Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (5 January 2021)

Further Reading

  • China Used Stolen Data To Expose CIA Operatives In Africa And Europe;” “Beijing Ransacked Data as U.S. Sources Went Dark in China;” “Tech Giants Are Giving China A Vital Edge In Espionage” By Zach Dorfman — Foreign Policy. This terrifying trio of articles lays bare the 180 degree change in espionage advantage the People’s Republic of China (PRC) seems to hold over the United States (U.S.). Hacking, big data, processing, algorithms, and other technological issues play prominent roles in the PRC’s seeming advantage. It remains to be seen how the U.S. responds to the new status quo.
  • Singapore police can access COVID-19 contact tracing data for criminal investigations” By Eileen Yu — ZDNet. During questioning in Singapore’s Parliament, it was revealed the police can use existing authority to access the data on a person’s smartphone collected by the nation’s TraceTogether app. Technically, this would entail a person being asked by the police to upload their data, which is stored on devices and encrypted. Nonetheless, this is the very scenario privacy advocates have been saying is all but inevitable with COVID-19 tracing apps on phones.
  • As Understanding of Russian Hacking Grows, So Does Alarm” By David Sanger, Nicole Perlroth, and Julian Barnes — The New York Times. Like a detonated bomb, the Russian hack of United States (U.S.) public and private systems keeps getting worse in terms of damage and fallout. The scope continues to widen as it may come to pass that thousands of U.S. entities have been compromised in ways that leave them vulnerable to future attacks. Incidentally, the massive hack has tarnished somewhat the triumph of the U.S. intelligence agencies in fending off interference with the 2020 election.
  • Google workers launch unconventional union with help of Communications Workers of America” By Nitasha Tiku — The Washington Post. A new union formed in Google stopped short of seeking certification by the National Labor Relations Board (NLRB), which will block it from collective bargaining. Nonetheless, the new union will collect dues and have a board of directors. This may lead to additional unionizing efforts in union-averse Silicon Valley and throughout the tech world.
  • ‘Break up the groupthink’: Democrats press Biden to diversify his tech picks” By Cristiano Lima — Politico. Key Democratic groups in the House are pushing the Biden team to appoint people of color for key technology positions at agencies such as the Federal Trade Commission (FTC), Federal Communications Commission (FCC), the Office of Science and Technology Policy (OSTP).

Other Developments

  • The Congress overrode President Donald Trump’s veto of the FY 2021 National Defense Authorization Act (NDAA), thus enacting the annual defense and national security policy bill, which includes a number of technology provisions that will have effects in the public and private sectors. (See here and here for analysis of these provisions in the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395).
  • A federal court dismissed a lawsuit brought by a civil liberties and privacy advocacy group to stop implementation of President Donald Trump’s executive order aimed at social media companies and their liability protection under 47 USC 230 (aka Section 230). In June, the Center for Democracy and Technology (CDT), filed suit in federal court to block enforcement of the “Executive Order (EO) on Preventing Online Censorship.” However, the United States District Court of the District of Columbia ruled that CDT is not injured by the executive order (EO) and any such lawsuit is premature. The court dismissed the lawsuit for lack of jurisdiction.
    • In its complaint, CDT argued the EO “violates the First Amendment in two fundamental respects:
      • First, the Order is plainly retaliatory: it attacks a private company, Twitter, for exercising its First Amendment right to comment on the President’s statements.
      • Second, and more fundamentally, the Order seeks to curtail and chill the constitutionally protected speech of all online platforms and individuals— by demonstrating the willingness to use government authority to retaliate against those who criticize the government.”
  • The Federal Trade Commission (FTC) reached a settlement with a company that sells emergency travel and medical services for failing “to take reasonable steps to secure sensitive consumer information such as health records,” including having a unsecured cloud database a security researcher stumbled upon with the sensitive data of more than 130,000 people. Moreover, the company claimed a certification of compliance with the Health Insurance Portability and Accountability Act (HIPAA), which turned out to be untrue. In the complaint, the FTC alleged that these and other practices “constitute unfair and/or deceptive acts or practices, in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.” The FTC and the company reached agreement on a consent order that will require the company’s compliance for at least 20 years.
    • In the complaint, the FTC stated that SkyMed “advertises, offers for sale, and sells nationwide a wide array of emergency travel membership plans that cover up to eighteen different emergency travel and medical evacuation services for members who sustain serious illnesses or injuries during travel in certain geographic areas.”
    • The FTC asserted a security researcher discovered SkyMed’s “database, which could be located and accessed by anyone on the internet, contained approximately 130,000 membership records with consumers’ personal information stored in plain text, including information populated in certain fields for names, dates of birth, gender, home addresses, email addresses, phone numbers, membership information and account numbers, and health information.”
    • The FTC noted the company told affected customers that it had investigated and “[t]here was no medical or payment-related information visible and no indication that the information has been misused.” This turns out to be completely false, and the company’s “investigation did not determine that consumers’ health information was neither stored on the cloud database, nor improperly accessed by an unauthorized third party.”
    • The FTC summarized the terms of the consent order and SkyMed’s obligations:
      • Under the proposed settlement, SkyMed is prohibited from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security program. The company also will be required to send a notice to affected consumers detailing the data that was exposed by the data breach.
      • As part of the mandated information security program, the company must identify and document potential internal and external risks and design, implement, and maintain safeguards to protect personal information it collects from those risks. In addition, SkyMed must obtain biennial assessments of its information security program by a third party, which the FTC has authority to approve, to examine the effectiveness of SkyMed’s information security program, identify any gaps or weaknesses, and monitor efforts to address these problems. The settlement also requires a senior SkyMed executive to certify annually that the company is complying with the requirements of the settlement.
  • The European Commission (EC) has communicated its vision for a new cybersecurity strategy to the European Parliament and European Council “to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe.” The EC spelled out its dramatic plan to remake how the bloc regulates, invests in, and structures policies around cybersecurity. The EC claimed “[a]s a key component of Shaping Europe’s Digital Future, the Recovery Plan for Europe  and the EU Security Union Strategy, the Strategy will bolster Europe’s collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools.” If the European Union (EU) follows through, this strategy may have significant effects in the EU and around the world. The EC further explained:
    • Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments –regulatory, investment and policy instruments – to address three areas of EU action – (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. The EU is committed to supporting this strategy through an unprecedented level of investment in the EU’s digital transition over the next seven years – potentially quadrupling previous levels – as part of new technological and industrial policies and the recovery agenda
    • Cybersecurity must be integrated into all these digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks. This can stimulate the growth of the European cybersecurity industry and provide the certainty needed to ease the phasing out of legacy systems. The European Defence Fund (EDF) will support European cyber defence solutions, as part of the European defence technological and industrial base. Cybersecurity is included in external financial instruments to support our partners, notably the Neighbourhood, Development and International Cooperation Instrument. Preventing the misuse of technologies, protecting critical infrastructure and ensuring the integrity of supply chains also enables the EU’s adherence to the UN norms, rules and principles of responsible state behavior.
    • With respect to actions that might be taken, the EC stated that “[t]he EU should ensure:
      • Adoption of revised NIS Directive;
      • Regulatory measures for an Internet of Secure Things
      • Through the CCCN investment in cybersecurity (notably through the Digital Europe Programme, Horizon Europe and recovery facility) to reach up to €4.5 billion in public and private investments over 2021-2027;
      • An EU network of AI-enabled Security Operation Centres and an ultra-secure communication infrastructure harnessing quantum technologies;
      • Widespread adoption of cybersecurity technologies through dedicated support to SMEs under the Digital Innovation Hubs;
      • Development of an EU DNS resolver service as a safe and open alternative for EU citizens, businesses and public administration to access the Internet; and
      • Completion of the implementation of the 5G Toolbox by the second quarter of 2021
      • Complete the European cybersecurity crisis management framework and determine the process, milestones and timeline for establishing the Joint Cyber Unit;
      •  Continue implementation of cybercrime agenda under the Security Union Strategy;
      • Encourage and facilitate the establishment of a Member States’ cyber intelligence working group residing within the EU INTCEN;
      • Advance the EU’s cyber deterrence posture to prevent, discourage, deter and respond to malicious cyber activities;
      • Review the Cyber Defence Policy Framework;
      • Facilitate the development of an EU “Military Vision and Strategy on Cyberspace as a Domain of Operations” for CSDP military missions and operations;
      • Support synergies between civil, defence and space industries; and
      • Reinforce cybersecurity of critical space infrastructures under the Space Programme.
      • Define a set of objectives in international standardisation processes, and promote these at international level;
      • Advance international security and stability in cyberspace, notably through the proposal by the EU and its Member States for a Programme of Action to Advance Responsible State Behaviour in Cyberspace (PoA) in the United Nations;
      • Offer practical guidance on the application of human rights and fundamental freedoms in cyberspace;
      • Better protect children against child sexual abuse and exploitation, as well as a Strategy on the Rights of the Child;
      • Strengthen and promote the Budapest Convention on Cybercrime, including through the work on the Second Additional Protocol to the Budapest Convention;
      • Expand EU cyber dialogue with third countries, regional and international organisations, including through an informal EU Cyber Diplomacy Network;
      • Reinforce the exchanges with the multi-stakeholder community, notably by regular and structured exchanges with the private sector, academia and civil society; and
      • Propose an EU External Cyber Capacity Building Agenda and an EU Cyber Capacity Building Board.
  • The U.S.-China  Economic  and  Security  Review  Commission released its annual report on the People’s Republic of China (PRC) per its “mandate “to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.” The Commission argued:
    • Left unchecked, the PRC will continue building a new global order anathema to the interests and values that have underpinned unprecedented economic growth and stability among nations in the post-Cold War era. The past 20 years are littered with the Chinese  Communist  Party’s (CCP) broken promises. In China’s intended new order, there is little reason to believe CCP promises of “win-win” solutions, mutual respect, and peaceful coexistence. A clear understanding of the CCP’s adversarial national security and economic ambitions is essential as U.S. and allied leaders develop the policies and programs that will define the conditions of global freedom and shape our future.
    • The Commission made ten “Key Recommendations:”
      • Congress adopt the principle of reciprocity as foundational in all legislation bearing on U.S.-China relations.
      • Congress expand the authority of the Federal Trade Commission (FTC) to monitor and take foreign government subsidies into account in premerger notification processes.
      • Congress direct the U.S. Department of State to produce an annual report detailing China’s actions in the United Nations and its subordinate agencies that subvert the principles and purposes of the United Nations
      • Congress hold hearings to consider the creation of an interagency executive Committee on Technical Standards that would be responsible for coordinating U.S. government policy and priorities on international standards.
      • Congress consider establishing a “Manhattan Project”-like effort to ensure that the American public has access to safe and secure supplies of critical lifesaving and life-sustaining drugs and medical equipment, and to ensure that these supplies are available from domestic sources or, where necessary, trusted allies.
      • Congress enact legislation establishing a China Economic Data Coordination Center (CEDCC) at the Bureau of Economic Analysis at the U.S. Department of Commerce.
      • Congress direct the Administration, when sanctioning an entity in the People’s Republic of China for actions contrary to the economic and national security interests of the United States or for violations of human rights, to also sanction the parent entity.
      • Congress consider enacting legislation to make the Director of the American Institute in Taiwan a presidential nomination subject to the advice and consent of the United States Senate.
      • Congress amend the Immigration and Nationality Act to clarify that association with a foreign government’s technology transfer programs may be considered grounds to deny a nonimmigrant visa if the foreign government in question is deemed a strategic competitor of the United States, or if the applicant has engaged in violations of U.S. laws relating to espionage, sabotage, or export controls.
      • Congress direct the Administration to identify and remove barriers to receiving United States visas for Hong Kong residents attempting to exit Hong Kong for fear of political persecution.
  • The Electronic Privacy Information Center, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, the Parent Coalition for Student Privacy, and Consumer Federation of America asked the Federal Trade Commission (FTC) “to recommend specific changes to the proposed Consent Order to safeguard the privacy interests of Zoom users” in their comments submitted regarding the FTC’s settlement with Zoom. In November, the FTC split along party lines to approve a settlement with Zoom to resolve allegations that the video messaging platform violated the FTC Act’s ban on unfair and deceptive practices in commerce. Zoom agreed to a consent order mandating a new information security program, third party assessment, prompt reporting of covered incidents and other requirements over a period of 20 years. The two Democratic Commissioners voted against the settlement and dissented because they argued it did not punish the abundant wrongdoing and will not dissuade future offenders. Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented for a variety of reasons that may be summed up: the FTC let Zoom off with a slap on the wrist. Kelly Slaughter focused on the majority’s choice to ignore the privacy implications of Zoom’s misdeeds, especially by not including any requirements that Zoom improve its faulty privacy practices.
    • The groups “recommend that the FTC modify the proposed Consent Order and require Zoom to(1) implement a comprehensive privacy program; (2) obtain regular independent privacy assessments and make those assessments available to the public; (3) provide meaningful redress for victims of Zoom’s unfair and deceptive trade practices; and (4) ensure the adequate protection and limits on the collection of children’s data.”

