example, an entity associated with the University of Cambridge is working with Huawei on a private 5G wireless network even though London is advancing legislation and policy to ban the PRC giant from United Kingdom (UK) networks. The author advocates for expanding the regulation of foreign investment to include limited partnerships and other structures that are apparently allowing the PRC to continue investing in and reaping the benefit of Western venture capital. There is hope, however, as a number of Western nations are starting government-funded venture capital firms to fund promising technology.
  • Twitter expands hate speech rules to include race, ethnicity” By Katie Paul — Reuters. The social media platform announced that it “further expanding our hateful conduct policy to prohibit language that dehumanizes people on the basis of race, ethnicity, or national origin.” A human rights group, the Color of Change, that was part of a coalition to pressure Twitter and other platforms called the change “essential concessions” but took issue with the timing, stating it would have had more impact had it been made before the election. A spokesperson added “[t]he jury is still out for a company with a spotty track record of policy implementation and enforcing its rules with far-right extremist users…[and] [v]oid of hard evidence the company will follow through, this announcement will fall into a growing category of too little, too late PR stunt offerings.”
  • White House drafts executive order that could restrict global cloud computing companies” By Steven Overly and Eric Geller — Politico. The Trump Administration may make another foray into trying to ban foreign companies from United States (U.S.) key critical infrastructure, and this time would reportedly bar U.S. cloud companies like Microsoft, Amazon, and others from partnering with foreign companies or entities that pose risk to the U.S. through the use of these U.S. systems to conduct cyber-attacks. This seems like another attempt to strike at the People’s Republic of China’s (PRC) technology firms. If issued, it remains to be seen how a Biden Administration would use or implement such a directive given that there is not enough time for the Trump government to see things through to end on such an order. In any event, one can be sure that tech giants have already begun pressing both the outgoing and incoming Administration against any such order and most likely Congress as well.

