FCC Denies Trump Administration’s Request To Block Ligado

The FCC denies the NTIA petition, but language in the FY 2021 NDAA all but pauses the project.

Earlier this month, the Trump Administration’s Federal Communications Commission (FCC) denied the petition to stay submitted by the National Telecommunications and Information Administration (NTIA) to stop the FCC’s April 2020 decision to let Ligado proceed with “a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz portions of its license in the mobile satellite services (MSS) L-band allocation.”

Ligado and its predecessor have been trying to obtain authorization from the FCC in one form or another for the last 15 years. When the company was finally given the green light last spring, other agencies renewed and their objections even though the had been part of the inter-agency consideration process. Moreover, there were Members of Congress who urged the FCC to rescind the authorization. The objections arose from claims that Ligado’s operation would impair key national security and civilian Global Positioning System (GPS) systems. And, on the basis of these concerns, there is language in a recently enacted law that will function to block the FCC and Ligado from proceeding until an independent report is completed.

However, this issue now becomes the responsibility of the Biden Administration. It is not known how the NTIA will proceed, and they conceivably could appeal the FCC’s decision in federal court. Moreover, the caretaker officials at the agency may do just this in order to preserve the option for the Biden Administration officials. Certainly, Members of Congress interested in stopping the FCC and Ligado have been in contact with the Biden team and will seek to draft them into their cause.

The FCC summarized its decision:

We find that the extraordinary equitable relief of a stay is not warranted.  First, NTIA itself argues that the harmful interference issue it raises will not likely arise until after Ligado deploys its network.  Such deployment will not occur for some time and not before the Commission has an opportunity to rule on the Petition for Reconsideration and to reach a determination as to whether NTIA’s claims justify barring this deployment or otherwise modifying its underlying order.  Thus, there is no need to issue a stay at this time to prevent any irreparable harm that NTIA claims will occur.  Second, based on the record, we conclude that NTIA is unlikely to succeed on the merits.  Its claim is based primarily on an argument that the Order departed from the Commission’s established approach to evaluating harmful interference concerns, a claim belied by the words of the Order itself.  To the extent NTIA contends that the Commission should use the specific 1 dB metric and approach specifically advocated by DOT and others, the Commission addressed that contention in detail in the Order.  To the extent NTIA in its Stay Petition is seeking to support its request for a stay based on providing new data or additional testing that NTIA had not previously provided in the record of this proceeding, this argument is unlikely to succeed on the merits based on its untimeliness.  Finally, the balance of the equities favors denial of a stay, in light of the tangible harm to Ligado from a stay and the public interest in finally bringing its terrestrial service to market. 

In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including GPS, are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Then Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DOD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable,  opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

Also in April, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

In early May 2020, the NTIA, a component agency of the Department of Commerce, filed two petitions with the FCC) asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argue the order would allow Ligado to set up a system that would interfere with the Department of Defense’s (DOD) GPS and civilian federal agency applications of GPS as well.

The NTIA stated in its press release that it “petitioned the FCC to reconsider its Order and Authorization that conditionally granted license modification applications filed by Ligado Networks LLC…[that] permits Ligado to provide terrestrial wireless services that threaten to harm federal government users of the Global Positioning System (GPS) along with a variety of other public and private stakeholders.”

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of Department of Defense (DOD) and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

NTIA made the following arguments in its petition:

  • The Ligado Order failed to adequately consider and give appropriate weight to important and valid executive branch concerns about harmful interference to GPS.
  • None of Ligado’s latest mitigation proposals, nor the conditions based on them, have been tested or evaluated by any independent party…[and] [a] more scientific way of resolving these technical disputes could be accomplished through further joint FCC-executive branch or independent testing based on Ligado’s actual network and base station parameters.
  • The license conditions imposed on Ligado will not adequately mitigate the risk of harmful interference to federal GPS devices, will shift the burden of fixing such interference to federal users, and are otherwise impractical for addressing actual impacts to national security systems. In light of the large number of federal GPS devices that potentially would be impacted by Ligado’s network, the FCC conditions, even if modified, will be a high-cost, time consuming effort for Ligado and federal agencies. As written, the condition requiring the repair or replacement of government receivers, is impractical, infeasible, and potentially illegal.