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Free-Photos from Pixabay

Final NDAA Agreement, Part II

There are AI, 5G, and supply chain provisions in the national security policy bill the Armed Services Committee have agreed upon.

So, it appears I failed to include all the technology goodies to be found in the final FY 2021 National Defense Authorization Act (NDAA). And so, I will cover the provisions I missed yesterday in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395). For example, there are artificial intelligence (AI), 5G, and supply chain provisions.

Notably, the final bill includes the House Science, Space, and Technology Committee’s “National Artificial Intelligence Initiative Act of 2020” (H.R.6216). In the Joint Explanatory Statement, the conferees asserted:

The conferees believe that artificial intelligence systems have the potential to transform every sector of the United States economy, boosting productivity, enhancing scientific research, and increasing U.S. competitiveness and that the United States government should use this Initiative to enable the benefits of trustworthy artificial intelligence while preventing the creation and use of artificial intelligence systems that behave in ways that cause harm. The conferees further believe that such harmful artificial intelligence systems may include high-risk systems that lack sufficient robustness to prevent adversarial attacks; high-risk systems that harm the privacy or security of users or the general public; artificial general intelligence systems that become self-aware or uncontrollable; and artificial intelligence systems that unlawfully discriminate against protected classes of persons, including on the basis of sex, race, age, disability, color, creed, national origin, or religion. Finally, the conferees believe that the United States must take a whole of government approach to leadership in trustworthy artificial intelligence, including through coordination between the Department of Defense, the Intelligence Community, and the civilian agencies.

H.R.6216 directs the President to establish the National Artificial Intelligence Initiative that would:

  • Ensure the U.S. continues to lead in AI research and development (R&D)
  • Lead efforts throughout the world to develop and use “trustworthy AI systems” in both the public and private sectors
  • Prepare to assist U.S. workers for the coming integration and use of AI throughout the U.S., and
  • Coordinate AI R&D development and demonstration activities across the federal government, including national security agencies.

The President would have a variety of means at his or her discretion in effectuating those goals, including existing authority to ask Congress for funding and to use Executive Office agencies to manage the authority and funding Congress provides.

Big picture, H.R. 6216 would require better coordination of federal AI initiatives, research, and funding, and more involvement in the development of voluntary, consensus-based standards for AI. Much of this would happen through the standing up of a new “National Artificial Intelligence Initiative Office” by the Office of Science and Technology Policy (OSTP) in the White House. This new entity would be the locus of AI activities and programs in the United States’ (U.S.) government with the ultimate goal of ensuring the nation is the world’s foremost developer and user of the new technology.

Moreover, OSTP would “acting through the National Science and Technology Council…establish or designate an Interagency Committee to coordinate Federal programs and activities in support of the Initiative.” This body would “provide for interagency coordination of Federal artificial intelligence research, development, and demonstration activities, development of voluntary consensus standards and guidelines for research, development, testing, and adoption of ethically developed, safe, and trustworthy artificial intelligence systems, and education and training activities and programs of Federal departments and agencies undertaken pursuant to the Initiative.” The committee would need to “develop a strategic plan for AI” within two years and update it every three years thereafter. Moreover, the committee would need to “propose an annually coordinated interagency budget for the Initiative to the Office of Management and Budget (OMB) that is intended to ensure that the balance of funding across the Initiative is sufficient to meet the goals and priorities established for the Initiative.” However, OMB would be under no obligation to take notice of this proposal save for pressure from AI stakeholders in Congress or AI champions in any given Administration. The Secretary of Commerce would create a ‘‘National Artificial Intelligence Advisory Committee” to advise the President and National Artificial Intelligence Initiative Office on a range of AI policy matters. In the bill as added to the House’s FY 2021 NDAA, it was to have been the Secretary of Energy.

Federal agencies would be permitted to award funds to new Artificial Intelligence Research Institutes to pioneer research in any number of AI fields or considerations. The bill does not authorize any set amount of money for this program and instead kicks the decision over to the Appropriations Committees on any funding. The National Institute of Standards and Technology (NIST) must “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” and “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” among other duties. NIST must “shall work to develop, and periodically update, in collaboration with other public and private sector organizations, including the National Science Foundation and the Department of Energy, a voluntary risk management framework for the trustworthiness of artificial intelligence systems.” NIST would also “develop guidance to facilitate the creation of voluntary data sharing arrangements between industry, federally funded research centers, and Federal agencies for the purpose of advancing artificial intelligence research and technologies.”

The National Science Foundation (NSF) would need to “fund research and education activities in artificial intelligence systems and related fields, including competitive awards or grants to institutions of higher education or eligible non-profit organizations (or consortia thereof).” The Department of Energy must “carry out a cross-cutting research and development program to advance artificial intelligence tools, systems, capabilities, and workforce needs and to improve the reliability of artificial intelligence methods and solutions relevant to the mission of the Department.” This department would also be tasked with advancing “expertise in artificial intelligence and high-performance computing in order to improve health outcomes for veteran populations.”

According to a fact sheet issued by the House Science, Space, and Technology Committee, [t]he legislation will:

  • Formalize interagency coordination and strategic planning efforts in AI research, development, standards, and education through an Interagency Coordination Committee and a coordination office managed by the Office of Science and Technology Policy (OSTP).
  • Create an advisory committee to better inform the Coordination Committee’s strategic plan, track the state of the science around artificial intelligence, and ensure the Initiative is meeting its goals.
  • Create a network of AI institutes, coordinated through the National Science Foundation, that any Federal department of agency could fund to create partnerships between the academia and the public and private sectors to accelerate AI research focused on an economic sector, social sector, or on a cross-cutting AI challenge.
  • Support basic AI measurement research and standards development at the National Institute for Standards and Technology(NIST) and require NIST to create a framework for managing risks associated with AI systems and best practices for sharing data to advance trustworthy AI systems.
  • Support research at the National Science Foundation (NSF) across a wide variety of AI related research areas to both improve AI systems and use those systems to advance other areas of science. This section requires NSF to include an obligation for an ethics statement for all research proposals to ensure researchers are considering, and as appropriate, mitigating potential societal risks in carrying out their research.
  • Support education and workforce development in AI and related fields, including through scholarships and traineeships at NSF.
  • Support AI research and development efforts at the Department of Energy (DOE), utilize DOE computing infrastructure for AI challenges, promote technology transfer, data sharing, and coordination with other Federal agencies, and require an ethics statement for DOE funded research as required at NSF.
  • Require studies to better understand workforce impacts and opportunities created by AI, and identify the computing resources necessary to ensure the United States remains competitive in AI.

A provision would expand the scope of the biannual reports the DOD must submit to Congress on the Joint Artificial Intelligence Center (JAIC) to include the Pentagon’s efforts to develop or contribute to efforts to institute AI standards and more detailed information on uniformed DOD members who serve at the JAIC. Other language would revamp how the Under Secretary of Defense for Research and Engineering shall manage efforts and procurements between the DOD and the private sector on AI and other technology with cutting edge national security applications. The new emphasis of the program would be to buy mature AI to support DOD missions, allowing DOD components to directly use AI and machine learning to address operational problems, speeding up the development, testing, and deployment of AI technology and capabilities, and overseeing and managing any friction between DOD agencies and components over AI development and use. This section also spells out which DOD officials should be involved with this program and how the JAIC fits into the picture. This language and other provisions suggest the DOD may have trouble in coordinating AI activities and managing infighting, at least in the eyes of the Armed Services Committees.

Moreover, the JAIC would be given a new Board of Advisors to advise the Secretary of Defense and JAIC Director on a range of AI issues. However, as the Secretary shall appoint the members of the board, all of whom must be from outside the Pentagon, this organ would seem to be a means of the Office of the Secretary asserting greater control over the JAIC.

And yet, the Secretary is also directed to delegate acquisition authority to the JAIC, permitting it to operate with the same independence as a DOD agency. The JAIC Director will need to appoint an acquisition executive to manage acquisition and policy inside and outside the DOD. $75 million would be authorized a year for these activities, and the Secretary needs to draft and submit an implementation plan to Congress and conduct a demonstration before proceeding.

The DOD must identify five use cases of when AI-enabled systems have improved the functioning of the Department in handling management functions in implementing the National Defense Strategy and then create prototypes and technology pilots to utilize commercially available AI capabilities to bolster the use cases.

Within six months of enactment, the DOD must determine whether it currently has the resources, capability, and know how to ensure that any AI bought has been ethically and responsibly developed. Additionally, the DOD must assess how it can install ethical AI standards in acquisitions and supply chains.

The Secretary is provided the authority to convene a steering committing on emerging technology and national security threats comprised of senior DOD officials to decide on how the Department can best adapt to and buy new technology to ensure U.S. military superiority. This body would also investigate the new technology used by adversaries and how to address and counter any threats. For this steering committee, emerging technology is defined as:

Technology determined to be in an emerging phase of development by the Secretary, including quantum information science and technology, data analytics, artificial intelligence, autonomous technology, advanced materials, software, high performance computing, robotics, directed energy, hypersonics, biotechnology, medical technologies, and such other technology as may be identified by the Secretary.

Not surprisingly, the FY 2021 NDAA has provisions on 5G. Most notably, the Secretary of Defense must assess and mitigate any risks presented by “at-risk” 5G or 6G systems in other nations before a major weapons system or a battalion, squadron, or naval combatant can be based there. The Secretary must take into account any steps the nation is taking to address risk, those steps the U.S. is taking, any agreements in place to mitigate risks, and other steps. This provision names Huawei and ZTE as “at-risk vendors.” This language may be another means by which the U.S. can persuade other nations not to buy and install technology from these People’s Republic of China (PRC) companies.

The Under Secretary of Defense for Research and Engineering and a cross-functional team would need to develop a plan to transition the DOD to 5G throughout the Department and its components. Each military department inside the DOD would get to manage its own 5G acquisition with the caveat that the Secretary would need to establish a telecommunications security program to address 5G security risks in the DOD. The Secretary would also be tasked with conducting a demonstration project to “evaluate the maturity, performance, and cost of covered technologies to provide additional options for providers of fifth-generation wireless network services” for Open RAN (aka oRAN) and “one or more massive multiple-input, multiple-output radio arrays, provided by one or more companies based in the United States, that have the potential to compete favorably with radios produced by foreign companies in terms of cost, performance, and efficiency.”