Other Developments

  • A bipartisan group of Senators and Representatives issued the framework for a $908 billion COVID-19 stimulus package that is reportedly the subject of serious in Congress. The framework details $10 billion for broadband without no detail on how these funds would be distributed.
  • The Australian Competition & Consumer Commission (ACCC) announced the signing of the Australian Product Safety Pledge, “a voluntary initiative that commits its signatories to a range of safety related responsibilities that go beyond what is legally required of them” in e-commerce. The ACCC stated “AliExpress, Amazon Australia, Catch.com.au and eBay Australia, who together account for a significant share of online sales in Australia, are the first businesses to sign the pledge, signifying their commitment to consumers’ safety through a range of commitments such as removing unsafe product listings within two days of being notified by the ACCC.” The pledge consists of 12 commitments:
    • Regularly consult the Product Safety Australia website and other relevant sources for information on recalled/unsafe products. Take appropriate action[1] on these products once they are identified.
    • Provide a dedicated contact point(s) for Australian regulatory authorities to notify and request take-downs of recalled/unsafe products.
    • Remove identified unsafe product listings within two business days of the dedicated contact point(s) receiving a take-down request from Australian regulatory authorities. Inform authorities on the action that has been taken and any relevant outcomes.
    • Cooperate with Australian regulatory authorities in identifying, as far as possible, the supply chain of unsafe products by responding to data/information requests within ten business days should relevant information not be publicly available.
    • Have an internal mechanism for processing data/information requests and take-downs of unsafe products.
    • Provide a clear pathway for consumers to notify the pledge signatory directly of unsafe product listings. Such notifications are treated according to the signatory’s processes and where responses to consumers are appropriate, they are given within five business days.
    • Implement measures to facilitate sellers’ compliance with Australian product safety laws. Share information with sellers on compliance training/guidance, including a link to the ACCC’s Selling online page on the Product Safety Australia website.
    • Cooperate with Australian regulatory authorities and sellers to inform consumers[2] about relevant recalls or corrective actions on unsafe products.
    • Set up processes aimed at preventing or restricting the sale of banned, non-compliant and recalled products as appropriate.
    • Put in place reasonable measures to act against repeat offenders selling unsafe products, including in cooperation with Australian regulatory authorities.
    • Take measures aimed at preventing the reappearance of unsafe product listings already removed.
    • Explore the potential use of new technologies and innovation to improve the detection and removal of unsafe products.
  • Senator Ron Wyden (D-OR) and Representative Lauren Underwood (D-IL) introduced “The Federal Cybersecurity Oversight Act” (S.4912) that would amend the “Federal Cybersecurity Enhancement Act of 2015” (P.L. 114-113) to restrict the use of exceptions to longstanding requirements that federal agencies use measures such as multi-factor authentication and encryption. Currently federal agencies exempt themselves on a number of grounds. Wyden and Underwood’s bill would tighten this process by making the exceptions good only for a year at a time and require the Office of Management and Budget (OMB) approve the execption. In a fact sheet, they claimed:
    • [T]he bill requires the Director of the Office of Management and Budget to approve all waivers, which can currently be self-issued by the head of the agency. To request a waiver, the agency head will have to certify that:
      • It would be excessively burdensome to implement the particular requirement;
      • The particular requirement is not necessary to secure the agency system and data; and
      • The agency has taken all necessary steps to secure the agency system and data.
  • The Government Accountability Office (GAO) looked at the United States (U.S.) longstanding efforts to buy common services and equipment in bulk known as Category Management. The GAO found progress but saw room for considerably more progress. GAO noted:
    • Since 2016, the Office of Management and Budget (OMB) has led efforts to improve how agencies buy these products and services through the category management initiative, which directs agencies across the government to buy more like a single enterprise. OMB has reported the federal government has saved $27.3 billion in 3 years through category management.
  • The GAO concluded:
    • The category management initiative has saved the federal government billions of dollars, and in some instances, enhanced agencies’ mission capabilities. However, the initiative has opportunities to accomplish much more. To date, OMB has focused primarily on contracting aspects of the initiative, and still has several opportunities to help agencies improve how they define their requirements for common products and services. OMB can take concrete steps to improve how agencies define these requirements through more robust guidance and training, changes to leadership delegations and cost savings reporting, and the development of additional metrics to measure implementation of the initiative.
    • Additionally, OMB can lead the development of a coordinated strategy that addresses government-wide data challenges hindering agencies’ efforts to assess their spending and identify prices paid for common products and services.
    • Finally, OMB can tailor additional training courses to provide more relevant information to agency personnel responsible for small business matters, and improve public reporting about the impact of category management on small businesses. In doing so, OMB can enhance the quality of the information provided to the small business community and policymakers. Through these efforts to further advance the category management initiative, OMB can help federal agencies accomplish their missions more effectively while also being better stewards of taxpayer dollars.
    • The GAO made the following recommendations:
      • The Director of the Office of Management and Budget should emphasize in its overarching category management guidance the importance of effectively defining requirements for common products and services when implementing the category management initiative. (Recommendation 1)
      • The Director of the Office of Management and Budget should work with the Category Management Leadership Council and the General Services Administration’s Category Management Program Management Office, and other appropriate offices, to develop additional tailored training for Senior Accountable Officials and agency personnel who manage requirements for common products and services. (Recommendation 2)