In June, Ligado filed its response to the NTIAs petitions to stay and have the FCC reconsider its order allowing the company to move forward with its satellite-terrestrial wireless network. The company argued the NTIA’s petitions rehash the same arguments heard and rejected by the FCC over the course of the nearly decade long proceeding, do not argue that an injury has occurred because Ligado is not yet operating, and is contrary to the public interest by delaying the rollout of 5G.

Ligado argued

  • First, NTIA is unlikely to prevail on the merits of its Petition for Reconsideration. The 72-page Order was the culmination of the Commission’s “extensive review of the record” generated during a comprehensive, multi-year proceeding, in which NTIA actively participated. In light of the ample notice and opportunity to comment that the Commission provided NTIA, its complaints regarding process are meritless and not a basis for reconsidering the Order. NTIA’s substantive arguments, which merely reiterate arguments that the Commission has already meticulously considered and rejected regarding alleged harmful interference with GPS devices, fare no better.
  • Second,  NTIA  effectively  concedes  that  it  will  suffer  no  imminent  irreparable  injury—meaning  “proof”  of  irreparable  injury  that  “is  certain  to  occur  in  the  near  future.” NTIA admits  that Ligado’s system will not become operational for a period as long as eighteen months. Putting aside  that  NTIA’s  alleged  injuries  are  contrary  to  the  extensive  record,  even  on  NTIA’s  own  theory those injuries would only occur after Ligado’s network commences operations, and so by definition  those  purported  injuries  are  not  “certain  to  occur  in  the  near  future.”
  • Third and finally, issuance of a stay would harm both Ligado and the public interest. A stay would needlessly hamper Ligado’s ability to make progress on important preliminary work items that are necessary to deploy the spectrum for 5G and have long lead times. Moreover, the Commission has explained that Ligado’s network will provide extensive benefits to the public, by unlocking the benefits of advanced communications technologies for customers and businesses, including 5G. A stay would thus unnecessarily delay the “significant public interest benefits associated with Ligado’s proposed ATC network and deployment.”

As mentioned, a recently enacted law will effectively block Ligado. There are provisions in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) barring the DOD to use funds to assist companies in mitigating any harmful interference from the operation of Ligado. Moreover, the DOD must contract for a study on any negative effects:

[The DOD] shall seek to enter into an agreement with the National Academies of Sciences, Engineering, and Medicine for the National Academies… carry out an independent technical review of the Order and Authorization adopted by the Federal Communications Commission on April 19, 2020 (FCC 20-48), to the extent that such Order and Authorization affects the devices, operations, or activities of the Department of Defense.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by AR on Unsplash

FY 2021 Omnibus and COVID Stimulus Become Law

The end-of-the-year funding package for FY 2021 is stuffed with technology policy changes.

At the tail end of the calendar year 2020, Congress and the White House finally agreed on FY 2021 appropriations and further COVID-19 relief funding and policies, much of which implicated or involved technology policy. As is often the practice, Congressional stakeholders used the opportunity of must-pass legislation as the vehicle for other legislation that perhaps could not get through a chamber of Congress or surmount the now customary filibuster in the Senate.

Congress cleared the “Consolidated Appropriations Act, 2021” (H.R.133) on 21 December 2020, but President Donald Trump equivocated on whether to sign the package, in part, because it did not provide for $2,000 in aid to every American, a new demand at odds with the one his negotiators worked out with House Democrats and Senate Republicans. Given this disparity, it seems more likely Trump made an issue of the $2,000 assistance to draw attention from a spate of controversial pardons issued to Trump allies and friends. Nonetheless, Trump ultimately signed the package on 27 December.