The service departments would need to submit reports to the Secretary on how they are assessing and mitigating and reporting to the DOD on the following risks to acquisition programs:

  • Technical risks in engineering, software, manufacturing and testing.
  • Integration and interoperability risks, including complications related to systems working across multiple domains while using machine learning and artificial intelligence capabilities to continuously change and optimize system performance.
  • Operations and sustainment risks, including as mitigated by appropriate sustainment planning earlier in the lifecycle of a program, access to technical data, and intellectual property rights.
  • Workforce and training risks, including consideration of the role of contractors as part of the total workforce.
  • Supply chain risks, including cybersecurity, foreign control and ownership of key elements of supply chains, and the consequences that a fragile and weakening defense industrial base, combined with barriers to industrial cooperation with allies and partners, pose for delivering systems and technologies in a trusted and assured manner.

Moreover, “[t]he Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for ap- propriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle.”

The Armed Services Committees are directing the Secretary to follow up a report submitted to the President per Executive Order 13806 on strengthening Defense Industrial Base (DIB) manufacturing and supply chain resiliency. The DOD must submit “additional recommendations regarding United States industrial policies….[that] shall consist of specific executive actions, programmatic changes, regulatory changes, and legislative proposals and changes, as appropriate.”

The DOD would also need to submit an annex to an annual report to Congress on “strategic and critical materials, including the gaps and vulnerabilities in supply chains of such materials.”

There is language that would change how the DOD manages the production of microelectronics and related supply chain risk. The Pentagon would also need to investigate how to commercialize its intellectual property for microelectronic R&D. The Department of Commerce would need to “assess the capabilities of the United States industrial base to support the national defense in light of the global nature of the supply chain and significant interdependencies between the United States industrial base and the industrial bases of foreign countries with respect to the manufacture, design, and end use of microelectronics.”

There is a revision of the Secretary of Energy’s authority over supply chain risk administered by the National Nuclear Security Administration (NNSA) that would provide for a “special exclusion action” that would bar the procurement of risky technology for up to two years.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Armed Services Committees Agree On Final NDAA

The annual defense policy bill creates a new National Cyber Director and addresses other technology issues.

Last week, the negotiators agreed on a final FY 2021 National Defense Authorization Act (NDAA) that could get passed as early as this week. To no great surprise, President Donald Trump has threatened to veto the annual policy and authorization package for reasons largely unrelated to the Department of Defense and other agencies subject to the bill. It is unclear how the President will respond if Congress ends him the bill and similarly unclear whether Republicans would vote to override a veto. Additionally, the bill might not make it to the White House until around Christmas Day which would complicate the reconvening of Congress to hold override votes.

Nonetheless, big picture, the conferees explained in the Joint Explanatory Statement that conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395):

  • The budget request for national defense discretionary programs within the jurisdiction of the Committees on Armed Services of the Senate and the House of Representatives for fiscal year 2021 was $731.6 billion. Of this amount, $636.3 billion was requested for base Department of Defense programs, $69.0 billion was requested for overseas contingency operations, $26.0 billion was requested for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $314.0 million for defense-related activities.
  • The conference agreement would authorize $731.6 billion in fiscal year 2021, including $635.5 billion for base Department of Defense programs, $69.0 billion for overseas contingency operations, $26.6 billion for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $494.0 million for defense-related activities.

As always, the bill is replete with provisions to change national security-related technology policy, most of which pertains to the Department of Defense (DOD) and the Intelligence Community (IC). However, anymore, the Department of Homeland Security and other agencies also receive policy alterations in the NDAA.

The bill would change the requirements as to when the DOD notifies Congress if it conducts offensive or defensive cyber operations by narrowing the category of such operations. For example, if Cyber Command were to strike a botnet again as it reportedly did in the run up to the election, it would not need to notify Congress, for such an operation is not a foreign terrorist organization or a foreign government unless they may be deemed a “proxy force.” There is a provision extending the liability shield for DOD contractors participating in the Pentagon’s mandated cyber incident reporting system to include compliance with Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

H.R.6395 would tweak the Quadrennial Cyber Posture Review assessments of U.S. statutes, policies, and authorities to manage cyber threats, especially in achieving cyber deterrence.

The DOD would need to set requirements for the periodic, systematic review of the cybersecurity of major weapons systems and related critical infrastructure to ensure the security of these platforms. The Pentagon must also establish a “Strategic Cybersecurity Program” “to ensure that the Department of Defense is always able to conduct the most important military missions of the Department.” This new initiative “shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:

  • Nuclear deterrence and strike.
  • Select long-range conventional strike missions germane to the warfighting plans of United States European Command and United States Indo-Pacific Command.
  • Offensive cyber operations.
  • Homeland missile defense.

The DOD will need to “develop a standard, comprehensive framework to enhance the consistency, execution, and effectiveness of cyber hunt forward operations” including the criteria used to identify such operations, the roles of various stakeholders in the DOD, pre-deployment planning guidelines, the metrics to measure the success of the operation, and other facets. Cyber Command and the National Security Agency have been deploying more of these teams to other nations to develop partnerships with nations closer to shared cyber adversaries (e.g. Estonia and Montenegro visa vis Russia.) The formalization of this process indicates increased Congressional interest and a desire to regularize the practice.

The DOD must “conduct a review of the Cybersecurity Service Provider and Cyber Mission Force enterprises” to determine where there are gaps and redundancies between DOD systems and those provided by contractors. Presumably such an inventory process would precede the DOD consolidating where it can and expanding where necessary.

The position of DOD Principal Cyber Advisor would be reformed. The Secretary of Defense would name a person to fill this position from the DOD civilian officials confirmed by the Senate. The Principal Cyber Advisor would have the following responsibilities, among others:

  • Acting as the principal advisor to the Secretary on military cyber forces and activities.
  • Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
  • Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.

The Principal Cyber Advisor will be tasked with the responsibility for the cybersecurity and critical infrastructure protection of the Defense Industrial Base (DIB) and must “synchronize, harmonize, de-conflict, and coordinate all policies and programs germane to defense industrial base cybersecurity.” This will encompass the Sector Specific Agency (SSA) responsibilities bestowed on the Under Secretary of Defense for Policy’s purview under Presidential Policy Directive-21, the Obama Administration era document that established the division and oversight of critical infrastructure with an eye towards cyber infrastructure. The Principal Cyber Advisor would also need to examine the Under Secretary of Defense for Acquisition and Sustainment’s authorities and responsibilities with respect to contracting and cybersecurity. The Principal Cyber Advisor would need to evaluate other facets of the DIB’s cybersecurity and critical infrastructure protection housed in different offices in the DOD, suggesting an obvious fracturing of efforts that may be at odds with one another.

The Principal Cyber Advisor and the head of Cyber Command would need to “conduct and complete an assessment on the operational planning and deconfliction policies and processes that govern cyber operations of the Department of Defense.” It appears that Congress would like DOD components to play better together when planning and conducting cyber operations, but this state of affairs is to be expected inside a large bureaucracy with players and entities interested in defending and even expanding their turf.

The DOD must “assess the feasibility and advisability of developing and using speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers in the Department of Defense.”

The DOD must study the feasibility of creating a new DIB information sharing program that would be above and beyond any current incident reporting requirements. Under law and regulation, at present, DIB contractors must report intrusions and incidents within 72 hours, but the language in H.R. 6395 envisions a program of greater information sharing for “cybersecurity purposes.” However, it begs the question as to why the DOD does not already have such a program given the “Cybersecurity Act of 2015” established the template for such programs over five years ago.

The Pentagon would need to “complete an assessment of the feasibility, suitability, definition of, and resourcing required to establish a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the DIB.”

The DOD must “assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.” And, for those components that fail to meet the “good cyber hygiene” standards, the report must indicate whether they will bring their hygiene up to snuff by March of 2022 and how they will shore up vulnerabilities and risks in the meantime.

The DOD would need to start submitting monthly reports on all “cross domain incidents,” a new term that seems to include all intrusions into classified or restricted systems regardless of whether information is exfiltrated, contaminated, or exposed. The Pentagon would also need to provide Congress with a list of all currently operative exemptions to DOD information policy.

The DOD must draft and implement a plan on how to secure and protect the U.S. nuclear command and control system from cyber threats.

The Cyberspace Solarium Commission (CSC) was extended. It was supposed to sunset after the delivery of its final report, but now it will continue to exist for the better part of two more years. The CSC would need to discharge the following duties:

  • collecting and assessing comments and feedback from the Executive Branch, academia, and the public on the analysis and recommendations contained in the Commission’s report;
  • collecting and assessing any developments in cybersecurity that may affect the analysis and recommendations contained in the Commission’s report;
  • reviewing the implementation of the recommendations contained in the Commission’s report;
  • revising, amending, or making new recommendations based on the [aforementioned] assessments and reviews…

The CSC’s primary recommendation that the U.S. have a National Cyber Director in the White House was included in the final bill. This new position shall also have a dedicated office in the Executive Office of the President but would not be a Senate confirmed position as the CSC advised. Moreover, it appears that offensive and defensive cyber operations of the DOD would be outside his or her statutory remit unless the President decides to make it so. The National Cyber Director would offer advice to the National Security Council (NSC) on U.S. cyber strategy and policy and coordinate the formulation of such policies and strategies. Moreover, the director would be a statutory member of the NSC. The National Cyber Director would lead U.S. responses at the federal level to cyber attacks and significant cyber campaigns.

The bill would expand the authority of the United States’ (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with respect to operating on civilian agency networks. CISA would be able to access and inspect other agencies’ information systems without the permission or knowledge of the other agency and could then share information and its findings with the agency. And yet, CISA would not receive authority to act if it found something on another agency’s information networks or systems. Nonetheless, CISA would also be empowered to provide a range of assistance to other agencies.

DHS would need to conduct an assessment of CISA per the CSC’s recommendations on how the agency could improve its operations and better use its resources, among other matters. DHS would also be tasked with evaluating how well the Sector Specific Agency approach to regulating critical infrastructure is working as laid out in Presidential Policy Directive 21 and successor documents and make recommendations on how to revise the framework if needed. This could result in the Biden Administration revamping the current 17 sectors and other components of how the U.S. oversees its critical infrastructure. In concert with this review and possible revision, Sector Specific Agencies would be replaced by Sector Risk Management Agencies that, as a practical matter, will probably be the same agencies overseeing the same sectors but with greater statutory responsibilities.

DHS must study and draft a strategy for all U.S.-based email providers to use Domain-based Message Authentication, Reporting, and Conformance (DMARC), “an email authentication, policy, and reporting protocol that verifies the authenticity of the sender of an email and blocks and reports to the sender fraudulent accounts.”

DHS would need to report annually on digital content forgery technology with the Director of National Intelligence, including:

  • An assessment of the underlying technologies used to create or propagate digital content forgeries, including the evolution of such technologies and patterns of dissemination of such technologies.
  • A description of the types of digital content forgeries, including those used to commit fraud, cause harm, harass, coerce, or silence vulnerable groups or individuals, or violate civil rights recognized under Federal law.
  • An assessment of how foreign governments, and the proxies and networks thereof, use, or could use, digital content forgeries to harm national security.
  • An assessment of how non-governmental entities in the United States use, or could use, digital content forgeries.
  • An assessment of the uses, applications, dangers, and benefits, including the impact on individuals, of deep learning or digital content forgery technologies used to generate realistic depictions of events that did not occur.
  • An analysis of the methods used to determine whether content is created by digital content forgery technology, and an assessment of any effective heuristics used to make such a determination, as well as recommendations on how to identify and address suspect content and elements to provide warnings to users of such content.
  • A description of the technological countermeasures that are, or could be, used to address concerns with digital content forgery technology.
  • Any additional information the Secretary determines appropriate.

