EDPB Issues FAQs On Privacy Shield Decision

While the EDPB does not provide absolute answers on how US entities looking to transfer EU personal data should proceed, the agencies provide their best thinking on what the path forward looks like.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 24 July, the European Data Protection Board (EDPB) has addressed, in part, the implications of the recent decision that struck down the European Union-United States Privacy Shield, an agreement that had allowed US companies to transfer and process the personal data of EU citizens. The EDPB fully endorsed the view that the United States’ (US) surveillance regime, notably Section 702 of the “Foreign Intelligence Surveillance Act” (FISA) and Executive Order (EO) 12333, makes most transfers to the US illegal except perhaps if entities holding and using the data take extra steps to protect it. The EDPB references another means that allows for transfers to possibly continue but that generally requires informed and explicit consent from each and every EU person involved. Finally, the EDPB does not address whether the European Commission (EC) and the US are able to execute a third agreement that would be legal under EU law.

The EDPB, which is comprised of the European Union’s (EU) data protection authorities (DPAs), has formally adopted a document spelling out its view on if data transfers under Privacy Shield to the US are still legal and how companies should proceed in using standard contractual clauses (SCCs) and Binding Corporate Rules (BCR), two alternative means of transferring data aside from Privacy Shield. The EDPB’s views suggest the DPAs and supervisory authorities (SA) in each EU nation are going to need to work on a case-by-case basis regarding the latter two means, for the EDPB stressed these are to be evaluated individually. Given recent criticism of how nations are funding and resourcing their DPAs, there may be capacity issues in managing this new work alongside existing enforcement and investigation matters. Moreover, the EDPB discusses use of the exceptions available in Article 49 of the General Data Privacy Regulation (GDPR), stressing that most such transfers are to be occasional.

In last week’s decision, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision on the EU-US Privacy Shield, thus throwing into question all transfers of personal data from the EU into the US that relied on this means. The CJEU was more circumspect in ruling on the use of standard contractual clauses (SCC), another way to legally transfer personal data out of the EU in compliance with the bloc’s law. The court seems to suggest there may be cases in which the use of SCCs may be inadequate given a country’s inadequate protections of the data of EU residents, especially with respect to national security and law enforcement surveillance. The EDPB issued a statement when the decision was made supporting the CJEU but has now adopted a more detailed explanation of its views on the implications of the decision for data controllers, data processors, other nations, EU DPAs and SAs.

In “Frequently Asked Questions (FAQ) on the judgment of the CJEU in Case C-311/18 -Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems,” the EDPB explains its current thinking on the decision, much of which is built on existing guidance and interpretation of the GDPR. The EDPB explained that the FAQ “aims at presenting answers to some frequently asked questions received by SAs and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the CJEU.”

Here are notable excerpts:

  • Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer? No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.
  • I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now? Transfers on the basis of this legal framework are illegal. Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under the conditions laid down below.
  • I am using SCCs with a data importer in the U.S., what should I do? The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.
  • I am using Binding Corporate Rules (“BCRs”) with an entity in the U.S., what should I do? Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.
  • Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.
  • Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.? It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR provided the conditions set forth in this Article apply. The EDPB refers to its guidelines on this provision. In particular, it should be recalled that when transfers are based on the consent of the data subject, it should be:
    • explicit,
    • specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place even if this occurs after the collection of the data has been made),and
    • informed, particularly as to the possible risks of the transfer (meaning the data subject should also informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).
  • With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract.
  • In relation to transfers necessary for important reasons of public interest(which must be recognized in EU or Member States’ law), the EDPB recalls that the essential requirement for the applicability of this derogation is the finding of an important public interest and not the nature of the organisation, and that although this derogation is not limited to data transfers that are “occasional”, this does not mean that data transfers on the basis of the important public interest derogation can take place on a large scale and in a systematic manner. Rather, the general principle needs to be respected according to which the derogations as set out in Article 49 GDPR should not become “the rule” in practice, but need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Maret H. from Pixabay

Further Reading, Other Developments, and Coming Events (28 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 28 July, the House Rules Committee will consider the rule for and amendments to the H.R. 7617—Department of Defense Appropriations Act, 2021 [Defense, Commerce, Justice, Science, Energy and Water Development, Financial Services and General Government, Homeland Security, Labor, Health and Human Services, Education, Transportation, Housing, and Urban Development Appropriations Act, 2021].
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On  29 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • The United States’ (US) Office of Management and Budget (OMB), an agency within the Executive Office of the President, has issued a memorandum in the same vein as other Trump Administration initiatives to increase the US government’s buying of goods and services produced domestically. Noting that 40% of the funds provided by Congress through annual legislation will be spent between 1 July and 30 September (roughly $200 billion), OMB urged federal agencies “to keep the following considerations in mind to support timely awards and maximize return on investment from each taxpayer dollar” among others:
    • Take full advantage of acquisition flexibilities and innovative tools. This week, the President’s Management Agenda unveiled a new cross-agency priority goal (CAP Goal) on “frictionless acquisition.” This CAP Goal creates a management platform to leverage modem buying strategies that have been shown to achieve just-in-time delivery with improved customer satisfaction and enable access to a broader and more innovative suite of companies and solutions. Agencies can review the resources on acquisition innovation and opportunities for collaboration by going to the frictionless CAP Goal on performance.gov.
      • The Goal Statement of this new CAP is “The Federal Government will deliver commercial items at the same speed as the market place & manage customers’ delivery expectations for acquisitions of non-commercial items by breaking down barriers to entry using modern business practices and technologies” as explained in a detailed presentation on frictionless acquisition released this month.
    • Use the resources of category management. As part of the ongoing transformation of federal acquisition, procurement involving common needs has been organized around categories of spending led by market experts who share business intelligence and help agencies avoid duplicative contracting work. This business structure has saved taxpayers more than $27 billion since FY 2016 and made it much easier for buyers to make rapid, well­ informed decisions on how best to acquire IT hardware, security, consulting services and many other every day needs that account for more than half of all contract spending. To stay current with market trends and available federal solutions, agencies should bookmark the category management dashboards on the acquisition gateway at https://hallways.cap.gsa.gov/app/#/.
    • Buy American. E.O. 13881 strengthens the general preference for American-made goods and, for the first time in 65 years, increases the percentage of U.S. manufactured content that must be in a product to qualify for the preference, including a very high standard for iron and steel. Agencies are encouraged to work with the Federal Acquisition Regulatory Council (FAR Council) to consider early implementation, as appropriate, while the rulemaking process proceeds.
    • In a related memorandum issued earlier this month, OMB asserted
      • Under the President’s Management Agenda and the leadership of OMB ‘s Office of Federal Procurement Policy (OFPP), the Administration has elevated the importance of acquisition innovation and category management as key pillars of a modernized procurement system. These pillars are proving to be critical assets in the face of market conditions that require heightened agility and the ongoing need r physical distancing as communities take steps to reopen. We are seeing smart use of existing contract vehicles and resources, supported by our category management market experts, such as for cleaning and distinction, information technology related to telework and healthcare, and enhanced entry screening services. We are also seeing growing examples of agencies leveraging innovative business practices, such as virtual acquisitions, that save time and enable acquisitions to continue where they might otherwise have been stopped.
      • OMB went on to detail best practices and examples in how agencies have adapted their procurement authority to the pandemic commensurate with ongoing Administration priorities such as category management
  • Senator Amy Klobuchar (D-MN) and some of her Democratic colleagues wrote Attorney General William Barr “to raise serious concerns regarding Google LLC’s (Google) proposed acquisition of Fitbit, Inc. (Fitbit)”. They stated
    • We are aware that the Antitrust Division of the Department of Justice is investigating this transaction and has issued a Second Request to gather additional information about the acquisition’s potential effects on competition. Amid reports that Google is offering modest, short-term concessions to overseas enforcers to avoid a full-scale investigation of the transaction in Europe, we write to urge the Division to continue with its efforts to conduct a thorough and comprehensive review of this proposed merger and to take any and all enforcement action warranted by the law and the evidence.
    • This letter comes at a time when the Department of Justice is considering Google’s potential antitrust practices and whether to file suit. The European Commission is also investigating the Google acquisition of FitBit.
    • Klobuchar is the Ranking Member of the Senate Judiciary Committee’s Antitrust, Competition Policy and Consumer Rights Subcommittee and was joined on the letter by Senators Richard Blumenthal (D-CT), Cory Booker (D-NJ), Mazie K. Hirono (D-HI), Sherrod Brown (D-OH), Mark Warner (D-VA), and Elizabeth Warren (D-MA).
  • Facebook and members of a class action and their attorneys have reached a second settlement in a suit brought under Illinois’ “Biometric Information Privacy Act” after a first settlement was rejected by the judge overseeing Patel, et al. v. Facebook, Inc.,. In January, the plaintiffs and Facebook agreed on a $550 million settlement to resolve claims the social media giant used and stored  people’s images contrary to the Illinois ban on such practices absent explicit consent. Facebook faced liability of up to $5000 per person affected and more than $40 billion in total potential liability. However, the judge thought the settlement was too low considering the Illinois legislature expressed its intention that violations would be punished more on the order of $1000 per person. Now, the parties have added $100 million, arriving at a $650 million settlement the judge will still need to bless.
  • Secretary of State Mike Pompeo made a speech at the Ronald Reagan Library “to make clear that the threats to Americans that President Trump’s China policy aims to address are clear and our strategy for securing those freedoms established.” Pompeo’s speech in the fourth in a series of Trump Administration officials making the Administration’s case against the People’s Republic of China (PRC), in some cases conflating PRC’s vying with the United States worldwide with the COVID-19 pandemic, suggesting the PRC is responsible for the course of the virus in the US and not Trump Administration policy.
  • The Department of Defense’s National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “released an advisory for critical infrastructure Operational Technology (OT) and Industrial Controls Systems (ICS) assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.” The agencies asserted “[d]ue to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggression.”
  • The Secretary of Defense released a memorandum for Department of Defense (DOD) regarding “poor Proper Operations Security (OPSEC) practices within DOD in the past have resulted in the unauthorized disclosure or ” leaks” of controlled unclassified information (CUI), including information to be safeguarded under the CUI category for OPSEC, as well as classified national security information (together referred to here as “non-public information”). Secretary of Defense Mark Esper asserted “[o]ngoing reviews reveal a culture of insufficient OPSEC practices and habits within the DOD” and stated “[m]y goal, through an OPSEC campaign, is to change that culture across DOD by reminding DOD personnel.”
  • The United Kingdom’s Information Commissioner’s Office (ICO) published its annual report for 2019-2020, “covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.” The ICO offered these highlights:
    • Supporting and protecting the public and organisations
      • The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
      • We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights.  As a response to the judgement, we issued the first Commissioner’s Opinion.
      • Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities.  It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
      • In figures:
        • We received 38,514 data protection complaints.
        • We closed 39,860 data protection cases (up from 34,684 in 2018/19) .
        • We received 6,367 freedom of information complaint cases.
    • Enforcement
      • We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  
      • Over 2,100 investigations were conducted.
    • Innovation
      • Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
      • We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
      • In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
    • International
      • On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizen’s personal data as it crosses borders and helps UK businesses operating internationally.
      • Due to the period covered by the report it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Ms Denham said: ”The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Further Reading