      • The Director of the Office of Management and Budget should account for agencies’ training needs, including training needs for personnel who define requirements for common products and services, when setting category management training goals. (Recommendation 3)
      • The Director of the Office of Management and Budget should ensure that designated Senior Accountable Officials have the authority necessary to hold personnel accountable for defining requirements for common products and services as well as contracting activities. (Recommendation 4)
      • The Director of the Office of Management and Budget should report cost savings from the category management initiative by agency. (Recommendation 5)
      • The Director of the Office of Management and Budget should work with the Category Management Leadership Council and the Performance Improvement Council to establish additional performance metrics for the category management initiative that are related to agency requirements. (Recommendation 6)
      • The Director of the Office of Management and Budget should, in coordination with the Category Management Leadership Council and the Chief Data Officer Council, establish a strategic plan to coordinate agencies’ responses to government-wide data challenges hindering implementation of the category management initiative, including challenges involving prices-paid and spending data. (Recommendation 7)
      • The Director of the Office of Management and Budget should work with the General Services Administration’s Category Management Program Management Office and other organizations, as appropriate, to develop additional tailored training for Office of Small Disadvantaged Business Utilization personnel that emphasizes information about small business opportunities under the category management initiative. (Recommendation 8)
      • The Director of the Office of Management and Budget should update its methodology for calculating potentially duplicative contract reductions to strengthen the linkage between category management actions and the number of contracts eliminated. (Recommendation 9)
      • The Director of the Office of Management and Budget should identify the time frames covered by underlying data when reporting on how duplicative contract reductions have impacted small businesses. (Recommendation 10)
  • The chair and ranking member of the House Commerce Committee are calling on the Federal Communications Commission (FCC) to take preparatory steps before Congress provides funding to telecommunications providers to remove and replace Huawei and ZTE equipment. House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) and Ranking Member Greg Walden (R-OR) noted the “Secure and Trusted Communications Networks Act” (P.L. 116-124):
    • provides the Federal Communications Commission (FCC) with several new authorities to secure our communications supply chain, including the establishment and administration of the Secure and Trusted Communications Networks Reimbursement Program (Program). Through this Program, small communications providers may seek reimbursement for the cost of removing and replacing suspect network equipment. This funding is critical because some small and rural communications providers would not otherwise be able to afford these upgrades. Among the responsibilities entrusted to the FCC to carry out the Program is the development of a list of suggested replacements for suspect equipment, including physical and virtual communications equipment, application and management software, and services.
    • Pallone and Walden conceded that Congress has not yet provided funds but asked the FCC to take some steps:
      • First, the FCC should develop and release the list of eligible replacement equipment, software, and services as soon as possible. Second, the agency should reassure companies that they will not jeopardize their eligibility for reimbursement under the Program just because replacement equipment purchases were made before the Program is funded, assuming other eligibility criteria are met.
  • The Office of Special Counsel (OSC) wrote one of the whistleblowers at the United States Agency for Global Media (USAGM) and indicated it has ordered the head of USAGM to investigate the claims of malfeasance at the agency. The OSC stated:
    • On December 2, 2020, after reviewing the information you submitted, we directed the Chief Executive Officer (CEO) of USAGM to order an investigation into the following allegations and report back to OSC pursuant to 5 U.S.C. § 1213(c). Allegations to be investigated include that, since June 2020, USAGM:
      • Repeatedly violated the Voice of America (VOA) firewall—the law that protects VOA journalists’ “professional independence and integrity”;
      • Engaged in gross mismanagement and abuse of authority by:
        • Terminating the Presidents of each USAGM-funded network— Radio Free Asia (RFA), Radio Free Europe/Radio Liberty (RFE/RL), the Middle East Broadcasting Networks (MBN), and the Office of Cuba Broadcasting (OCB)—as well as the President and the CEO of the Open Technology Fund (OTF);
        • Dismissing the bipartisan board members that governed the USAGM- funded networks, replacing those board members with largely political appointees, and designating the USAGM CEO as Chairman;
        • Revoking all authority from various members of USAGM’s Senior Executive Service (SES) and reassigning those authorities to political appointees outside of the relevant offices;
        • Removing the VOA Editor for News Standards and Best Practices—a central figure in the VOA editorial standards process and a critical component of the VOA firewall—from his position and leaving that position vacant;
        • Similarly removing the Executive Editor of RFA;
        • Suspending the security clearances of six of USAGM’s ten SES members and placing them on administrative leave; and
        • Prohibiting several offices critical to USAGM’s mission—including the Offices of General Counsel, Chief Strategy, and Congressional and Public Affairs—from communicating with outside parties without the front office’s express knowledge and consent;
      • Improperly froze all agency hiring, contracting, and Information Technology migrations, and either refused to approve such decisions or delayed approval until the outside reputation and/or continuity of agency or network operations, and at times safety of staff, were threatened;
      • Illegally repurposed, and pressured career staff to illegally repurpose, congressionally appropriated funds and programs without notifying Congress; and
      • Refused to authorize the renewal of the visas of non-U.S. citizen journalists working for the agency, endangering both the continuity of agency operations and those individuals’ safety.