As one of the only bills or set of bills to annually pass Congress, appropriations acts are often the means by which policy and programmatic changes are made at federal agencies through the ability of the legislative branch to condition the use of such funds as are provided. This year’s package is different only in that it contains much more in the way of ride-along legislation than the average omnibus. In fact, there are hundreds, perhaps even more than 1,000 pages of non-appropriations legislation, some that pertains to technology policy. Moreover, with an additional supplemental bill attached to the FY 2021 omnibus also carries significant technology funding and programming.

First, we will review FY 2021 funding and policy for key U.S. agencies, then discuss COVID-19 related legislation, and then finally all the additional legislation Congress packed into the omnibus.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) would receive $2.025 billion, a bare $9 million increase above FY 2020 with significant reordering of how the agency may spend its funds:

  • The agreement includes a net increase of $224,178,000 above the budget request. This includes $226,256,000 above the request to maintain current services, and $54,516,000 in enhancements that are described in more detail below. Assumed in the current services level of funding are several rejections of proposed reductions to prior year initiatives and the inclusion of necessary annualizations to sustain them, such as: $35,606,000 for threat analysis and response; $5,507,000 for soft targets and crowded places security, including school safety and best practices; $6,852,000 for bombing prevention activities, including the train-the-trainer programs; and $67,371,000 to fully fund the Chemical Facility Anti-Terrorism Standards program. The agreement includes the following reductions below the budget request: $6,937,000 for personnel cost adjustments; $2,500,000 of proposed increases to the CyberSentry program; $11,354,000 of proposed increases for the Vulnerability Management program; $2,000,000 of proposed increases to the Cybersecurity Quality Service Management Office (QSMO); $6,500,000 of proposed increases for cybersecurity advisors; and $27,303,000 for the requested increase for protective security advisors. Of the total amount provided for this account, $22,793,000 is available until September 30, 2022, for the National Infrastructure Simulation Analysis Center.

The FY 2021 omnibus requires of CISA the following:

  • Financial Transparency and Accountability.-The Cybersecurity and Infrastructure Security Agency (CISA) is directed to submit the fiscal year 2022 budget request at the same level of PP A detail provided in the table at the end of this report with no further adjustments to the PP A structure. Further, CISA shall brief the Committees not later than 45 days after the date of enactment of this Act and quarterly thereafter on: a spend plan; detailed hiring plans with a delineation of each mission critical occupation (MCO); procurement plans for all major investments to include projected spending and program schedules and milestones; and an execution strategy for each major initiative. The hiring plan shall include an update on CISA’s hiring strategy efforts and shall include the following for each MCO: the number of funded positions and FTE within each PP A; the projected and obligated funding; the number of actual onboard personnel as of the date of the plan; and the hiring and attrition projections for the fiscal year.
  • Cyber Defense Education and Training (CDET).-The agreement includes $29,457,000 for CISA’s CDET programs, an increase of$20,607,000 above the request that is described in further detail below. Efforts are underway to address the shortage of qualified national cybersecurity professionals in the current and future cybersecurity workforce. In order to move forward with a comprehensive plan for a cybersecurity workforce development effort, the agreement includes $10,000,000 above the request to enhance cybersecurity education and training and programs to address the national shortfall of cybersecurity professionals, including activities funded through the use of grants or cooperative agreements as needed in order to fully comply with congressional intent. CISA should consider building a higher education consortium of colleges and universities, led by at least one academic institution with an extensive history of education, research, policy, and outreach in computer science and engineering disciplines; existing designations as a land-grant institution with an extension role; a center of academic excellence in cyber security operations; a proven track record in hosting cyber corps programs; a record of distinction in research cybersecurity; and extensive experience in offering distance education programs and outreach with K-12 programs. The agreement also includes $4,300,000 above the request for the Cybersecurity Education and Training Assistance Program (CETAP), which was proposed for elimination, and $2,500,000 above the request to further expand and initiate cybersecurity education programs, including CETAP, which improve education delivery methods for K-12 students, teachers, counselors and post-secondary institutions and encourage students to pursue cybersecurity careers.
  • Further, the agreement includes $2,500,000 above the request to support CISA’s role with the National Institute of Standards and Technology, National Initiative for Cybersecurity Education Challenge project or for similar efforts to address shortages in the cybersecurity workforce through the development of content and curriculum for colleges, universities, and other higher education institutions.
  • Lastly, the agreement includes $800,000 above the request for a review of CISA’s program to build a national cybersecurity workforce. CISA is directed to enter into a contract for this review with the National Academy of Public Administration, or a similar non-profit organization, within 45 days of the date of enactment of this Act. The review shall assess: whether the partnership models under development by CISA are positioned to be effective and scalable to address current and anticipated needs for a highly capable cybersecurity workforce; whether other existing partnership models, including those used by other agencies and private industry, could usefully augment CISA’s strategy; and the extent to which CISA’s strategy has made progress on workforce development objectives, including excellence, scale, and diversity. A report with the findings of the review shall be provided to the Committees not later than 270 days after the date of enactment of this Act.
  • Cyber QSMO.-To help improve efforts to make strategic cybersecurity services available to federal agencies, the agreement provides $1,514,000 above the request to sustain and enhance prior year investments. As directed in the House report and within the funds provided, CISA is directed to work with the Management Directorate to conduct a crowd-sourced security testing program that uses technology platforms and ethical security researchers to test for vulnerabilities on departmental systems. In addition, not later than 90 days after the date of enactment of this Act, CISA is directed to brief the Committees on opportunities for state and local governments to leverage shared services provided through the Cyber QSMO or a similar capability and to explore the feasibility of executing a pilot program focused on this goal.
  • Cyber Threats to Critical Election Infrastructure.-The briefing required in House Report 116–458 regarding CISA’s efforts related to the 2020 elections shall be delivered not later than 60 days after the date of enactment of this Act. CISA is directed to continue working with SL TT stakeholders to implement election security measures.
  • Cybersecurity Worliforce.-By not later than September 30, 2021, CISA shall provide a joint briefing, in conjunction with the Department of Commerce and other appropriate federal departments and agencies, on progress made to date on each recommendation put forth in Executive Order 13800 and the subsequent “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce” report.
  • Hunt and Incident Response Teams.-The agreement includes an increase of $3,000,000 above fiscal year 2020 funding levels to expand CISA’s threat hunting capabilities.
  • Joint Cyber Planning Office (JCPO).-The agreement provides an increase of $10,568,000 above the request to establish a JCPO to bring together federal and SLTT governments, industry, and international partners to strategically and operationally counter nation-state cyber threats. CISA is directed to brief the Committees not later than 60 days after the date of enactment of this Act on a plan for establishing the JCPO, including a budget and hiring plan; a description of how JCPO will complement and leverage other CISA capabilities; and a strategy for partnering with the aforementioned stakeholders.
  • Multi-State Information Sharing and Analysis Center (MS-ISAC).-The agreement provides $5,148,000 above the request for the MS-ISAC to continue enhancements to SLTT election security support, and furthers ransomware detection and response capabilities, including endpoint detection and response, threat intelligence platform integration, and malicious domain activity blocking.
  • Software Assurance Tools.-Not later than 90 days after the date of enactment of this Act, CISA, in conjunction with the Science and Technology Directorate, is directed to brief the Committees on their collaborative efforts to transition cyber-related research and development initiatives into operational tools that can be used to provide continuous software assurance. The briefing should include an explanation for any completed projects and activities that were not considered viable for practice or were considered operationally self-sufficient. Such briefing shall include software assurance projects, such as the Software Assurance Marketplace.
  • Updated Lifecycle Cost Estimates.–CISA is directed to provide a briefing, not later than 60 days after the date of enactment of this Act, regarding the Continuous Diagnostics and Mitigation (COM) and National Cybersecurity Protection System (NCPS) program lifecycles. The briefing shall clearly describe the projected evolution of both programs by detailing the assumptions that have changed since the last approved program cost and schedule baseline, and by describing the plans to address such changes. In addition, the briefing shall include an analysis of alternatives for aligning vulnerability management, incident response, and NCPS capabilities. Finally, CISA is directed to provide a report not later than 120 days after the date of enactment of this Act with updated five-year program costs and schedules which is congruent with projected capability gaps across federal civilian systems and networks.
  • Vulnerability Management.-The agreement provides $9,452,000 above fiscal year 2020 levels to continue reducing the 12-month backlog in vulnerability assessments. The agreement also provides an increase of $8,000,000 above the request to address the increasing number of identified and reported vulnerabilities in the software and hardware that operates critical infrastructure. This investment will improve capabilities to identify, analyze, and share information about known vulnerabilities and common attack patterns, including through the National Vulnerability Database, and to expand the coordinated responsible disclosure of vulnerabilities.