  • The Twitter Hacks Have to Stop” – The Atlantic. Bruce Schneier makes the case that the United States and other western democracies must step in and regulate vital platforms like Twitter for security and size given the central role they play in most societies. Letting these companies implement their own security without oversight or transparency has led to a situation where the account of world leaders or government agencies are vulnerable to hacks and misinformation. Schneier thinks the size and dominance of Twitter, Facebook, etc is a major part of this problem that must also be addressed.
  • US and Australia set to launch campaign to counter disinformation” – Sydney Morning Herald. Two of the Five Eyes allies met in Washington on 27 July for their annual Australia-U.S. Ministerial Consultations (AUSMIN) and part of their planning on how to counter the People’s Republic of China (PRC) is working together on an effort to address the PRC’s disinformation campaigns. The already close relationship between Washington and Canberra has deepened as tensions between the United States (US) and PRC continue to escalate. However, the US and Australia are framing this initiative as aiming to counter all disinformation in the Indo-Pacific region, suggesting other nations may be waging disinformation campaigns of concern, including the Russian Federation and the Democratic People’s Republic of Korea.
  • Russia’s GRU Hackers Hit US Government and Energy Targets” – WIRED. Starting in December 2018, APT28 (aka Fancy Bear), a Russian hacking group, targeted and penetrated a number of United States (US) entities, including federal and state governments, educational institutions, and energy companies. APT28 is closely associated with Glavnoye razvedyvatel’noye upravleniye (GRU), the Main Directorate of the General Staff of the Armed Forces of the Russian Federation and is the entity behind the takedowns of Ukraine’s electrical grid in 2015 and 2016 among other high profile hacks and attacks. The timing of these attacks, sometimes executed as phishing attacks, is interesting for it comes after US Cyber Command and possibly the Central Intelligence Agency (CIA) took down Russia’s Internet Research Agency and other actions designed to deter Russian interference in the 2019 mid-term elections in November 2018.
  • “Hurting People  At Scale” – Facebook’s Employees Reckon With The Social Network They’ve Built” – BuzzFeed News. This article documents the dissent and turmoil inside the company about content moderation, which some see the social media giant doing dismally. Some employees and ex-employees are taking issue with how CEO Mark Zuckerberg and his leadership are acting or not to take down extreme and violent content.
  • Big Tech Funds a Think Tank Pushing for Fewer Rules. For Big Tech.” – The New York Times. The Global Antitrust Institute at George Mason University’s Antonin Scalia Law School has been pushing for less regulation of antitrust statutes and regulations, especially in “educating” antitrust officials at conferences. It has also been financially supported by large technology companies which benefit from these policies and has not been transparent about its funding or the extent to which these companies’ positions on antitrust inform its efforts and output. A similar New York Times investigation into other Washington DC think tanks exposed the transactional nature of some of these institutions, donors, and positions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (24 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On  27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  •  On 28 July, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Secure, Safe, and Auditable: Protecting the Integrity of the 2020 Elections” with these witnesses:
    • Mr. David Levine, Elections Integrity Fellow, Alliance for Securing Democracy, German Marshall Fund of the United States
    • Ms. Sylvia Albert, Director of Voting and Elections, Common Cause
    • Ms. Amber McReynolds, Chief Executive Officer, National Vote at Home Institute
    • Mr. John Gilligan, President and Chief Executive Officer, Center for Internet Security, Inc.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • Slack filed an antitrust complaint with the European Commission (EC) against Microsoft alleging that the latter’s tying Microsoft Teams to Microsoft Office is a move designed to push the former out of the market. A Slack vice president said in a statement “Slack threatens Microsoft’s hold on business email, the cornerstone of Office, which means Slack threatens Microsoft’s lock on enterprise software.” While the filing of a complaint does not mean the EC will necessarily investigate, under its new leadership the EC has signaled in a number of ways its intent to address the size of some technology companies and the effect on competition.
  • The National Institute of Standards and Technology (NIST) has issued for comment NIST the 2nd Draft of NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). NIST claimed this guidance document “promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches…[and] contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.” Comments are due by 21 August 2020.
  • The United States National Security Commission on Artificial Intelligence (NSCAI) published its Second Quarter Recommendations, a compilation of policy proposals made this quarter. NSCAI said it is still on track to release its final recommendations in March 2021. The NSCAI asserted
    • The recommendations are not a comprehensive follow-up to the interim report or first quarter memorandum. They do not cover all areas that will be included in the final report. This memo spells out recommendations that can inform ongoing deliberations tied to policy, budget, and legislative calendars. But it also introduces recommendations designed to build a new framework for pivoting national security for the artificial intelligence (AI) era.
    • The NSCAI stated it “has focused its analysis and recommendations on six areas:
    • Advancing the Department of Defense’s internal AI research and development capabilities. The Department of Defense (DOD) must make reforms to the management of its research and development (R&D) ecosystem to enable the speed and agility needed to harness the potential of AI and other emerging technologies. To equip the R&D enterprise, the NSCAI recommends creating an AI software repository; improving agency- wide authorized use and sharing of software, components, and infrastructure; creating an AI data catalog; and expanding funding authorities to support DOD laboratories. DOD must also strengthen AI Test and Evaluation, Verification and Validation capabilities by developing an AI testing framework, creating tools to stand up new AI testbeds, and using partnered laboratories to test market and market-ready AI solutions. To optimize the transition from technological breakthroughs to application in the field, Congress and DOD need to reimagine how science and technology programs are budgeted to allow for agile development, and adopt the model of multi- stakeholder and multi-disciplinary development teams. Furthermore, DoD should encourage labs to collaborate by building open innovation models and a R&D database.
    • Accelerating AI applications for national security and defense. DOD must have enduring means to identify, prioritize, and resource the AI- enabled applications necessary to fight and win. To meet this challenge, the NSCAI recommends that DOD produce a classified Technology Annex to the National Defense Strategy that outlines a clear plan for pursuing disruptive technologies that address specific operational challenges. We also recommend establishing mechanisms for tactical experimentation, including by integrating AI-enabled technologies into exercises and wargames, to ensure technical capabilities meet mission and operator needs. On the business side, DOD should develop a list of core administrative functions most amenable to AI solutions and incentivize the adoption of commercially available AI tools.
    • Bridging the technology talent gap in government. The United States government must fundamentally re-imagine the way it recruits and builds a digital workforce. The Commission envisions a government-wide effort to build its digital talent base through a multi-prong approach, including: 1) the establishment of a National Reserve Digital Corps that will bring private sector talent into public service part-time; 2) the expansion of technology scholarship for service programs; and, 3) the creation of a national digital service academy for growing federal technology talent from the ground up.
    • Protecting AI advantages for national security through the discriminate use of export controls and investment screening. The United States must protect the national security sensitive elements of AI and other critical emerging technologies from foreign competitors, while ensuring that such efforts do not undercut U.S. investment and innovation. The Commission proposes that the President issue an Executive Order that outlines four principles to inform U.S. technology protection policies for export controls and investment screening, enhance the capacity of U.S. regulatory agencies in analyzing emerging technologies, and expedite the implementation of recent export control and investment screening reform legislation. Additionally, the Commission recommends prioritizing the application of export controls to hardware over other areas of AI-related technology. In practice, this requires working with key allies to control the supply of specific semiconductor manufacturing equipment critical to AI while simultaneously revitalizing the U.S. semiconductor industry and building the technology protection regulatory capacity of like-minded partners. Finally, the Commission recommends focusing the Committee on Foreign Investment in the United States (CFIUS) on preventing the transfer of technologies that create national security risks. This includes a legislative proposal granting the Department of the Treasury the authority to propose regulations for notice and public comment to mandate CFIUS filings for investments into AI and other sensitive technologies from China, Russia and other countries of special concern. The Commission’s recommendations would also exempt trusted allies and create fast tracks for vetted investors.
    • Reorienting the Department of State for great power competition in the digital age. Competitive diplomacy in AI and emerging technology arenas is a strategic imperative in an era of great power competition. Department of State personnel must have the organization, knowledge, and resources to advocate for American interests at the intersection of technology, security, economic interests, and democratic values. To strengthen the link between great power competition strategy, organization, foreign policy planning, and AI, the Department of State should create a Strategic Innovation and Technology Council as a dedicated forum for senior leaders to coordinate strategy and a Bureau of Cyberspace Security and Emerging Technology, which the Department has already proposed, to serve as a focal point and champion for security challenges associated with emerging technologies. To strengthen the integration of emerging technology and diplomacy, the Department of State should also enhance its presence and expertise in major tech hubs and expand training on AI and emerging technology for personnel at all levels across professional areas. Congress should conduct hearings to assess the Department’s posture and progress in reorienting to address emerging technology competition.
    • Creating a framework for the ethical and responsible development and fielding of AI. Agencies need practical guidance for implementing commonly agreed upon AI principles, and a more comprehensive strategy to develop and field AI ethically and responsibly. The NSCAI proposes a “Key Considerations” paradigm for agencies to implement that will help translate broad principles into concrete actions.
  • The Danish Defence Intelligence Service’s Centre for Cyber Security (CFCS) released its fifth annual assessment of the cyber threat against Denmark and concluded:
    • The cyber threat pose a serious threat to Denmark. Cyber attacks mainly carry economic and political consequences.
    • Hackers have tried to take advantage of the COVID-19 pandemic. This constitutes a new element in the general threat landscape.
    • The threat from cyber crime is VERY HIGH. No one is exempt from the threat. There is a growing threat from targeted ransomware attacks against Danish public authorities and private companies.  The threat from cyber espionage is VERY HIGH.
    • The threat is especially directed against public authorities dealing with foreign and security policy issues as well as private companies whose knowledge is of interest to foreign states. 
    • The threat from destructive cyber attacks is LOW. It is less likely that foreign states will launch destructive cyber attacks against Denmark. Private companies and public authorities operating in conflict-ridden regions are at a greater risk from this threat. 
    • The threat from cyber activism is LOW. Globally, the number of cyber activism attacks has dropped in recent years,and cyber activists rarely focus on Danish public authorities and private companies. The threat from cyber terrorism is NONE. Serious cyber attacks aimed at creating effects similar to those of conventional terrorism presuppose a level of technical expertise and organizational resources that militant extremists, at present, do not possess. Also, the intention remains limited. 
    • The technological development, including the development of artificial intelligence and quantum computing, creates new cyber security possibilities and challenges.

Further Reading

  • Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails” – The New York Times. This piece points out that the United States (US) government is largely using 19th Century responses to address 21st Century conduct by expelling diplomats, imposing sanctions, and indicting hackers. Even a greater use of offensive cyber operations does not seem to be deterring the US’s adversaries. It may turn out that the US and other nations will need to focus more on defensive measures and securing its valuable data and information.
  • New police powers to be broad enough to target Facebook” – Sydney Morning Herald. On the heels of a 2018 law that some argue will allow the government in Canberra to order companies to decrypt users communications, Australia is considering the enactment of new legislation because of concern among the nation’s security services about end-to-end encryption and dark browsing. In particular, Facebook’s proposed changes to secure its networks is seen as fertile ground of criminals, especially those seeking to prey on children sexually.
  • The U.S. has a stronger hand in its tech battle with China than many suspect” – The Washington Post. A national security writer makes the case that the cries that the Chinese are coming may prove as overblown as similar claims made about the Japanese during the 1980s and the Russian during the Cold War. The Trump Administration has used some levers that may appear to impede the People’s Republic of China’s attempt to displace the United States. In all, this writer is calling for more balance in viewing the PRC and some of the challenges it poses.
  • Facebook is taking a hard look at racial bias in its algorithms” – Recode. After a civil rights audit that was critical of Facebook, the company is assembling and deploying teams to try to deal with the biases in its algorithms on Facebook and Instagram. Critics doubt the efforts will turn out well because economic incentives are aligned against rooting out such biases and the lack of diversity at the company.
  • Does TikTok Really Pose a Risk to US National Security?” – WIRED. This article asserts TikTok is probably no riskier than other social media apps even with the possibility that the People’s Republic of China (PRC) may have access to user data.
  • France won’t ban Huawei, but encouraging 5G telcos to avoid it: report” – Reuters. Unlike the United States, the United Kingdom, and others, France will not outright ban Huawei from their 5G networks but will instead encourage their telecommunications companies to use European manufacturers. Some companies already have Huawei equipment on the networks and may receive authorization to use the company’s equipment for up to five more years. However, France is not planning on extending authorizations past that deadline, which will function a de facto sunset. In contrast, authorizations for Ericsson or Nokia equipment were provided for eight years. The head of France’s cybersecurity agency stressed that France was not seeking to move against the People’s Republic of China (PRC) but is responding to security concerns.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (23 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Other Developments