Coming Events

  • The Senate Judiciary Committee will hold an executive session at which the “Online Content Policy Modernization Act” (S.4632), a bill to narrow the liability shield in 47 USC 230, may be marked up on 10 December.
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Makalu from Pixabay

Armed Services Committees Agree On Final NDAA

The annual defense policy bill creates a new National Cyber Director and addresses other technology issues.

Last week, the negotiators agreed on a final FY 2021 National Defense Authorization Act (NDAA) that could get passed as early as this week. To no great surprise, President Donald Trump has threatened to veto the annual policy and authorization package for reasons largely unrelated to the Department of Defense and other agencies subject to the bill. It is unclear how the President will respond if Congress ends him the bill and similarly unclear whether Republicans would vote to override a veto. Additionally, the bill might not make it to the White House until around Christmas Day which would complicate the reconvening of Congress to hold override votes.

Nonetheless, big picture, the conferees explained in the Joint Explanatory Statement that conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395):

  • The budget request for national defense discretionary programs within the jurisdiction of the Committees on Armed Services of the Senate and the House of Representatives for fiscal year 2021 was $731.6 billion. Of this amount, $636.3 billion was requested for base Department of Defense programs, $69.0 billion was requested for overseas contingency operations, $26.0 billion was requested for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $314.0 million for defense-related activities.
  • The conference agreement would authorize $731.6 billion in fiscal year 2021, including $635.5 billion for base Department of Defense programs, $69.0 billion for overseas contingency operations, $26.6 billion for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $494.0 million for defense-related activities.

As always, the bill is replete with provisions to change national security-related technology policy, most of which pertains to the Department of Defense (DOD) and the Intelligence Community (IC). However, anymore, the Department of Homeland Security and other agencies also receive policy alterations in the NDAA.

The bill would change the requirements as to when the DOD notifies Congress if it conducts offensive or defensive cyber operations by narrowing the category of such operations. For example, if Cyber Command were to strike a botnet again as it reportedly did in the run up to the election, it would not need to notify Congress, for such an operation is not a foreign terrorist organization or a foreign government unless they may be deemed a “proxy force.” There is a provision extending the liability shield for DOD contractors participating in the Pentagon’s mandated cyber incident reporting system to include compliance with Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

H.R.6395 would tweak the Quadrennial Cyber Posture Review assessments of U.S. statutes, policies, and authorities to manage cyber threats, especially in achieving cyber deterrence.

The DOD would need to set requirements for the periodic, systematic review of the cybersecurity of major weapons systems and related critical infrastructure to ensure the security of these platforms. The Pentagon must also establish a “Strategic Cybersecurity Program” “to ensure that the Department of Defense is always able to conduct the most important military missions of the Department.” This new initiative “shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:

  • Nuclear deterrence and strike.
  • Select long-range conventional strike missions germane to the warfighting plans of United States European Command and United States Indo-Pacific Command.
  • Offensive cyber operations.
  • Homeland missile defense.

The DOD will need to “develop a standard, comprehensive framework to enhance the consistency, execution, and effectiveness of cyber hunt forward operations” including the criteria used to identify such operations, the roles of various stakeholders in the DOD, pre-deployment planning guidelines, the metrics to measure the success of the operation, and other facets. Cyber Command and the National Security Agency have been deploying more of these teams to other nations to develop partnerships with nations closer to shared cyber adversaries (e.g. Estonia and Montenegro visa vis Russia.) The formalization of this process indicates increased Congressional interest and a desire to regularize the practice.

The DOD must “conduct a review of the Cybersecurity Service Provider and Cyber Mission Force enterprises” to determine where there are gaps and redundancies between DOD systems and those provided by contractors. Presumably such an inventory process would precede the DOD consolidating where it can and expanding where necessary.

The position of DOD Principal Cyber Advisor would be reformed. The Secretary of Defense would name a person to fill this position from the DOD civilian officials confirmed by the Senate. The Principal Cyber Advisor would have the following responsibilities, among others:

  • Acting as the principal advisor to the Secretary on military cyber forces and activities.
  • Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
  • Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.

The Principal Cyber Advisor will be tasked with the responsibility for the cybersecurity and critical infrastructure protection of the Defense Industrial Base (DIB) and must “synchronize, harmonize, de-conflict, and coordinate all policies and programs germane to defense industrial base cybersecurity.” This will encompass the Sector Specific Agency (SSA) responsibilities bestowed on the Under Secretary of Defense for Policy’s purview under Presidential Policy Directive-21, the Obama Administration era document that established the division and oversight of critical infrastructure with an eye towards cyber infrastructure. The Principal Cyber Advisor would also need to examine the Under Secretary of Defense for Acquisition and Sustainment’s authorities and responsibilities with respect to contracting and cybersecurity. The Principal Cyber Advisor would need to evaluate other facets of the DIB’s cybersecurity and critical infrastructure protection housed in different offices in the DOD, suggesting an obvious fracturing of efforts that may be at odds with one another.

The Principal Cyber Advisor and the head of Cyber Command would need to “conduct and complete an assessment on the operational planning and deconfliction policies and processes that govern cyber operations of the Department of Defense.” It appears that Congress would like DOD components to play better together when planning and conducting cyber operations, but this state of affairs is to be expected inside a large bureaucracy with players and entities interested in defending and even expanding their turf.

