China Hearing

The extent of the PRC’s threat and options for countering its challenge, especially in the  realm of technology, were discussed by a Senate committee.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Senate Foreign Relations Committee held a hearing titled “Advancing Effective U.S. Competition With China: Objectives, Priorities, and Next Steps” that showed a shared agreement on challenge posed by the People’s Republic of China (PRC) but different views on how to manage the challenge. The hearing comes at a time when tensions between the United States and the PRC continue to escalate across a number of fronts with the Trump Administration and a number of Congressional Republicans using increasingly strong rhetoric against Beijing. In concert with the hearing, the chair and three other Republicans introduced legislation “to advance a comprehensive strategy for U.S. competition with the People’s Republic of China (PRC)” per their press release. The Ranking Member also issued a report “by the Senate Foreign Relations Committee Democratic Staff on China’s digital authoritarianism” according to his statement.

Chair Jim Risch (R-ID) stated stated “[a]s the Trump Administration has correctly recognized, China is a strategic and global competitor of the United States…[and] [i]t will be the greatest foreign policy challenge the United States faces in the decades to come. The policies of the Chinese Communist Party (CCP) undermine U.S. interests and values, including those we share with allies and partners around the world.” Risch asserted

  • COVID-19 has brought this challenge to the forefront of American life. We now know just how much the CCP’s decisions and actions directly affect U.S. citizens, our allies and partners, and the entire world. And we know not even a global pandemic will stop China’s aggressive behavior – whether that’s in Hong Kong, the South China Sea, or along the Indian border.
  • Over the last three years, the Trump Administration has taken numerous steps to put the United States on a stronger path to competing with China. Last week I was glad to see long overdue sanctions on CCP officials for human rights abuses in Xinjiang and Tibet. I was also pleased that we declared China’s claims in the South China Sea as unlawful, and deployed two carrier battle groups there for exercises. And after the CCP crushed Hong Kong’s autonomy, the president made the tough but necessary decision to end certain types of special treatment for Hong Kong.

Risch said

  • In May, the administration published a report on the implementation of its China strategy that goes into more detail. So this is a good time for the Committee to conduct oversight regarding our objectives, what we’ve done, and where we go from here.
  • This is also an opportunity to discuss China legislation put forward by members of this committee and others. This week, I introduced the “Strengthening Trade, Regional Alliances, Technology, and Economic and Geopolitical Initiatives Concerning China Act” (STRATEGIC Act) (S.4272). It is a comprehensive approach to China with concrete policies in several key areas of the competition. I’ll describe some of them briefly.
  • We must continue our focus on China’s anti-competitive economic policies. The Chinese government engages in intellectual property theft and massive financing of Chinese companies, and the most abusive anti-free market tactic of forced technology transfer. This is a horrible practice – it’s reprehensible.
  • These policies are designed to push others out of the market and create monopolies. Innovative American companies like Micron Technologies, based in my home state of Idaho, know these challenges well. Their intellectual property was stolen by a Chinese company, who then patented that technology in China and sued Micron. The STRATEGIC Act authorizes new tools for U.S. companies to address the harms caused by such policies, among several other provisions.
  • To maintain our economic and technological edge, it’s not enough to just push back on what China is doing. We also have to strengthen and invest in ourselves. In other committees, I have focused on this issue by supporting legislation promoting U.S. manufacturing of critical technologies, fortifying cyber security for our infrastructure and small businesses, and strengthening our technology workforce.
  • The STRATEGIC Act focuses on increasing technology collaboration with allies and partners. America is a world hub for innovation, and we can boost that innovation further by working with our highly capable partners. If we do, we will all be in a better position to develop the technologies of the future, and ensure they are used to uphold individual freedom, human rights, and prosperity.

Risch stressed “the importance of deterrence” and added

  • The United States, of course, does not seek any sort of military confrontation with China. However, China’s military is getting bigger, more capable, and becoming more aggressive. In the Indo-Pacific region, we should all be a lot more worried about the CCP’s plans for Taiwan, given what it just did to Hong Kong. In addition to the South China Sea, Japan faces almost daily incursions and pressure in the East China Sea. Beyond the region, China’s Belt and Road Initiative is also helping the Chinese military expand its presence.
  • We have to make it completely clear to the CCP that we are willing and able to defend our interests. That means reaffirming our commitments to our Indo-Pacific allies – even as they need to take on a larger role in defending the interests we share. The STRATEGIC Act focuses on key steps for advancing defense cooperation with our allies, including advocating for several difficult but important policy changes. 
  • I want to stress that this bill that I’ve introduced does not seek to block China. Rather, what it does is it offers prosperity. It offers an invitation to join the international community and operate under the rule of law and under international norms. If that happens, we all will prosper.
  • We should not miss the bipartisan opportunity that we have today to address these things. I’ll close with a note about bipartisanship.
  • Time and time again – on everything from human rights to investment screening – the Senate has worked across the aisle on China. But unfortunately, in recent months, that has become a lot harder. We have a long road ahead of us in this competition. We cannot allow partisanship to get in the way, even in an election year. Whatever happens in November, China will remain an issue. If we do not work together, the United States as a whole will be weaker.
  • I introduced this bill to push forward a serious, and bipartisan, conversation about the Senate’s role in advancing an effective strategy of competition. I want to thank several of my colleagues on this committee, from both sides of the aisle, for joining me in that effort. There is both Republican and Democrat input into this bill, not only from this committee, but also from think tanks around Washington, D.C., including Democrat think tanks. And I hope this will be the start of more cooperation to come.
  • When we get to a final bill, I’m very hopeful that that bill will contain items that everyone has an interest in. There’s been a number of people that have introduced bills. I know the ranking member is about to introduce a bill – I have no doubt that there will be things in there that we can all embrace. And I hope that as we get to a final bill, we will have things that we can embrace on a bipartisan basis.

Ranking Member Bob Menendez (D-NJ) remarked “I think the administration is asking the right questions about China and the U.S.-China relationship…[but] [u]nfortunately, however, I find that the administration’s strategies and policies fall well short of answering the enormity of the challenge.” He contended that “[w]e need, instead, as the title of this hearing suggests, an “effective” China strategy.”

Menendez stated

  • The China of 2020 is not the China of 1972, or even the China of 2000, or 2010. China today is challenging the United States across every dimension of power — political, diplomatic, economic, innovation, military, even cultural, and with an alternative and deeply disturbing model for global governance. China today, led by the Communist Party and propelled by Xi Jinping’s hyper-nationalism, is unlike any challenge we have faced as a nation before.
  • Emboldened by the retrenchment, shortcomings, and sometimes enablement of the Trump administration, China today is more active and more assertive in the region and in the international community than ever before.
  • Indeed, just since this this past March, China has increased its patrols near the Senkaku Islands in the East China Sea as well as its coercive activities in South China Sea, conducted air and maritime patrols intended to threaten Taiwan, clashed with India along the Actual Line of Control (the People’s Liberation Army’s first use of force abroad in 30 years), and continued to implement a morally repugnant campaign of genocide in Xinjiang, its cruel oppression of the Tibetan people, and the crushing of its own civil liberty.

Menendez explained

  • Just yesterday I released a report, “The New Big Brother,” looking at how China has stepped-up its game in seeking to export a new model of digital authoritarianism and manipulate new technologies to control its own citizens and people worldwide.
  • Aside from bluster, rhetoric, and some hastily written sanctions, what has the response been from this administration? The administration is now taking strong action on Hong Kong, but for months, when the people of Hong Kong needed us, the President was silent and complicit in China’s erosion of Hong Kong’s autonomy, happy to trade Hong Kong for his so-called trade deal. Along with the Chairman, I welcome regular Freedom of Navigation assertions and the administration’s recent clarification of our approach to claims in the South China Sea, but the reality is that over the past three years China’s aggression and coercion in the South China Sea has continued completely unchecked.

Menendez said “[i]n short, I am deeply concerned that the Administration’s approach is one that labors under the mistaken belief that just being confrontational is the same thing as being competitive.” He asserted

  • That is my question, in fact, about the action that the administration announced today in Houston. I am all for safeguarding our national security. I understand the importance of being tough with China. But being tough is the means, not the ends. So while there may be reason for taking this action — and I look forward to a briefing on it in an appropriate setting — I want to understand better not just the tactical considerations, but how this measure advances our strategy. What is the effect we expect this to have on China’s behavior? When China “retaliates,” as they have said they will, what will be our next move? And our next after that? I’m obviously not asking you to disclose specific actions, which I know you won’t, and shouldn’t, but as this is not a simple two-step dance, so help me understand where you think this is going.
  • I ask this because there should be little doubt that we are indeed in a new era of strategic competition with China — and the United States needs a new strategic framework and a new set of organizing principles to address the challenges of this new era. So far, and despite all the bluster, that effective new strategy has been utterly lacking from this administration.

Menendez continued

  • One of these core organizing principles, I would suggest, is the importance of working in close coordination with our allies and partners to develop a shared and effective approach to China. And I have to say, Secretary Biegun, that the administration’s disastrously wrong-headed, alienating, and attacking approach to our alliances has been one of the most disheartening to witness these past several years.
  • Our alliances, our partnerships, and the shared values on which they stand, and our reliability in the face of adversity are our “special sauce” for effective global leadership. 

Menendez contended

  • I know you will argue that this president and this administration have been uniquely successful with China.
  • I know that you are good at your job. But facts are indeed stubborn things.
  • Now, before this hearing devolves into a hearing bashing China and the World Health Organization for the COVID pandemic, let me assure you I stand second to no one in this body regarding concerns over how China’s paranoid totalitarianism contributed to its spread. But blame game politics won’t save American lives. Instead of relying on science and knowledge, the administration has spent its energy towards finding fault and racially inflammatory rhetoric that both threatens the safety and wellbeing of Asian Americans and further alienates us on the global stage, including at the G-7 and the UN Security Council.
  • If this administration is truly concerned about China’s malign intent at the World Health Organization and elsewhere, there is a simple solution — show up. Take action. If the U.S. leads, others will follow. If we leave the field open, if our own country cannot develop a serious strategy at home, others, like China, are only too eager to step into the vacuum.

Menendez added

  • I know the Chairman has introduced legislation today on China. I welcome his effort. As I mentioned at another hearing this morning, I am also working with colleagues on a bill to create a comprehensive China strategy, crosscutting jurisdictions beyond and including this committee, including trade and economic issues and investments here at home, which we plan to shortly introduce. Given the shortcomings of President Trump’s “all bluster and tactics, no strategy” approach to China, a comprehensive and integrated approach is needed. I suspect that there will be many areas of agreement between my bill and the Chairman’s, and so look forward to working with him on a combined approach.
  • And it is in this spirit, Mr. Secretary, that I implore you today to engage beyond this hearing in a genuine conversation with us about how we work together to develop a comprehensive approach to China, to reset our strategy and diplomacy, to reinvest and replenish the sources of our national strength and competitiveness at home, to place our partnerships and allies first, and that reflects our fundamental values as Americans.

Deputy Secretary of State Stephen Biegun stated

  • Over the course of many years and across multiple administrations, in our relations with Beijing, the United States has sought to spur China’s integration into the rules-based international order by strengthening, not undermining, international law, norms, and institutions. Over more than three decades, U.S. policies towards China have been aimed at that goal – by supporting China’s economic development through the massive outpouring of international assistance and lending to develop infrastructure and economic institutions; by beneficial trade treatment and robust foreign investment; by facilitation of Chinese membership in global institutions such as the World Trade Organization; by development and humanitarian assistance, by the education of millions of China’s brightest scholars at our best schools; and by intensive commercial diplomacy to address strategic and sectoral economic concerns. We anchored economic and diplomatic policies toward China in the expectation that they would produce the gradual but eventual opening and liberalization of China and its peaceful rise in a manner that would enhance stability in the Indo- Pacific and beyond, increase the freedoms of its own people, and expand global prosperity in a mutually beneficial manner.Where this Administration diverges from previous Administrations is in the will to face an uncomfortable truth in the U.S.-China relationship – the policies of the past three decades have simply not produced the outcome for which so many had hoped. As stated in the 2017 National Security Strategy: “(f)or decades, U.S. policy was rooted in the belief that support for China’s rise and for its integration into the post-war international order would liberalize China. Contrary to our hopes, China expanded its power at the expense of the sovereignty of others. China gathers and exploits data on an unrivaled scale and spreads features of its authoritarian system, including corruption and the use of surveillance. It is building the most capable and well-funded military in the world, after our own. Its nuclear arsenal is growing and diversifying. Part of China’s military modernization and economic expansion is due to its access to the U.S. innovation economy, including America’s world-class universities.”
  • As further stated in the National Security Strategy, “(a)lthough the United States seeks to continue to cooperate with China, China is using economic inducements and penalties, influence operations, and implied military threats to persuade other states to further its political and security agenda. China’s infrastructure investments and trade strategies reinforce its geopolitical aspirations. Its efforts to build and militarize outposts in the South China Sea endanger the free flow of trade, threaten the sovereignty of other nations, and undermine regional stability. China has mounted a rapid military modernization campaign designed to limit U.S. access to the region and provide China a freer hand there. China presents its ambitions as mutually beneficial, but Chinese dominance risks diminishing the sovereignty of many states in the Indo-Pacific. States throughout the region are calling for sustained U.S. leadership in a collective response that upholds a regional order respectful of sovereignty and independence.”
  • Secretary [of State Mike] Pompeo summed up this strategic shift in his October 30 speech: “It is no longer realistic to ignore the fundamental differences between our two systems and the impact that…the differences in those systems have on American national security…Today, we are finally realizing the degree to which the Communist Party is truly hostile to the United States and our values.”
  • An honest assessment of trends in the U.S.-China relationship suggests that reconsideration of U.S. policy toward China is urgent and overdue. The United States must respond with the full toolkit of policy instruments. These instruments will be adapted to defend against PRC efforts to undermine U.S.-supported institutions, respond to actions that encroach upon the sovereign interests of our allies and partners, hold the PRC accountable for its human rights violations and abuses, and respond to Chinese policies that fail to provide reciprocal opportunities for equivalent U.S. entities.
  • Concerns about Beijing’s policies are fueled by a growing number of disputes and areas of concern. These longstanding areas of concern include intellectual property theft and commercial espionage (including through cyber-enabled means), unequal treatment of U.S. diplomats, exporters and investors, non-governmental organizations, social media companies, and traditional media outlets and journalists in China, as well as the abuse by PRC security services of the United States’ open and welcoming posture toward Chinese students and researchers.
  • Additional areas of concern include the dismantling of Hong Kong’s autonomy, liberty, and democratic institutions, military pressure against Taiwan, arbitrary mass detentions and other human rights abuses in Xinjiang, efforts to eliminate Tibetan identity, and the assertion of unfounded maritime claims in the South China Sea. Finally, there is growing alarm in the United States and around the world with the Chinese government’s use of military and economic coercion and state-sponsored disinformation campaigns against the United States and our allies and partners, including, among others, India, Australia, Canada, the European Union, and several individual European governments.