  • New Zealand’s Privacy Commissioner has begun the process of implementing the new Privacy Act 2020 and has started asking for input on the codes of practice that will effectuate the rewrite of the nation’s privacy laws. The Commissioner laid out the following schedule:
    • Telecommunications Information Privacy Code and Civil Defence National Emergencies (Information Sharing) Code
      • Open: 29 July 2020 / Close: 26 August 2020
    • The Commissioner noted “[t]he new Privacy Act 2020 is set to come into force on 1 December…[and] makes several key reforms to New Zealand’s privacy law, including amendments to the information privacy principles.” The Commissioner added “[a]s a result, the six codes of practice made under the Privacy Act 1993 require replacement.”
  • Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.” The body was convened by the Minister for Home Affairs. The panel “recommendations are structured around a framework of five key pillars:
    • Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
    • Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practice safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
    • Detection: There is clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
    • Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
    • Investment: The Joint Cyber Security Centre (JCSC) program is a highly valuable asset to form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.
  •  Six of the world’s data protection authorities issued an open letter to the teleconferencing companies “to set out our concerns, and to clarify our expectations and the steps you should be taking as Video Teleconferencing (VTC) companies to mitigate the identified risks and ultimately ensure that our citizens’ personal information is safeguarded in line with public expectations and protected from any harm.” The DPAs stated that “[t]he principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.” They added that “[w]e welcome responses to this open letter from VTC companies, by 30 September 2020, to demonstrate how they are taking these principles into account in the design and delivery of their services. Responses will be shared amongst the joint signatories to this letter.” The letter was drafted and signed by:
    • The Privacy Commissioner of Canada
    • The United Kingdom Information Commissioner’s Office
    • The Office of the Australian Information Commissioner
    • The Gibraltar Regulatory Authority
    • The Office of the Privacy Commissioner for Personal Data, Hong Kong, China
    • The Federal Data Protection and Information Commissioner of Switzerland
  • The United States Office of the Comptroller of the Currency (OCC) “is reviewing its regulations on bank digital activities to ensure that its regulations continue to evolve with developments in the industry” and released an “advance notice of proposed rulemaking (ANPR) [that] solicits public input as part of this review” by 8 August 2020. The OCC explained:
    • Over the past two decades, technological advances have transformed the financial industry, including the channels through which products and services are delivered and the nature of the products and services themselves. Fewer than fifteen years ago, smart phones with slide-out keyboards and limited touchscreen capability were newsworthy.[1] Today, 49 percent of Americans bank on their phones,[2] and 85 percent of American millennials use mobile banking.[3]
    • The first person-to-person (P2P) platform for money transfer services was established in 1998.[4] Today, there are countless P2P payment options, and many Americans regularly use P2P to transfer funds.[5] In 2003, Congress authorized digital copies of checks to be made and electronically processed.[6] Today, remote deposit capture is the norm for many consumers.[7] The first cryptocurrency was created in 2009; there are now over 1,000 rival cryptocurrencies,[8] and approximately eight percent of Americans own cryptocurrency.[9] Today, artificial intelligence (AI) and machine learning, biometrics, cloud computing, big data and data analytics, and distributed ledger and blockchain technology are used commonly or are emerging in the banking sector. Even the language used to describe these innovations is evolving, with the term “digital” now commonly used to encompass electronic, mobile, and other online activities.
    • These technological developments have led to a wide range of new banking products and services delivered through innovative and more efficient channels in response to evolving customer preferences. Back-office banking operations have experienced significant changes as well. AI and machine learning play an increasing role, for example, in fraud identification, transaction monitoring, and loan underwriting and monitoring. And technology is fueling advances in payments. In addition, technological innovations are helping banks comply with the complex regulatory framework and enhance cybersecurity to more effectively protect bank and customer data and privacy. More and more banks, of all sizes and types, are entering into relationships with technology companies that enable banks and the technology companies to establish new delivery channels and business practices and develop new products to meet the needs of consumers, businesses, and communities. These relationships facilitate banks’ ability to reach new customers, better serve existing customers, and take advantage of cost efficiencies, which help them to remain competitive in a changing industry.
    • Along with the opportunities presented by these technological changes, there are new challenges and risks. Banks should adjust their business models and practices to a new financial marketplace and changing customer demands. Banks are in an environment where they compete with non-bank entities that offer products and services that historically have only been offered by banks, while ensuring that their activities are consistent with the authority provided by a banking charter and safe and sound banking practices. Banks also must comply with applicable laws and regulations, including those focused on consumer protection and Bank Secrecy Act/anti-money laundering (BSA/AML) compliance. And, importantly, advanced persistent threats require banks to pay constant and close attention to increasing cybersecurity risks.
    • Notwithstanding these challenges, the Federal banking system is well acquainted with and well positioned for change, which has been a hallmark of this system since its inception. The OCC’s support of responsible innovation throughout its history has helped facilitate the successful evolution of the industry. The OCC has long understood that the banking business is not frozen in time and agrees with the statement made over forty years ago by the U.S. Court of Appeals for the Ninth Circuit: “the powers of national banks must be construed so as to permit the use of new ways of conducting the very old business of banking.” [10] Accordingly, the OCC has sought to regulate banking in ways that allow for the responsible creation or adoption of technological advances and to establish a regulatory and supervisory framework that allows banking to evolve, while ensuring that safety and soundness and the fair treatment of customers is preserved.
  • A trio of House of Representatives Members have introduced “legislation to put American consumers in the driver’s seat by giving them clearer knowledge about the technology they are purchasing.” The “Informing Consumers about Smart Devices Act” (H.R.7583) was drafted and released by Representatives John Curtis (R-UT), Seth Moulton (D-MA), and Gus Bilirakis (R-FL) and according to their press release, it would:
    • The legislation is in response to reports about household devices listening to individuals’ conversations without their knowledge. While some manufacturers have taken steps to more clearly label their products with listening devices, this legislation would make this information more obvious to consumers without overly burdensome requirements on producers of these devices. 
    • Specifically, the bill requires the Federal Trade Commission (FTC) to work alongside industry leaders to establish guidelines for properly disclosing the potential for their products to contain audio or visual recording capabilities. To ensure this does not become an overly burdensome labeling requirement, the legislation provides manufacturers the option of requesting customized guidance from the FTC that fits within their existing marketing or branding practices in addition to permitting these disclosures pre or post-sale of their products.
  • House Oversight and Reform Committee Ranking Member James Comer (R-KY) sent Twitter CEO Jack Dorsey a letter regarding last week’s hack, asking for answers to his questions about the security practices of the platform. Government Operations Subcommittee Ranking Member Jody Hice (R-GA) and 18 other Republicans also wrote Dorsey demanding an explanation of “Twitter’s intent and use of tools labeled ‘SEARCH BLACKLIST’ and ‘TRENDS BLACKLIST’ shown in the leaked screenshots.”
  • The United States Court of Appeals for the District of Columbia has ruled against United States Agency for Global Media (USAGM) head Michael Pack and enjoined his efforts to fire the board of the Open Technology Fund (OTF). The court stated “it appears likely that the district court correctly concluded that 22 U.S.C. § 6209(d) does not grant the Chief Executive Officer of the United States Agency for Global Media, Michael Pack, with the authority to remove and replace members of OTF’s board.” Four removed members of the OTF Board had filed suit against pack. Yesterday, District of Columbia Attorney General Karl Racine (D) filed suit against USAGM, arguing that Pack violated District of Columbia law by dissolving the OTF Board and creating a new one.
  • Three advocacy organizations have lodged their opposition to the “California Privacy Rights Act” (aka Proposition 24) that will be on the ballot this fall in California. The American Civil Liberties Union, the California Alliance for Retired Americans, and Color of Change are speaking out against the bill because “it stacks the deck in favor of big tech corporations and reduces your privacy rights.” Industry groups have also started advertising and advocating against the statute that would rewrite the “California Consumer Privacy Act” (CCPA) (AB 375).

Further Reading

  • Facebook adds info label to Trump post about elections” – The Hill. Facebook has followed Twitter in appending information to posts of President Donald Trump that implicitly rebut his false claims about fraud and mail-in voting. Interestingly, they also appended information to posts of former Vice President Joe Biden that merely asked people to vote Trump out in November. If Facebook continues this policy, it is likely to stoke the ire of Republicans, many of whom claim that the platform and others are biased against conservative voices and viewpoints.
  • Ajit Pai urges states to cap prison phone rates after he helped kill FCC caps” – Ars Technica. The chair of the Federal Communications Commission (FC) is imploring states to regulate the egregious rates charged on payphones to the incarcerated in prison. The rub here is that Pai fought against Obama-era FCC efforts to regulate these practices, claiming the agency lacked the jurisdiction to police intrastate calls. Pai pulled the plug on the agency’s efforts to fight for these powers in court when he became chair.
  • Twitter bans 7,000 QAnon accounts, limits 150,000 others as part of broad crackdown” – NBC News. Today, Twitter announced it was suspending thousands of account of conspiracy theorists who believe a great number of untrue things, namely the “deep state” of the United States is working to thwart the presidency of Donald Trump. Twitter announced in a tweet: “[w]e will permanently suspend accounts Tweeting about these topics that we know are engaged in violations of our multi-account policy, coordinating abuse around individual victims, or are attempting to evade a previous suspension — something we’ve seen more of in recent weeks.” This practice, alternately called brigading or swarming, has been employed on a number of celebrities who are alleged to be engaging in pedophilia. The group, QAnon, has even been quoted or supported by Members of the Republican Party, some of whom may see Twitter’s actions as ideological.
  • Russia and China’s vaccine hacks don’t violate rules of road for cyberspace, experts say” – The Washington Post. Contrary to the claims of the British, Canadian, and American governments, attempts by other nations to hack into COVID-19 research is not counter to cyber norms these and other nations have been pushing to make the rules of the road. The experts interviewed for the article are far more concerned about the long term effects of President Donald Trump allowing the Central Intelligence Agency to start launching cyber attacks when and how it wishes.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (22 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will markup a number of bills and nominations, including:
    • The nomination of Derek Kan to the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On  27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction.  (WC Docket No. 12-375)

Other Developments

  • Acting Office of Management and Budget (OMB) Director Russell Vought was confirmed by the Senate by a 51-45 vote. OMB has been without a Senate-confirmed Director since Mick Mulvaney resigned at the end of March, but he was named acting White House Chief of Staff in January 2019, resulting in Vought serving as the acting OMB head since that time.
  • Former Vice President and Democratic candidate for President Joe Biden issued a statement on Russian interference with the 2020 election that laid out his plan to respond and retaliate against these ongoing activities. His very high-level plan is a list of currently used methods of combatting cyber-attacks, much of which he would be able to undertake without Congressional assent. Biden contended “[d]espite the exposure of Russia’s malign activities by the U.S. Intelligence Community, law enforcement agencies, and bipartisan Congressional committees, the Kremlin has not halted its efforts to interfere in our democracy.” Biden said “[i]n spite of President [Donald] Trump’s failure to act, America’s adversaries must not misjudge the resolve of the American people to counter every effort by a foreign power to interfere in our democracy, whether by hacking voting systems and databases, laundering money into our political system, systematically spreading disinformation, or trying to sow doubt about the integrity of our elections.” He vowed:
    • If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.
    • I will direct the U.S. Intelligence Community to report publicly and in a timely manner on any efforts by foreign governments that have interfered, or attempted to interfere, with U.S. elections.
    • I will direct my administration to leverage all appropriate instruments of national power and make full use of my executive authority to impose substantial and lasting costs on state perpetrators.
    • These costs could include financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption.
    • A range of other actions could also be taken, depending on the nature of the attack.
    • I will direct our response at a time and in a manner of our choosing.
    • In addition, I will take action where needed to stop attempts to interfere with U.S. elections before they can impact our democratic processes.
    • In particular, I will direct and resource the Department of Defense, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of State, and the Federal Bureau of Investigation’s Foreign Interference Task Force to develop plans for disrupting foreign threats to our elections process.
    • This will be done, wherever possible, in coordination with our allies and partners, so that we are isolating the regimes that seek to undermine democracies and civil liberties.
  • Top Democrats in Congress have written the Director of the Federal Bureau of Investigation (FBI) requesting “a defensive counterintelligence briefing to all Members of the House of Representatives and the Senate regarding foreign efforts to interfere in the 2020 U.S. presidential election.” Speaker of the House Nancy Pelosi (D-CA), Senate Minority Leader Chuck Schumer (D-NY), House Intelligence Committee Chair Adam Schiff (D-CA), and Senate Intelligence Committee Ranking Member Mark Warner (D-VA) sent a letter to FBI Director Christopher Wray in which they claimed “that Congress appears to be the target of a concerted foreign interference campaign, which seeks to launder and amplify disinformation in order to influence congressional activity, public debate, and the presidential election in November.”
  • District of Columbia Attorney General Karl Racine (D) has inserted himself into the struggle raging over the Trump Administration’s remaking of the United States (US) Agency for Global Media (USAGM), in part, by installing Michael Pack as the head of USAGM. He filed suit “to resolve a dispute between two dueling Boards of Directors that has paralyzed the Open Technology Fund (OTF), a District nonprofit…which supports encryption and anti-censorship tools for people living in repressive societies…an independent nonprofit corporation organized and created under District law that receives grant funding from the USAGM” per his press release. Racine claimed:
    • The USAGM CEO does not have authority over OTF’s Board or officers: OTF is an independent D.C. nonprofit corporation, which governs itself under local law and under its own bylaws. While USAGM provides grant funding for OTF’s work, it does not have authority over OTF’s governance. OAG asserts that OTF’s bylaws are clear and that only the organization’s Board of Directors—not USAGM, its leadership, or any other body—has the authority to appoint or remove OTF directors.
    • Dueling Boards have paralyzed OTF: Two Boards are currently claiming authority over OTF, and without clarity as to which Board is properly in place, the organization is effectively leaderless. It is also unable to authorize decisions necessary for carrying out its functions, including decisions to authorize funding partner organizations have already been promised, and decisions related to potential new partnership. The leadership crisis has also left employees of the organization at risk of losing their jobs.
    • The original Board of Directors is the valid Board: OAG asserts that because Pack did not have authority under either District law or OTF’s bylaws to dismiss OTF’s Board of Directors, the Court should recognize OTF’s original Board as valid.
    • Any actions taken on behalf of OTF by Michael Pack or his replacement Board should be voided: Michael Pack did not have authority as USAGM CEO to dismiss or appoint Directors on behalf of OTF. As a result, any actions Pack or the replacement Board have taken on behalf of OTF should be invalidated.
  • The Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) has announced further action against entities from the People’s Republic of China (PRC) by adding “to the Entity List 11 Chinese companies implicated in human rights violations and abuses in the implementation of the PRC’s campaign of repression, mass arbitrary detention, forced labor, involuntary collection of biometric data, and genetic analyses targeted at Muslim minority groups from the Xinjiang Uyghur Autonomous Region (XUAR)” according to the agency’s press release. DOC claimed “[t]oday’s action will result in these companies facing new restrictions on access to U.S.-origin items, including commodities and technology…[and] will supplement BIS’s two tranches of Entity List designations in October 2019 and June 2020, actions that together added 37 parties engaged in or enabling PRC’s repression in Xinjiang.”