CISA would receive the subpoena authority it requested to obtain the contact information of owners and operators of critical cyber infrastructure from internet service providers (ISP) should there be a risk. CISA submitted a legislative proposal in summer 2019 that was then taken up by Senate and House stakeholders who then introduced legislation in December and February respectively: the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S. 3045) and the “Cybersecurity Vulnerability Identification and Notification Act of 2020” (H.R. 5680). The bills were very similar but had some differences that have been ironed out.

CISA would be able to appoint an employee in each state to serve as Cybersecurity State Coordinator to help states improve their cybersecurity.

CISA must establish a “Cybersecurity Advisory Committee” to “advise, consult with, report to, and make recommendations to the Director, as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.”

Inside CISA, there would be a newly created Joint Cyber Planning Office “to develop, for public and private sector entities, plans for cyber defense operations, including the development of a set of coordinated actions to protect, detect, respond to, and recover from cybersecurity risks or incidents or limit, mitigate, or defend against coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”

Within one year, CISA “a report on Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within” CISA.

The Government Accountability Office (GAO) would need to investigate and report on cyber insurance in the U.S. At one time, some experts considered the development of a cyber insurance market as being crucial to driving greater cybersecurity across the private sector. However, this has not come to pass, which is likely why the GAO will be reporting on the issue.

On other technology policy, a Public Wireless Supply Chain Innovation Fund would be established and overseen by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to support the following activities:

  • Promoting and deploying technology, including software, hardware, and microprocessing technology, that will enhance competitiveness in the fifth-generation (commonly known as ‘‘5G’’) and successor wireless technology supply chains that use open and interoperable interface radio access networks.
  • Accelerating commercial deployments of open interface standards-based compatible, interoperable equipment, such as equipment developed pursuant to the standards set forth by organizations such as the O-RAN Alliance, the Telecom Infra Project, 3GPP, the Open-RAN Software Community, or any successor organizations.
  • Promoting and deploying compatibility of new 5G equipment with future open standards-based, interoperable equipment.
  • Managing integration of multi-vendor network environments.
  • Identifying objective criteria to define equipment as compliant with open standards for multi-vendor network equipment interoperability.
  • Promoting and deploying security features enhancing the integrity and availability of equipment in multi-vendor networks.
  • Promoting and deploying network function virtualization to facilitate multi-vendor interoperability and a more diverse vendor market.

A Multilateral Telecommunications Security Fund would be created and run by the Department of State “to establish a common funding mechanism, in coordination with foreign partners, that uses amounts from the Multilateral Telecommunications Security Fund to support the development and adoption of secure and trusted telecommunications technologies.” The bill provides that “[i]n creating and sustaining a common funding mechanism, the Secretary of State should leverage United States funding in order to secure commitments and contributions from trusted foreign partners such as the United Kingdom, Canada, Australia, New Zealand, and Japan, and should prioritize the following objectives:

  • Advancing research and development of secure and trusted communications technologies.
  • Strengthening supply chains.
  • Promoting the use of trusted vendors.”

Both of these new programs would need the Appropriations Committees to provide funding as the FY 2021 NDAA does not give them any money.

H.R.6395 directs “an interagency information technology spectrum modernization effort, led by the Assistant Secretary of Commerce for Communications and Infrastructure and the NTIA, to synchronize development and coordination of standards and Federal spectrum management.” This provision “would also require the Secretary of Defense to establish a program to identify and mitigate vulnerabilities in the telecommunications infrastructure of the DOD.”

The FY 2021 NDAA contains the “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”

H.R.6395 has provisions “that would require the Secretary of Commerce to establish a program that provides grants to covered entities to incentivize investment of semiconductor fabrication facilities, or assembly, testing, advanced packaging, or advanced research and development of semiconductors in the U.S.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Michael Afonso on Unsplash

Pending Legislation In U.S. Congress, Part V

Congress may well pass IoT legislation this year, and the two bills under consideration take different approaches.

Continuing our look at bills Congress may pass this year leads us to an issue area that has received attention but no legislative action; the Internet of Things (IoT). Many Members are aware and concerned about the lax or nonexistent security standards for many such devices, which leaves them open to attack or being used as part of a larger bot network to attack other internet connected devices. There are two bills with significant odds of being enacted, one better than the other, for it is a more modest bill and it is attached to the Senate’s FY 2021 National Defense Authorization Act. However, the other bill is finally coming to the House floor today, which may shake loose its companion bill in the Senate.

As the United States (U.S.) Departments of Commerce and Homeland Security explained in “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, insecure IoT poses huge threats to the rest of the connected world:

The Distributed Denial of Service (DDoS) attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. This attack also highlighted the growing insecurities in—and threats from—consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place. While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices, and one of the largest DDoS attacks seen to date recently exploited a newly discovered vulnerability in the relatively obscure MemCacheD software.

Later in the report, as part of one of the proposed goals, the departments asserted:

When market incentives encourage manufacturers to feature security innovations as a balanced complement to functionality and performance, it increases adoption of tools and processes that result in more secure products. As these security features become more popular, increased demand will drive further research.

However, I would argue there are no such market incentives at this point, for most people looking to buy and use IoT are not even thinking about security except in the most superficial ways. Moreover, manufacturers and developers of IoT have not experienced the sort of financial liability or regulatory action that might change the incentive structure. In May, the Federal Trade Commission (FTC) reached “a settlement with a Canadian company related to allegations it falsely claimed that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”

As mentioned, one of the two major IoT bills stands a better chance of enactment. The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S. 1611) would establish the beginnings of a statutory regime for the regulation of IoT at the federal level. The bill is sponsored by Senators Deb Fischer (R-NE), Cory Gardner (R-CO), Brian Schatz (D-HI), and Cory Booker (D-NJ) and is substantially similar to legislation (S. 88) the Senate passed unanimously in the last Congress the House never took up. In January, the Senate passed the bill by unanimous consent but the House has yet to take up the bill. S.1611was then added as an amendment to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) in July. Its inclusion in an NDAA passed by a chamber of Congress dramatically increases the chances of enactment. However, it is possible the stakeholders in the House that have stopped this bill from advancing may yet succeed in stripping it out of a final NDAA.

Under this bill, the Secretary of Commerce must “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things, including”

identify any Federal regulations, statutes, grant practices, budgetary or jurisdictional challenges, and other sector-specific policies that are inhibiting, or could inhibit, the development or deployment of the Internet of Things;

  • consider policies or programs that encourage and improve coordination among Federal agencies that have responsibilities that are relevant to the objectives of this Act;
  • consider any findings or recommendations made by the steering committee and, where appropriate, act to implement those recommendations;
  • examine—
    • how Federal agencies can benefit from utilizing the Internet of Things;
    • the use of Internet of Things technology by Federal agencies as of the date on which the working group performs the examination;
    • the preparedness and ability of Federal agencies to adopt Internet of Things technology as of the date on which the working group performs the examination and in the future; and
    • any additional security measures that Federal agencies may need to take to—
      • safely and securely use the Internet of Things, including measures that ensure the security of critical infrastructure; and
      • enhance the resiliency of Federal systems against cyber threats to the Internet of Things

S.1611 requires this working group to have representatives from specified agencies such as the National Telecommunications and Information Administration, the National Institute of Standards and Technology, the Department of Homeland Security, the Office of Management and Budget, the Federal Trade Commission, and others. Nongovernmental stakeholders would also be represented on this body. Moreover, a steering committee would be established inside the Department of Commerce to advise this working group on a range of legal, policy, and technical issues. Within 18 months of enactment of S.1611, the working group would need to submit its recommendations to Congress that would then presumably inform additional legislation regulating IoT.  Finally, the Federal Communications Commission (FCC) would report to Congress on “future spectrum needs to enable better connectivity relating to the Internet of Things” after soliciting input from interested parties.

As noted, there is another IoT bill in Congress that may make it to the White House. In June 2019 the Senate and House committees of jurisdictions marked up their versions of the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734), legislation that would tighten the federal government’s standards with respect to buying and using IoT. In what may augur enactment of this legislation, the House will take up its version today. However, new language in the amended bill coming to the floor making clear that the IoT standards for the federal government would not apply to “national security systems” (i.e. most of the Department of Defense, Intelligence Community, and other systems) suggests the roadblock that may have stalled this legislation for 15 months. It is reasonable to deduce that the aforementioned agencies made their case to the bill’s sponsors or allies in Congress that these IoT standards would somehow harm national security if made applicable to the defense IoT.

The bill text as released in March for both bills was identical signaling agreement between the two chambers’ sponsors, but the process of marking up the bills has resulted in different versions, requiring negotiation on a final bill. The House Oversight and Reform Committee marked up and reported out H.R. 1668 after adopting an amendment in the nature of a substitute that narrowed the scope of the bill and is more directive than the bill initially introduced in March. The Senate Homeland Security and Governmental Affairs Committee marked up S. 734 a week later, making their own changes from the March bill. The March version of the legislation unified two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283).

Per the Committee Report for S. 734, the purpose of bill

is to proactively mitigate the risks posed by inadequately-secured IoT devices through the establishment of minimum security standards for IoT devices purchased by the Federal Government. The bill codifies the ongoing work of the National Institute of Standards and Technology (NIST) to develop standards and guidelines, including minimum-security requirements, for the use of IoT devices by Federal agencies. The bill also directs the Office of Management and Budget (OMB), in consultation with the Department of Homeland Security (DHS), to issue the necessary policies and principles to implement the NIST standards and guidelines on IoT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinate resolutions of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IoT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.

In general, this bill seeks to leverage the federal government’s ability to set standards through acquisition processes to ideally drive the development of more secure IoT across the U.S. The legislation would require the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to work together to institute standards for IoT owned or controlled by most federal agencies. As mentioned, the latest version of this bill explicitly exclude “national security systems.” These standards would need to focus on secure development, identity management, patching, and configuration management and would be made part of Federal Acquisition Regulations (FAR), making them part of the federal government’s approach to buying and utilizing IoT. Thereafter, civilian federal agencies and contractors would need to use and buy IoT that meets the new security standards. Moreover, NIST would need to create and implement a process for the reporting of vulnerabilities in information systems owned or operated by agencies, including IoT naturally. However, the bill would seem to make contractors and subcontractors providing IoT responsible for sharing vulnerabilities upon discovery and then sending around fixes and patches when developed. And yet, this would seem to overlap with the recently announced Trump Administration vulnerabilities disclosure process (see here for more analysis) and language in the bill could be read as enshrining in statute the basis for the recently launched initiative even though future Administrations would have flexibility to modify or revamp as necessary.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by lea hope bonzer from Pixabay

Pending Legislation In U.S. Congress, Part I: FY 2021 NDAA and FISA Reauthorization

Normally, a FISA reauthorization would be considered must pass like an NDAA, but this year may be different.   

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. However, it is just as likely, possibly even more, that Congress punts everything except for a measure to keep the government funded through the November election. This week, we will explore some of the bills that may become law. Today’s piece is on the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA).

FY 2021 NDAA

Congress will almost certainly pass its annual policy and authorization bill for the Department of Defense (DOD) as it has done for every year since FY 1962. Any more, this bill is laden with technology provisions, most of which are oriented towards national security programs, but not always because the National Defense Authorization Act (NDAA) is considered must-pass legislation, it attracts some legislation that is non-defense. For example, the revamp of how the United States government buys and develops information technology programs, the “Federal Information Technology Acquisition Reform Act” (FITARA) (P.L. 113-291), was enacted as part of the FY 2015 NDAA.

The House and Senate have passed their respective bills: the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) and the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) and have already started work on resolving differences between the two packages. However, over the last decade or so, the NDAA has been one of the last major bills passed each calendar year, and it is possible this legislation will not reach the President’s desk until late December.