Biegun stated “United States foreign policy toward the People’s Republic of China roughly falls within five broad areas:

  • First, using the full toolkit of United States foreign policy instruments including diplomatic engagement, public diplomacy, foreign assistance, commercial diplomacy, trade law, law enforcement, export controls and sanctions, and military deterrence;
  • Second, steady application of pressure to push back the PRC’s attempt to change and replace the U.S.-led free and open international order in areas of dispute or competition;
  • Third, reciprocal and transparent treatment of PRC institutions and organizations commensurate with PRC treatment of equivalent U.S. entities;
  • Fourth, close cooperation among all U.S. stakeholders in the relationship with the People’s Republic of China, including bipartisan engagement, Congressional-Executive coordination, the expert and think tank community, academia, business and civil society;
  • And fifth, strengthening international cooperation with allies and partners on shared concerns with the conduct of the Chinese Communist Party, with special emphasis in the Indo-Pacific.

Biegun asserted

The United States and the PRC are likely for the foreseeable future to remain competitors, but this does not mean our two nations need to be enemies. As the Administration has reiterated, we seek a constructive and results-oriented relationship with Beijing, and we will cooperate with China where our interests align. U.S. policies are designed to protect our interests, we do not envision a zero sum game as long as China abides by the key principle of reciprocity and transparency. Indeed, we want to see a prosperous China that is at peace with its own people and with its neighbors. Historically, in shaping the U.S.-China relationship, numerous Presidents have engaged with China’s leaders in direct diplomacy and held any number of strategic dialogues, sectoral dialogues, and security dialogues over the past several decades to resolve problems and advance mutual interests.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Photo by mentatdgt from Pexels

Further Reading and Other Developments (17 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Speaking of which, the Technology Policy Update is being published daily during the week, and here are the Other Developments and Further Reading from this week.