Further Reading

  • Google Promises Privacy With Virus App but Can Still Collect Location Data” – The New York Times. Google’s version of the contact racing app developed with Apple has a feature the other company does not: it prompts users to turn on the Android device’s location setting. This feature would seem to be contrary to the claims made by Google and Apple that their Bluetooth tracing system does not collect sensitive location data. In fact, the companies refused to request of the governments of the United Kingdom and France, among others, to change settings on their smartphones to allow for centralized information collection on possible COVID-19 transmission. A number of European nations have pressed Google to remove this feature, and a Google spokesperson claimed the Android Bluetooth tracing capability did not use location services, begging the question why the prompt appears.
  • Inside the Federal Trade Commission’s Facebook probe” – Axios. The anonymous sources inside the Federal Trade Commission (FTC) cautioning that the agency will not likely pursue an anti-trust action against Facebook before next year may be part of an inner-agency quarrel slowing down the inquiry. Allegedly, the FTC’s Bureau of Competition and its Office of Policy Planning are at odds over the drafting of guidance that will govern the Facebook and other anti-trust investigations. The latter wants to keep the current standards of harm to consumers in terms of price changes, which the former thinks are inapplicable in the provision of free services. How this struggle plays out may well inform the agency’s approach to Facebook and other tech companies.
  • Beware the ‘But China’ Excuses” – The New York Times. This article cautions people from putting too much stock in the claims by the Trump Administration and technology companies that the People’s Republic of China (PRC) is the seeming threat they say it is. If the PRC is such a threat, the United States might consider investing more in basic research and development (R&D) and in some critical tech sectors to develop and build their products in the US. Also the notion advanced by some tech sector CEOs that breaking up the tech giants will ultimately benefit PRC competitors is scrutinized.
  • DHS Authorizes Domestic Surveillance to Protect Statues and Monuments” – Lawfare. One of my law school professors and a colleague examine a Department of Homeland Security’s (DHS) Office of Intelligence & Analysis (I&A) that authorizes intelligence and information collection on those who present threats to monuments, memorials, and statues that seems like a Trojan Horse by which DHS could surveil and mobilize protestors in the streets of American cities. The surveillance cannot be electronic surveillance, but then DHS could ask a sister agency to conduct such activity if needed.
  • Two more cyber-attacks hit Israel’s water system” – ZDNet. It appears Iran has responded to Israel’s cyber attacks that led to a number of problems at facilities in Tehran. This is the latest in an ongoing battle between the two Middle Eastern enemies that may escalate further.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (21 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • The Federal Trade Commission (FTC) will hold its fifth annual PrivacyCon on 21 July and has released its agenda.
  • On 22 July, the Senate Homeland Security & Governmental Affairs Committee will markup a number of bills and nominations, including:
    • The nomination of Derek Kan to the Office of Management and Budget’s Deputy Director
    • The “Federal Emergency Pandemic Response Act” (S.4204)
    • The “Securing Healthcare and Response Equipment Act of 2020” (S.4210)
    • The “National Response Framework Improvement Act of 2020” (S.4153)
    • The “National Infrastructure Simulation and Analysis Center Pandemic Modeling Act of 2020” (S.4157)
    • The “PPE Supply Chain Transparency Act of 2020” (S.4158)
    • The “REAL ID Act Modernization Act” (S.4133)
    • The “Safeguarding American Innovation Act” (S.3997)
    • The “Information Technology Modernization Centers of Excellence Program Act” (S.4200)
    • The “Telework for U.S. Innovation Act” (S.4318)
    • The “GAO Database Modernization Act” (S.____)
    • The “CFO Vision Act of 2020” (S.3287)
    • The “No Tik Tok on Government Devices Act” (S. 3455)
    • The “Cybersecurity Advisory Committee Authorization Act of 2020” (S. 4024)
  • On 23 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing on “The State of U.S. Spectrum Policy” with the following witnesses:
    • Mr. Tom Power, Senior Vice President and General Counsel, CTIA
    • Mr. Mark Gibson, Director of Business Development, CommScope
    • Dr. Roslyn Layton, Visiting Researcher, Aalborg University
    • Mr. Michael Calabrese, Director, Wireless Future Project, Open Technology Institute at New America
  • On  27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures – The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules – The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310. 17-105)
    • Common Antenna Siting Rules – The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service – The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
    • Inmate Calling Services – The Commission will consider a Report and Order on Remand and a Fourth Further Notice of Proposed Rulemaking that would respond to remands by the U.S. Court of Appeals for the District of Columbia Circuit and propose to comprehensively reform rates and charges for the inmate calling services within the Commission’s jurisdiction.  (WC Docket No. 12-375)

Other Developments

  • A United States court has denied a motion by an Israeli technology company to dismiss an American tech giant’s suit that the former infected its messaging system with malware for purposes of espionage and harassment. In October 2019, WhatsApp and Facebook filed suit against the Israeli security firm, NSO Group, alleging that in April 2019, it sent “malware to approximately 1,400 mobile phones and devices…designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users.” This step was taken, Facebook and WhatsApp claim, in order to circumvent WhatApp’s end-to-end encryption. The social media companies are suing “for injunctive relief and damages pursuant to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels.” In the District Court’s ruling from last week, it rejected the NSO Group’s claims that it deserved sovereign immunity from the lawsuit because it was working for sovereign governments among others and will allow WhatsApp and Facebook to proceed with their suit.
  • The European Data Protection Supervisor (EDPS) published a report “on how EU institutions, bodies and agencies (EUIs) carry out Data Protection Impact Assessments (DPIAs) when processing information that presents a high risk to the rights and freedom of natural persons” according to the EDPS’ press release. The EDPS detailed its lessons learned, suggestions on how EU institutions could execute better DPIAs, and additional guidance on how DPIAs should be performed in the future.
  • The Court of Justice of the European Union’s (CJEU) Advocate General Saugmandsgaard Øe rendered his opinion in case concerning the possible lability of YouTube and Uploaded for a user posting copyrighted materials without the consent of the owners. In a CJEU summary, Øe found “as EU law currently stands, online platform operators, such as YouTube and Uploaded, are not directly liable for the illegal uploading of protected works by the users of those platforms.” Øe noted that “Directive  2019/790 on  copyright  and  related rights  in  the  Digital  Single  Market introduces, for online platform operators such as YouTube, a new liability regime specific to works illegally uploaded by  the  users  of  such  platforms….which  must  be  transposed  by  each Member State into its national law by 7 June 2021at the latest, requires, inter alia, those operators to obtain an authorisation from the rightholders, for example by concluding a licensing agreement, for the works uploaded by users of their platforms.” The Advocate General’s decisions are not binding but work to inform the CJEU as it decides cases, but it is not uncommon for the CJEU to incorporate the Advocate General’s findings in their decisions.
  • The United Kingdom’s Parliament’s House of Lords’ Select Committee on Democracy and Digital Technologies released its report regarding “a pandemic of ‘misinformation’ and ‘disinformation’…[that] [i]f allowed to flourish these counterfeit truths will result in the collapse of public trust, and without trust democracy as we know it will simply decline into irrelevance.” The committee explained the report “addresses a number of concerns, including the urgent case for reform of electoral law and our overwhelming need to become a digitally literate society” including “forty-five  recommendations  which,  taken  together,  we  believe could serve as a useful response to a whole series of concerns.”
  • Belgium’s data protection authority, the Autorité de protection des données, has fined Google €600,000 for violations related to the company’s failure to heed the right to be forgotten as enforced under the General Data Protection Regulation (GDPR).  
  • The National Institute of Standards and Technology (NIST) released two crosswalks undertaken by outside entities comparing the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to the General Data Protection Regulation (GDPR) and ISO/IEC 27701, private sector privacy guidance:
    • The Enterprivacy Consulting Group’s crosswalk for the GDPR-Regulation 2016/679.
  • Senator Josh Hawley (R-MO) sent Twitter CEO Jack Dorsey a second letter regarding the Twitter hack and asserted:
    • [R]eports also indicate that screenshots of Twitter’s internal tools have been circulating within the hacking community. One such screenshot indicates that Twitter employs tools allowing it to append “Search Blacklist,” “Trends Blacklist,” “Bounced,” and “ReadOnly” flags to user accounts. Given your insistence in testimony to Congress that Twitter does not engage in politically biased “shadowbanning” and the public interest in Twitter’s moderation practices, it is notable that Twitter reportedly suspended user accounts sharing screenshots of this panel.
    • Hawley posed a series of questions seeking to root out a bias against conservative viewpoints on the platform, a frequently leveled charge.
  • The Ranking Members of the House Foreign Affairs Committee, House Energy and Commerce Committee, and House Financial Services Committee wrote President Donald Trump to “encourage you to consider utilizing your ability under existing authorities to sanction PRC-linked hackers” for “targeting U.S. institutions and “attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.” In a May unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.” Last week, The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications  Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security  Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.”

Further Reading

  • Twitter’s security holes are now the nation’s problem“ – Politico; “Twitter hack triggers investigations and lawmaker concerns” – The Washington Post; “Hackers Convinced Twitter Employee to Help Them Hijack Accounts” – Vice’s Motherboard; “Twitter Struggles to Unpack a Hack Within Its Walls” and “Hackers Tell the Story of the Twitter Attack From the Inside” – The New York Times. After the hacking last week that took over a number of high profile people’s accounts (e.g. Barack Obama, Bill Gates, Elon Musk, etc.), policymakers in Washington are pressing Twitter for explanations and remediation to prevent any such future attacks, especially in the run up to the 2020 election. Reportedly, a group of hackers looking to push a Bitcoin scam took over accounts of famous people and then made it appear they were selling Bitcoin. Republicans and Democrats in the United States’ capital are alarmed that such a hack by another nation could throw the country and world into chaos. One media outlet is reporting the hackers provided proof they bribed a Twitter employee with access to administrative credentials to pull off the hack. Another is reporting that a hacker got into Twitter’s Slack channel where the credentials were posted. Nonetheless, the Federal Bureau of Investigation (FBI) has opened an inquiry. It is unclear whether the hackers accessed people’s DM’s, and Senator Ron Wyden (D-OR) noted he has secured a commitment from the company in 2018 to use encryption to secure DMs that has not yet been implemented. The company will have to answer more tough questions at a time when it is in the crosshairs of the rump Administration for alleged abuses of 47 U.S.C. 230 in stifling conservative viewpoints after the platform fact checked the President and has taken down a range of accounts. And, of course, working in the background is the company’s 2011 settlement with the Federal Trade Commission (FTC) in which the agency claimed Twitter violated the FTC Act by “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic…[and by] fail[ing] to prevent unauthorized administrative control of the Twitter system.” If the agency investigates and finds similar misconduct, they could seek sizeable monetary damages in federal court.
  • F.T.C.’s Facebook Investigation May Stretch Past Election” – The New York Times. Even though media accounts say the United States Department of Justice will bring an antitrust action against Google possibly as early as this month, it now appears the Federal Trade Commission (FTC) will not be bringing a case against Facebook until next year. It appears the agency is weighing whether it should depose CEO Mark Zuckerberg and COO Sheryl Sandberg and has made additional rounds of document requests, all of which has reportedly slowed down the investigation. Of course, should the investigation stretch into next year, a President Joe Biden could designate a new chair of the agency, which could change the scope and tenor of the investigation.
  • New Emails Reveal Warm Relationship Between Kamala Harris And Big Tech” – HuffPost. Obtained via an Freedom of Information request, new email from Senator Kamala Harris’ (D-CA) tenure as her state’s attorney general suggest she was willing to overlook the role Facebook, Google, and others played and still play in one of her signature issues: revenge porn. This article makes the case Harris came down hard on a scammer running a revenge porn site but did not press the tech giants with any vigor to take down such material from their platforms. Consequently, the case is made if Harris is former Vice President Joe Biden’s vice presidential candidate, this would signal a go easy approach on large companies even though many Democrats have been calling to break up these companies and vigorously enforce antitrust laws. Harris has largely not engaged on tech issues during her tenure in the Senate. To be fair, many of these companies are headquartered in California and pump billions of dollars into the state’s economy annually, putting Harris in a tricky position politically. Of course, such pieces should be taken with a grain of salt since it may have been suggested or planted by one of Harris’ rivals for the vice president nomination or someone looking to settle a score.
  • Inside Big Tech’s Years-Long Manipulation Of American Op-Ed Pages” – Big Technology from Alan Krantowitz. To no great surprise, large technology companies have adopted a widely used tactic of getting someone sympathetic to “write” an op-ed for a local newspaper to show it is not just big companies pushing for a policy. In this case, it was, and likely still is, the argument against breaking up the tech giants or regulating them more closely. In one case, it is not clear the person who allegedly “wrote” the article actually even knew about it.
  • Trump campaign pushes Facebook ads bashing TikTok” – CNN. The White House is using new means to argue TikTok poses a threat to Americans and national security: advertisements on Facebook by the Trump campaign. The ads repeated the same basic message that has been coming out of the White House that TikTok has been denying: that the app collects and sends user sensitive user data to the People’s Republic of China (PRC). Another wrinkle TikTok pointed to is that Facebook is readying a competitor, Instagram Reels, set to be unveiled as early as this week.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Produtora Midtrack from Pexels

Federal Software Hearing

Through the prism of the US’ inadequate response to the COVID-19 pandemic, a House committee chewed over familiar issues plaguing the US’ government’s technology use and modernization efforts.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 15 July, the House Budget Committee held a virtual hearing titled “Software Update Required: COVID-19 Exposes Need for Federal Investments in Technology” to highlight the effects of underfunding of technology programs in the federal government has had in hindering efforts to combat COVID-19 and measures to mitigate its impacts. The shortcomings of federal information technology (IT) procurements, processes, and performance is one of the areas where there is bipartisan agreement on many of the issues and proposed solutions. However, Republicans and Democrats often differ on funding for civilian IT programs, a feature of the ongoing debate about another COVID-19 stimulus package. And this was the line that divided the chair and ranking member of the committee on how to address acknowledged failures in how federal and state governments distributed aid to people and businesses. Because the House Budget Committee does not have direct jurisdiction over technology programs other than setting broad parameters in the years it drafts and passes a budget resolution to guide Congressional funding, the impact of this hearing is more in the vein of shaping discussion in the House on how it should address the funding and governance of IT programs, which. Now total more than $90 billion annually of the more than $1.2 trillion in funds Congress doles out every year.