The base bill put on the floor of the House contained a range of cybersecurity provisions. The DOD’s requirement that it must submit its cybersecurity and information technology (IT) budget would be broadened to include cyber mission force and a its new cyber operations force budgets. The Cyberspace Solarium Commission’s (CSC) structure would be changed and would be extended. The DOD would need to study and consider replicating an entity inside the Navy that has been researching and pioneering cyber warfare. The DOD’s Principal Cyber Advisor would be invested with the authority to manage the Pentagon’s role as the sector-specific agency (SSA) for the Defense Industrial Base (DIB) under Presidential Policy Directive- 21. The bill also increased the DOD’s reporting requirements to Congress regarding compromises of its system and exceptions to its IT policies with the goal of creating a baseline to help the Pentagon manage its cyber risks and tradeoffs. The DOD would determine whether a current public-private partnership on cybersecurity is working and should be extended.

The Department of Homeland Security (DHS) would need to submit a report on the feasibility of an Integrated Cyber Center housed at its National Cybersecurity and Communications Integration Center (NCCIC). DHS would need to work with the DOD, Office of the Director of National Intelligence (ODNI) and National Security Agency (NSA) on whether it makes sense to create a joint collaboration environment to help shore up cybersecurity. The Pentagon would need to study and then implement a threat hunting program that would allow its personnel to go searching for vulnerabilities and cyber risks in the IT systems of DIB contractors. The DOD would be barred from contracting with entities that do not belong to the DIB threat intelligence sharing program. The bill would also permit the DOD to make grants to companies providing cybersecurity to small manufacturers in the U.S. The bill would establish a National Artificial Intelligence Initiative to support and foster a number of related activities including research and development, education, and training.

During floor consideration of H.R.6395, the House agreed to scores of amendments in two en bloc packages that contained most of the technology provisions made in order for consideration. Among the most notable of these provisions are the following, some of which have been considered by the House as standalone legislation:

The cybersecurity provisions in S.4049 would change, alter, or establish a range of programs and operations. The bill would modify the statutory duties of Department of Defense’s Principal Cyber Advisor to require that the person chosen for this role is a civilian at the Pentagon who holds a position requiring Senate confirmation. The DOD would need to develop and implement a framework for forward hunt operations (i.e. offensive cyber operations) to address some of the issues the committee’s oversight turned up. The focus on this exercise would be to get a better understanding on the utility and life span of intelligence gained through such operations. The Pentagon’s reporting duties after executing an offensive or defensive cyber operation would be expanded to include nations and entities with whom the United States is not at war. The Committee expanded the DOD’s required briefings on cyber operations, expressing frustration with the Department’s “unwillingness to keep the committee apprised of cyber operations conducted to gain access to adversary systems, including those conducted pursuant to standing military plans against military targets.”

There is language mandating that the DOD begin the process of harmonizing the Pentagon’s cyber capabilities and those provided by private sector contractors, much of which overlaps in the view of the committee. Cyber Command would receive expanded but necessarily acquisition authority as the service branches are to remain the entities undertaking large procurements. The Principal Cyber Advisor and head of Cyber Command would need to assess how well the DOD manages inter-agency conflict in the Pentagon and among Intelligence Community agencies in managing the process by which cyber operations are designed and executed, suggesting there is significant internal friction among the stakeholders. The DOD would need to conduct a pilot on the feasibility of adopting and using a commercial practice of speed-based cybersecurity metrics. The Pentagon would also need to better integrate its data collection and data analysis regarding potentially malicious or illegal activities by DOD employees and contractors (i.e. so-called insider threat).

The DOD would need “to develop a comprehensive plan, by February 1, 2021, for the deployment of commercial-off-the-shelf solutions on supplier networks to monitor the public-facing Internet attack surface of members of the defense industrial base (DIB)” that is intended to supplement the DOD’s new Cybersecurity Maturity Model Certification and other DOD efforts to shore up the cybersecurity of its contractors. The bill would grant a DOD request to receive the authority to immediately react and respond to reported threats and penetrations to “operationally critical” DOD contractors’ systems and networks. The DOD would need “to conduct a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the initiative should continue, but as a program of record, or should be replaced by an improved design and modern technology.” The DOD would also receive limited flexibility to use Operation and Maintenance (O&M) “for cyber operations-peculiar capability development projects.” The committee also conditioned the availability of certain Office of the Secretary of Defense travel on fulfilling a requirement in the current year’s NDAA to submit “a report for the structuring and manning of information operations capabilities and forces” in the DOD, develop “a strategy for operations in the information environment” and to “conduct an information operations posture review.”

The Cyberspace Solarium Commission (CSC) would have its mandate extended so it could monitor, assess, and report on the implementation of its 75 recommendations made in March 2020. The bill includes a number of CSC recommendations, including:

  • Adding “a force structure assessment of the Department of Defense’s Cyber Operations Forces to future cyber posture reviews.”
  • “a report to the congressional defense committees, detailing the actions that the Secretary will undertake to ensure that the Commander, U.S. Cyber Command, has enhanced authority, direction, and control of the Cyber Operations Forces and of the equipment budget that enables Cyber Operations Forces’ operations and readiness, beginning with fiscal year 2024 budget request.”
  • Assessing “options for establishing a cyber reserve force.”
  • A comprehensive plan for “[e]nsuring cyber resiliency of nuclear command and control system”
  • Requiring “the Secretary of Defense to establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities.”
  • Mandating that the Secretary of Defense “establish a threat intelligence sharing program to share threat intelligence with and obtain threat intelligence from the defense industrial base.”
  • Requiring the Pentagon “to conduct an assessment of the adequacy of threat hunting elements of the Cyber Maturity Model Certification (CMMC) program and the need for continuous threat monitoring operations.”
  • Addressing “the risks to National Security Systems (NSSs) posed by quantum computing by requiring the Secretary of Defense to: (1) Complete an assessment of current and potential threats to critical NSSs and the standards used for quantum-resistant cryptography; and (2) Provide recommendations for research and development activities to secure NSSs.”
  • Study the feasibility of establishment of a National Cyber Director.

In terms of the provisions that were folded into the final Senate bill, Senate Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-WI) succeeded in attached to the larger bill the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S.3045). S.3045 would expand the authority of Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to issue subpoenas to internet service providers to obtain the identity of owners and operators of critical infrastructure subject to be drafted procedures and limits on how any information collected from subpoena is used and retained. The House’s counterpart bill, H.R.5680, was added as an amendment to H.R.6395, meaning the substance of the legislation will almost certainly be in the final NDAA. Also, an amendment was adopted to stimulate semiconductor manufacturing in the United States by creating a grant and tax incentive program at the Department of Commerce

There were other technology provisions added to the bill during debate. The following amendments were adopted on 2 July en bloc by unanimous consent:

  • The Department of Homeland of Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “[T]he Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a re commendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal  information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242).

FISA Reauthorization

At present, key surveillance authorities for new investigations have lapsed, and it does not appear Congress is close to a deal to restore and reform them, an unusual state of affairs, for since 11 September 2001, it has done so regularly. The House and Senate have both passed bills but have been unable to agree on the extent of reforms to Foreign Intelligence Surveillance Act (FISA) programs given antipathy from the Trump Administration on proposed changes and opposition from some Democrats and Republicans who want to see more significant reforms. It is always possible a compromise package is agreed to and then tacked onto the FY 2021 NDAA, a continuing resolution, or an omnibus appropriations bill as has happened before.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not to take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172, which it did in May. Thereafter, reforms House Democratic leadership tried adding to the bill failed to please stakeholders, leaving the chamber to squelch plans to send a revised bill to the Senate and instead ask for a conference, which is where matters currently stand.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the “USA PATRIOT Act” in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Cater Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to. Senators Pat Leahy (D-VT) and Mike Lee’s (R-UT) amendment to expand the amicus process during the FISA process prevailed by a 77-19 vote.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories. However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

In late May, it appeared as if the House would bring H.R. 6172 to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, that caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes for passage of the bill to send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA) and Representative Zoe Lofgren (D-CA). The bill is being held at the desk in the Senate and Senate conferees have not been named, meaning the conference committee cannot formally begin.  

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by ArtTower from Pixabay

Further Reading, Other Developments, and Coming Events (31 August)