The DOD must “assess the feasibility and advisability of developing and using speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers in the Department of Defense.”

The DOD must study the feasibility of creating a new DIB information sharing program that would be above and beyond any current incident reporting requirements. Under law and regulation, at present, DIB contractors must report intrusions and incidents within 72 hours, but the language in H.R. 6395 envisions a program of greater information sharing for “cybersecurity purposes.” However, it begs the question as to why the DOD does not already have such a program given the “Cybersecurity Act of 2015” established the template for such programs over five years ago.

The Pentagon would need to “complete an assessment of the feasibility, suitability, definition of, and resourcing required to establish a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the DIB.”

The DOD must “assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.” And, for those components that fail to meet the “good cyber hygiene” standards, the report must indicate whether they will bring their hygiene up to snuff by March of 2022 and how they will shore up vulnerabilities and risks in the meantime.

The DOD would need to start submitting monthly reports on all “cross domain incidents,” a new term that seems to include all intrusions into classified or restricted systems regardless of whether information is exfiltrated, contaminated, or exposed. The Pentagon would also need to provide Congress with a list of all currently operative exemptions to DOD information policy.

The DOD must draft and implement a plan on how to secure and protect the U.S. nuclear command and control system from cyber threats.

The Cyberspace Solarium Commission (CSC) was extended. It was supposed to sunset after the delivery of its final report, but now it will continue to exist for the better part of two more years. The CSC would need to discharge the following duties:

  • collecting and assessing comments and feedback from the Executive Branch, academia, and the public on the analysis and recommendations contained in the Commission’s report;
  • collecting and assessing any developments in cybersecurity that may affect the analysis and recommendations contained in the Commission’s report;
  • reviewing the implementation of the recommendations contained in the Commission’s report;
  • revising, amending, or making new recommendations based on the [aforementioned] assessments and reviews…

The CSC’s primary recommendation that the U.S. have a National Cyber Director in the White House was included in the final bill. This new position shall also have a dedicated office in the Executive Office of the President but would not be a Senate confirmed position as the CSC advised. Moreover, it appears that offensive and defensive cyber operations of the DOD would be outside his or her statutory remit unless the President decides to make it so. The National Cyber Director would offer advice to the National Security Council (NSC) on U.S. cyber strategy and policy and coordinate the formulation of such policies and strategies. Moreover, the director would be a statutory member of the NSC. The National Cyber Director would lead U.S. responses at the federal level to cyber attacks and significant cyber campaigns.

The bill would expand the authority of the United States’ (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with respect to operating on civilian agency networks. CISA would be able to access and inspect other agencies’ information systems without the permission or knowledge of the other agency and could then share information and its findings with the agency. And yet, CISA would not receive authority to act if it found something on another agency’s information networks or systems. Nonetheless, CISA would also be empowered to provide a range of assistance to other agencies.

DHS would need to conduct an assessment of CISA per the CSC’s recommendations on how the agency could improve its operations and better use its resources, among other matters. DHS would also be tasked with evaluating how well the Sector Specific Agency approach to regulating critical infrastructure is working as laid out in Presidential Policy Directive 21 and successor documents and make recommendations on how to revise the framework if needed. This could result in the Biden Administration revamping the current 17 sectors and other components of how the U.S. oversees its critical infrastructure. In concert with this review and possible revision, Sector Specific Agencies would be replaced by Sector Risk Management Agencies that, as a practical matter, will probably be the same agencies overseeing the same sectors but with greater statutory responsibilities.

DHS must study and draft a strategy for all U.S.-based email providers to use Domain-based Message Authentication, Reporting, and Conformance (DMARC), “an email authentication, policy, and reporting protocol that verifies the authenticity of the sender of an email and blocks and reports to the sender fraudulent accounts.”