Chair John Yarmuth (D-KY) claimed “[r]ash funding cuts over the past decade have prevented the Internal Revenue Service (IRS) from modernizing its information technology (IT) systems, deteriorating the agency’s ability to not only carry out its core function of tax collection and enforcement, but also needlessly prolonging the delivery of stimulus payments to workers and families during the coronavirus pandemic and recession.” He asserted that “[t]he coronavirus pandemic has proved that the quicker the response the better the outcome – and that the steps taken by Congress to help American workers and families are only as effective as the agencies delivering that relief.” Yarmuth claimed “[u]nfortunately, the IRS is not alone in its inability to meet the needs of the American people in this perilous time.”

Yarmuth stated

  • Instead of helping to generate much-needed solutions, outdated IT systems are worsening an already difficult situation as Americans grapple with unreliable or insufficient internet access, useless automated systems, and overwhelmed and underprepared agencies. Emergency assistance programs across the board have been hampered by our antiquated IT systems – leaving families with delayed relief or no relief at all.
  • The most glaring example is unemployment assistance. We are four months into the worst economic downturn since the Great Depression, and there are still tens of thousands of workers who have filed for jobless claims but have not yet received a single payment. Many are going into debt or default, skipping meals, or losing their homes.
  • State unemployment offices, already underfunded and understaffed, were left completely unprepared for the massive influx of need. And a big reason for that is the fact that national administrative funding is essentially the same as it was in 2001 – and that’s before accounting for inflation.

Yarmuth continued

  • This lack of federal investment combined with old hardware, crashing web servers, and the need for new-hires proficient in COBOL – their systems’ 60-year old coding language – have left states scrambling. Their antiquated IT systems failed and continue to fail repeatedly – and American workers, those who lost their jobs through no fault of their own, are paying the price.
  • This aspect of our ongoing crisis is not new. The federal government has long sought to prioritize modern, secure, and shared IT solutions, but funding uncertainties – stemming from constrained discretionary funding under budget caps, shutdown threats, and continuing resolutions – have made agencies more likely to update instead of modernize. The Government Accountability Office (GAO) reports that while the total share of federal IT spending is increasing, it isn’t because we are investing in better and new technology. It’s because the price of updating our existing systems is snowballing as our ancient software becomes increasingly outdated and hardware parts nearly impossible to find.

Yarmuth said “[t]o date, Congress has passed legislation that includes $1 billion in grants to state unemployment offices to help process claims faster – and more is needed.” He argued that “[b]y refusing to bring the “HEROES Act” (H.R.6800) to the floor, [Senate Majority] Leader [Mitch] McConnell (R-KY) is holding up an additional $1 billion for the federal Technology Modernization Fund and a combined $5.5 billion to help schools, libraries, and impacted families access high speed connectivity and devices to facilitate distance learning – something we must prioritize in order to protect our children and educators.” Yarmuth remarked “earlier this month, House Democrats passed the “Moving Forward Act,” (H.R.2) a comprehensive infrastructure package that includes $100 billion in broadband funding to extend high speed internet to underserved and hard to reach communities.” He declared that “[w]e have to invest in modernization now, so that the federal government can help provide workers, families, and state and local governments with the necessary tools and resources to support our nation’s recovery efforts.”

Ranking Member Steve Womack (R-AR) said “[f]ederal information technology (IT) systems are critical to providing Americans with a wide range of government services and information…[and] [i]n the 21st century, it’s no secret that IT is fundamental to many different operations.” He contended “[t]hese systems are aimed at improving program delivery, maximizing effectiveness and efficiency, and ensuring data security…[and] [i]f we cannot maintain and optimize this critical infrastructure, the federal government will be unable to execute one of its essential functions: providing crucial resources and services to the American people.” Womack asserted “[w]e should never allow the delivery of veteran health care, social security benefits, or defense initiatives to fail because of outdated and faulty IT systems.”

Womack stated that “[u]nfortunately, current federal IT upgrade efforts are faltering due to missed deadlines, cost overruns, and inadequate outcomes, including operability failure and data breaches…[and] [w]hile COVID-19 exposed additional deficiencies of federal IT systems, these shortages existed long before the current pandemic.”

Womack stated

  • For example, in 2011, the Department of Veterans Affairs (VA) and the Department of Defense (DOD) began an electronic health record (EHR) modernization initiative to create a single, shared system between the two departments. In 2013, and after spending more than $1 billion on the program, the VA and DOD announced they were abandoning the project with nothing to show for the money spent other than a painful lesson learned. This is not only a waste of taxpayer dollars, but, more disconcerting, it hurts our nation’s service members and veterans who depend on these health care services. This is the more upsetting part for me. Program indecision and mismanagement have resulted in us failing those who’ve served this country.
  • Where is this EHR effort at the VA today? The VA and DOD are trying this again with a new government contract from Cerner. This initiative is already nearly one year behind schedule and has yet to go live in even one medical center. I truly hope this story ends better than past VA efforts in the IT space.

Womack added “I’m not just picking on the VA’s challenges. There are other examples of how we have fallen short:

  • In 2014, the Office of Personnel Management’s data was breached, which resulted in approximately 21.5 million compromised records.
  • The HITECH Act, which was part of the 2009 stimulus package, allocated billions of dollars for the Department of Health and Human Services (HHS) for IT development. To date, HHS still does not have an interoperable system and continues to struggle with siloed and fragmented data due to the different electronic health records vendors.”

Womack claimed “the question is, how do we make sure, going forward, all federal investments in IT modernization efforts result in the timely deployment of up-to-date, secure, and properly functioning systems?”

Womack asserted

  • Strong vetting and planning for proper IT implementation is key. It is imperative that these investments are met with rigorous oversight—yes, that is our job here in Congress—and agency accountability to ensure that the public is getting the best services available and taxpayer dollars are not wasted.
  • But, as I mentioned last week, there is another threat to federal investments in vital government programs such as IT modernization. That is our out-of-control deficit and debt. If we don’t confront the autopilot mandatory spending that is hurtling us towards a fiscal cliff, there won’t be any money left to fund a range of prerogatives.
  • Time is running out, and it’s essential that Congress directly address this problem. The Budget Committee must meet its duty and put together a budget to chart a new way forward. We need to get back to making the tough choices that will determine a brighter future. We have an obligation to current and future generations to ensure that critical programs don’t cease to exist.

National Academy of Public Administration President and CEO Teresa Gerton stated

  • The government’s IT infrastructure is heavily dependent upon technologies that were invented in the mid-twentieth century. The coronavirus pandemic has made it abundantly clear that those systems pose extraordinary risk to government operations in a steady state environment, and they may fail catastrophically in a crisis. And yet, government budgeting rules and appropriation law have created IT acquisition challenges for almost as long as the term “IT” has existed.
  • Insufficient funding for capital improvements has forced agencies to repeat a cycle in which robust plans submitted with their budget requests have to be scaled back to align with the reduced funding amounts they eventually receive. Insufficient funding leads to implementation of sub-optimal solutions with limited impact on improving efficiency. Ironically, governments bear an extra cost burden for such strategies because they must allocate expensive resources to maintain obsolete and inefficient solutions, which by any reasonable business standard should have been rationalized and replaced.
  • To really change the future, we must change the rules. Today the government has challenges with cloud procurement, but the market is constantly evolving. More things will be sold as a service in the future. With enablers like quantum computing and machine learning, technology innovation will inevitably continue at an increasing rate. Given the economic, demographic, and social challenges facing this nation, the federal government must find new ways to invest in and to improve its effectiveness and efficiency to successfully meet the current and future demands of the American public. We must provide acquisition and sustainment flexibility that reflects what the commercial market is selling, and we must adapt our accounting and auditing rules to encourage, not discourage, the use of these flexibilities. We must be ready to effectively acquire and deploy modern technology solutions or risk failures in our support to our citizens, and potentially calamitous failures in our ability to govern.

Code for America Founder and U.S. Digital Response Co-Founder Jennifer Pahlka said “[t]o get government tech right, we of course need to be able to procure more modern technology platforms…[b]ut that will be insufficient if we don’t also do three things that support ​agility and human-centered design:

  • The first is to break down the silos between policy, technology and other disciplines. Technology can’t speed a process in which most cases must be handled manually, as I described above in the case of unemployment benefits under the CARES Act. A similar problem is that many states require applicants for Pandemic Unemployment Assistance (PUA) to apply for regular unemployment first, wait to receive their rejection, and only then apply for PUA. Tech, operations, policy and compliance staff must work together to solve these problems, and agile development models allow for this collaboration in ways that legacy models do not. We must even have digital professionals at the table when we craft policy; understanding how the service will be delivered is critical to getting the outcomes the policy seeks, especially now, as we face greater and greater needs and limited delivery capabilities. As the former head of the White House Domestic Policy Council Cecilia Muñoz has said, “Policy leaders must learn the skills of human-centered design, and technology must have a seat at the strategy table.”
  • The second is to encourage rapid prototyping and continuous development. Our legacy process involves a requirements gathering period that can take many years, followed by the development of a Request for Proposal that can be thousands of pages long, lengthy contracting and development periods, and then a move into what’s called sustainment. This process may work for constructing buildings, but it’s simply not how good software comes to life. It is better, faster and cheaper when interdisciplinary teams start small, build iteratively, work closely with the users of the software all the way through, and continuously update and improve the application.
  • The third is to demand that all services provide real-time data about their usage and that human beings are assigned to looking at that data to understand what’s working, what’s not working and what can be done about it. When Code for America started working to decrease the participation gap in Supplemental Nutrition Assistance (SNAP) in California, our team found that the program leadership had very little insight into the reasons people tried to apply and couldn’t, or applied but couldn’t make it through the burdensome process despite being eligible. It wasn’t that they didn’t care; the systems they’d been given to manage eligibility and enrollment simply didn’t provide that data, and what data they did get was usually months, if not years, old by the time they got it. Creating an online application that was simpler and easier to use had huge benefits for the people applying, but an equally important benefit was that the system was instrumented to allow decision-makers to see in near real-time where users got stuck and begin to fix those issues. This access to real-time data is part of what’s needed as we deal with today’s crisis.

National Employment Law Project Executive Director Rebecca Dixon urged “Congress to immediately take the following steps, which will help stabilize and ensure greater accountability and transparency over the state IT systems:

1. Fully Fund the States Linked to Strong Accountability Standards: Most importantly, the federal government must make a sizable commitment to provide dedicated funding of IT modernization and far more adequate levels of basic state unemployment insurance (UI) administration funding. With the additional funding should come strong federal oversight and enforcement, including tangible requirements that the modernization process include input from stakeholders (including workers and their advocates) from beginning to end, and comprehensive user testing that ensures participation from Black people who are faced with the most barriers, and all communities of color; those on the other side of the digital divide; people with limited English proficiency; and people with disabilities.

2. Expand the Department of Labor’s (DOL) IT Expertise and Mandate to Ensure Full Access: There is extremely limited independent capacity and IT expertise on the part of DOL to actively monitor and enforce the state UI systems. DOL should create a specialized unit devoted to the IT, phone and other state UI agency infrastructure needs. DOL’s new regime should include strong measures of state success and failure (including adequate customer service) that can be assigned a grade that should be prominently featured on the DOL website to provide transparency to the public and compare the operation of programs across the states. For example, DOL should extend the timeliness regulations to ensure that workers are able to successfully reach a claims agent by phone within a reasonable period of time. In addition, DOL’s Center for Civil Rights should also be fully resourced to more promptly investigate and respond to complaints and make the results of their investigations public. DOL should also have the authority to review IT contractor agreements, audit contractors where necessary, and require the states to produce data documenting contractor performance.

3. Federal Commission on Modernization of Federally Funded Benefit Programs: A federal task force should be immediately created to evaluate the performance of federally funded programs, including UI, and make recommendations for reform related to funding, the creation of robust standards and metrics, contractor accountability, best practices, and the adequacy of federal agency oversight and enforcement, including compliance with civil rights laws. The task force should also explore whether certain administrative and infrastructure functions (especially in response to disasters and public health emergencies) should be federalized, and whether federal agencies should have the authority to negotiate favorable terms with IT and phone system vendors that take advantage of the federal government’s ability to leverage cost savings while also producing more compatible and high-quality state systems. Federalization in whole or part may be the simplest solution. The patchwork of state systems means that each state has to struggle with the modernization process and vendor negotiations. While some states have banded together into consortia to get a better deal, those consortia can dissolve as political leadership shifts in allied states or as states develop different modernization goals, wasting time and money. A federal process could achieve these goals on the largest possible scale.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Christina @ wocintechchat.com on Unsplash

House Appropriations Committee Passes Bills With Funding For and Directives To Technology Agencies

Four bills full of technology funding and programmatic direction are reported to the House.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The House Appropriations Committee finished work on four of the FY 2021 appropriations bills that fund a substantial portion of the United States’ (US) government’s technology programs and activities. Often appropriations bills are the primary vehicle by which Congress changes executive branch policy through the use of its funding powers, and so the bills and their committee reports contain a range of directives and instructions year-to-year. The House is set to finish committee consideration of all 12 bills this month, but there is no indication as to when the Senate Appropriations Committee will take up its bills. Given the late start on appropriations, it is all but certain the federal government will be operating under a stopgap funding bill for some portion of the first quarter of the next fiscal year. The outcome of the election could result in a further postponing of full appropriations and delaying of passage of technology funding and program changes.

FY 2021 Homeland Security Appropriations Act

In advance of the 15 July markup, the House Appropriations Committee made available its Committee Report to accompany the FY 2021 Homeland Security Appropriations Act.