Today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.”
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 30 September titled ““Oversight of the Enforcement of the Antitrust Laws” with Federal Trade Commission Chair Joseph Simons and United States Department of Justice Antitrust Division Assistant Attorney General Makan Delhrahim.
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • A group of Democratic Senators wrote the Federal Communications Commission (FCC) “to express our profound frustration that the [agency] has failed to take forceful action to keep households connected during the COVID-19 pandemic.” They asserted that “[a]s millions of American families face unprecedented financial pressures and educational challenges, we urge the FCC to reverse proposed changes to the Lifeline program, take immediate steps to open its assistance to more households, and ensure that its services meet the pressing needs of families during this crisis.”
    • They claimed
      • Since the first weeks of [FCC Chair Ajit Pai’s tenure], the FCC has sought to block new broadband providers’ participation in the Lifeline program, curtail benefits in tribal areas, exclude existing carriers, rollback reforms for registering new carriers, make it harder for new applicants  to subscribe, prevent carriers from offering free in-person distribution of phones, reduce incentives to enroll subscribers, and add more barriers for participating carriers and subscriber. These proposals have been so extreme that they would lead to cutting off carriers serving almost 70% of Lifeline subscribers.
    • They urged Pai “to immediately take the following steps:
      • 1.) Take emergency measures to provide additional financial support to Lifeline providers during the pandemic to temporarily support unlimited mobile data and voice minutes, and notify Congress if additional funding is needed for such changes.
      • 2.) Extend all current FCC waivers on Lifeline usage and subscriber documentation requirements for at least a full year, until August 2021or when we have recovered from the pandemic.
      • 3.) Close the currently outstanding Lifeline proposed rulemakings that would create new obstacles for eligible households and add unwarranted burden on carriers.
      • 4.)Pause the scheduled changes to Lifeline program’s minimum service standards until the Commission studies such impacts on the market in its upcoming 2021 State of Lifeline Marketplace Report, to avoid disruptions to customers’ services.
      • 5.) Restore the monthly subsidy to $9.25 for plans offering voice services for subscribers who value voice over data-heavy plans and pause the planned decrease in contributions for voice support.
      • 6.) Work with states to increase the automated verification of state databases with the National Verifier program by the end of this year.
  • New Zealand’s National Cyber Security Centre (NCSC) released a “General Security Advisory: ongoing campaign of Denial of Service (DoS) attacks affecting New Zealand entities” after four days of DoS attacks against New Zealand’s stock market coming from somewhere offshore. The NCSC recommended best practices the Australian Cyber Security Centre (ACSC) had published. The NCSC stated
    • [It] is aware of an ongoing campaign of DoS attacks affecting New Zealand entities.
    • The campaign has included the targeting of a number of global entities, predominantly in the financial sector. 
    • The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.
  • Senator Mark Warner (D-VA) letters to DellAppleHPSamsungGoogleMicrosoftAcer America, and ASUS USA asking the “companies to do what they can to help bridge the “homework gap” – the lack of reliable computer or internet access that prevents school-aged children from being able to do school work from home.” Warner’s letter is in response to the nationwide shortage of lost laptops and tablets facing families as many children will be starting school online this fall. Warner stated:
    • There are a range of actions your company can take, including educational product discounts, the provision of complimentary or donated computers (including for home lending programs many educational institutions operate), and the provision of refurbished or returned products in good working condition for school districts and higher education institutions to distribute to educators and students. While I understand the strains placed on the global supply chain, your prioritization of these matters would greatly assist struggling families at this challenging time.
  • The United States Department of Defense (DOD) updated its list of ““Communist Chinese military companies” operating directly or indirectly in the United States in accordance with the statutory requirement of Section 1237 of the National Defense Authorization Act for Fiscal Year 1999, as amended.” The eleven companies from the People’s Republic of China (PRC) were added to the existing list sent “to Congress in June 2020,” some 20 years after Congress tasked the DOD with this responsibility. This action is most likely in response to a letter sent last year to fulfill this responsibility. Notably, any company on the list could be sanctioned by the President under the same authorities recently used against TikTok and WeChat.
    • In a September 2019 letter to Secretary of Defense Mark Esper, Senate Minority Leader Chuck Schumer (D-NY) and Senator Tom Cotton (R-AR) were joined by Representatives Ruben Gallego (D-AZ) and Mike Gallagher (R-WI) in asking whether the DOD has been updating a list of “those persons operating directly or indirectly in the United States or any of its territories and possessions that are Communist Chinese military companies” as directed by Section 1237 of the FY 1999 NDAA. They noted that China’s Communist Party has adopted a Military-Civilian Fusion strategy “to achieve its national objectives,” including the acquisition of U.S. technology through any means such as espionage, forced technology transfers, and the purchase of or investment in U.S. technology forms. Schumer, Cotton, Gallego, and Gallagher urged the Trump Administration “reexamine all statutory authorities at its disposal to confront the CCP’s strategy of Military-Civilian Fusion, including powers that have laid dormant for years.”
    • Unstated in this letter, however, is that the first part of Section 1237 grants the President authority to “exercise International Emergency Economic Powers Act (IEEPA) authorities (other than authorities relating to importation) without regard to section 202 of the IEEPA (50 U.S.C. 1701) in the case of any commercial activity in the United States by a person that is on the list.” Of IEEPA grants the President sweeping powers to prohibit transactions and block property and property interests for nations and other groups subject to an IEEPA national emergency declaration. Consequently, those companies identified by the DOD on a list per Section 1237 could be blocked and prohibited from doing business with U.S. entities and others and those that do business with such Chinese companies could be subject to enforcement actions by the U.S. government (e.g. the U.S.’s actions against ZTE for doing business with Iran in violation of an IEEPA national emergency).
    • The statute defines a “Communist Chinese military company” as “any person identified in the Defense Intelligence Agency publication numbered VP-1920-271-90, dated September 1990, or PC-1921-57-95, dated October 1995, and any update of those publications for the purposes of this section; and any other person that is owned or controlled by the People’s Liberation Army; and is engaged in providing commercial services, manufacturing, producing, or exporting.” Considering that the terms “owned” and “controlled” are not spelled out in this section, the executive branch may have very wide latitude in deeming a non-Chinese company as owned or controlled and therefore subject to the President’s use of IEEPA powers. Moreover, since the President already has the authority to declare an emergency and then use IEEPA powers, this language would seem to allow the President to bypass any such declaration and immediately use such powers, except those regarding importation, against any Chinese entities identified on this list by the Pentagon.
  • District of Columbia Attorney General Karl Racine (D) filed suit against Instacart alleging the company “violated the District’s Consumer Protection Procedures Act and tax law by: 
    • Charging District consumers millions of dollars in deceptive service fees: Prior to 2016, Instacart’s checkout screen contained an option to tip workers, set as a default 10 percent of the consumer’s subtotal for groceries that users could adjust. In 2016, Instacart swapped the tip option for a service fee, which was also set to a default 10 percent and could be adjusted, and displayed it where the tip option used to be. Consumers paid the service fee believing they were tipping workers. In reality, the service fee was a second charge—on top of a delivery fee—imposed by Instacart to cover delivery costs and operating expenses. Additionally, Instacart failed to clearly disclose that service fees were optional and that consumers could choose not to pay them.
    • Misleading consumers about how service fees contributed to worker pay: When Instacart announced the new service fees, it told consumers that “100% of the variable service amount is used to pay all shoppers more consistently for each and every delivery, not just the last shopper to touch the order.” Instacart also stated that the company collected a service fee because “multiple shoppers may have been involved in a single order” and the “service fee is used to pay this entire set of shoppers.” In fact, the shoppers who fulfilled a consumer’s order were paid the same whether or not a consumer paid the service fee.
    • Failing to pay at hundreds of thousands of dollars in District sales tax: Under District law, Instacart is responsible for collecting sales tax on the delivery services it provides. The entire time Instacart has operated in the District, it has failed to collect sales tax on the service fees and delivery fees it charged users.
  • Two large United States (U.S.) technology companies are facing class actions in the Netherlands and the United Kingdom (UK) that argue the companies’ use of third party cookies in order to sell real time bidding advertising violated the European Union’s General Data Protection Regulation (GDPR) by not obtaining the consent of people before their personal information is collected and processed. The suit against Oracle and Salesforce is being brought by The Privacy Collective, a European non-profit, that could result in damages of more than €10 billion.
  • As part of its lawsuit against Google “for deceptive and unfair practices used to obtain users’ location data, which Google then exploits for its lucrative advertising business,” the Office of the Attorney General of Arizona released emails obtained during the course of discovery that may demonstrate the company’s knowledge that its interface and operating system were trying to frustrate a user’s desire to truly turn off location data.
  • The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data, “a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage.” Feedback is welcome until 25 September.
    • The organizations asserted
      • The standards’ emphasis is on transparency, accountability, and the limitation on health data collection, disclosure, and use. Importantly, the standards:
        • (1) move beyond outdated notice and consent models,
        • (2) cover all health information, and
        • (3) cover all entities that use, disclose or collect consumer health information, regardless of the size or business model of the covered entity.
      • This proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Given that Congressional action to pass such a law is likely some time away, this effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA covered health data.

Further Reading

  • Big Oil Faded. Will Big Tech?” By Shira Ovide – The New York Times. This piece suggests that the so-called Big Tech companies may someday wane as many energy companies like Exxon are currently doing. The interesting point is made that a company or field’s preeminence can rapidly disappear and it can seem dominant until it is not. And this frequently happens for reasons that do not seem apparent or related. Ironically, Exxon essentially got pushed out of the Dow Jones Industrial Average because Apple had to split its stock because of its surging valuation. Another tech company, Salesforce, will replace Exxon.
  • Apple wants to stop advertisers from following you around the web. Facebook has other ideas.” By Peter Kafka – Recode. Apple will extend a feature from Safari to its next iOS for iPhones where users will soon be asked whether they want to allow apps to track them across the web and other apps in order to deliver them targeted, personalized advertising. To no great surprise, it is being assumed many users will say no, diminishing a prime mode by which companies reap data and show people advertisements that are intimately tied to what they read and watch online. Consequently, advertisers will be less willing to spend dollars on more general ads and income will be depressed for the two major players in this market: Facebook and Google. Facebook has already declared it will not use Apple’s device identifier unique to every iPhone or Apple Watch, meaning users downloading the Facebook app will not get the choice of whether to say no to the companies tracking them. It is not clear how well this workaround will mitigate the projected loss in ad revenue for Facebook, but it does represent the latest chapter in the fight between the two companies. Facebook has lined up with Epic Games, maker of Fortnite, in its suit against Apple regarding App Store policies. It is very likely Apple sees this change to iOS 14 as a means of burnishing its reputation as being more concerned about its users privacy than competitors in Silicon Valley, which it can afford to be considering it does not earn most of its revenue the same way Facebook does, and curry favor in Washington and Brussels where it is facing antitrust scrutiny.
  • Want a Free Amazon Halo Wearable? Just Hand Over Your Data to This Major Insurance Company” By Emily Mullin – OneZero. Amazon has teamed with insurer John Hancock to offer a wearable health and fitness tracker that will be used to collect personal data on wearers that is designed to nudge them into better behaviors and better health. This is not the first such pairing, and it raises a host of policy issues, for healthier people would be poised to reap benefits not available to less healthy people. Some insurers are offering modest amounts of cash or gift cards for exercising regularly or other benefits that would not go to less healthy people. These sorts of programs are similar to employee health and wellness programs that were enshrined in the “Patient Protection and Affordable Care Act” that studies have suggested do not work very well. Additionally, companies like Amazon and John Hancock will be collecting and processing all sorts of very sensitive personal information, making them likely targets of hacking operations. Also, there are privacy implications, for these wearable devices will likely allow companies to know the most intimate details of wearers’ lives.
  • TikTok Deal Is Complicated by New Rules From China Over Tech Exports” By Paul Mozur, Raymond Zhong and David McCabe – The New York Times; “TikTok Is Said to Wrestle With Two Competing Offers” By Mike Isaac – The New York Times; “China’s new tech export restrictions further cloud US TikTok sale and raise the risk of protectionism” By Coco Feng, Tracy Qu and Amanda Lee– South China Morning Post; “China puts drones and laser tech on restricted export list after US tightens rules” By Sidney Leng – South China Morning Post; “TikTok Chief Executive Kevin Mayer Resigns” By Mike Isaac – The New York Times.In a surprise announcement from two agencies late last week, the People’s Republic of China changed its export control rules for the first time since 2008 to likely have leverage over TikTok’s sale to a United States (U.S.) entity. Ostensibly, the changes are “to regulate technology exports, promote scientific and technological progress and economic and technological cooperation, and maintain national economic security,” but the inclusion of “personalised information recommendation service technology based on data analysis” and “artificial intelligence interactive interfaces” likely point to ByteDance’s app, TikTok. In fact a researcher with the PRC Ministry of Commerce was quoted as asserting “[t]he time to publish the new update of the export control list has been expedited due to the TikTok sale.” Moreover, the PRC’s timeline for deciding on whether an export license is needed is the same as the Trump Administration’s second executive order directing ByteDance to divest TikTok. Incidentally, these changes are probably in response to tighten of U.S. export controls against the PRC, which could set off retaliatory moves. In any event, Beijing will now have to approve any sale of TikTok operations in the U.S. Also, Walmart has apparently joined forces with Microsoft in preparing a bid on TikTok in competition with Oracle which threw its proverbal hat into the ring last week. And, new TikTok CEO Kevin Mayer stepped down in a surprise move citing ByteDance’s changed circumstances.
  • Trump aides interviewing replacement for embattled FTC chair” By Leah Nylen, Betsy Woodruff Swan, John Hendel and Daniel Lippman – Politico. The Trump Administration may be trying to force out Federal Trade Commission Chair Joe Simons or merely interviewing replacements if he steps down next year should President Donald Trump still be in the White House next year. Given the reports that Simons has resisted pressure from the White House to comply with the executive order on Section 230 by investigating social media platforms, Simons has likely not won any new fans at 1600 Pennsylvania Avenue. Having said that, removing an FTC Commissioner is much harder than other top positions in the U.S. government, and the FTC is designed to be insulated from political pressure. However, Commissioners are politicians, too, and carefully gauge the direction the wind is blowing. That being said, Simons has also sent out signals he will step down next year and return to private practice, so the interviewing of possible successors may be entirely normal in an Administration that usually does not operate normally.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Gordon Johnson from Pixabay

Further Reading, Other Developments, and Coming Events (26 August)