Other Developments

  • Acting Senate Intelligence Committee Chair Marco Rubio (R-FL), Senate Foreign Relations Committee Chair Jim Risch (R-ID), and Senators Chris Coons (D-DE) and John Cornyn (R-TX) wrote Secretary of Commerce Wilbur Ross and Secretary of Defense Mike Esper “to ask that the Administration take immediate measures to bring the most advanced digital semiconductor manufacturing capabilities to the United States…[which] are critical to our American economic and national security and while our nation leads in the design of semiconductors, we rely on international manufacturing for advanced semiconductor fabrication.” This letter follows the Trump Administration’s May announcement that the Taiwan Semiconductor Manufacturing Corporation (TSMC) agreed to build a $12 billion plant in Arizona. It also bears note that one of the amendments pending to the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) would establish a grants program to stimulate semiconductor manufacturing in the US.
  • Senators Mark R. Warner (D-VA), Mazie K. Hirono (D-HI) and Bob Menendez (D-NJ) sent a letter to Facebook “regarding its failure to prevent the propagation of white supremacist groups online and its role in providing such groups with the organizational infrastructure and reach needed to expand.” They also “criticized Facebook for being unable or unwilling to enforce its own Community Standards and purge white supremacist and other violent extremist content from the site” and posed “a series of questions regarding Facebook’s policies and procedures against hate speech, violence, white supremacy and the amplification of extremist content.”
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published the Pipeline Cyber Risk Mitigation Infographic that was “[d]eveloped in coordination with the Transportation Security Administration (TSA)…[that] outlines activities that pipeline owners/operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats.”
  • Representative Kendra Horn (D-OK) and 10 other Democrats introduced legislation “requiring the U.S. government to identify, analyze, and combat efforts by the Chinese government to exploit the COVID-19 pandemic” that was endorsed by “[t]he broader Blue Dog Coalition” according to their press release. The “Preventing China from Exploiting COVID-19 Act” (H.R.7484) “requires the Director of National Intelligence—in coordination with the Secretaries of Defense, State, and Homeland Security—to prepare an assessment of the different ways in which the Chinese government has exploited or could exploit the pandemic, which originated in China, in order to advance China’s interests and to undermine the interests of the United States, its allies, and the rules-based international order.” Horn and her cosponsors stated “[t]he assessment must be provided to Congress within 90 days and posted in unclassified form on the DNI’s website.”
  • The Supreme Court of Canada upheld the “Genetic Non-Discrimination Act” and denied a challenge to the legality of the statute brought by the government of Quebec, the Attorney General of Canada, and others. The court found:
    • The pith and substance of the challenged provisions is to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information. This matter is properly classified within Parliament’s power over criminal law. The provisions are supported by a criminal law purpose because they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law — autonomy, privacy, equality and public health.
  • The U.S.-China Economic and Security Review Commission published a report “analyzing the evolution of U.S. multinational enterprises (MNE) operations in China from 2000 to 2017.” The Commission found MNE’s operations in the People’s Republic of China “may indirectly erode the  United  States’  domestic industrial competitiveness  and  technological  leadership relative  to  China” and “as U.S. MNE activity in China increasingly focuses on the production of high-end technologies, the risk  that  U.S.  firms  are  unwittingly enabling China to  achieve  its industrial  policy and  military  development objectives rises.”
  • The Federal Communications Commission (FCC) and Huawei filed their final briefs in their lawsuit before the United States Court of Appeals for the Fifth Circuit arising from the FCC’s designation of Huawei as a “covered company” for purposes of a rule that denies Universal Service Funds (USF) “to purchase or obtain any equipment or services produced or provided by a covered company posing a national security threat to the integrity of communications networks or the communications supply chain.” Huawei claimed in its brief that “[t]he rulemaking and “initial designation” rest on the FCC’s national security judgments..[b]ut such judgments fall far afield of the FCC’s statutory  authority  and  competence.” Huawei also argued “[t]he USF rule, moreover, contravenes the Administrative Procedure Act (APA) and the Due Process Clause.” The FCC responded in its filing that “Huawei challenges the FCC’s decision to exclude carriers whose networks are vulnerable to foreign interference, contending that the FCC has neither statutory nor constitutional authority to make policy judgments involving “national security”…[but] [t]hese arguments are premature, as Huawei has not yet been injured by the Order.” The FCC added “Huawei’s claim that the Communications Act textually commits all policy determinations with national security implications to the President is demonstrably false.”
  • European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski released his Strategy for 2020-2024, “which will focus on Digital Solidarity.” Wiewiórowski explained that “three core pillars of the EDPS strategy outline the guiding actions and objectives for the organisation to the end of 2024:
    • Foresight: The EDPS will continue to monitor legal, social and technological advances around the world and engage with experts, specialists and data protection authorities to inform its work.
    • Action: To strengthen the EDPS’ supervision, enforcement and advisory roles the EDPS will promote coherence in the activities of enforcement bodies in the EU and develop tools to assist the EU institutions, bodies and agencies to maintain the highest standards in data protection.
    • Solidarity: While promoting digital justice and privacy for all, the EDPS will also enforce responsible and sustainable data processing, to positively impact individuals and maximise societal benefits in a just and fair way.
  • Facebook released a Civil Rights Audit, an “investigation into Facebook’s policies and practices began in 2018 at the behest and encouragement of the civil rights community and some members of Congress.” Those charged with conducting the audit explained that they “vigorously advocated for more and would have liked to see the company go further to address civil rights concerns in a host of areas that are described in detail in the report” including but not limited to
    • A stronger interpretation of its voter suppression policies — an interpretation that makes those policies effective against voter suppression and prohibits content like the Trump voting posts — and more robust and more consistent enforcement of those policies leading up to the US 2020 election.
    • More visible and consistent prioritization of civil rights in company decision-making overall.
    • More resources invested to study and address organized hate against Muslims, Jews and other targeted groups on the platform.
    • A commitment to go beyond banning explicit references to white separatism and white nationalism to also prohibit express praise, support and representation of white separatism and white nationalism even where the terms themselves are not used.
    • More concrete action and specific commitments to take steps to address concerns about algorithmic bias or discrimination.
    • They added that “[t]his report outlines a number of positive and consequential steps that the company has taken, but at this point in history, the Auditors are concerned that those gains could be obscured by the vexing and heartbreaking decisions Facebook has made that represent significant setbacks for civil rights.”
  • The National Security Commission on Artificial Intelligence (NSCAI) released a white paper titled “The Role of AI Technology in Pandemic Response and Preparedness” that “outlines a series of investments and initiatives that the United States must undertake to realize the full potential of AI to secure our nation against pandemics.” NSCAI noted its previous two white papers:
  • Secretary of Defense Mark Esper announced that Chief Technology Officer Michael J.K. Kratsios has “been designated to serve as Acting Under Secretary of Defense for Research and Engineering” even though he does not have a degree in science. The last Under Secretary held a PhD. However, Kratsios worked for venture capitalist Peter Thiel who backed President Donald Trump when he ran for office in 2016.
  • The United States’ Department of Transportation’s Federal Railroad Administration (FRA) issued research “to develop a cyber security risk analysis methodology for communications-based connected railroad technologies…[and] [t]he use-case-specific implementation of the methodology can identify potential cyber attack threats, system vulnerabilities, and consequences of the attack– with risk assessment and identification of promising risk mitigation strategies.”
  • In a blog post, a National Institute of Standards and Technology (NIST) economist asserted cybercrime may be having a much larger impact on the United States’ economy than previously thought:
    • In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data is from a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
  • The Government Accountability Office (GAO) advised the Federal Communications Commission (FCC) that it needs a comprehensive strategy for implementing 5G across the United States. The GAO concluded
    • FCC has taken a number of actions regarding 5G deployment, but it has not clearly developed specific and measurable performance goals and related measures–with the involvement of relevant stakeholders, including National Telecommunications and Information Administration (NTIA)–to manage the spectrum demands associated with 5G deployment. This makes FCC unable to demonstrate whether the progress being made in freeing up spectrum is achieving any specific goals, particularly as it relates to congested mid-band spectrum. Additionally, without having established specific and measurable performance goals with related strategies and measures for mitigating 5G’s potential effects on the digital divide, FCC will not be able to assess the extent to which its actions are addressing the digital divide or what actions would best help all Americans obtain access to wireless networks.
  • The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued “Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers” “to inform public and private sector organizations, educational institutions, and government agencies on time resilience and security practices in enterprise networks and systems…[and] to address gaps in available time testing practices, increasing awareness of time-related system issues and the linkage between time and cybersecurity.”
  • Fifteen Democratic Senators sent a letter to the Department of Defense, Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS), Federal Bureau of Investigations (FBI), and U.S. Cyber Command, urging them “to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color, ahead of the 2020 election.” They called on these agencies to take “additional measures:”
    • The American people and political candidates are promptly informed about the targeting of our political processes by foreign malign actors, and that the public is provided regular periodic updates about such efforts leading up to the general election.
    • Members of Congress and congressional staff are appropriately and adequately briefed on continued findings and analysis involving election related foreign disinformation campaigns and the work of each agency and department to combat these campaigns.
    • Findings and analysis involving election related foreign disinformation campaigns are shared with civil society organizations and independent researchers to the maximum extent which is appropriate and permissible.
    • Secretary Esper and Director Ratcliffe implement a social media information sharing and analysis center (ISAC) to detect and counter information warfare campaigns across social media platforms as authorized by section 5323 of the Fiscal Year 2020 National Defense Authorization Act.
    • Director Ratcliffe implement the Foreign Malign Influence Response Center to coordinate a whole of government approach to combatting foreign malign influence campaigns as authorized by section 5322 of the Fiscal Year 2020 National Defense Authorization Act.
  • The Information Technology and Innovation Foundation (ITIF) unveiled an issue brief “Why New Calls to Subvert Commercial Encryption Are Unjustified” arguing “that government efforts to subvert encryption would negatively impact individuals and businesses.” ITIF offered these “key takeaways:”
    • Encryption gives individuals and organizations the means to protect the confidentiality of their data, but it has interfered with law enforcement’s ability to prevent and investigate crimes and foreign threats.
    • Technological advances have long frustrated some in the law enforcement community, giving rise to multiple efforts to subvert commercial use of encryption, from the Clipper Chip in the 1990s to the San Bernardino case two decades later.
    • Having failed in these prior attempts to circumvent encryption, some law enforcement officials are now calling on Congress to invoke a “nuclear option”: legislation banning “warrant-proof” encryption.
    • This represents an extreme and unjustified measure that would do little to take encryption out of the hands of bad actors, but it would make commercial products less secure for ordinary consumers and businesses and damage U.S. competitiveness.
  • The White House released an executive order in which President Donald Trump determined “that the Special Administrative Region of Hong Kong (Hong Kong) is no longer sufficiently autonomous to justify differential treatment in relation to the People’s Republic of China (PRC or China) under the particular United States laws and provisions thereof set out in this order.” Trump further determined “the situation with respect to Hong Kong, including recent actions taken by the PRC to fundamentally undermine Hong Kong’s autonomy, constitutes an unusual and extraordinary threat, which has its source in substantial part outside the United States, to the national security, foreign policy, and economy of the United States…[and] I hereby declare a national emergency with respect to that threat.” The executive order would continue the Administration’s process of changing policy to ensure Hong Kong is treated the same as the PRC.
  • President Donald Trump also signed a bill passed in response to the People’s Republic of China (PRC) passing legislation the United States and other claim will strip Hong Kong of the protections the PRC agreed to maintain for 50 years after the United Kingdom (UK) handed over the city. The “Hong Kong Autonomy Act” “requires the imposition of sanctions on Chinese individuals and banks who are included in an annual State Department list found to be subverting Hong Kong’s autonomy” according to the bill’s sponsor Representative Brad Sherman (D-CA).
  • Representative Stephen Lynch, who chairs House Oversight and Reform Committee’s National Security Subcommittee, sent letters to Apple and Google “after the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI) confirmed that mobile applications developed, operated, or owned by foreign entities, including China and Russia, could potentially pose a national security risk to American citizens and the United States” according to his press release. He noted in letters sent by the technology companies to the Subcommittee that:
    • Apple confirmed that it does not require developers to submit “information on where user data (if any such data is collected by the developer’s app) will be housed” and that it “does not decide what user data a third-party app can access, the user does.”
    • Google stated that it does “not require developers to provide the countries in which their mobile applications will house user data” and acknowledged that “some developers, especially those with a global user base, may store data in multiple countries.”
    • Lynch is seeking “commitments from Apple and Google to require information from application developers about where user data is stored, and to make users aware of that information prior to downloading the application on their mobile devices.”
  • Minnesota Attorney General Keith Ellison announced a settlement with Frontier Communications that “concludes the three major investigations and lawsuits that the Attorney General’s office launched into Minnesota’s major telecoms providers for deceptive, misleading, and fraudulent practices.” The Office of the Attorney General (OAG) stated
    • Based on its investigation, the Attorney General’s Office alleged that Frontier used a variety of deceptive and misleading practices to overcharge its customers, such as: billing customers more than they were quoted by Frontier’s agents; failing to disclose fees and surcharges in its sales presentations and advertising materials; and billing customers for services that were not delivered.
    • The OAG “also alleged that Frontier sold Minnesotans expensive internet services with so-called “maximum speed” ratings that were not attainable, and that Frontier improperly advertised its service as “reliable,” when in fact it did not provide enough bandwidth for customers to consistently receive their expected service.”
  • The European Data Protection Board (EDPB) issued guidelines “on the criteria of the Right to be Forgotten in the search engines cases under the GDPR” that “focuses solely on processing by search engine providers and delisting requests  submitted by data subjects” even Article 17 of the General Data Protection Regulation applies to all data controllers. The EDPB explained “This paper is divided into two topics:
    • The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR.
    • The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR.
  • The Australian Competition & Consumer Commission (ACCC) “is seeking views on draft Rules and accompanying draft Privacy Impact Assessment that authorise third parties who are accredited at the ‘unrestricted’ level to collect Consumer Data Right (CDR) data on behalf of another accredited person.” The ACCC explained “[t]his will allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.” In a March explanatory statement, the ACCC stated “[t]he CDR is an economy-wide reform that will apply sector-by-sector, starting with the banking sector…[and] [t]he objective of the CDR is to provide individual and business consumers (consumers) with the ability to efficiently and conveniently access specified data held about them by businesses (data holders), and to authorise the secure disclosure of that data to third parties (accredited data recipients) or to themselves.” The ACCC noted “[t]he CDR is regulated by both the ACCC and the Office of the Australian Information Commissioner (OAIC) as it concerns both competition and consumer matters as well as the privacy and confidentiality of consumer data.” Input is due by 20 July.
  • Office of the Inspector General (OIG) for the Department of the Interior (Interior) found that even though the agency spends $1.4 billion annually on cybersecurity “[g]uarding against increasing cybersecurity threats” remains one of Interior’s top challenges. The OIG asserted Interior “continues to struggle to implement an enterprise information technology (IT) security program that balances compliance, cost, and risk while enabling bureaus to meet their diverse missions.”
  • In a summary of its larger investigation into “Security over Information Technology Peripheral Devices at Select Office of Science Locations,” the Department of Energy’s Office of the Inspector General (OIG) that “identified weaknesses related to access controls and configuration settings” for peripheral devices (e.g. thumb drives, printers, scanners and other connected devices)  “similar in type to those identified in prior evaluations of the Department’s unclassified cybersecurity program.”
  • The House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee Ranking Member John Katko (R-NY) “a comprehensive national cybersecurity improvement package” according to his press release, consisting of these bills:
    • The “Cybersecurity and Infrastructure Security Agency Director and Assistant Directors Act:”  This bipartisan measure takes steps to improve guidance and long-term strategic planning by stabilizing the CISA Director and Assistant Directors positions. Specifically, the bill:
      • Creates a 5-year term for the CISA Director, with a limit of 2 terms. The term of office for the current Director begins on date the Director began to serve.
      • Elevates the Director to the equivalent of a Deputy Secretary and Military Service Secretaries.
      • Depoliticizes the Assistant Director positions, appointed by the Secretary of the Department of Homeland Security (DHS), categorizing them as career public servants. 
    • The “Strengthening the Cybersecurity and Infrastructure Security Agency Act of 2020:” This measure mandates a comprehensive review of CISA in an effort to strengthen its operations, improve coordination, and increase oversight of the agency. Specifically, the bill:
      • Requires CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs. 
      • Mandates that CISA provides a report to the House and Senate Homeland Committees within 1-year of enactment. CISA must also provide a report and recommendations to GSA on facility needs. 
      • Requires GSA to provide a review to the Administration and House and Senate Committees on CISA facilities needs within 30-days of Congressional report. 
    • The “CISA Public-Private Talent Exchange Act:” This bill requires CISA to create a public-private workforce program to facilitate the exchange of ideas, strategies, and concepts between federal and private sector cybersecurity professionals. Specifically, the bill:
      • Establishes a public-private cyber exchange program allowing government and industry professionals to work in one another’s field.
      • Expands existing private outreach and partnership efforts. 
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ordering United States federal civilian agencies “to apply the July 2020 Security Update for Windows Servers running DNS (CVE-2020-1350), or the temporary registry-based workaround if patching is not possible within 24 hours.” CISA stated “[t]he software update addresses a significant vulnerability where a remote attacker could exploit it to take control of an affected system and run arbitrary code in the context of the Local System Account.” CISA Director Christopher Krebs explained “due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously.”
  • The United States (US) Department of State has imposed “visa restrictions on certain employees of Chinese technology companies that provide material support to regimes engaging in human rights abuses globally” that is aimed at Huawei. In its statement, the Department stated “Companies impacted by today’s action include Huawei, an arm of the Chinese Communist Party’s (CCP) surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.” The Department claimed “[c]ertain Huawei employees provide material support to the CCP regime that commits human rights abuses.”
  • Earlier in the month, the US Departments of State, Treasury, Commerce, and of Homeland Security issued an “advisory to highlight the harsh repression in Xinjiang.” The agencies explained
    • Businesses, individuals, and other persons, including but not limited to academic institutions, research service providers, and investors (hereafter “businesses and individuals”), that choose to operate in Xinjiang or engage with entities that use labor from Xinjiang elsewhere in China should be aware of reputational, economic, and, in certain instances, legal, risks associated with certain types of involvement with entities that engage in human rights abuses, which could include Withhold Release Orders (WROs), civil or criminal investigations, and export controls.
  • The United Kingdom’s National Cyber Security Centre (NCSC), Canada’s Communications  Security Establishment (CSE), United States’ National Security Agency (NSA) and the United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security  Agency (CISA) issued a joint advisory on a Russian hacking organization’s efforts have “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.” The agencies named APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’), “a cyber espionage group, almost certainly part of the Russian intelligence services,” as the culprit behind “custom malware known as ‘WellMess’ and ‘WellMail.’”
    • This alert follows May advisories issued by Australia, the US, and the UK on hacking threats related to the pandemic. Australia’s Department of Foreign Affairs and Trade (DFAT) and the Australian Cyber Security Centre (ACSC) issued “Advisory 2020-009: Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services” that asserted “APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally.” CISA and NCSC issued a joint advisory for the healthcare sector, especially companies and entities engaged in fighting COVID-19. The agencies stated that they have evidence that Advanced Persistent Threat (APT) groups “are exploiting the COVID-19 pandemic as part of their cyber operations.” In an unclassified public service announcement, the Federal Bureau of Investigation (FBI) and CISA named the People’s Republic of China as a nation waging a cyber campaign against U.S. COVID-19 researchers. The agencies stated they “are issuing this announcement to raise awareness of the threat to COVID-19-related research.”
  • The National Initiative for Cybersecurity Education (NICE) has released a draft National Institute of Standards and Technology (NIST) Special Publication (SP) for comment due by 28 August. Draft NIST Special Publication (SP) 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework) that features several updates, including:
    • an updated title to be more inclusive of the variety of workers who perform cybersecurity work,
    • definition and normalization of key terms,
    • principles that facilitate agility, flexibility, interoperability, and modularity,
    • introduction of competencies,
  • Representatives Glenn Thompson (R-PA), Collin Peterson (D-MN), and James Comer (R-KY) sent a letter to Federal Communications Commission (FCC) “questioning the Commission’s April 20, 2020 Order granting Ligado’s application to deploy a terrestrial nationwide network to provide 5G services.”
  • The European Commission (EC) is asking for feedback on part of its recently released data strategy by 31 July. The EC stated it is aiming “to create a single market for data, where data from public bodies, business and citizens can be used safely and fairly for the common good…[and] [t]his initiative will draw up rules for common European data spaces (covering areas like the environment, energy and agriculture) to:
    • make better use of publicly held data for research for the common good
    • support voluntary data sharing by individuals
    • set up structures to enable key organisations to share data.
  • The United Kingdom’s Parliament is asking for feedback on its legislative proposal to regulate Internet of Things (IoT) devices. The Department for Digital, Culture, Media & Sport explained “the obligations within the government’s proposed legislative framework would fall mainly on the manufacturer if they are based in the UK, or if not based in the UK, on their UK representative.” The Department is also “developing an enforcement approach with relevant stakeholders to identify an appropriate enforcement body to be granted day to day responsibility and operational control of monitoring compliance with the legislation.” The Department also touted the publishing of the European Telecommunications Standards Institute’s (ETSI) “security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes.”
  • Facebook issued a white paper, titled “CHARTING A WAY FORWARD: Communicating Towards People-Centered and Accountable Design About Privacy,” in which the company states its desire to be involved in shaping a United States privacy law (See below for an article on this). Facebook concluded:
    • Facebook recognizes the responsibility we have to make sure that people are informed about the data that we collect, use, and share.
    • That’s why we support globally consistent comprehensive privacy laws and regulations that, among other things, establish people’s basic rights to be informed about how their information is collected, used, and shared, and impose obligations for organizations to do the same, including the obligation to build internal processes that maintain accountability.
    • As improvements to technology challenge historic approaches to effective communications with people about privacy, companies and regulators need to keep up with changing times.
    • To serve the needs of a global community, on both the platforms that exist now and those that are yet to be developed, we want to work with regulators, companies, and other interested third parties to develop new ways of informing people about their data, empowering them to make meaningful choices, and holding ourselves accountable.
    • While we don’t have all the answers, there are many opportunities for businesses and regulators to embrace modern design methods, new opportunities for better collaboration, and innovative ways to hold organizations accountable.
  • Four Democratic Senators sent Facebook a letter “about reports that Facebook has created fact-checking exemptions for people and organizations who spread disinformation about the climate crisis on its social media platform” following a New York Times article this week on the social media’s practices regarding climate disinformation. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars. Senators Elizabeth Warren (D-WA), Tom Carper (D-DE), Sheldon Whitehouse (D-R.I.) and Brian Schatz (D-HI) argued “[i]f Facebook is truly “committed to fighting the spread of false news on Facebook and Instagram,” the company must immediately acknowledge in its fact-checking process that the climate crisis is not a matter of opinion and act to close loopholes that allow climate disinformation to spread on its platform.” They posed a series of questions to Facebook CEO Mark Zuckerberg on these practices, requesting answers by 31 July.
  • A Canadian court has found that the Canadian Security Intelligence Service (CSIS) “admittedly collected information in a manner that is contrary to this foundational commitment and then relied on that information in applying for warrants under the Canadian Security Intelligence Service Act, RSC 1985, c C-23 [CSIS Act]” according to a court summary of its redacted decision. The court further stated “[t]he Service and the Attorney General also admittedly failed to disclose to the Court the Service’s reliance on information that was likely collected unlawfully when seeking warrants, thereby breaching the duty of candour owed to the Court.” The court added “[t]his is not the first time this Court has been faced with a breach of candour involving the Service…[and] [t]he events underpinning this most recent breach were unfolding as recommendations were being implemented by the Service and the Attorney General to address previously identified candour concerns.” CSIS was found to have illegally collected and used metadata in a 2016 case ion its conduct between 2006-2016. In response to the most recent ruling, CSIS is vowing to implement a range of reforms. The National Security and Intelligence Review Agency (NSIRA) is pledging the same.
  • The United Kingdom’s National Police Chiefs’ Council (NPCC) announced the withdrawal of “[t]he ‘Digital device extraction – information for complainants and witnesses’ form and ‘Digital Processing Notice’ (‘the relevant forms’) circulated to forces in February 2019 [that] are not sufficient for their intended purpose.” In mid-June, the UK’s data protection authority, the Information Commissioner’s Office (ICO) unveiled its “finding that police data extraction practices vary across the country, with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” This withdrawal was also due, in part, to a late June Court of Appeal decision.  
  • A range of public interest and advocacy organizations sent a letter to Speaker of the House Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) noting “there are intense efforts underway to do exactly that, via current language in the House and Senate versions of the FY2021 National Defense Authorization Act (NDAA) that ultimately seek to reverse the FCC’s recent bipartisan and unanimous approval of Ligado Networks’ regulatory plans.” They urged them “not endorse efforts by the Department of Defense and its allies to veto commercial spectrum authorizations…[and][t]he FCC has proven itself to be the expert agency on resolving spectrum disputes based on science and engineering and should be allowed to do the job Congress authorized it to do.” In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”
  • The European Data Protection Supervisor (EDPS) rendered his opinion on the European Commission’s White Paper on Artificial Intelligence: a European approach to excellence and trust and recommended the following for the European Union’s (EU) regulation of artificial intelligence (AI):
    • applies both to EU Member States and to EU institutions, offices, bodies and agencies;
    • is designed to protect from any negative impact, not only on individuals, but also on communities and society as a whole;
    • proposes a more robust and nuanced risk classification scheme, ensuring any significant potential harm posed by AI applications is matched by appropriate mitigating measures;
    • includes an impact assessment clearly defining the regulatory gaps that it intends to fill.
    • avoids overlap of different supervisory authorities and includes a cooperation mechanism.
    • Regarding remote biometric identification, the EDPS supports the idea of a moratorium on the deployment, in the EU, of automated recognition in public spaces of human features, not only of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, so that an informed and democratic debate can take place and until the moment when the EU and Member States have all the appropriate safeguards, including a comprehensive legal framework in place to guarantee the proportionality of the respective technologies and systems for the specific use case.
  • The Bundesamt für Verfassungsschutz (BfV), Germany’s domestic security agency, released a summary of its annual report in which it claimed:
    • The Russian Federation, the People’s Republic of China, the Islamic Republic of Iran and the Republic of Turkey remain the main countries engaged in espionage activities and trying to exert influence on Germany.
    • The ongoing digital transformation and the increasingly networked nature of our society increases the potential for cyber attacks, worsening the threat of cyber espionage and cyber sabotage.
    • The intelligence services of the Russian Federation and the People’s Republic of China in particular carry out cyber espionage activities against German agencies. One of their tasks is to boost their own economies with the help of information gathered by the intelligence services. This type of information-gathering campaign severely threatens the success and development opportunities of German companies.
    • To counteract this threat, Germany has a comprehensive cyber security architecture in place, which is operated by a number of different authorities. The BfV plays a major role in investigating and defending against cyber threats by detecting attacks, attributing them to specific attackers, and using the knowledge gained from this to draw up prevention strategies. The National Cyber Response Centre, in which the BfV plays a key role, was set up to consolidate the co-operation between the competent agencies. The National Cyber Response Centre aims to optimise the exchange of information between state agencies and to improve the co-ordination of protective and defensive measures against potential IT incidents.