The package includes $2.6 million for a Joint Cybersecurity Coordination Group (JCCG) inside DHS “serve as a coordinating entity that will help the Department identify strategic priorities and synchronize cyber-related activities across the operational components.” This new entity comes about because the Trump Administration requested its creation as part of its FY 2021 budget request. The Committee expressed disappointment with “the lack of quality and detail provided in CISA’s fiscal year 2021 budget justification documents, to include several errors and unjustified adjustments that appear to be attributable to CISA’s premature proposal for a new Program, Project, or Activity (PPA) structure and raise questions about whether the budget could be executed as requested.” Consequently, the Committee directed that CISA “submit the fiscal year 2022 budget request at the same level of PPA detail as provided in the table at the end of this report with no further adjustments to the PPA structure.”

Among other programmatic and funding highlights, the Committee

  • “[E]ncourage[d] CISA to continue to use commercial, human-led threat behavioral analysis and technology, and to employ private sector, industry-specific, threat intelligence and best practices to better characterize potential consequences to critical infrastructure sectors during a systemic cyber event.”
  • Urged “CISA and the Election Infrastructure Information Sharing and Analysis Center (EI–ISAC) to expand outreach to the most vulnerable jurisdictions” with respect to election security assistance.
  • Directed “CISA to continue providing the semiannual briefing on the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM)”
  • Pointed to $5.8 million to set up a ‘‘central Federal information security incident center,’ a requirement mandated by the Federal Information Security Modernization Act (FISMA) (P.L. 113-283) and $9.3 million “to establish a formal program office to coordinate supply chain risk management efforts for federal civilian agencies; act as the executive agent for the Federal Acquisition Security Council (FASC), as authorized by the SECURE Technology Act, 2018 (Public Law 115– 390); and fund various supply chain related efforts and services.”
  • Emphasized its increase of $6 million as compared to FY 2020 “to grow CISA’s threat hunting capabilities” “[i]n the face of cyber threats from nation-state adversaries such as Russia, China, Iran, and North Korea.”
  • [P]rovide[d] an increase of $11,568,000 above the request to establish a Joint Cyber Center (JCC) for National Cyber Defense to bring together federal and State, Local, Tribal, and Territorial (SLTT) governments, industry, and international partners to strategically and operationally counter nation-state cyber threats.”
  • Bestowed “an increase of $10,022,000 above the request for the underlying infrastructure that enables better identification, analysis, and publication of known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.”
  • Noted “[t]hrough the Shared Cybersecurity Services Office (SCSO), CISA serves as the Quality Services Management Office for federal cybersecurity” and explained “[t]o help improve efforts to make strategic cybersecurity services available to federal agencies, the Committee includes $5,064,000 above the request to sustain prior year investments and an additional $5,000,000 to continue to expand the office.”
  • Expressed its concern “about cyber vulnerabilities within supply chains, which pose unacceptable risks to the nation’s physical and cyber infrastructure and, therefore, to national security” and provided “an increase of $18,005,000 above the request to continue the development of capabilities to address these risks through the ICT Supply Chain Risk Management Task Force and other stakeholders, such as the FASC.”

FY 2021 Financial Services and General Government Appropriations Act

The FY 2021 Financial Services and General Government Appropriations Act has a provision that would bar either the Federal Trade Commission (FTC) or Federal Communications Commission (FCC) from taking certain actions related to Executive Order 13925, “Preventing Online Censorship” issued in May by the White House after Twitter fact checked a pair of President Donald Trump’s Tweets that contained untruthful claims about voting by mail. It is very unlikely Senate Republicans, some of whom have publicly supported this Executive Order will allow this language into the final bill funding the agencies.

Under the Executive Order, the National Telecommunications and Information Administration (NTIA) is to file a petition for rulemaking with the FCC to clarify the interplay between clauses of 47 USC 230, notably whether the liability shield that protects companies like Twitter and Facebook for content posted on an online platform also extends to so-called “editorial decisions,” presumably actions like Twitter’s in fact checking Trump regarding mail balloting. The NTIA would also ask the FCC to define better the conditions under which an online platform may take down content in good faith that are “deceptive, pretextual, or inconsistent with a provider’s terms of service; or taken after failing to provide adequate notice, reasoned explanation, or a meaningful opportunity to be heard.” The NTIA is also ask the FCC to promulgate any other regulations necessary to effectuate the EO. The FTC was directed consider whether online platforms are violating Section 5 of the FTC Act barring unfair or deceptive practices, which “may include practices by entities covered by section 230 that restrict speech in ways that do not align with those entities’ public representations about those practices.”

In the Committee Report for the FY 2021 Financial Services and General Government Appropriations Act, the House Appropriations Committee explained it provided $341 million for the FTC, “a $10,000,000 increase over fiscal year 2020… will increase the FTC’s capabilities both to monitor mergers and acquisitions that could reduce competition or lead to higher prices, and to take enforcement action against companies that fail to take reasonable steps to secure their customer data or that engage in other problematic trade practices.”

The Committee detailed the following program and funding provisions related to the FTC, including combatting fraudulent calls to seniors, robocalls, fraudulent health care calls, and the following:

  • Cryptocurrency.— The Committee encourages the FTC to work with the Securities and Exchange Commission, other financial regulators, consumer groups, law enforcement, and other public and private stakeholders to identify and investigate fraud related to cryptocurrencies market and discuss methods to empower and protect consumers.”
  • Consumer Repair Rights.—The Committee is aware of the FTC’s ongoing review of how manufacturers—in particular mobile phone and car manufacturers—may limit repairs by consumers and repair shops, and how those limitations may increase costs, limit choice, and impact consumers’ rights under the Magnuson-Moss Warranty Act. Not later than 120 days after the enactment of this Act, the FTC is directed to provide to the Committee, and to publish online, a report on anticompetitive practices related to repair markets. The report shall provide recommendations on how to best address these problems.
  • Antitrust Actions.—The Committee directs the GAO to study FTC and DOJ antitrust actions over the past 25 years. The study shall examine the following questions: How many instances have FTC and DOJ been on opposing sides of the same matter? In how many of these instances was the split created by (a) the FTC intervening in DOJ’s case; and (b) the DOJ intervening in FTC’s case? In these instances, how (if at all) did the split affect the final outcome (e.g., did the judicial opinion cite the split or explain how it affected the court’s decision)? In how many instances has an FTC action appeared before the Supreme Court? Of these instances, in how many cases did the FTC represent itself (rather than be represented by the Solicitor General)? In how many instances has the DOJ or FTC reneged on a clearance agreement with the other agency? In how many of these instances was the disruption created by (a) the FTC’s decision to renege on the agreement; and (b) the DOJ’s decision to renege on the agreement? How many amicus briefs did each agency file in each year? How many of the total amicus briefs filed by DOJ were done so at the invitation of the court? How many of the total amicus briefs filed by FTC were done so at the invitation of the court?

With respect to the FCC, the package provides $376 million and requires a host of programmatic responses, including:

  • Broadband Maps.—The Committee provides significant funding for upfront costs associated with implementation of the Broadband DATA Act. The Committee anticipates funding related to the Broadband DATA Act will decline considerably in future years and expects the FCC to repurpose a significant amount of staff currently working on economic, wireline, and wireless issues to focus on broadband mapping.
  • Broadband Access.—The Committee believes that deployment of broadband in rural and economically disadvantaged areas is a driver of economic development, jobs, and new educational opportunities. The Committee supports FCC efforts to judiciously allocate Universal Service Fund (USF) funds for these areas.
  • Rural Digital Opportunity Fund.—The Committee appreciates the significant investment the FCC is planning to make to deploy broadband services to unserved areas. The Committee recognizes the need for government programs to minimize instances in which two different providers receive support from two different programs to serve the same location. However, the Committee is concerned that current program rules may have the unintended consequence of discouraging other funding sources from participating in broadband deployment, particularly State-based programs. The Committee directs the FCC to adjust program rules to ensure applicants, and the States in which those applicants would deploy broadband, are not put at a disadvantage when applying for the Rural Digital Opportunity Fund based on the State’s proactive, independent investment in broadband.
  • Lifeline Service.—The Committee is concerned that changes to the Lifeline minimum service standards and support levels will adversely impact low-income Americans, including many suffering from economic hardships due to the coronavirus. The Committee directs the FCC to pause implementation of any changes to the currently applicable minimum service standards for Lifeline-supported mobile broadband service and any changes in the current levels of Lifeline support for voice services until the FCC has completed the State of the Lifeline Marketplace Report required by the 2016 Lifeline Order…
  • Mid-Band Spectrum.—The Committee believes that Fifth-Generation (5G) mobile technology is critical to U.S. national and economic security. A key component of the U.S. strategy for 5G is ensuring that U.S. wireless providers have enough mid-band spectrum (frequencies between 3 GHz and 24 GHz), which provides fast data connections while also traveling longer distances. The Committee is concerned that the U.S. is falling behind other countries in the allocation of such spectrum. The Committee urges the Administration and the FCC to work expeditiously to identify and make available more mid-band spectrum for 5G so that the U.S. does not fall further in the race to deploy 5G networks and services.
  • 5G Supply Chain.—The Committee understands the importance of a secure 5G technology supply chain. The Committee encourages the FCC to investigate options for increasing supply chain diversity, competition, and network security via interoperable technologies and open standard-based interfaces.

The Committee had a range of mandates for the Office of Management and Budget (OMB):

  • Federal and Critical Infrastructure Cybersecurity.—The Committee is aware that Federal agencies and the nation’s critical infrastructure face unique cybersecurity threats. Executive Order 13800, issued on May 11, 2017, directs agency heads to implement several risk management and cybersecurity measures, including the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. OMB is directed to report, within 90 days of enactment of this Act, on the status of compliance with Executive Order 13800 by each applicable agency. The report shall identify risk management and cybersecurity compliance gaps and outline the steps each agency needs to take to manage such risks. OMB shall prioritize working with the applicable agency heads to address remaining gaps and inconsistencies.
  • Federal Information Technology Workforce.—OMB is directed to consult with the Office of Personnel Management and the General Services Administration and report to the Committee, no later than September 30, 2021, on gaps in Federal information technology workforce skills, disciplines, and experience required to enable the Federal government to modernize its ability to use technology and develop effective citizen-facing digital services to carry out its mission.

The Committee noted its additional funding to the Election Assistance Commission (EAC) for Election Security Grants of $500 million:

  • [T]he Coronavirus Aid, Relief, and Economic Security Act (CARES Act) (P.L. 116–136) included $400,000,000 for grants to States to prevent, prepare for, and respond to coronavirus. The Committee is gravely concerned by persistent threats from Russia and other foreign actors attempting to influence the U.S. democratic process, and vulnerabilities that continue to exist throughout the Nation’s election system.
  • Since fiscal year 2018, Congress has provided $805,000,000 in grants to States to improve the security of elections for Federal office.
  • However, that funding has been inconsistent, unpredictable, and insufficient to meet the vast need across all the States and territories.
  • Congress must provide a consistent, steady source of Federal funds to support State and local election officials on the frontlines of protecting U.S. elections. The bill requires States to use payments to replace direct-recording electronic (DRE) voting machines with voting systems that require the use of an individual, durable, voter-verified paper ballot, marked by the voter by hand or through the use of a non-tabulating ballot marking device or system, and made available for inspection and verification by the voter before the vote is cast and counted.
  • Funds shall only be available to a State or local election jurisdiction for further election security improvements after a State has submitted a certification to the EAC that all DRE voting machines have been or are in the process of being replaced. Funds shall be available to States for the following activities to improve the security of elections for Federal office:
    • implementing a post-election, risk-limiting audit system that provides a high level of confidence in the accuracy of the final vote tally;
    • maintaining or upgrading election-related computer systems, including voter registration systems, to address cyber vulnerabilities identified through DHS scans or similar assessments of existing election systems;
    • facilitating cyber and risk mitigation training for State and local election officials;
    • implementing established cybersecurity best practices for election systems; and other priority activities and
    • investments identified by the EAC, in consultation with DHS, to improve election security.
  • The EAC shall define in the Notice of Grant Award the eligible investments and activities for which grant funds may be used by the States. The EAC shall review all proposed investments to ensure funds are used for the purposes set forth in the Notice of Grant Award.
  • The bill also requires that not less than 50 percent of the payment made to a State be allocated in cash or in kind to local government entities responsible for the administration of elections for Federal office.

Regarding the General Services Administration (GSA), the Committee directed the following:

  • Interagency Task Force on Health and Human Services Information Technology (IT).— The Committee urges the Chief Information Office and Chief Technology Officer (CTO) of HHS, in collaboration with the White House CTO and U.S. Department of Agriculture (USDA), as well as the Office of the National Coordinator for Health Information Technology (ONC) within HHS, 18F within the GSA, and the Cybersecurity and Infrastructure security Agency (CISA) within the U.S. Department of Homeland Security, to establish an interagency task force that will examine existing IT infrastructure in Federal health human service programs nationwide and identify the limitations to successfully integrating and modernizing health and human services IT, and the network security necessary for health and human services IT interoperability. The task force shall submit to the Committee within 180 days of enactment on this Act a report on its progress and on recommendations for further Congressional action, which should include estimated costs for agencies to make progress on interoperability initiatives.
  • Category Management.—The Committee is interested in understanding the effects of GSA’s category management policy on contracts with small businesses. Category management refers to the business practice of buying common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the Federal government’s acquisition programs. Within 180 days of the enactment of this Act, the Committee directs GSA, in cooperation with SBA, to submit a report to the Committee on the number of contracts that could have been awarded under sections 8(a), 8(m), 15(a), 15(j), 31, or 36 of the Small Business Act, but were exempted by category management since its implementation.