Here are today’s Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 10 September, the General Services Administration (GSA) will have a webinar to discuss implementation of Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) that bars the federal government and its contractors from buying the equipment and services from Huawei, ZTE, and other companies from the People’s Republic of China.
  • The Federal Communications Commission (FCC) will hold a forum on 5G Open Radio Access Networks on 14 September. The FCC asserted
    • Chairman [Ajit] Pai will host experts at the forefront of the development and deployment of open, interoperable, standards-based, virtualized radio access networks to discuss this innovative new approach to 5G network architecture. Open Radio Access Networks offer an alternative to traditional cellular network architecture and could enable a diversity in suppliers, better network security, and lower costs.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?.” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Assistant Director for Infrastructure Security Brian Harrell has resigned and left CISA. Harrell is returning to the private sector and will be replaced by CISA Deputy Assistant Director Steve Harris in an acting capacity.
  • The Federal Communications Commission (FCC) announced “the successful conclusion of bidding in its auction of Priority Access Licenses in the 3550-3650 MHz band…which was designated as Auction 105, made available the greatest number of spectrum licenses ever in a single FCC auction.” The FCC stated “[t]his 70 megahertz of licensed spectrum will further the deployment of 5G, the next generation of wireless connectivity, as well as the Internet of Things and other advanced spectrum-based services.” The FCC added:
    • Bidding in the auction of 70 megahertz of Priority Access Licenses (PALs) in the 3550-3650 MHz band (Auction 105) concluded today following round 76. Gross proceeds reached $4,585,663,345, and bidders won 20,625 of 22,631, or more than 91.1%, of available licenses. The FCC will release a public notice in a few days providing detailed auction results, including the names of Auction 105 winning bidders, and announcing deadlines for payments and the filing of long-form applications, as well as other post-auction procedures needed for the prompt issuance of licenses. That information, as well as other information about Auction 105, will be available at: https://www.fcc.gov/auction/105.  
  • The United States (U.S.) Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory “in response to a voice phishing (vishing) campaign.” The agencies said “[v]ishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.” Vishing was reportedly key components in the recent Twitter hack and a breach of Israeli defense firms.
    • The FBI and CISA stated:
      • The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification. In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access. Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.
  • At a press conference at the Department of Defense (DOD), Undersecretary of Defense for Acquisition and Sustainment Ellen Lord provided more detail on the waiver the trump Administration granted for some purchases of services and equipment from the People’s Republic of China. Regarding the Section 889 waiver, Lord stated
    • The waiver was granted temporarily by ODNI. It’s only in effect until September 30th in order to provide time to review the full details of the rule implementation using additional information from DOD. 
    • The waiver covers items that are considered low-risk to national security such as food, clothing, maintenance services, construction materials that are not electronic, and numerous other items that ODNI has identified as commodities, low-risk commodities. 
    • The waiver received is not for our major weapons systems or any support activity related to them. The short-term waiver is important so that end-of-fiscal-year activity will not be impacted. We are balancing warfighter readiness and completing end-of-year purchases to avoid issues with expiring funds with rule implementation for the next 45 days. DOD is not seeking a broader waiver request at this time. 
    • As we eliminate Chinese telecommunications equipment form our supply chain, we know that there are challenges for our industry partners, but we are pleased to see the defense industrial base stepping up smartly. This is the right thing for our national security. 
    • We’re pleased to see the efforts of our major primes in being proactive to eliminate the prohibited equipment, and we continue to remain in constant dialogue. We will keep you updated as we move forward. 
  • The United States (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has updated its “Essential Critical Infrastructure Workers Guidance” by issuing Version 4.0. CISA stated “[w]hile earlier versions were primarily intended to help officials and organizations identify essential work functions in order to allow them access to their workplaces during times of community restrictions, Version 4.0 identifies those essential workers that require specialized risk management strategies to ensure that they can work safely. It can also be used to begin planning and preparing for the allocation of scare resources used to protect essential workers against COVID-19.”
    • In the guidance, CISA explained
      • This list is intended to help State, local, tribal, territorial officials and organizations endeavor to protect their workers and communities as they continue to reopen in a phased approach, coupled with the need to ensure continuity of functions critical to public health and safety, as well as economic and national security. Decisions informed by this list should also take into consideration worker safety, workplace settings, as well as additional public health considerations based on the specific COVID-19-related concerns of particular jurisdictions. This list is advisory in nature.
    • CISA stressed:
      • It is not, nor should it be considered, a federal directive or standard. Additionally, this advisory list is not intended to be the exclusive list of critical infrastructure sectors, workers, and functions that should continue to work safely during the COVID-19 response across all jurisdictions. (emphasis in the original)
    • CISA asserted
      • The advisory list identifies workers who conduct a range of operations and services that are typically essential to continued critical infrastructure viability, including staffing operations centers, maintaining and repairing critical infrastructure, operating call centers, working construction, and performing operational functions, among others. It also includes workers who support crucial supply chains and enable functions for critical infrastructure. The industries they support represent, but are not limited to, medical and healthcare, telecommunications, information technology systems, defense, food and agriculture, transportation and logistics, energy, water and wastewater, and law enforcement
  • The United States (U.S.) Department of Energy’s (DOE) Artificial Intelligence and Technology Office (AITO) “announced the creation of the First Five Consortium (First Five).” The DOE has adapted Pentagon developed artificial intelligence/machine learning to help U.S. first responders make better, faster decisions in the event of a disaster. However, this effort was co-led by Microsoft and involved a range of other stakeholders.
    • DOE explained
      • Co-Chaired with Microsoft Corporation, First Five was formed in response to the January 2020 White House Executive Forum focused on Humanitarian Assistance and Disaster Response. This cross-cut of industry, government, non-profit, and academia has pledged their in-kind support to develop solutions that will improve the impact mitigation of natural disasters in the United States.
      • DOE’s Pacific Northwest National Laboratory is currently scaling a prototype initially developed by the Department of Defense (DOD) Joint Artificial Intelligence Center (JAIC) that uses deep learning algorithms to provide near real-time data to improve the decision making of our nation’s First Responders. Since 2019, the JAIC has led the development of AI capability through its National Mission Initiatives.
      • To support this work, Microsoft recently established a critical infrastructure team to help advance the nation’s key systems, services, and functions essential to the operation of American society and its economy. Comprehensive data collection together with modeling hold huge promise for forecasting and detecting early signs of coming disasters. The development of life-saving AI algorithms can help responders better focus their aid and make for a faster and safer response. The team will explore avenues to use AI, confidential computing, modernized communications, distributed systems, and cybersecurity to improve disaster resilience, collaborating with DOE, DOD, and others.
  • The Federal Aviation Administration (FAA), Department of Justice (DOJ), Federal Communications Commission (FCC), and Department of Homeland Security (DHS) published “an advisory guidance document to assist non-federal public and private entities interested in using technical tools, systems, and capabilities to detect and mitigate Unmanned Aircraft Systems (UAS).” This guidance document is not binding on entities operating UAS but instead runs through a survey of some federal laws that limit the use of UAS, especially with respect to privacy and surveillance.
  • The agencies stated
    • The advisory is intended to provide an overview of potentially applicable federal laws and regulations, as well as some factors relevant to whether those laws may apply to particular actions or systems. Specifically, this advisory addresses two categories of federal laws that may apply to UAS detection and mitigation capabilities: (1) various provisions of the U.S. criminal code enforced by DOJ; and (2) federal laws and regulations administered by the FAA, DHS, and the FCC. The advisory does not address state and local laws, which UAS detection and mitigation capabilities may also implicate. Neither does it cover potential civil liability flowing from the use of UAS detection and mitigation technologies
    • This advisory is provided for informational purposes only. It is strongly recommended that, prior to the testing, acquisition, installation, or use of UAS detection and/or mitigation systems, entities seek the advice of counsel experienced with both federal and state criminal, surveillance, and communications laws. Entities should conduct their own legal and technical analysis of each UAS detection and/or mitigation system and should not rely solely on vendors’ representations of the systems’ legality or functionality. As part of that analysis, entities should closely evaluate and consider whether the use of UAS detection and mitigation capabilities might impact the public’s privacy, civil rights, and civil liberties. This is particularly important because potential legal prohibitions, as discussed below, are not based on broad classifications of systems (e.g., active versus passive, detection versus mitigation), but instead are based on the functionality of each system and the specific ways in which a system operates and is used. A thorough understanding of both applicable law and the systems’ functionality will ensure important technologies designed to protect public safety, by detecting and/or mitigating UAS threats, are used effectively, responsibly, and legally.
  • A United States Department of Homeland Security (DHS) advisory body has reported to President Donald Trump on software defined networking in response to a request from the Executive Office of the President that it examine “the implications of software-defined networking (SDN) on the Nation’s national security and emergency preparedness (NS/EP) communications and information and communications technology (ICT) infrastructure.”
    • The National Security Telecommunications Advisory Committee (NSTAC) explained
      • In networking, SDN and network functions virtualization (NFV) represent an ongoing shift away from legacy technologies based upon hardware to software based networks that leverage standard, commercial off-the-shelf, or commodity-based hardware.
      • This shift is structurally transforming the ICT ecosystem and allowing networks to become more flexible and adaptive. SDN’s more flexible architecture has proven to be beneficial during the ongoing response to the coronavirus (COVID-19) pandemic.
      • The NSTAC examined best practices for SDN and related technologies; identified the associated challenges and opportunities; and assessed current utilization and corresponding risk mitigations. Building off the recommendations outlined in the 2017 NSTAC Report to the President on Emerging Technologies Strategic Vision, this examination sought to make specific recommendations to the EOP regarding SDN policy.
    • NSTAC made these and other recommendations:
      • The Administration should encourage and support the continued deployment of SDN technology in the U.S. and allied nation ICT environments. Policymakers should consider how to promote the use of open architectures with particular focus on 5G and beyond.
      • The Defense Community and the Intelligence Community (IC) should expand efforts to define their specific requirements and use cases for SDN and related technology specific to their unique needs, which can be shared with private sector SDN providers and relevant standards bodies. In collaboration with the private sector, the Defense Community and IC should also determine how the capabilities might be leveraged for adoption in the national security environment.
      • The Government establish policies to help educate U.S. departments, agencies, and critical infrastructure operators on the full range of SDN and related technology capabilities to enhance their mission performance, improve security, and lower costs.
      • Working with Congress, the Administration should: establish policies and incentives to encourage U.S.-based investment and innovation in research and development of SDN and related technology capabilities and standards; (2) encourage best practices for secure implementation; and (3) promote deployment of these capabilities within the U.S. Government and allied nation ICT environments. Policymakers should also consider updating acquisition strategies and mechanisms around SDN and related technology-based services.
  • The Australian Strategic Policy Institute released a report titled “Hunting The Phoenix” that “focuses on overseas talent-recruitment operations—how the Chinese Communist Party (CCP) goes abroad to hunt or lure” technology talent from abroad as a means of leveling the playing field with the United States (U.S.) and other nations.
    • ASPI asserted
      • The CCP’s use of talent-recruitment activity as a conduit for non-transparent technology transfer presents a substantial challenge to governments and research institutions. Many of those activities fly under the radar of traditional counterintelligence work, yet they can develop into espionage, interference and illegal or unethical behaviour.
      • While this phenomenon may still be poorly understood by many governments and universities, it can often be addressed by better enforcement of existing regulations. Much of the misconduct associated with talent-recruitment programs breaches existing laws, contracts and institutional policies. The fact that it nonetheless occurs at high levels points to a failure of compliance and enforcement mechanisms across research institutions and relevant government agencies. Governments and research institutions should therefore emphasise the need to build an understanding of CCP talent-recruitment work. They must also ensure that they enforce existing policies, while updating them as necessary. This report recommends the introduction of new policies to promote transparency and accountability and help manage conflicts of interest.
    • The United States (U.S.) Department of State provided ASPI with $145,600, which may have resulted in a bias to the final product, so caveat lector.