Further Reading

  • Trump confirms cyberattack on Russian trolls to deter them during 2018 midterms” – The Washington Post. In an interview with former George W. Bush speechwriter Marc Thiessen, President Donald Trump confirmed he ordered a widely reported retaliatory attack on the Russian Federation’s Internet Research Agency as a means of preventing interference during the 2018 mid-term election. Trump claimed this attack he ordered was the first action the United States took against Russian hacking even though his predecessor warned Russian President Vladimir Putin to stop such activities and imposed sanctions at the end of 2016. The timing of Trump’s revelation is interesting given the ongoing furor over reports of Russian bounties paid to Taliban fighters for killing Americans the Trump Administration may have known of but did little or nothing to stop.
  • Germany proposes first-ever use of EU cyber sanctions over Russia hacking” – Deutsche Welle. Germany is looking to use the European Union’s (EU) cyber sanctions powers against Russia for its alleged 2015 16 GB exfiltration of data from the Bundestag’s systems, including from Chancellor Angela Merkel’s office. Germany has been alleging that Fancy Bear (aka APT28) and Russia’s military secret service GRU carried out the attack. Germany has circulated its case for sanctions to other EU nations and EU leadership. In 2017, the European Council declared “[t]he EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures…[and] [a] joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.”
  • Wyden Plans Law to Stop Cops From Buying Data That Would Need a Warrant” – VICE. Following on a number of reports that federal, state, and local law enforcement agencies are essentially sidestepping the Fourth Amendment through buying location and other data from people’s smartphones, Senator Ron Wyden (D-OR) is going to draft legislation that would seemingly close what he, and other civil libertarians, are calling a loophole to the warrant requirement.
  • Amazon Backtracks From Demand That Employees Delete TikTok” – The New York Times. Amazon first instructed its employees to remove ByteDance’s app, TikTok, on 11 July from company devices and then reversed course the same day, claiming the email had been erroneously sent out. The strange episode capped another tumultuous week for ByteDance as the Trump Administration is intensifying pressure in a number of ways on the company which officials claim is subject to the laws of the People’s Republic of China and hence must share information with the government in Beijing. ByteDance counters the app marketed in the United States is through a subsidiary not subject to PRC law. ByteDance also said it would no longer offer the app in Hong Kong after the PRC change in law has extended the PRC’s reach into the former British colony. TikTok was also recently banned in India as part of a larger struggle between India and he PRC. Additionally, the Democratic National Committee warned staff about using the app this week, too.
  • Is it time to delete TikTok? A guide to the rumors and the real privacy risks.” – The Washington Post. A columnist and security specialist found ByteDance’s app vacuums up information from users, but so does Facebook and other similar apps. They scrutinized TikTok’s privacy policy and where the data went, and they could not say with certainty that it goes to and stays on servers in the US and Singapore. 
  • California investigating Google for potential antitrust violations” – Politico. California Attorney General Xavier Becerra is going to conduct his own investigation of Google aside and apart from the investigation of the company’s advertising practices being conducted by virtually every other state in the United States. It was unclear why Becerra opted against joining the larger probe launched in September 2019. Of course, the Trump Administration’s Department of Justice is also investigating Google and could file suit as early as this month.
  • How May Google Fight an Antitrust Case? Look at This Little-Noticed Paper” – The New York Times. In a filing with the Australian Competition and Consumer Commission (ACCC), Google claimed it does not control the online advertising market and it is borne out by a number of indicia that argue against a monopolistic situation. The company is likely to make the same case to the United States’ government in its antitrust inquiry. However, similar arguments did not gain tractions before the European Commission, which levied a €1.49 billion for “breaching EU antitrust rules” in March 2019.
  •  “Who Gets the Banhammer Now?” – The New York Times. This article examines possible motives for the recent wave of action by social media platforms to police a fraction of the extreme and hateful speech activists and others have been asking them to take down for years. This piece makes the argument that social media platforms are businesses and operate as such and expecting them to behave as de facto public squares dedicated to civil political and societal discourse is more or less how we ended up where we are.
  • TikTok goes tit-for-tat in appeal to MPs: ‘stop political football’ – The Australian. ByteDance is lobbying hard in Canberra to talk Ministers of Parliament out of possibly banning TikTok like the United States has said it is considering. While ByteDance claims the data collected on users in Australia is sent to the US or Singapore, some experts are arguing just to maintain and improve the app would necessarily result in some non-People’s Republic of China (PRC) user data making its way back to the PRC. As Australia’s relationship with the PRC has grown more fraught with allegations PRC hackers infiltrated Parliament and the Prime Minister all but saying PRC hackers were targeting hospitals and medical facilities, the government in Canberra could follow India’s lead and ban the app.
  • Calls for inquiry over claims Catalan lawmaker’s phone was targeted” – The Guardian. British and Spanish newspapers are reporting that an official in Catalonia who favors separating the region from Spain may have had his smartphone compromised with industrial grade spyware typically used only by law enforcement and counterterrorism agencies. The President of the Parliament of Catalonia Roger Torrent claims his phone was hacked for domestic political purposes, which other Catalan leaders argued, too. A spokesperson for the Spanish government said “[t]he government has no evidence that the speaker of the Catalan parliament has been the victim of a hack or theft involving his mobile.” However, the University of Toronto’s CitizenLab, the entity that researched and claimed that Israeli firm NSO Group’s spyware was deployed via WhatsApp to spy on a range of journalists, officials, and dissidents, often by their own governments, confirmed that Torrent’s phone was compromised.
  • While America Looks Away, Autocrats Crack Down on Digital News Sites” – The New York Times. The Trump Administration’s combative relationship with the media in the United States may be encouraging other nations to crack down on digital media outlets trying to hold those governments to account.
  •  “How Facebook Handles Climate Disinformation” – The New York Times. Even though the social media giant has moved aggressively to take down false and inaccurate COVID-19 posts, climate disinformation lives on the social media platform largely unmolested for a couple of reasons. First, Facebook marks these sorts of posts as opinion and take the approach that opinions should be judged under an absolutist free speech regime. Moreover, Facebook asserts posts of this sort do not pose any imminent harm and therefore do not need to be taken down. Despite having teams of fact checkers to vet posts of demonstrably untrue information, Facebook chooses not to, most likely because material that elicits strong reactions from users drive engagement that, in turn, drives advertising dollars.
  • Here’s how President Trump could go after TikTok” – The Washington Post. This piece lays out two means the Trump Administration could employ to press ByteDance in the immediate future: use of the May 2019 Executive Order “Securing the Information and Communications Technology and Services Supply Chain” or the Committee on Foreign Investment in the United States process examining ByteDance of the app that became TikTok. Left unmentioned in this article is the possibility of the Federal Trade Commission (FTC) examining its 2019 settlement with ByteDance to settle violations of the “Children’s Online Privacy Protection Act” (COPPA).
  • You’re Doomscrolling Again. Here’s How to Snap Out of It.” – The New York Times. If you find yourself endlessly looking through social media feeds, this piece explains why and how you might stop doing so.
  • UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China” – The Independent. There are allegations that the British government has ignored its own regulations on selling equipment and systems that can be used for surveillance and spying to other governments with spotty human rights records. Specifically, the United Kingdom (UK) has sold £75m to countries non-governmental organizations (NGO) are rated as “not free.” The claims include nations such as the People’s Republic of China (PRC), the Kingdom of Saudi Arabia, Bahrain, and others. Not surprisingly, NGOs and the minority Labour party are calling for an investigation and changes.
  • Google sued for allegedly tracking users in apps even after opting out” – c/net. Boies Schiller Flexner filed suit in what will undoubtedly seek to become a class action suit over Google’s alleged continuing to track users even when they turned off tracking features. This follows a suit filed by the same firm against Google in June, claiming its browser Chrome still tracks people when they switch to incognito mode.
  • Secret Trump order gives CIA more powers to launch cyberattacks” – Yahoo! News. It turns out that in addition to signing National Security Presidential Memorandum (NSPM) 13 that revamped and eased offensive cyber operations for the Department of Defense, President Donald Trump signed a presidential finding that has allowed the Central Intelligence Agency (CIA) to launch its own offensive cyber attacks, mainly at Russia and Iran, according to unnamed former United States (US) officials according to this blockbuster story. Now, the decision to commence with an attack is not vetted by the National Security Council; rather, the CIA makes the decision. Consequently, there have been a number of attacks on US adversaries that until now have not been associated with the US. And, the CIA is apparently not informing the National Security Agency or Cyber Command of its operations, raising the risk of US cyber forces working at cross purposes or against one another in cyberspace. Moreover, a recently released report blamed the lax security environment at the CIA for a massive exfiltration of hacking tools released by Wikileaks. 
  • Facebook’s plan for privacy laws? ‘Co-creating’ them with Congress” – Protocol. In concert with the release of a new white paper, Facebook Deputy Chief Privacy Officer Rob Sherman sat for an interview in which he pledged the company’s willingness to work with Congress to co-develop a national privacy law. However, he would not comment on any of the many privacy bills released thus far or the policy contours of a bill Facebook would favor except for advocating for an enhanced notice and consent regime under which people would be better informed about how their data is being used. Sherman also shrugged off suggestions Facebook may not be welcome given its record of privacy violations. Finally, it bears mention that similar efforts by other companies at the state level have not succeeded as of yet. For example, Microsoft’s efforts in Washington state have not borne fruit in the passage of a privacy law.
  • Deepfake used to attack activist couple shows new disinformation frontier” – Reuters. We are at the beginning of a new age of disinformation in which fake photographs and video will be used to wage campaigns against nations, causes, and people. An activist and his wife were accused of being terrorist sympathizers by a university student who apparently was an elaborate ruse for someone or some group looking to defame the couple. Small errors gave away the ruse this time, but advances in technology are likely to make detection all the harder.
  • Biden, billionaires and corporate accounts targeted in Twitter hack” – The Washington Post. Policymakers and security experts were alarmed when the accounts of major figures like Bill Gates and Barack Obama were hacked yesterday by some group seeking to sell bitcoin. They argue Twitter was lucky this time and a more ideologically motivated enemy may seek to cause havoc, say on the United States’ coming election. A number of experts are claiming the penetration of the platform must have been of internal controls for so many high profile accounts to be taken over at the same time.
  • TikTok Enlists Army of Lobbyists as Suspicions Over China Ties Grow” – The New York Times. ByteDance’s payments for lobbying services in Washington doubled between the last quarter of 2019 and thirst quarter of 2020, as the company has retained more than 35 lobbyists to push back against the Trump Administration’s rhetoric and policy changes. The company is fighting against a floated proposal to ban the TikTok app on national security grounds, which would cut the company off from another of its top markets after India banned it and scores of other apps from the People’s Republic of China. Even if the Administration does not bar use of the app in the United States, the company is facing legislation that would ban its use on federal networks and devices that will be acted upon next week by a Senate committee. Moreover, ByteDance’s acquisition of the app that became TikTok is facing a retrospective review of an inter-agency committee for national security considerations that could result in an unwinding of the deal. Moreover, the Federal Trade Commission (FTC) has been urged to review ByteDance’s compliance with a 2019 settlement that the company violated regulations protecting the privacy of children that could result in multi-billion dollar liability if wrongdoing is found.
  • Why Google and Facebook Are Racing to Invest in India” – Foreign Policy. With New Delhi banning 59 apps and platforms from the People’s Republic of China (PRC), two American firms have invested in an Indian giant with an eye toward the nearly 500 million Indians not yet online. Reliance Industries’ Jio Platforms have sold stakes to Google and Facebook worth $4.5 billion and $5.7 billion that gives them prized positions as the company looks to expand into 5G and other online ventures. This will undoubtedly give a leg up to the United States’ online giants in vying with competitors to the world’s second most populous nation.
  • “Outright Lies”: Voting Misinformation Flourishes on Facebook” – ProPublica. In this piece published with First Draft, “a global nonprofit that researches misinformation,” an analysis of the most popular claims made about mail voting show that many of them are inaccurate or false, thus violating the platforms terms of services yet Facebook has done nothing to remove them or mark them as inaccurate until this article was being written.
  • Inside America’s Secretive $2 Billion Research Hub” – Forbes. Using contract information obtained through Freedom of Information requests and interviews, light is shined on the little known non-profit MITRE Corporation that has been helping the United States government address numerous technological problems since the late 1950’s. The article uncovers some of its latest, federally funded projects that are raising eyebrows among privacy advocates: technology to life people’s fingerprints from social media pictures, technology to scan and copy Internet of Things (IoT) devices from a distance, a scanner to read a person’s DNA, and others.
  • The FBI Is Secretly Using A $2 Billion Travel Company As A Global Surveillance Tool” – Forbes. In his second blockbuster article in a week, Forbes reporter Thomas Brewster exposes how the United States (US) government is using questionable court orders to gather travel information from the three companies that essentially provide airlines, hotels, and other travel entities with back-end functions with respect to reservations and bookings. The three companies, one of whom, Sabre is a US multinational, have masses of information on you if you have ever traveled, and US law enforcement agencies, namely the Federal Bureau of Investigation, is using a 1789 statute to obtain orders all three companies have to obey for information in tracking suspects. Allegedly, this capability has only been used to track terror suspects but will now reportedly be used for COVID-19 tracking.
  • With Trump CIA directive, the cyber offense pendulum swings too far” – Yahoo! News. Former United States (US) National Coordinator for Security, Infrastructure Protection, and Counter-terrorism Richard Clarke argues against the Central Intelligence Agency (CIA) having carte blanche in conducting cyber operations without the review or input of other federal agencies. He suggests that the CIA in particular, and agencies in general, tend to push their authority to the extreme, which in this case could lead to incidents and lasting precedents in cyberspace that may haunt the US. Clarke also intimated that it may have been the CIA and not Israel that launched cyber attacks on infrastructure facilities in Tehran this month and last.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Senate Consideration of NDAA Continues