The Committee made the following recommendations generally:

  • Cyberspace Solarium Commission Recommendations.—The Committee recognizes and supports the priorities and recommendations laid out in the Cyberspace Solarium Commission’s report and urges Federal departments and agencies to align cybersecurity budgetary priorities with those laid out by the Commission. In particular, the Committee calls attention to recommendation 3.2, Develop and Maintain Continuity of the Economy Planning; recommendation 4.6.3, Strengthen the Capacity of the Committee on Foreign Investment in the United States, particularly with respect to the need to train Federal bankruptcy judges; recommendation 3.4, Improve and Enhance the Funding of the Election Assistance Commission; and recommendation 3.1, Strengthen Sector-specific Agencies’ Ability to Manage Critical Infrastructure Risk, particularly with respect to the Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.
  • Zero Trust Model.—The Committee is aware that the most effective cybersecurity systems are based on the zero trust model, which is designed not only to prevent cyber intrusions but to prevent cyberthieves from accessing or removing protected information. To ensure that Federal agencies achieve the highest level of security against cyberattacks in the shortest amount of time, the Committee encourages all agencies to acquire and deploy zero trust cybersecurity software that is compatible with all existing operating systems and hardware platforms used by Federal agencies. The Committee also encourages Federal agencies to acquire and utilize software compatible with all existing operating systems and hardware platforms that will enable agencies to measure or quantify their risk of a cybersecurity attack in the months ahead and the types of cyberattack the agency is most likely to experience. Upon learning the risk and type of cyberattack the agency is most likely to face, the agency shall immediately take remedial action to minimize such risk. Agencies shall include information in their fiscal year 2022 Congressional Justification to Congress on their progress in complying with this directive.

FY 2021 Department of Defense Appropriations Act

On 14 July, the House Appropriations Committee marked up and reported out the “FY 2021 Department of Defense Appropriations Act,” which would provide $695 billion for the Department of Defense (DOD), “an increase of $1,294,992,000 above the fiscal year 2020 enacted level and a decrease of $3,695,880,000 below the budget request.”

The Committee Report contained these technology-related provisions:

  • ZERO TRUST ARCHITECTURE. The Committee encourages the Secretary of Defense to implement a Zero Trust Architecture to increase its cybersecurity posture and enhance the Department’s ability to protect its systems and data.
  • DISTRIBUTED LEDGER TECHNOLOGY RESEARCH AND DEVELOPMENT. The Committee is aware that distributed ledger technologies, such as blockchain, may have potentially useful applications for the Department of Defense, which include but are not limited to distributed computing, cybersecurity, logistics, and auditing. Therefore, the Committee encourages the Under Secretary of Defense (Research and Engineering) to consider research and development to explore the use of distributed ledger technologies for defense applications.
  • ARTIFICIAL INTELLIGENCE PARTNERSHIPS. The Committee is aware of the United States-Singapore partnership focusing on applying artificial intelligence in support of humanitarian assistance and disaster relief operations, which will help first responders better serve those in disaster zones. The Committee encourages the Secretary of Defense to pursue similar partnerships with additional partners in different regions, including the Middle East.
  • CYBER EDUCATION COLLABORATIVES. The Committee remains concerned by widespread shortages in cybersecurity talent across both the public and private sector. In accordance with the recommendations of the Cyberspace Solarium Commission, the Committee encourages the Under Secretary of Defense (Research and Engineering) to direct cyber-oriented units to collaborate with local colleges and universities on research, fellowships, internships, and cooperative work experiences to expand cyber-oriented education opportunities and grow the cybersecurity workforce. The Committee also appreciates that veterans and transitioning servicemembers could serve as a valuable recruiting pool to fill gaps in the cybersecurity workforce. Accordingly, the Committee encourages the Under Secretary to prioritize collaboration with colleges and universities near military installations as well as the veteran population.
  • 5G TELECOMMUNICATIONS TECHNOLOGY. The Committee is concerned about reports that foreign manufacturers are significantly ahead of United States companies in the development and deployment of 5G telecommunications technologies, which poses a national security risk to the United States and its allies. Without a robust domestic 5G supply chain, the United States will be vulnerable to 5G systems that facilitate cyber intrusion from hostile actors. In order to secure a reliable 5G system and a domestic supply chain that meets the national security needs of the United States and its allies, the Committee encourages the Secretary of Defense to accelerate engagement with domestic industry partners that are developing 5G systems. Additionally, the Committee is aware of the significant investments being made in 5G efforts but is concerned with the level of detail provided for congressional oversight. The Committee directs the Under Secretary of Defense (Research and Engineering) to conduct quarterly execution briefings with the House and Senate Appropriations Committees beginning not later than 90 days after the enactment of this Act.
  • MILITARY INFORMATION SUPPORT OPERATIONS. Over the past decade, the bulk of activities under Military Information Support Operations (MISO) focused on countering violent extremist organizations (VEO). While VEOs remain an ongoing threat and require continued vigilance, peer and near-peer adversaries like China and Russia are using social media and other vectors to weaken domestic and international institutions and undermine United States interests. This new information environment and the difficulty of discriminating between real and fake information heightens the importance of enhancing and coordinating United States government information-related capabilities as a tool of diplomatic and military strategy.
  • The Committee recognizes the efforts and accomplishments of the United States Special Operations Command and other agencies within the executive branch to operate in the digital domain. However, it is difficult to view individual agency activities as a coordinated whole of government effort. Over the past several years, the classified annex accompanying annual Department of Defense Appropriations Acts included direction focusing on the individual activities of geographic combatant commands. However, information messaging strategies to counter Chinese and Russian malign influences cuts across these geographic boundaries and requires coordination between multiple government agencies using different authorities.
  • Therefore, in order to better understand how MISO activities support a whole of government messaging strategy, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit a report for MISO activities for the individual geographic combatant commands justified by the main pillars of the National Defense Strategy to the House and Senate Appropriations Committees not later than 15 days after submission of the fiscal year 2022 budget request and annually thereafter. The report shall include spend plans identifying the requested and enacted funding levels for both voice and internet activities and how those activities are coordinated with the Intelligence Community and the Department of State. The enacted levels will serve as the baseline for reprogramming in accordance with section 8007 of this Act. Furthermore, the Committee directs the Assistant Secretary of Defense (Special Operations/Low Intensity Conflict) to submit to the congressional defense committees, not later than 90 days after the end of the fiscal year, an annual report that provides details on each combatant commands’ MISO activities by activity name, description, goal or objective, target audience, dissemination means, executed funds, and assessments of their effectiveness. Additional details for the report are included in the classified annex accompanying this Act.

FY 2021 Commerce, Justice, Science Appropriations Act

Also on 14 July, the “FY 2021 Commerce, Justice, Science Appropriations Act” was also marked up and reported out and its Committee Report contains these provisions:

  • Cybersecurity Threats.—The Committee remains concerned that as the Census Bureau looks to modernize data collection methods, the Census Bureau could potentially be exploited by nefarious actors who seek to undermine the integrity of census data, which is vital to democratic institutions, and gain access to sensitive information otherwise protected by law. These threats include both hacking into the Census Bureau IT infrastructure and efforts to use supercomputing to unmask the privacy of census respondents. The Committee directs the Census Bureau to prioritize cyber protections and high standards of data differential privacy, while also maintaining the accuracy of the data, and expects the Census Bureau to update the Committee regularly on these efforts.
  • Cybersecurity and Privacy.—The proliferation of data generation, storage, and usage associated with the digital economy is making it increasingly important to protect that data with effective cryptography and privacy standards. The Committee is concerned that individual, corporate, and public-sector data privacy is continuously at risk from attacks by individual actors, criminal organization, and nation-states. The Committee urges NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies.
  • National Initiative for Cybersecurity Education.—The Committee notes with concern the shortage of cybersecurity professionals across the government and private sector, from entry level applicants to experienced professionals. The Committee therefore supports the National Initiative for Cybersecurity Education (NICE) and directs NIST to provide resources commensurate with the prior fiscal year for this effort.
  • Cybersecurity Conformity Assessment Programs.—The Committee instructs NIST, in collaboration with other relevant organizations, to report to the Committee no later than 270 days after the enactment of this Act on challenges and approaches to establishing and managing voluntary cybersecurity conformity assessment programs for information and communication technologies including federal cloud technologies.
  • Cybersecurity Training.—Within the increase to Manufacturing Extension Partnership (MEP), the Committee directs NIST to maintain the core services of the MEP and encourages NIST to utilize existing expertise within its Information Technology Laboratory to increase cybersecurity technical training to small manufacturers to strengthen their cybersecurity capabilities given the troubling threats from state and non-state actors and other emerging threats.
  • Cybersecurity threat information sharing.—The Committee supports sharing by DOJ of cybersecurity threat warnings and intelligence with private companies who may benefit from actionable information to deter, prevent, or mitigate threats. The Committee asks DOJ to provide a briefing on this topic not later than 90 days after enactment of this Act.
  • Chinese-government affiliated companies.—The Committee is concerned with companies operating within the United States that are known to have substantial ties to the Chinese government, including full or partial ownership by the Chinese government, and that are required by Chinese law to assist in espionage activities, including collection of personally identifiable information of American citizens. Such companies may pose cybersecurity risks, such as vulnerabilities in their equipment, and some are the subject of ongoing Congressional and Executive Branch investigations involving their business practices. The Committee directs DOJ to enforce applicable laws and prevent the operation of known foreign entities who participate in the theft of American intellectual property, the harvesting of personal identifiable information on behalf of a foreign government, and the unlawful surveillance of American citizens by adversarial state-owned enterprises.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading and Other Developments (17 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the  United  States’  domestic industrial competitiveness  and  technological  leadership relative  to  China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk  that  U.S.  firms  are  unwittingly enabling China to  achieve  its industrial  policy and  military  development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments..[b]ut such judgments fall far afield of the FCC’s statutory  authority  and  competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigations (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and other claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests  submitted by data subjects” even Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) that “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices)  “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications  Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security  Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework) that features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case ion its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters the app marketed in the United States is through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC change in law has extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and he PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so does Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore. 
  • California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and it is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain tractions before the European Commission, which levied a €1.49 billion for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’ – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing just to maintain and improve the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  •  “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars.
  • Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance of the app Music.ly that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m to countries non-governmental organizations (NGO) are rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed suit in what will undoubtedly seek to become a class action suit over Google’s alleged continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials according to this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks. 
  • Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the penetration of the platform must have been of internal controls for so many high profile accounts to be taken over at the same time.
  • TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and thirst quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review of an inter-agency committee for national security considerations that could result in an unwinding of the deal. Moreover, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement that the company violated regulations protecting the privacy of children that could result in multi-billion dollar liability if wrongdoing is found.
  • Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms have sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that gives them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors to the world’s second most populous nation.
  • “Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting show that many of them are inaccurate or false, thus violating the platforms terms of services yet Facebook has done nothing to remove them or mark them as inaccurate until this article was being written.
  • Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to life people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of whom, Sabre is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, is using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

National Cyber Director Hearing

The primary committee of jurisdiction over a bill to create a White House Cyber Director held a hearing on the ramifications of creating just such a position.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 14 July, the House Oversight and Reform Committee held a virtual hearing to discuss the recently introduced “National Cyber Director Act” (H.R.7331) that would implement one of the Cyberspace Solarium Commission’s (CSC) most significant recommendations. Representative James Langevin (D-RI), who served on the CSC, introduced the bill a few weeks ago when it appeared clear that neither Armed Services Committee will include the CSC’s recommendation that a position be established inside the Executive Office of the President of a National Cyber Director to coordinate much of the United States’ cyber policy that would need to be confirmed by the Senate. Langevin and a number of others submitted an amendment to the House Rules Committee for consideration of the “William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021” (H.R.6395) that would add H.R.7331 to the House’s FY 2021 NDAA. It is possible this amendment is made in order and will be debated on the House floor when the chamber turns to H.R.6395, which could happen as soon as next week.

The holding of this hearing is likely part of an effort to convince House Democratic Leadership and the House Rules and Armed Services Committees of the support for H.R.7331 so that it can be debated during consideration of the FY 2021 NDAA. The chair of the House Oversight and Reform Committee cosponsored Langevin’s amendment as did a number of Republicans, demonstrating its bipartisan nature. Also, having held a hearing at which a number of witnesses endorsed the idea will lend further weight to it being allowed to be offered to the annual Department of Defense policy package.

The Senate’s NDAA does not include language establishing a National Cyber Director position. Rather, the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would require “the  Secretary  of  Defense,  in  coordination  with  the Secretary  of  Homeland  Security,  shall  seek  to  enter  into  an  agreement  with  an  independent  organization  with  relevant expertise in cyber policy and governmental organization  to  conduct  and  complete  an  assessment  of  the  feasibility and advisability of establishing a National Cyber Director.” It is possible that CSC co-chair Senator Angus King (I-ME) succeeds in getting this recommendation included in the Senate’s FY 2021 NDAA when the body continues with debate next week.