DHS would need to report annually on digital content forgery technology with the Director of National Intelligence, including:

  • An assessment of the underlying technologies used to create or propagate digital content forgeries, including the evolution of such technologies and patterns of dissemination of such technologies.
  • A description of the types of digital content forgeries, including those used to commit fraud, cause harm, harass, coerce, or silence vulnerable groups or individuals, or violate civil rights recognized under Federal law.
  • An assessment of how foreign governments, and the proxies and networks thereof, use, or could use, digital content forgeries to harm national security.
  • An assessment of how non-governmental entities in the United States use, or could use, digital content forgeries.
  • An assessment of the uses, applications, dangers, and benefits, including the impact on individuals, of deep learning or digital content forgery technologies used to generate realistic depictions of events that did not occur.
  • An analysis of the methods used to determine whether content is created by digital content forgery technology, and an assessment of any effective heuristics used to make such a determination, as well as recommendations on how to identify and address suspect content and elements to provide warnings to users of such content.
  • A description of the technological countermeasures that are, or could be, used to address concerns with digital content forgery technology.
  • Any additional information the Secretary determines appropriate.

CISA would receive the subpoena authority it requested to obtain the contact information of owners and operators of critical cyber infrastructure from internet service providers (ISP) should there be a risk. CISA submitted a legislative proposal in summer 2019 that was then taken up by Senate and House stakeholders who then introduced legislation in December and February respectively: the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S. 3045) and the “Cybersecurity Vulnerability Identification and Notification Act of 2020” (H.R. 5680). The bills were very similar but had some differences that have been ironed out.

CISA would be able to appoint an employee in each state to serve as Cybersecurity State Coordinator to help states improve their cybersecurity.

CISA must establish a “Cybersecurity Advisory Committee” to “advise, consult with, report to, and make recommendations to the Director, as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.”

Inside CISA, there would be a newly created Joint Cyber Planning Office “to develop, for public and private sector entities, plans for cyber defense operations, including the development of a set of coordinated actions to protect, detect, respond to, and recover from cybersecurity risks or incidents or limit, mitigate, or defend against coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”

Within one year, CISA “a report on Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within” CISA.

The Government Accountability Office (GAO) would need to investigate and report on cyber insurance in the U.S. At one time, some experts considered the development of a cyber insurance market as being crucial to driving greater cybersecurity across the private sector. However, this has not come to pass, which is likely why the GAO will be reporting on the issue.

On other technology policy, a Public Wireless Supply Chain Innovation Fund would be established and overseen by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to support the following activities:

  • Promoting and deploying technology, including software, hardware, and microprocessing technology, that will enhance competitiveness in the fifth-generation (commonly known as ‘‘5G’’) and successor wireless technology supply chains that use open and interoperable interface radio access networks.
  • Accelerating commercial deployments of open interface standards-based compatible, interoperable equipment, such as equipment developed pursuant to the standards set forth by organizations such as the O-RAN Alliance, the Telecom Infra Project, 3GPP, the Open-RAN Software Community, or any successor organizations.
  • Promoting and deploying compatibility of new 5G equipment with future open standards-based, interoperable equipment.
  • Managing integration of multi-vendor network environments.
  • Identifying objective criteria to define equipment as compliant with open standards for multi-vendor network equipment interoperability.
  • Promoting and deploying security features enhancing the integrity and availability of equipment in multi-vendor networks.
  • Promoting and deploying network function virtualization to facilitate multi-vendor interoperability and a more diverse vendor market.

A Multilateral Telecommunications Security Fund would be created and run by the Department of State “to establish a common funding mechanism, in coordination with foreign partners, that uses amounts from the Multilateral Telecommunications Security Fund to support the development and adoption of secure and trusted telecommunications technologies.” The bill provides that “[i]n creating and sustaining a common funding mechanism, the Secretary of State should leverage United States funding in order to secure commitments and contributions from trusted foreign partners such as the United Kingdom, Canada, Australia, New Zealand, and Japan, and should prioritize the following objectives:

  • Advancing research and development of secure and trusted communications technologies.
  • Strengthening supply chains.
  • Promoting the use of trusted vendors.”

Both of these new programs would need the Appropriations Committees to provide funding as the FY 2021 NDAA does not give them any money.

H.R.6395 directs “an interagency information technology spectrum modernization effort, led by the Assistant Secretary of Commerce for Communications and Infrastructure and the NTIA, to synchronize development and coordination of standards and Federal spectrum management.” This provision “would also require the Secretary of Defense to establish a program to identify and mitigate vulnerabilities in the telecommunications infrastructure of the DOD.”

The FY 2021 NDAA contains the “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”

H.R.6395 has provisions “that would require the Secretary of Commerce to establish a program that provides grants to covered entities to incentivize investment of semiconductor fabrication facilities, or assembly, testing, advanced packaging, or advanced research and development of semiconductors in the U.S.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Michael Afonso on Unsplash