Slowly, the Senate works on its NDAA by adding a number of amendments including a few standalone technology bills. However, an election security bill was stripped out of the FY 2021 Intelligence Authorization before it was added to the NDAA.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Senate continued its consideration of the “National Defense Authorization Act for Fiscal Year 2021“ (S.4049) this week before recessing for the 4 July holiday. Work will continue later this month on the massive authorization package that sets annual policy for the Department of Defense (DOD) and related agencies. However, before leaving Washington, DC, the Senate did deal with some of the amendments offered for adoption by adding a number en bloc, some of which pertain to technology policy and funding.

The following amendments were adopted on 2 July 3, 2020 en bloc by unanimous consent:

  • The Department of Homeland of Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “the Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a re commendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal  information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242). The sponsor of the FIRE Act, Senate Intelligence Committee Ranking Member Mark Warner (D-VA), went to the Senate floor to protest the striking of his bill and to announce his plans to offer it as an amendment and force a vote:

The  committee  voted  14  to  1  to  pass an intel authorization bill that included  the  FIRE  Act,  the  act  that  I  just described, so that if a foreign government interferes or offers you assistance  or  offers  you  dirt,  you  don’t  say  thanks;  you  call  the  FBI.  So  you  can  imagine  my  surprise  and  frustration  when  I  learned  of  a  backroom  deal  to  strip  the  FIRE  Act  out  of  the  Intelligence   Committee’s   legislation   because  of  a  supposed  turf  war  with  another committee. I  am  back  again  today  because  the  security  of  our  elections  cannot  wait.  Let’s  not  hide  behind  process  or  jurisdictional  boundaries.  The  stakes  are  far  too  high  to  continue  the  partisan  blockade  of  election  security  legislation  that  we  have  seen  over  the  last  3  years. If,  behind  closed  doors,  my  Republican  colleagues  want  to  strip  this  legislation  out  of  the  NDAA,  then  I  am  going  to  offer  it  up  as  an  amendment  to  force  an  up-or-down  vote  and  put  every   Member   of   this   body   on   the   record: Are you for election security or are you for allowing foreign entities to interfere  and  offer  assistance  with  no  requirement to report?

Prior to its inclusion in the FY 2021 Intelligence Authorization Act, Warner had asked unanimous consent to take up the FIRE Act multiple times but was met with Republican objections each time. And there are other election security bills Republicans have continued to block, including:

  • The “Duty To Report Act” (S.1247)
  • The “Senate Cybersecurity Protection Act” (S.890)
  • The “Securing America’s Federal Elections Act” (SAFE Act) (H.R.2722)
  • The “Secure Elections Act of 2019” (S.1540)

Yet, the Senate has taken up and passed two election-related bills addressing facets of the cybersecurity challenges. On July 17, the Senate passed the “Defending the Integrity of Voting Systems Act” (S. 1321) by unanimous consent that would “make it a federal crime to hack any voting systems used in a federal election” according to the Senate Judiciary Committee’s website. In June the Senate also passed the “Defending Elections against Trolls from Enemy Regimes (DETER) Act” (S. 1328) that “will make “improper interference in U.S. elections” a violation of U.S. immigration law, and violators would be barred from obtaining a visa to enter the United States. The House has yet to act on these bills.

When the Senate returns to the bill on 20 July, a number of amendments will be pending, including one to establish semiconductor manufacturing grants.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Senate Democratic Stakeholder Floats Privacy Discussion Draft

The top Democrat on one committee has released a bill that would scrap the notice and consent model and strictly limit what information can be collected, processed, and shared.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 18 June, Senate Banking, Housing, and Urban Affairs Ranking Member Sherrod Brown (D-OH) released a discussion draft of a federal privacy bill that “rejects the current, ineffective “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data.” The “Data Accountability and Transparency Act of 2020” may possibly shift the debate on privacy legislation as other recent bills and developments have moved the window of what stakeholders believe possible on the issue of the sufficiency of the notice and consent model. Like a few other bills, Brown’s legislation would establish a new agency to regulate privacy at the federal level, thus rejecting the idea to expand the Federal Trade Commission’s jurisdiction. The package also addresses an issue that has grown in visibility over the last month or so: facial recognition technology. Most of the privacy bills have not sought to fold the new technology into their regulatory frameworks. However, at present, election year politics compounded by the ongoing pandemic and protests in the United States may serve to further diminish the already flagging chances of enactment of federal privacy legislation this year.

In his press release, Brown claimed his bill “creates a new framework that would give Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data.” He claimed “[t]he bill rejects the current, ineffective “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data…[and] contains strong civil rights protections to ensure personal information is not used for discriminatory purposes, as well as a ban on the use of facial recognition technology.” Brown add the “Data Accountability and Transparency Act of 2020” “also establishes a new independent agency dedicated to protecting Americans’ privacy rights.”

Brown stated that “[s]pecifically, the Data Accountability and Transparency Act of 2020 would:

  • Ban the collection, use or sharing of personal data unless specifically allowed by law
  • Ban the use of facial recognition technology
  • Prohibits the use of personal data to discriminate in housing, employment, credit, insurance, and public accommodations;
  • Requires anyone using decision-making algorithms to provide new accountability reports
  • Creates a new, independent agency that is dedicated to protecting individuals’ privacy and the implementation of DATA 2020. The new agency will have rulemaking, supervisory, and enforcement authority, the ability to issue civil penalties for violations of the Act, and a dedicated Office of Civil Rights to protect individuals from discrimination
  • The proposal empowers individuals and state attorneys general to enforce privacy protections and does not preempt more protective state laws
  • Finally, the proposal would require CEO certification of compliance with the Act and contains potential criminal and civil penalties for CEO and Board of Directors

Brown had begun the process with the chair of the Senate Banking, Housing, and Urban Affairs Committee on possible bipartisan privacy legislation likely within the jurisdiction of their committee. In February 2019, Brown and Chair Mike Crapo (R-ID) requested “feedback from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Crapo and Brown stated:

The collection, use and protection of personally identifiable information and other sensitive information by financial regulators and private financial companies (including third-parties that share information with financial regulators and private financial companies) is something that deserves close scrutiny.  Americans are rightly concerned about how their data is collected and used, and how such data is secured and protected.  The collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward. 

However, the quotes from Crapo and Brown in the joint press release suggested they may not have been entirely aligned on the scope of potential privacy legislation. Crapo asserted “it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” However, Brown remarked that “[i]n the year and a half since the Equifax breach, the country has learned that financial and technology companies are collecting huge stockpiles of sensitive personal data, but fail over and over to protect Americans’ privacy.” Brown added that “Congress should make it easy for consumers to find out who is collecting personal information about them, and give consumers power over how that data is used, stored and distributed.”

Crapo provided further insight into his preferred model by which the federal government would regulate privacy at an October 2019 hearing titled “Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation.” Crapo noted that “[t]his Committee has held a series of data privacy hearings exploring possible frameworks for facilitating privacy rights to consumers….[and] [n]early all have included references to data as a new currency or commodity.” He stated that “[t]he next question, then, is who owns it?” Crapo stated that “[t]here has been much debate about the concept of data ownership, the monetary value of personal information and its potential role in data privacy.” He asserted that “[s]ome have argued that privacy and control over information could benefit from applying an explicit property right to personal data, similar to owning a home or protecting intellectual property…[and yet] [o]thers contend the very nature of data is different from that of other tangible assets or goods.”

Crapo stated that “[s]till, it is difficult to ignore the concept of data ownership that appears in existing data privacy frameworks.” He said that “[f]or example, the European Union’s General Data Protection Regulation, or GDPR, grants an individual the right to request and access personally identifiable information that has been collected about them.” Crapo contended that “[t]here is an inherent element of ownership in each of these rights, and it is necessary to address some of the difficulties of ownership when certain rights are exercised, such as whether information could pertain to more than one individual, or if individual ownership applies in the concept of derived data.” He stated that “[a]ssociated with concepts about data ownership or control is the value of personal data being used in the marketplace, and the opportunities for individuals to benefit from its use.”

Crapo asserted that “Senators [John] Kennedy (R-LA) and [Mark] Warner (D-VA) have both led on these issues, with Senator Kennedy introducing legislation that would grant an explicit property right over personal data (i.e. the “Own Your Own Data Act” (S. 806), and Senator Warner introducing legislation that would give consumers more information about the value of their personal data and how it is being used in the economy (i.e. the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951).” Crapo contended that “[a]s the Banking Committee continues exploring ways to give individuals real control over their data, it is important to learn more about what relationship exists between true data ownership and individuals’ degree of control over their personal information; how a property right would work for different types of personal information; how data ownership interacts with existing privacy laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and GDPR; and different ways that companies use personal data, how personal data could be reliably valued and what that means for privacy.” (See here for more analysis of both bills.)

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Senate Armed Services Marks Up FY 2021 NDAA

Per usual, the NDAA contains a number of technology related provisions, including a some of the CSC’s recommendations. The People’s Republic of China and the Russian Federation continue to receive attention.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, legislative work began on the FY 2021 National Defense Authorization Act (NDAA). The Senate Armed Services Committee conducted markups at the subcommittee and committee level, almost of which were in closed settings, and announced a finished bill that has not yet been made available per committee tradition. However, as in years past, a summary of the NDAA has been released that provides a high level overview of the bill, including its cybersecurity and technology related provisions. Bill text will not likely be released before the bill comes to the Senate floor.