Chair Carolyn Maloney (D-NY) stated

Cyberattacks are a critical, complex, prevalent, and growing threat to the nation’s safety and economic security, touching nearly every aspect of our lives. This assessment was upheld by recent findings from the U.S. Cyberspace Solarium Commission, which was established by the 2019 National Defense Authorization Act to review the state of our cybersecurity posture and develop bipartisan solutions for defending America against cyberthreats.  This commission of Congressional, Executive Branch, and private sector cybersecurity leaders sounded the alarm that, in addition to millions of intrusions that disrupt operations in America on a daily basis, we remain vulnerable to catastrophic attacks on critical infrastructure and economic systems that could cause widespread damage and death.

Maloney noted “[a] number of the commission’s recommendations fall within the legislative jurisdiction of this Committee…[and] [t]his includes one that has sparked a high level of interest on both sides of the aisle—the recommendation for a centralized cybersecurity position at the White House to develop and streamline the federal government’s strategy, coordination, and response to cyberthreats.” She said that “[t]his role was first formalized during the George W. Bush Administration, and then elevated and expanded during the Obama Administration…[b]ut in 2018, then-National Security Adviser John Bolton eliminated the role, reportedly to cut “another layer of bureaucracy.”

Maloney said that “we will review H.R. 7331, which would implement the Commission’s recommendation to establish a National Cyber Director in the Executive Office of the President.” She said that “[t]his new position would restore that cyber coordination and planning function at the White House…[and] [i]n addition, for the first time, it would be backed with resources and statutory authority to lead strategic planning efforts, review cybersecurity budgets, and coordinate national incident response.” Maloney stated “[a] challenge as complex and pervasive as cybersecurity requires that our government be strategic, organized, and ready…[and] Democrats and Republicans agree we need a National Cyber Director to ensure we are fully prepared for, and coordinated in, our response to cyberattacks as our nation fights this silent war.” She explained “[o]ur mission today is to gain a detailed understanding of the threats we face, and to thoroughly examine H.R. 7331 as the vehicle for preparing our country against those threats.”

Ranking Member James Comer (R-KY) said the federal cyber domain is dispersed with varying jurisdictions and expertise among agencies organized to fight cyber-crime, defend national security, and support the private sector’s critical cyber infrastructure. He noted the increasingly reliance in the US on technology and growing inter-connected nature of the American economy. Comer said foreign actors, terrorist groups, domestic agitators, and criminal enterprises all have a vested interest in exploiting US networks. Comer said the remote operations of the pandemic have created new cyber vulnerabilities that malicious actors are taking advantage of. He added the same threats face private sector and state, local, tribal, and territorial governments. Comer stressed that fostering relationships across the private sector and state and local partners, vital cyber threat information can be shared that helps secure critical infrastructure.

Comer noted the witnesses have vast experience in combatting cyber threats from nations like the People’s Republic of China (PRC) that has historically hacked into agencies like the Federal Deposit Insurance Corporation, stolen intellectual property, and paid professors and researchers for research and development information. He stated he would welcome the opportunity to work with Democrats to hold the PRC accountable for these bad acts as well as their deceptive tactics over the course of the COVID-19 pandemic. Comer said the present hearing would, instead, examine a proposal to create a National Cyber Director. He stressed that Members have a duty to be good stewards of taxpayer dollars and not create more bureaucracy. Comer commended the Trump’s Administration’s performance in fending off threats to medical and health facilities and to teleworkers during the pandemic.

Comer asked whether it is truly necessary to establish a new position to coordinate cybersecurity, and, if so, would this official actually have the authority necessary to execute her responsibilities. Moreover, will other stakeholders fall in line and work in harmony, he asked. Comer said it is already he case the multiple federal agencies have cybersecurity jurisdiction and wondered whether another official would help the US government’s cyber posture. He expressed his concern that the bill may create a duplicative, bureaucratic layer of government that will hinder future responses to cyber-attacks.

Representatives and CSC Members James Langevin (D-RI) and Mike Gallagher (R-WI) claimed

First and foremost, the Executive Branch must establish a National Cyber Director to centralize and coordinate the cybersecurity mission at the national level. The National Cyber Director would work among Federal departments and agencies to bring coherence in both in the development of cybersecurity policy and strategy and in its execution. The position would provide clear leadership in the White House and signal cybersecurity is an enduring priority in U.S. national security strategy.

Langevin and Gallagher stated “[l]ooking at the history and the current structure of the Executive Branch, four clear institutional challenges emerge:

  • First, the Federal government lacks consistent, institutionalized leadership in the White House on cybersecurity strategy and policy.
  • Second, due to the absence of a consistent advocate, cybersecurity is inconsistently prioritized in the context of national security.
  • Third, the United States lacks a coordinated, cohesive, and clear strategic vision for cyber.
  • Fourth, the lack of centralized Executive Branch leadership complicates and prevents effective congressional oversight. In the March 2020 Commission report, the Commission recognized the need for a single individual at the highest level in the Federal government to take on these responsibilities.

Langevin and Gallagher explained

On the issue of whether to recommend the creation of new Executive Branch structures, or strengthen the existing structures, the Commission explored several different options. These models included the creation of a new cabinet department for cyber led by a Secretary, an independent agency for cyber led by a Director reporting to an existing cabinet department, an equivalent to a Homeland Security Advisor for cyber within the National Security Council, or a new office within the White House Executive Office of the President (EOP) led by a Director. Ultimately, the Commission decided that the Federal government would be better served by strengthening existing department and agency efforts in cybersecurity, including strengthening CISA and Sector-Specific Agencies, rather than the creation of a new department. While the creation of a new cabinet department or independent agency would give the position gravitas, the Commission recognized the protracted development of a new department would prevent, or even eliminate, much-needed near-term progress.

Cyber Threat Alliance President and Chief Executive Officer Michael Daniel claimed “we have reached the point where making more than incremental progress will prove difficult unless we address at least four impediments:

  • First, cybersecurity’s cross-cutting nature does not fit with the US government’s bureaucratic structure, making the issue difficult to deal with during policy development. 
  • Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity over the long term. 
  • Third, a lack of central coordination hinders effective incident response actions. 
  • Fourth, cybersecurity’s complexity and unusual nature make it tough for the President and other senior leaders to tackle without access to expertise. 

Daniel stated “[a]ddressing these impediments would be challenging under normal circumstances, but this Administration has chosen to take a step backward by eliminating the cybersecurity coordinator position at the White House, which makes it even harder.” He said that “[c]learly, no single policy action will solve these problems…[and] [t]hey are too complicated for a one-shot solution.” Daniel said “[t]hat said, creating a position like a National Cyber Director along the lines the Cyberspace Solarium Commission recommends or that Representative Langevin has proposed is a necessary part of the solution.”

Daniel asserted

  • Cybersecurity is a strategic, national level problem that defies easy categorization.  Cyberspace and the Internet are permanent features of our society, economy, public safety, and national security.  We will not “solve” our cybersecurity problems; cyber threats are now a permanent feature in society and international relations.  Instead, we will manage and mitigate the threat.  Thus, we need a strategic level leader focused on this problem with a government-wide perspective.  Moreover, we will need a national cyber director for the long-term. 
  • The EOP is the only part of the executive branch with a sufficiently broad scope to look across all the different aspects of cybersecurity.  It is the only part of the executive branch that can overcome the “you’re not the boss of me” effect and incentivize agencies to engage in regular, sustained, and intense coordination. It is the logical place to organize a cyber crisis response because it can serve as a neutral, inter-agency hub and activate resources across the entire Federal government. Finally, it is the primary organization for direct Presidential advisors.

Daniel said that “[a]s Congress debates this issue, I would urge it to consider certain parameters in crafting the position: The NCD Office should be big enough to run effective processes, but not so big that it tries to be operational.” He claimed “[i]f we want the office to succeed, then it cannot be so small that the staff do not have time to do anything right…[and] [o]n the other hand, it should not be so large that its staff are tempted to try to run operations directly.” Daniel stated that “[t]he NCD Office should integrate tightly with OMB’s budget process and NSC’s policy process, otherwise it will be irrelevant.”

Daniel stated

  • The NCD Office should have insight into and a policy oversight role for all Federal government cyber functions, including military, intelligence, or law enforcement activities; this insight must extend to offensive cyber operations. We cannot exclude those activities from the NCD’s purview and expect the position to succeed. For the record, I strongly support the independence of indictment and prosecutorial decisions from the White House, but that separation does not mean the NCD should not understand what law enforcement operations are occurring or influence our strategic level policy toward cybercrime. If the NCD only has oversight and coordination roles for network defense activities and working with the private sector, then the position would largely duplicate the CISA director, which we do not need.
  • NCD staff should not participate in policy execution. Law enforcement agencies investigates and prosecutes crime, intelligence agencies collect information, the military conducts offensive cyber operations, and the sector specific agencies work with their industries. Policy execution should remain the domain of the departments and agencies.
  • The office will need a clear relationship with the Federal Chief Information Security Officer (CISO). This existing office has worked hard to improve the security of Federal networks. The NCD’s office will need to work closely with the Federal CISO to ensure that Federal agencies are following the general guidance and advice the government gives the private sector. We must walk our talk.

Tenable Chairman and CEO Amit Yoran stated

Beyond the authorities already included in H.R. 7331, I recommend additional authorities for the National Cyber Director that would improve the nation’s cybersecurity risk management for both the public and private sectors. These additional authorities include developing a national encryption policy, managing the Vulnerabilities Equities Process (VEP), coordinating with regulatory entities, driving cybersecurity workforce development, and leading all international cybersecurity efforts, to include the development of international cyber strategies and international engagement.

Yoran added that

The Cyberspace Solarium Report also included recommendations on how to further strengthen the Cybersecurity Infrastructure Security Agency (CISA) in order to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem and serve as the central civilian authority to support federal, state, local and private sector cybersecurity efforts. CISA has established information sharing capabilities across the government, provides technical assistance to cybersecurity operators in the public and private sectors, and engages stakeholders both inside and outside the federal government. However, CISA’s role has clear limitations:

  • CISA’s convening power is not widely understood or consistently recognized.
  • CISA does not have jurisdiction over law enforcement, the Department of Defense or federal intelligence agencies, which are all critical pieces of a unified approach to U.S. cyber defense, nor are these organizations required to collaborate and share their activities with CISA.
  • CISA does not have the budget or the analytic capacity to assess, plan for and lead a unified effort to mitigate national systemic cyber risk.

Yoran said that “[t]he creation of the National Cybersecurity Director role should be done in conjunction with efforts to empower and appropriately resource CISA as a critical player to improve the nation’s cybersecurity.” He contended “[t]o strengthen CISA, Congress should elevate the Director position as recommended by the Cyberspace Solarium Commission and provide additional funding and program support that will enable the organization to enhance current operations.” Yoran stated that “[a]n expanded budget would also allow CISA to increase funding for the Continuous Diagnostics and Mitigation (CDM) program in order to meet surge capacity to protect .gov networks, support state and local cybersecurity networks and systems, and expand other programs that support the private sector, including many of the public-private operations that comprise the U.S. critical infrastructure.”

George Mason University’s National Security Institute Founder & Executive Director Jamil Jaffer stated

  • Given the general agreement that such [cyber] coordination is advisable, and indeed, necessary, one needs wonder why the Commission’s approach might be controversial.  The first and most obvious issue that would likely trouble any White House—regardless of political party and relationship with Congress—is the idea of having yet another Senate-confirmed appointee in the White House Office. 
  • The challenge, of course, with a National Cyber Director, particularly as it relates to a position in the White House Office and as described in H.R. 7331, is that this individual would have responsibilities that are generally understood by Presidents to be squarely in their control, namely matters related to the execution of the President’s textual Commander-in-Chief responsibilities. And while Congress may certainly argue that it has a number of textual commitments in this area also, like the declaration of war authority and the provisioning of the armed forces, the reality is that Presidents have long taken the view that matters of national security decisionmaking, particularly in the White House, are firmly committed to their discretion.  Thus, it is likely that any President, regardless of party or relationship with Congress, would be strongly opposed to Senate-confirmation of such an individual and, if such confirmation was ultimately required, it may actually undermine rather than buttress the individual position’s influence and role within the White House.
  • Moreover, making such a position Senate-confirmed essentially seeks to elevate it to an Assistant to the President role, namely a principal officer inside the White House Office. The challenge with doing so, of course, is that the vast majority of issues such an individual would deal with likely also fall squarely within the ambit of the existing responsibilities of the Assistant to the President for National Security (i.e., the National Security Advisor). 
  • The legislation clearly envisions the former approach—that is, direct advice to the President—which could very well create its own set of coordination and integration challenges within the White House and with the interagency. This challenge is enhanced, in particular, when it comes to areas of clear overlap between existing White House officials like the National Security Advisor (e.g., in the case of offensive and defensive cyber operations), as well as the Director of OMB (e.g., in the case of budgetary authority). Where the situation becomes even more problematic, however, is where the NCD’s assigned authorities appear to directly conflict with the authorities of another cabinet-level official. 
  • Finally, the size of the office likewise presents its own challenges.  While it is true that the USTR has an office of over 200 individuals and OMB has nearly 500, even at 75 authorized individuals, when one adds in the authority for other outside experts, consultants, and other government agency personnel in support, this number is likely to be viewed as too high for the mission.  This is particularly the case given that such an office would be roughly1/3 the size of the entire National Security Council staff, which itself is currently seen as fairly bloated (even after the Trump-directed staff reductions in 2019)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.