Further Reading

  • California DMV Is Selling Drivers’ Data to Private Investigators” By Joseph Cox – Vice. In following up on previous articles about various state Departments of Motor Vehicles (DMV) around the United States (U.S.) selling people’s personal information, this reporter got his hands on a list of the entities the California DMV is sharing such information with and it includes private investigators, bails bondsmen, and employers for those employees who drive as part of their duties. Previously, it has been disclosed that the CA DMV made $50 million a year doing this even though the agency claims this amount merely recovers its costs. No word in this article on whether recipients of this information are barred from sharing or selling it. Earlier this month, eight House Democrats and two Members of the California Assembly wrote the DMV with their concern about these practices and the practice of sharing driver’s license photos with law enforcement agencies for facial recognition technology.  
  • Facebook Braces Itself for Trump to Cast Doubt on Election Results” By Mike Isaac and Sheera Frenkel – The New York Times. In an article that seems sourced right out of Facebook headquarters, the reader is treated to the dilemmas facing the social media giant and competitors if President Donald Trump or others use their platforms to try and delegitimize an adverse or uncertain election result. There are plenty of options being discussed, but few decisions being made.
  • America’s Terrible Internet Is Making Quarantine Worse” By Olga Khazan – The Atlantic. The digital divide telecommunications advocates have been decrying for years has been exacerbated during the pandemic. Because the United States (U.S.) opted to treat broadband internet like a consumer product instead of a public utility (as many nations in Western Europe did), there are wide disparities in availability, quality, and speed that are further feeding inequities in the educational system. Affluent students have no trouble with online learning, less wealthy students may not be able to afford service or their service may not allow for Zoom classes. The U.S. may need to use the same methods deployed during the New Deal to rectify differences in electricity availability to close the digital divide.  
  • Trump pressures head of consumer agency to bend on social media crackdown” By Leah Nylen, John Hendel and Betsy Woodruff Swan – Politico. It comes as no surprise that President Donald Trump is leaning on Federal Trade Commission Chair Joe Simons to act according to the former’s executive order purportedly regarding online censorship. The two have met twice and the issue has arisen, but the unnamed sources in the article did not relate the result of the conversation. Before a Senate committee earlier this month, Simons poured cold water on the notion the agency will wade into the fight over implementation of the executive order that could strip away more protection for technology companies under 47 U.S.C. 230.
  • With Hacks and Cameras, Beijing’s Electronic Dragnet Closes on Hong Kong” By Paul Mozur – The New York Times. After passage of the new security law that changed civil liberties in Hong Kong, the police and security services are threatening and arresting pro-democracy activists and politicians. They are also using technological means to press these advocates such as hacking into Facebook accounts and forcing people to provide access to their phones. Many technology companies are refusing to honor requests for information or access from officials and are now treating them the same way they would for requests from Beijing.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Sasin Tipchai from Pixabay

House Starts Consideration of Its NDAA

The House will consider scores of amendments to change US technology policy, including a number of implement the recommendations of a congressional cybersecurity panel. However, some may not be in the final NDAA.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

As is almost always the case, House Members are using the occasion of the annual consideration of the National Defense Authorization Act (NDAA) to offer a range of amendments to the House Rules Committee. Hundreds of amendments were submitted, and at the 17 July hearing, the Committee determined which would be made in order and allow to be debated on the House floor, including scores of technology amendments. Many of these amendments to the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) would change US technology policy and funding, and some are complete bills the House has already passed, for inclusion in the NDAA increases the chances of enactment. Among the higher profile amendments made in order is one offered by Cyberspace Solarium Commission members that would establish a National Cyber Director position in the White House that the Senate declined to include in its FY 2021 NDAA, suggesting addition to the House’s bill does not necessarily this provision will make it into law.

Earlier today, the House began its consideration of H.R.6395, which may take up the better part of the week. The House Rules Committee made the following amendments in order to be offered during debate that pertain to technology:

The House Armed Services Committee has also released its Committee Report in two parts (Volume I and II) and detailed the overall funding authorized by the package:

H.R. 6395 supports an overall authorization of $740.5 billion dollars for our national defense. H.R. 6395 would authorize approximately $662.6 billion in discretionary spending for national defense and approximately $69.0 billion in discretionary spending for Over-seas Contingency Operations. This authorization level will allow our military to maintain readiness, expand capabilities, and invest in the new software and technologies required to secure our country.

The committee included a number of requests and directives of the DOD and other agencies, including but not limited to:

  • Report on Cybersecurity Maturity Model Certification
    • The committee acknowledges that the Department of Defense has taken initial steps to ensure that its contractors are aware of the actions necessary to protect the government’s data and networks from cybersecurity threats. However, the committee is concerned that there remain key unanswered questions about how it will implement its cybersecurity framework, especially given the level of collaboration necessary between industry and government for its success. Therefore, the committee directs the Under Secretary of Defense for Acquisition and Sustainment to submit a report to the congressional defense committees by January 15, 2021, regarding the Cybersecurity Maturity Model Certification (CMMC) program.
  • Report on Ties between Russia and China
    • The Department of Defense has acknowledged that China and Russia are increasingly working in cooperation on a wide range of matters, including economically, politically, and militarily; and that the Department believes the growing ties between Russia and China are challenging the rules-based order and present a threat to U.S. national security interests. The committee notes that the National Defense Strategy highlights the joint force’s eroding competitive edge against China and Russia. The committee endeavors to fully understand the extent of the ties between Russia and China. Therefore, the committee directs the Director of National Intelligence, in consultation with the Secretary of Defense, to submit a report to the congressional defense committees and the congressional intelligence committees by March 1, 2021, on the relationship between China and Russia.
  • Fourth Estate Network Optimization
    • The committee recognizes the importance of creating efficiencies and cost savings within the Fourth Estate and across the Department of Defense, to include the consolidation of information technology services away from legacy common use information technology services into a single service provider (SSP). The committee notes that on August 15, 2019 the Deputy Secretary of Defense directed the Defense Information Systems Agency (DISA) to execute such consolidation under the Fourth Estate Network Optimization (4ENO) effort over the period of fiscal year 2020 to fiscal year 2024. The committee directs the Secretary of Defense to provide a report to the congressional defense committees not later than February 1, 2021, on the status of the consolidation effort, including details on the schedule and plan for consolidation, progress on the transition of each Defense Agency and Field Activity (DAFA) from common use information technology services into the SSP environment, the list of assets and services being transitioned, a list of assets and services remaining within each DAFA, a justification for assets not transitioned, and the reallocation of funding as a result of the transition.
  • GAO Assessment on DOD Cyber Incident Management Efforts
    • The committee notes that the Department of Defense (DOD) has experienced a number of high-profile breaches to Department of Defense (DOD) systems and networks. For example, in July 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in the system being shut down for more than a week while cyber experts rebuilt the network, affecting the work of roughly 4,000 military and civilian personnel. In 2018, DOD disclosed a data breach to its contracted travel management system that allegedly affected approximately 30,000 military and civilian employees. In 2020, DOD similarly acknowledged that the Defense Information Systems Agency networks were breached that reportedly resulted in the personal data of approximately 200,000 network users being compromised.
    • The committee is concerned that while DOD established the Joint Force Headquarters–DOD Information Network (JFHQ– DODIN) to operationalize and defend DOD systems and networks, other DOD components still view these systems and networks as an administrative capability. Cyber incidents, such as those identified above, can disrupt critical military operations, lead to inappropriate access to and modification of sensitive information, result in long-term financial obligations for credit monitoring, and threaten national security. Therefore, the committee directs the Comptroller General of the United States to provide the congressional defense committees with an assessment of DOD management of cyber incidents and efforts to mitigate future cyber incidents.
  • GAO Study and Report on Electronic Continuity of Operations on the Department of Defense
    • The committee notes the centrality of electronic command, control, and communications to Department of Defense continuity of operations. To ensure that the committee is fully informed of how the Department of Defense is addressing issues related to the risk to electronic communications, the committee requests that the Comptroller General of the United States conduct a study of electronic communications continuity of operations of the Department of Defense.
  • Information Technology Asset Management and Inventory
    • The committee commends the Department of Defense for the considerable improvement made on information technology, asset discovery, and asset management. However, the committee believes the Department would benefit from an established process for auditing software and hardware inventories. The lack of a single policy framework hinders the capacity of the Department to discover license duplication and the Department is at risk of wasting valuable resources on redundant or underutilized hardware and software. The Department also lacks real-time discovery of and visibility over its network attack surface, particularly its forward-facing internet assets and Department assets held in cloud environments, resulting in increased risk of exposures exploitable by malicious adversaries. The private sector has successfully navigated this challenge through the use of automated software tools widely available on the commercial market.
    • The committee directs the Chief Information Officer of the Department of Defense, in coordination with chief information officers of the military services, to provide a briefing to the House Committee on Armed Services, not later than March 1, 2021, on the processes in place for asset discovery and management of hardware and software products.
  • Internet Architecture Security
    • The committee recognizes that the internet is inextricable and central to the American way of life, and the architecture that enables internet communications is layered, complex, and multi-faceted. The committee notes that this architecture includes high-capacity cables laid underground and underseas, cable landing stations that connect cables from continent to continent, and internet exchange points that serve as clearinghouses for data between Internet Service Providers and content delivery networks; all of which are required for the internet to operate. The committee recognizes that the executive branch has assigned responsibility for components or sectors of critical infrastructure to various executive branch departments and agencies, and internet architecture is approached in a fractured and piecemeal fashion, with multiple government stakeholder entities claiming responsibility. The committee is concerned that the lack of direction on the subject of internet architecture security creates significant risks to the nation. Consequently, the committee directs the Comptroller General of the United States to provide a report to the House Committee on Armed Services by September 1, 2021, to examine the issue of internet architecture security.
  • Report and GAO Briefing on DOD Cyber Hygiene and Cybersecurity Maturity Model Certification Framework
    • Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, and systems and networks, we direct the Secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DOD components have implemented cyber hygiene practices and levels identified in the CMMC framework. For each DOD component that does not achieve level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), the head of the component is to provide the Congressional defense committees, the DOD Chief Information Officer, the commander of JFHQ–DODIN a plan on how the component will implement those security measures within one year and mitigate potential consequences until those practices are implemented. In order to aid in the under-standing of what cyber hygiene practices have been and have not been implemented by the DOD that the department requires private sector companies to implement before they receive a contract where they would have access to controlled unclassified information, the Secretary of Defense shall submit the DOD report to the Congressional defense committees and the Comptroller General of the United States by March 1, 2021. The committee further directs the Comptroller General to conduct an independent review of the Secretary’s report and provide a briefing to the Congressional defense committees no later than the end of the fiscal year.
  • Department of Defense Artificial Intelligence Capabilities and Strategy
    • The committee believes that global leadership in artificial intelligence (AI) technology is a national security priority. In 2018, the Department of Defense issued a department-wide AI strategy to provide direction for AI development. As the Department increases its investments in AI, machine learning, and other automation technologies, the committee believes that the Department’s re-sources, capabilities, and plans should continue to ensure U.S. competitive advantage over potential adversaries. Therefore, the committee directs the Comptroller General of the United States to provide the committee with an assessment of the Department’s resources, capabilities, and plans for AI.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by David Mark from Pixabay

Further Reading and Other Developments (17 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the  United  States’  domestic industrial competitiveness  and  technological  leadership relative  to  China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk  that  U.S.  firms  are  unwittingly enabling China to  achieve  its industrial  policy and  military  development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments..[b]ut such judgments fall far afield of the FCC’s statutory  authority  and  competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigations (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and other claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests  submitted by data subjects” even Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) that “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices)  “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications  Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security  Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework) that features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case ion its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters the app marketed in the United States is through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC change in law has extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and he PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so does Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore. 
  • California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and it is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain tractions before the European Commission, which levied a €1.49 billion for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’ – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing just to maintain and improve the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  •  “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars.
  • Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance of the app Music.ly that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m to countries non-governmental organizations (NGO) are rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed suit in what will undoubtedly seek to become a class action suit over Google’s alleged continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials according to this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks. 
  • Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the penetration of the platform must have been of internal controls for so many high profile accounts to be taken over at the same time.
  • TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and thirst quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review of an inter-agency committee for national security considerations that could result in an unwinding of the deal. Moreover, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement that the company violated regulations protecting the privacy of children that could result in multi-billion dollar liability if wrongdoing is found.
  • Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms have sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that gives them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors to the world’s second most populous nation.
  • “Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting show that many of them are inaccurate or false, thus violating the platforms terms of services yet Facebook has done nothing to remove them or mark them as inaccurate until this article was being written.
  • Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to life people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of whom, Sabre is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, is using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.