Most notably, a number of the Cyberspace Solarium Commission’s (CSC) recommendations were apparently included in the bill, an outcome the four CSC Members who also serve in Congress were working towards; Senators Ben Sasse (R-NE) and Angus King (I-ME) served on the CSC and are also on the Senate Armed Services Committee.

The CSC’s highest profile recommendation was not entirely accepted, however. The CSC had called for a National Cyber Director its final report that would be “be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” However, the FY 2021 NDAA merely uses an old strategy on possibly controversial changes: a study would be conducted on a National Cyber Director. Nevertheless, the CSC’s mandate would be extended another 16 months if this legislation is enacted, giving the body more time to work to see this and other recommendations possibly come to fruition.

All of the recommendations in the FY 2021 NDAA are those within the jurisdiction of the Armed Services Committees, suggesting the non-defense cybersecurity recommendations will need to be enacted by the various committees of jurisdiction. Ironically, this is the very issue the CSC addressed in its recommendation that Congress establish “House Permanent Select and Senate Select Committees on Cybersecurity.” However, it is a rare occurrence for Congress to redraw committee jurisdictions in such a significant way, and the Homeland Security Committees were created after the attacks on the United States on 11 September 2001. And yet, it is not uncommon for legislation that pertains mostly to civilian agencies and affairs to get added to the NDAA. For example, the “Federal Information Technology Acquisition Reform” (FITARA) (P.L. 113-291) was enacted as part of the FY 2013 NDAA.

The Committee explained that the NDAA includes 11 of the CSC’s recommendations:

  • A review of National Guard response to cyberattacks,
  • Adding a force structure assessment in the quadrennial cyber posture review,
  • A report on enabling Cyber Command authorities, direction, and control of Cyber Operations Forces-related budgets, ensuring flexibility and agility to control acquisition,
  • An evaluation of cyber reserve force options, which could provide capable surge capability and enable DOD to draw on cyber talent in the department sector,
  • Improving cyber resiliency of nuclear command and control systems,
  • A modification to fortify the Strategic Cybersecurity program and further cyber vulnerability assessment of weapons systems,
  • A Defense Industrial Base threat intelligence sharing program to support companies’ ability to defend themselves,
  • An assessment of the risk posed by quantum computing to national security systems,
  • An extension of the Cyberspace Solarium Commission for tracking and facilitating the implementation of its recommendations for 16 months,
  • An independent assessment on the feasibility and advisability of establishing a National Cyber Director.

The House Armed Services Committee will begin marking up its FY 2021 NDAA later this month with a full committee markup scheduled for 1 July. It is very likely CSC recommendations make it into this bill, and so it will be a matter of final negotiations to determine which recommendations are part of the bill, which is seen as must-pass on Capitol Hill. Moreover, CSC recommendations could get folded into appropriations bills for FY 2021, which is often one of the last matters Congress addresses before recessing for the winter holidays.

The Committee highlighted other cybersecurity and cyberspace provisions:

  • Updates the responsibilities of the Principal Cyber Advisor, a key driver of the Department’s development and implementation of its 2018 cyber strategy, by increasing the integration and coordination responsibilities of that office to ensure that DOD’s cyber policies are coherent, cohesive, and meet needs,
  • Improves transparency and requires DOD to provide more regular updates on cyber operations to Congress,
  • Requires pilot programs, demonstrations, and/or plans for: speed-based cybersecurity capability metrics to measure DOD performance and effectiveness; interoperability and automated orchestration of cybersecurity systems (increased by $10 million above the President’s request); addressing network timing and address inconsistencies; and integration of user activity monitoring and cybersecurity systems,
  • Requires an assessment of gaps between Cyber Mission Forces and Cybersecurity Service Providers,
  • Authorizes increased funding ($25 million for Air Force Operation and Maintenance and $5 million for Army Operation and Maintenance) to provide Cyber Mission Forces with more resources to access, operate, and train as required by increased operational demands,
  • Improves cyber readiness and “man, train, and equip” by:
    • Authorizing a pilot program to prepare the National Guard for providing cyber assistance remotely in the case of cyber attacks,
    • Prohibiting the Secretary of Defense from taking any action on the National Defense University’s College of Information and Cyber Space until completing an assessment of educational requirements for military and civilian leaders in this domain,
    • Modifying authority to use Operation and Maintenance funds to allow for rapid creation, testing, and fielding of cyber capabilities to respond more quickly to threats, and
    • Improving the training and retention of highly qualified cyber personnel, including providing Cyber Command with the same hiring authority for technical talent as exists at DARPA, the Strategic Capabilities Office, and the Joint Artificial Intelligence Center, and by allowing for pay that is more competitive with commercial industry.

Again, the Committee addressed the threats posed by the DOD having a significant part of its supply chain rooted in the People’s Republic of China (PRC) and the challenges posed by the nation to US military and national security:

  • The FY21 NDAA takes numerous steps to reshape the Defense Industrial Base as a National Security Innovation Base, expanding its industrial capacity, promoting agility and resiliency, and identifying and mitigating risks associated with reliance on foreign adversaries, while investing in relationships with allies and partners. The shift to a National Security Innovation Base requires acknowledging that a whole-of-government approach is needed, and this bill encourages DOD to study broad factors that shape the industrial base and engage with outside stakeholders and interests. Recognizing that procurement restrictions are very powerful, the bill also ensures DOD is exploring all pathways to expand domestic capacity, including increased research and development. Lastly, the legislation safeguards proprietary technology, intellectual property, and other defense-sensitive data from being infiltrated by the government of China.
  • Further implements recommendations from DOD’s report proceeding from Executive Order 13806 on assessing and strengthening the manufacturing and defense industrial base and supply chain resiliency of the U.S., and updates the framework for modernizing acquisition processes to ensure the integrity of the Defense Industrial Base,
  • Requires analyses of a variety of materials and technology sectors, such as microelectronics, rare earth minerals, medical devices, personal protective equipment and pharmaceutical ingredients, to determine actions to take to address sourcing and industrial capacity,
  • Directs additional steps for certain items, such as microelectronics, printed circuit boards, critical raw materials, and unmanned aircraft systems to mitigate risk of relying on foreign sources for products, materials, components, and manufacturing,
  • Strengthens the National Technology and Industrial Base (NTIB) by creating a Regulatory Council and directing DOD to establish a process for admitting new members,
  • Requires assessment of foreign industrial base capabilities and capacity to see how these drive risk to the U.S. from overreliance on China and their economic aggression,
  • Continues to expand the role of small business, extending the authorization of a pilot program to streamline contracting and auditing processes for innovative technology programs and ensuring DOD pays small business contractors quickly,
  • Directs steps to safeguard defense-sensitive U.S. intellectual property and technology from acquisition by China and with post-employment restricts pertaining to China.

The Committee highlighted provisions aimed at the PRC and Russia:

  • Extends the limitation on providing sensitive missile defense information to Russia and on the integration of U.S. missile defense systems into those of China and Russia,
  • Requires the Secretary of Defense to submit a report on the risk to DOD personnel, equipment, and operations due to Huawei 5G architecture in host countries and possible steps for mitigation,
  • Requires the Secretary of Defense to consider 5G and 6G security risks posed by vendors like Huawei and ZTE when making overseas basing decisions,
  • Protects the defense industrial base and supply chain, as well as intellectual property and technology, from disruption, infiltration, or theft by the Government of China (see “Innovation Base”),
  • Fully funds the European Deterrence Initiative and increases funding to support rotational forces in Europe,
  • Requires a report on Russian support to racially and ethnically motivated violent extremist groups and networks in Europe and the United States that creates or causes growing national security threats, information warfare, and increasing risks to societal stability and democratic institutions,
  • Extends restrictions on military-to-military cooperation with Russia and any activities that would recognize Russian sovereignty over Crimea,
  • Expresses a sense of the Senate that long-term strategic competition with Russia is a top defense priority that requires sustained investment and enhanced deterrence due to the level of threat posed,

The Committee added

As our strategic competitors develop more and more advanced weapons, equipment, and technology, it’s critical that the United States keep pace through deliberate, knowledge-based development. The FY21 NDAA directs investments and implements policies that will maintain or expand our comparative advantage over China and Russia for key capabilities and technologies. One strategy for accelerating innovation will be through a tailored approach of both subsystem prototypes, including for unmanned surface vessels, and full-scale prototypes, including for hypersonic weapons, based on a detailed understanding of what is necessary to achieve technical and technological maturity.

The bill also

  • Supports the development of fifth-generation (5G) wireless networks by establishing a cross- functional team for 5G wireless networks and designates the DOD Chief Information Officer to lead the team and serve as the senior designated official for related policy, oversight, guidance, and coordination at DOD,
  • Strengthens Science and Technology efforts in emerging technologies, including by requiring: an assessment of U.S. efforts to develop biotechnologies compared to our adversaries; development of Artificial Intelligence use-cases for reform efforts; enhancements to the Quantum Information Science research and development program; and a demonstration of innovative 5G commercial technologies, Encourages DOD to leverage commercially available technology where appropriate, particularly for artificial intelligence,
  • Includes several provisions designed to recruit and retain talent with technology expertise, including requiring a study comparing methods for recruiting and retaining technology researchers used by both the U.S. and Chinese governments and authorizing a pilot program to permit university students and faculty to take on part-time and term employment at DOD labs to work on critical technologies and research activities,

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Senate Commerce Marks Up Three Technology Bills

Three targeted bills are sent to the full Senate to address a range of technology issues.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Senate Commerce, Science, and Transportation Committee marked up a number of technology related bills at a 20 May executive session:

  • The “Identifying Outputs of Generative Adversarial Networks (IOGAN) Act” (S. 2904), which was amended twice before being reported out with an amendment in the nature of a substitute and another amendment changing the substitute. Broadly speaking, this bill would task the National Science Foundation with sponsoring and funding research into how to detect and prevent deep fakes through the use of artificial intelligence and machine learning.
  • The “Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems (CYBER LEAP) Act of 2020” (S. 3712) would require the Department of Commerce to conduct “grand challenges” for:
    • Building more resilient  systems  that measurably and exponentially raise adversary costs  of carrying out common cyber attacks
    • Empowering the people of the United States with an appropriate and measurably sufficient level of digital literacy to make safe and secure decisions online.
    • Developing a cybersecurity workforce with measurable skills to protect and maintain information systems.
    • Advancing cybersecurity efforts in response to emerging  technology, such as artificial intelligence, quantum science, and next generation communications technologies.
    • Maintaining a high sense of usability while improving the security and safety of online  activity of individuals in the United States.
    • Reducing cybersecurity risks to Federal networks and systems, and improving the response of Federal agencies to cybersecurity incidents on such networks and systems.
  • The “Spectrum IT Modernization Act of 2020” (S. 3717) requires the National Telecommunications and Information Administration (NTIA) to “submit to Congress a report that contains the plan of the NTIA to modernize and automate the infrastructure of the NTIA relating to managing the use of Federal spectrum by covered agencies so as to more efficiently manage that use” within 8 months of enactment. This bill could require agencies such as the Department of Defense to modernize any such IT used to manage federal spectrum.

In December, the House sent the Senate a bill related to the IOGAN Act also named the “Identifying Outputs of Generative Adversarial Networks Act” (H.R.4355) that “directs  the  NSF to  support  research  on  manipulated  or  synthesized  content  and  information  security,  including  fundamental  research  on  digital  media  forensic  tools,  social  and  behavioral  research,  and  research  awards  coordinated  with  other  federal  agencies  and  programs.” Consequently, it is possible a compromise bill passes this year.

Neither of the other bills have companion House legislation.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Senate Commerce Republicans Vow To Introduce Privacy Bill To Govern COVID-19 Apps and Tech

Key Republican stakeholders on privacy legislation float a bill on COVID-19 relating to privacy that seems unlikely to garner the necessary Democratic buy-in to advance.  

Late last week, key Republicans on the Senate Commerce, Science, and Transportation announced they would introduce the “COVID-19 Consumer Data Protection Act” that provide new privacy and data security protections for the use of a COVID-19 contact tracing app and similar technologies. To date, text of the legislation has not been released and so any analysis of the bill is derived from a short summary issued by the committee and reports from media outlets that have apparently been provided a copy of the bill.

Based on this information, to no great surprise, the basic structure of the bill tracks privacy and data protection legislation previously introduced by the co-sponsors of the new bill: Chair Roger Wicker (R-MS) (See here for analysis of the “Consumer Data Privacy Act of 2019”)and Senators John Thune (R-SD), Jerry Moran (R-KS) (See here for analysis of “Consumer Data Privacy and Security Act of 2020” (S.3456)), and Marsha Blackburn (R-TN) (See here for analysis of the “Balancing the Rights Of Web Surfers Equally and Responsibly Act of 2019” (BROWSER Act) (S. 1116)). In short, people would be provided with notice about what information the app collects, how it is processed, and with whom and under what circumstances this information will be shared. Then a person would be free to make an informed choice about whether or not she wants to consent and allow the app or technology to operate on her smartphone. The Federal Trade Commission (FTC) and state attorneys general would enforce the new protections, and as there was no mention of a private right of action, and given these Members opposition to such provisions, it is likely the bill does not provide such redress. Moreover, according to media reports, the bill would preempt state laws contrary to its provision, which would be another likely non-starter among Democrats.

Wicker, Thune, Moran, and Blackburn claimed their bill “would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data…[and] would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic” as they asserted in their press release.

Wicker, Thune, Moran, and Blackburn provided this summary of the “COVID-19 Consumer Data Protection Act:”

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

If such legislation were to pass, it would add to the patchwork of privacy and data security bills already enacted that are geared to addressing certain sectors or populations (e.g. the “Health Insurance Portability and Accountability Act” (HIPAA) protects some healthcare information and “Children’s Online Privacy Protection Act” (COPPA) broadly protects children online.)

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Fourth Volume of Report in 2016 Russian Hacking Endorses IC’s Conclusions

In a report that largely vindicates the Intelligence Community’s (IC) assessment of the 2016 election, a Senate committee continues with its investigation of Russian hacking with a heavily redacted fourth volume. The Republican-led committee rebuts the President’s assertions the IC was wrong and biased.  

The Senate Intelligence Committee has released the fourth of five planned volumes, detailing Russia’s interference in the 2016 presidential election. This volume, titled “Review of the Intelligence Community Assessment,” assessed the classified version of the Intelligence Community’s (IC) review and conclusions regarding Russian efforts to aid President Donald Trump’s campaign and to harm former Secretary of State Hillary Clinton’s bid for the presidency. In this assessment, the Committee found “unprecedented Russian interference” well-described, analyzed, and investigated by the IC. However, much of the report is redacted, and according to Committee Member, Senator Angus King (I-ME), this was done to protect the sources and methods the IC used.

An unclassified version of “Assessing Russian Activities and Intentions in Recent US Elections” was released in mid-2017 that was heavily criticized by the President, the White House, and a number of Republicans. Additionally, the House Intelligence Committee, led by then Chair and Trump ally Devin Nunes (R-CA), found that the IC assessment was plagued by “significant intelligence tradecraft failings.”

Given that the majority of Russian interference was executed in cyberspace, often through social media, it remains to be seen whether these reports will spur proposals to change laws regulating cybersecurity or U.S. intelligence activities. Moreover, like so many issues, the response to COVID-19 will likely overshadow this report and any potential impact it may have otherwise had.

While the White House has largely been silent on this volume of the Senate Intelligence Committee’s investigation, the subject of Russia’s activities during the 2016 election remains touchy at the White House, suggesting efforts to reform how the U.S. responds to this sort of hacking will remain at the agency-level with heads of key entities using authorities they currently possess. This opens the possibility that agencies and private sector entities will not receive new latitude to fight off disinformation campaigns likely to be waged by more than just Russia as North Korea, China, and Iran are often identified as those nations most able to interfer in this year’s election.

The Committee’s previous three volumes are: “Volume I: Russian Efforts Against Election Infrastructure,” “Volume II: Russia’s Use of Social Media,” and “Volume III: U.S. Government Response to Russian Activities.”

As threshold matters, the Committee found

  • [S]pecific intelligence as well as open source assessments support the assessment that President Putin approved and directed aspects of this influence campaign.
  • Further, a body of reporting, to include different intelligence disciplines, open source reporting on Russian leadership policy preferences, and Russian media content, showed that Moscow sought to denigrate then-candidate Clinton.
  • ICA presents information from public Russian leadership commentary, Russian state media reports, and specific intelligence reporting to support the assessment that Putin and the Russian Government demonstrated a preference for candidate Trump.

The Senate Intelligence Committee made the following findings:

1. The Committee found the Intelligence Community Assessment (ICA) presents a coherent and well-constructed intelligence basis for the case of unprecedented Russian interference in the 2016 U.S. presidential election. On the analytic lines of the ICA, the Committee concludes that all [REDACTED] lines are supported with all-source intelligence, although with varying substantiation. The Committee did not discover any significant analytic tradecraft issues in the preparation or final presentation of the ICA.

The ICA reflects proper analytic tradecraft despite being tasked and completed within a compressed time frame. The compact timeframe was a contributing factor for not conducting formal analysis of competing hypotheses.

The differing confidence levels on one analytic judgment are justified and properly represented. Those in disagreement all stated that they had the opportunity to express differing points of view. The decision regarding the presentation of differing confidence levels was the responsibility of the Director of the Central Intelligence Agency (CIA) John Brennan and the Director of the National Security Agency (NSA) Admiral Michael Rogers, both of whom independently expressed to the Committee that they reached the final wording openly and with sufficient exchanges of views.

Multiple intelligence disciplines are used and identified throughout the ICA. Where the Committee noted concerns about the use of specific sources, in no case did the Committee conclude any analytic line was compromised as a result.

In all the interviews of those who drafted and prepared the ICA, the Committee heard consistently that analysts were under no politically motivated pressure to reach specific conclusions. All analysts expressed that they were free to debate, object to content, and assess confidence levels, as is normal and proper for the analytic process.

2. The Committee found that the agencies responsible for the !CA-CIA, NSA, and FBI, under the aegis of ODNI-met the primary tasking as directed by President Obama, which was to assemble a product that reflected the intelligence available to the Intelligence Community (IC) regarding Russian interference in the 2016 election.

3. The Committee found that the ICA provides a proper representation of the intelligence collected by CIA, NSA, and FBI on Russian interference in 2016, and this body of evidence supports the substance and judgments of the ICA.

[REDACTED] Regarding FBI, the ICA states, in its “Scope and Sourcing” introduction, that “[w]e also do not include information from ongoing investigations.” [REDACTED] The Committee found that the information provided by Christopher Steele to FBI was not used in the body of the ICA or to support any of its analytic judgments. However, a summary of this material was included in Annex A as a compromise to FBI’s insistence that the information was responsive to the presidential tasking.

4. The Committee found the ICA makes a clear argument that the manner and aggressiveness of the Russian interference was historically unprecedented. However, the ICA and its sources do not provide a substantial representation of Russian interference in the 2008 and 2012 presidential elections, as the Committee understands was part of the President’s original tasking.

5. [REDACTED]The Committee found that the ICA did not provide a set of policy on how to respond to future Russian active measures, which was part of the tasking the President conveyed to the Director of National Intelligence (DNI) James Clapper. The ICA did include, in the compartmented version, an unclassified section independently produced by DHS, FBI, and the Department of Commerce’s National Institute of Standards and Technology (NIST), “DHS/FBI/NIST Recommendations: Options to Protect and Defend US Election Infrastructure and US Political Parties.”

The absence of policy recommendations was deliberate, due to the well-established norm that the IC provides insight and warning to policy makers, but does not itself make policy.

6. The Committee found the ICA would benefit from a more comprehensive presentation of how Russian propaganda-as generated by Russia’s multiple state-owned platforms-was used to complement the full Russian influence campaign.

Open source collection is a long-standing discipline for CIA and other elements of the IC, and open source reporting is used throughout the ICA to support specific analytic assertions. However, open source reporting on RT and Sputnik’s coverage of WikiLeaks releases of Democratic National Committee (DNC) information would have strengthened the ICA’s examination of Russia’s use of propaganda. On this point, the Committee finds that Annex [REDACTED] of the ICA-“Open Source Center Analysis: Russia: Kremlin’s TV Seeks to Influence Politics, Fuel Discontent in US,” published December 12, 2012-should have been updated to provide a summary of Kremlin propaganda in 2016, thereby making a more relevant contribution to the ICA. An update to this assessment was not produced by the Open Source Enterprise until after the publication of the ICA.

7. [REDACTED] The role of social media has been a significant focus by the Committee and is discussed in a separate volume of this report.

Technology Policy Update (10 April)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 here.

Here are the articles from this edition:

  • “Paper” Hearing on COVID-19 and Big Data
  • DOD Revises Cybersecurity Model For Contractors; Accreditation Body Holds Webinar
  • EC Calls For EU-Wide Approach on Big Data and COVID-19
  • EU’s Data Supervisor Calls For Limits On Using Data In Fighting COVID-19
  • EDPB Fast Tracks Privacy and Processing Guidance For COVID-19
  • Warner Asks OMB For Uniform Guidance On Contractors
  • OCR Announces HIPAA Enforcement Discretion
  • Executive Order Formalizes Review of Foreign Investment in Telecommunications
  • CISA Guides Agencies On Telework Best Practices and Security

“Paper” Hearing on COVID-19 and Big Data

On April 9, the Senate Commerce, Science, and Transportation Committee held a virtual hearing of sorts as all the proceedings would occur through the written word with the chair, ranking member, and witnesses all submitting statements. Then all the members were to submit written questions to the witnesses who will have 96 business hours to respond or what appears to be 12 days. The questions posed to each witness by each member of the committee have been posted on the hearing webpage as well.

In his written statement, Chair Roger Wicker (R-MS) stated “[a]s the public and private sectors race to develop a vaccine for [COVID-19], government officials and health-care professionals have turned to what is known as “big data” to help fight the global pandemic.” He stated “[i]n recognition of the value of big data, Congress recently authorized the CDC, through the bipartisan coronavirus relief package, to develop a modern data surveillance and analytics system,” a reference to the $500 million appropriated for “for public health data surveillance and analytics infrastructure modernization.”  Wicker said “[t]his system is expected to use public health data inputs – including big data – to track the coronavirus more effectively and reduce its spread.” He added “[s]tate governments are also using big data to monitor the availability of hospital resources and manage supply chains for the distribution of masks and other personal protective medical equipment.”

Wicker remarked,

  • Recent media reports revealed that big data is being used by the mobile advertising industry and technology companies in the United States to track the spread of the virus through the collection of consumer location data.  This location data is purported to be in aggregate form and anonymized so that it does not contain consumers’ personally identifiable information.  It is intended to help researchers identify where large crowds are forming and pinpoint the source of potential outbreaks.  The data may also help predict trends in the transmission of COVID-19 and serve as an early warning system for individuals to self-isolate or quarantine.
  • In addition to these uses, consumer location data is being analyzed to help track the effectiveness of social distancing and stay-at-home guidelines.  Data scientists are also seeking ways to combine artificial intelligence and machine learning technologies with big data to build upon efforts to track patterns, make diagnoses, and identify other environmental or geographic factors affecting the rate of disease transmission.
  • The European Union is turning to big data to stop the spread of the illness as well. Italy, Germany, and others have sought to obtain consumer location data from telecommunications companies to track COVID-19.  To protect consumer privacy, EU member states have committed to using only anonymized and aggregate mobile phone location data.  Although the EU’s General Data Protection Regulation does not apply to anonymized data, EU officials have committed to deleting the data once the public health crisis is over.  

Wicker asserted, “[t]he potential benefits of big data to help contain the virus and limit future outbreaks could be significant.” He stated “[r]educing privacy risks begins with understanding how consumers’ location data – and any other information – is being collected when tracking compliance with social distancing measures.” He contended that “[e]qually important is understanding how that data is anonymized to remove all personally identifiable information and prevent individuals from being re-identified…[and] I look forward to hearing from our witnesses about how consumer privacy can be protected at every stage of the data collection process.”

Wicker stated, “I also look forward to exploring how consumers are notified about the collection of their location information and their ability to control or opt out of this data collection if desired.” He explained “[g]iven the sensitivity of geolocation data, increased transparency into these practices will help protect consumers from data misuse and other unwanted or unexpected data processing.” Wicker added “I hope to learn more about how location data is being publicly disclosed, with whom it is being shared, and what will be done with any identifiable data at the end of this global pandemic.”

Wicker concluded,

Strengthening consumer data privacy through the development of a strong and bipartisan federal data privacy law has been a priority for this Committee.  The collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation.  Such a law would provide all Americans with more transparency, choice, and control over their data, as well as ways to keep businesses more accountable to consumers when they seek to use their data for unexpected purposes.  It would also provide certainty and clear, workable rules of the road for businesses in all 50 states, and preserve Americans’ trust and confidence that their data will be protected and secure no matter where they live.

Ranking Member Maria Cantwell (D-WA) asserted, “[r]ight now, we must ensure there are enough hospital beds, enough personal protective equipment, and enough ventilators and medical supplies to withstand the full force of this virus as it peaks in communities across our country” in her opening statement. She stated, “[w]e need robust testing, and as the virus finally fades, we’ll need to deploy contact tracing systems so that we can respond quickly to outbreaks and stamp it out for good.” Cantwell claimed, “[d]ata provides incredible insights that can assist us in these efforts, and we should be doing everything possible to harness information in a manner that upholds our values.” She remarked, “[t]o gain and keep the public’s trust about the use of data, a defined framework should be maintained to protect privacy rights…[that] at a minimum, should ensure that information is used:

(1) for a specific limited purpose, with a measurable outcome and an end date,

(2) in a fully transparent manner with strong consumer rights, and

(3) under strict accountability measures.

Cantwell stated, “[w]e must always focus on exactly how we expect technology to help, and how to use data strategically to these ends…[and] [w]e must resist hasty decisions that will sweep up massive, unrelated data sets.” She further argued, “we must guard against vaguely defined and non-transparent government initiatives with our personal data…[b]ecause rights and data surrendered temporarily during an emergency can become very difficult to get back.”

Cantwell expressed her belief that “there are three advantages to data that need to be harnessed at this time: the power to predict, the power to discover, and the power to persuade.” She remarked, “[d]ata helps us build models based on what has come before…[and] [w]e can use these models to identify patterns to help us prepare for what might be next, whether those are predictions of where disease is spreading, estimations of community needs, or coordination of scarce resources.” Cantwell said, “[l]arge publically available data sets also help us identify patterns and solutions that cannot be seen with a more fragmented, less complete picture.” She asserted, “[d]iscoveries and insights that once were hidden can now be brought to light with the help of advanced data analysis techniques.” She said, “[a]nd when there are vital messages to share, data allows us to get those messages out to everyone who needs to hear them…[and] [m]essages about social distancing, exposure risks, and treatment options are just a few of the many types of essential communications that can be informed and enhanced by data analysis.”

Cantwell summed up:

  • The world is now confronting a challenge of tremendous urgency and magnitude. At some point, we will be opening up our society and our economy again. First, we’re going to need robust testing. And when that time comes, we’re also going to need technology, powered by data, to help us safely transition back to a more normal way of life.
  • Our job in Congress is to help provide the tools needed to turn back this disease, and to understand how we marshal innovation and technology in a responsible way to respond to this challenge, both in the short term and for what we are starting to understand may be a very long fight ahead.
  • We are only at the beginning of this fight. We urgently need to plan for the days and, yes, the years ahead; we must discover, test, and distribute new cures faster than ever before; we need our greatest minds, wherever they may be, to collaborate and work together; and we must build unity because ultimately, that is our greatest strength.

University of Washington Professor of Law Ryan Calo explained

In this testimony, I will address some of the ways people and institutions propose to use data analytics and other technology to respond to coronavirus. The first set of examples involves gaining a better understanding of the virus and its effects on American life. By and large I support these efforts; the value proposition is clear and the privacy harms less pronounced. The second set of examples involves the attempt to track the spread of COVID-19 at an individual level using mobile software applications (“apps”). I am more skeptical of this approach as I fear that it threatens privacy and civil liberties while doing little to address the pandemic. Finally, I conclude with the recommendation that, however we leverage data to fight this pandemic, policymakers limit use cases to the emergency itself, and not permit mission creep or downstream secondary uses that surprise the consumer.

Calo said

I am not opposed to leveraging every tool in our technical arsenal to address the current pandemic. We are facing a near unprecedented global crisis. I note in conclusion that there will be measures that are appropriate in this context, but not beyond it. Americans and their representatives should be vigilant that whatever techniques we use today to combat coronavirus do not wind up being used tomorrow to address other behaviors or achieve other goals. To paraphrase the late Justice Robert Jackson, a problem with emergency powers is that they tend to kindle emergencies.

Calo asserted

In national security, critics speak in terms of mission creep, as when vast surveillance powers conferred to fight terrorism end up being used to enforce against narcotics trafficking or unlawful immigration. In consumer privacy, much thought is given to the prospect of secondary use, i.e., the possibility that data collected for one purpose will be used by a company to effectuate a second, more questionable purpose without asking the data subject for additional permissions. No consumer would or should expect that the absence of certain antibodies in their blood, gathered for the purpose of tracing a lethal disease, could lead to higher health insurance premiums down the line. There is also a simpler danger that Americans will become acclimated to more invasive surveillance partnerships between industry and government.14My hope is that policymakers will expressly ensure that any accommodations privacy must concede to the pandemic will not outlive the crisis.

ACT | The App Association Senior Director for Public Policy Graham Dufault explained some of the big data privacy concerns in the COVID-19 crisis:

  • Creating and Using Big Data Sets Consistent with Privacy Expectations. Beyond the Taiwan example described above, other nations are engaging in their own versions of highly targeted surveillance. Israel is tracking citizens’ movements using smartphone location data and even sending text messages to people who were recently near a person known to have been infected with COVID-19, with an order to self-quarantine.While Israeli courts blocked the use of this data to enforce quarantines,11even the use of it to send unsolicited text messages and swiftly apply impromptu quarantines raises some questions.
  • By contrast, in the United States, private companies are leading the charge on big data sets about location, with persistent privacy oversight by policymakers. For example, Google is producing reports on foot traffic patterns using smartphone location data. However, there are limitations to the reports because they only use high-level data indicating a percentage decrease or increase in foot traffic in six different types of locations (e.g., workplaces, retail, and recreation sites)over a given period of time. Their vagueness is in part the result of federal and state privacy law, which generally prohibit deceptive practices, including the disclosure of private data in a manner that is inconsistent with a company’s own privacy policies or where the individual never consented to the disclosure. News articles variously describe these kinds of high-level reports as tracking compliance with stay-at-home orders, but they only do so in an indirect sense and certainly not to the degree to which Taiwan or Israel track compliance, which involves the use of individual location data.
  • With Location Data, Privacy is Possible. Ideally, federal, state, and local governments could enact targeted measures that significantly stem the spread of COVID-19 in high-risk areas and at high-risk times, while enabling certain parts of the economy to open back up where there is mitigation of risk—all with anonymous data. The Private Kit app takes privacy protective steps that may help provide both actionable data and effective anonymity. For example, when a user downloads the app, it clarifies that location data stays on the user’s phone and does not go to a centralized server. Instead, when turned on, the app tracks the user’s location and stores it in an encrypted format—which it apparently sends, again encrypted, directly to other phones when queried. Theoretically, it would be difficult for any single user of the app to discern the identity of the person signified by one of the dots on the map. The problem Private Kit encounters is whether enough people will download this app quickly enough for it to be useful for policymakers and users. Similar ideas, like NextTrace have also cropped up, but the effectiveness of these tools may be limited if a single, popular choice does not soon emerge.
  • The COVID-19 Pandemic Underscores the Need for a National Privacy Law. National privacy legislation should ensure companies are using default privacy measures like those described above. Animating some of the privacy concerns policymakers have expressed about the use of big data to address the COVID-19 pandemic is a (not entirely unfair) lack of trust in how tech-driven companies are using sensitive personal data, especially location data. While many of us worry that governmental intrusions to address the COVID-19 pandemic would be difficult to pull back, policymakers also worry that corporate surveillance efforts could later turn into unexpected uses of sensitive data and exposure to additional risk of unauthorized access. The passage of a strong, national privacy framework could help alleviate the stated concerns with private sector use of data.
  • Healthcare Data Remains Siloed. Through the Connected Health Initiative (CHI), we advocate for patients to be able to share their healthcare data with digital health companies that can help them make use of it. But in general, electronic health records (EHR) companies decline to transfer that data except inside their own network of providers and business associates (BAs), citing Health Insurance Portability and Accountability Act (HIPAA) compliance concerns. The problem with this, of course, is that HIPAA is supposed to make data portable, as the name suggests. And EHRs have emerged as a chokepoint for healthcare data that patients should otherwise be able to use as they wish. Besides harming big data competencies, outdated healthcare policies have also directly harmed patients. It would be a great tragedy if we yanked telehealth and remote physiologic monitoring (RPM)away from patients just as the general public begins to realize their potential. Certainly, the ability to rely on telehealth (defined in Medicare as live voice or video visits between patients and caregivers) is a sudden necessity during the pandemic as caregivers must screen and monitor patients from a distance. Avoiding such basic communications technologies because of fraud or abuse concerns when public health demands patients stay at home would be nothing short of a catastrophic win for red tape. What surprises many of us, however, is just how unprepared our relative inability to make use of digital health has made us for pandemics like COVID-19.

Interactive Advertising Bureau Executive Vice President for Public Policy Dave Grimaldi stated

While self-regulation has been a useful mechanism to encourage responsible data use, federal leadership is now needed to ensure that robust consumer privacy protections apply consistently throughout the country. The time is right for the creation of a new paradigm for data privacy in the United States. To this end, IAB is a key supporter of Privacy for America, a broad industry coalition of top trade organizations and companies representing a wide cross-section of the American economy that advocates for federal omnibus privacy legislation. Privacy for America has released a detailed policy framework to provide members of Congress with a new option to consider as they develop data privacy legislation for the United States. Participants in Privacy for America have met with leaders of Congress, the FTC, the Department of Commerce, the White House, and other key stakeholders to discuss the ways the framework protects consumers while also ensuring that beneficial uses of data can continue to provide vast benefits to the economy and mankind.

Grimaldi claimed

The Privacy for America framework would prohibit, rather than allow consent for, a range of practices that make personal data vulnerable to misuse. Many of these prohibitions would apply not only to companies that engage in these harmful practices directly, but to suppliers of data who have reason to know that the personal information will be used for these purposes.

  • Eligibility Determinations. Determining whether individuals are eligible for benefits like a job or credit are among the most important decisions that companies make. Although many of these decisions are currently regulated by existing sectoral laws (e.g., the Fair Credit Reporting Act), companies can easily purchase data on the open market to evade compliance with these laws. Privacy for America’s framework would prevent this abuse by banning the use of data to make eligibility decisions—about jobs, credit, insurance, healthcare, education, financial aid, or housing—outside these sectoral laws, thereby bolstering and clarifying the protections already in place. It also would provide new tools to regulators to cut off the suppliers of data that undermine these protections. To the extent that companies are unsure about whether a practice is permitted under existing law, they would be able to seek guidance from the FTC.
  • Discrimination. The widespread availability of detailed personal information has increased concerns that this data will be used to discriminate against individuals. The new framework envisioned by Privacy for America would supplement existing anti- discrimination laws by banning outright a particularly pernicious form of discrimination—using data to charge higher prices for goods or services based on personal traits such race, color, religion, national origin, sexual orientation, or gender identity. As discussed below, the framework also would allow individuals to opt out of data personalization, which can contribute to discrimination.
  • Fraud and Deception. For decades, the FTC and the states have pursued cases against companies that engage in fraud and deception. The new framework would focus specifically on the use and supply of data for these purposes. Thus, it would ban a range of fraudulent practices designed to induce the disclosure of personal information and, more generally, material misrepresentations about data privacy and security.
  • Stalking. In recent years, the proliferation of data has made it easier to track the location and activities of individuals for use in stalking. Of note, mobile apps designed for this very purpose have been identified in the marketplace. The framework would outlaw the use of personal information for stalking or other forms of substantial harassment, and would hold these types of apps accountable.
  • Use of Sensitive Data Without Express Consent. Consumers care most about their sensitive data, and companies should have an obligation to protect it. The new framework would prohibit companies from obtaining a range of sensitive information— including health, financial, biometric, and geolocation information, as well as call records, private emails, and device recording and photos—without obtaining consumers’ express consent.
  • Special Protections for Individuals Over 12 and Under 16 (Tweens). The Privacy for America framework includes a robust set of safeguards for data collected from tweens, an age group that needs protection but is actively engaged online and not subject to constant parental oversight. Specifically, the framework would prohibit companies from transferring tween data to third parties when they have actual knowledge of age. It also would ban payment to tweens for personal data, except under a contract to which a parent or legal guardian is a party. Finally, companies would be required to implement data eraser requirements allowing individuals to delete data posted online when they were tweens.

Center for Democracy and Technology Data and Privacy Project Director Michelle Richardson advised

When deciding what types of data practices are appropriate, Congress should remember that privacy is a balancing of equities. We no longer think of privacy as an on-off switch, or something that can be dismissed after a person agrees to a lengthy privacy policy. It instead weighs the intrusion of any product or program against the benefit of the data use, the secondary effects on individuals, and any mitigating steps that can be taken to minimize harms. As policymakers review data collection, use and sharing, they should:

  • Focus on prevention and treatment, not punishment: Past epidemics have demonstrated that fear is not as effective as clear, meaningful information from a reliable source and the ability to voluntarily comply with medical and governmental directives. Successfully fighting the coronavirus will mean ensuring that a government response does not evolve into law enforcement and broad surveillance functions.
  • Ensure accuracy and effectiveness: There does not appear to be a universally accepted definition of “accurate” or “effective” when it comes to predicting, preventing, or responding to the coronavirus. Nevertheless, if a tool or practice is unlikely to provide meaningful and measurable contributions to the coronavirus response, companies and governments should consider alternatives. This is not only because the privacy risks may not be justified but because people may rely on these measures in lieu of those that actually work.
  • Provide actionable information: In a time of crisis, more information isn’t always better. New data collection or novel data uses should inform individual, corporate, or government behavior in a constructive way. Symptom trackers, for example, may tell a person whether he or she should seek medical care. Contact tracing on the other hand, when it relies on insufficiently granular data, may result in unnecessary or unproductive quarantine, testing, and fear.
  • Require corporate and government practices that respect privacy: People are reasonably fearful for their own health and the health of their loved ones. The burden for constructing privacy-protective products and responses must not be on concerned citizens but on companies and governments. That includes:
    • A preference for aggregated data. Individually identifiable information should not be used when less intrusive measures will suffice. If aggregated data will not do, industry best practices in anonymization and de-identification must be applied.
    • Minimizing collection, use, and sharing. When identifiable information is necessary, data processing should be limited when possible.
    • Purpose limitations. Data collected or used for the coronavirus response should not be used for secondary purposes. For corporate actors, this means advertising for commercial purposes or unrelated product development. For government actors, that means any function not directly related to their public health functions.
    • Deletion. Data should be deleted when it is no longer necessary for responding to the coronavirus epidemic or conducting public health research, especially if it is personally identifiable.
  • Build services that serve all populations: Newly released data is confirming that minorities are contracting the coronavirus at a higher rate and are more likely to die from it.58 There are also legitimate questions about how actionable mobility tracking data is for rural, poor, and working class communities that must travel for work or to secure food and medical care. As technology seeks to find solutions to the coronavirus, it is crucial that it does so in a way that serves all demographics and does not exacerbate existing inequalities.
  • Empower individuals when possible: Epidemic response may not always allow for individualized opt-ins or opt-outs of data collection and use. To the extent possible, participation in data based programs should be voluntary and individuals should maintain traditional rights to control one’s data.
  • Be transparent to build trust: People will hesitate to participate in programs that involve their personal information but that are not transparent in how that information will be used. Companies that provide data, or inferences from data, and the governmental entities that use such information, must be transparent to users and residents about how data will be used.
  • Be especially rigorous when considering government action: A coordinated government response is necessary for successfully fighting the coronavirus epidemic, but the United States has an important tradition of recognizing that the powers of the state pose unique threats to privacy and liberty.