There are a pair of provisions aimed at the People’s Republic of China (PRC) in Division B (i.e. the FY 2021 Commerce-Justice-Science Appropriations Act):

  • Section 514 prohibits funds for acquisition of certain information systems unless the acquiring department or agency has reviewed and assessed certain risks. Any acquisition of such an information system is contingent upon the development of a risk mitigation strategy and a determination that the acquisition is in the national interest. Each department or agency covered under section 514 shall submit a quarterly report to the Committees on Appropriations describing reviews and assessments of risk made pursuant to this section and any associated findings or determinations.
  • Section 526 prohibits the use of funds by National Aeronautics and Space Administration (NASA), Office of Science and Technology Policy (OSTP), or the National Space Council (NSC) to engage in bilateral activities with China or a Chinese-owned company or effectuate the hosting of official Chinese visitors at certain facilities unless the activities are authorized by subsequent legislation or NASA, OSTP, or NSC have made a certification…

The National Institute of Standards and Technology (NIST) is asked with a number of duties, most of which relate to current or ongoing efforts in artificial intelligence (AI), cybersecurity, and the Internet of Things:

  • Artificial Intelligence (Al). -The agreement includes no less than $6,500,000 above the fiscal year 2020 level to continue NIST’s research efforts related to AI and adopts House language on Data Characterization Standards in Al. House language on Framework for Managing AI Risks is modified to direct NIST to establish a multi-stakeholder process for the development of an Al Risk Management Framework regarding the reliability, robustness, and trustworthiness of Al systems. Further, within 180 days of enactment of this Act, NIST shall establish the process by which it will engage with stakeholders throughout the multi-year framework development process.
  • Cybersecurity.-The agreement includes no less than the fiscal year 2020 enacted level for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence (NCCoE) and the National Initiative for Cybersecurity Education (NICE). Within the funds provided, the agreement encourages NIST to establish additional NICE cooperative agreements with regional alliances and multi-stakeholder partnerships for cybersecurity workforce and education.
  • Cybersecurity of Genomic Data.-The agreement includes no less than $1,250,000 for NIST and NCCoE to initiate a use case, in collaboration with industry and academia, to research the cybersecurity of personally identifiable genomic data, with a particular focus on better securing deoxyribonucleic acid sequencing techniques, including clustered regularly interspaced short palindromic repeat (CRISPR) technologies, and genomic data storage architectures from cyber threats. NIST and NCCoE should look to partner with entities who have existing capability to research and develop state-of-the-art cybersecurity technologies for the unique needs of genomic and biomedical-based systems.
  • Industrial Internet of Things (IIoT).-The agreement includes no less than the fiscal year 2020 enacted amount for the continued development of an IloT cybersecurity research initiative and to partner, as appropriate, with academic entities and industry to improve the sustainable security of IloT devices in industrial settings.

NIST would receive a modest increase in funding from $1.034 billion to $1.0345 billion from the last fiscal year to the next.

The National Telecommunications and Information Administration (NTIA) would be provided $45.5 million and “the agreement provides (1) up to $7,500,000 for broadband mapping in coordination with the Federal Communications Commission (FCC); (2) no less than the fiscal year 2020 enacted amount for Broadband Programs; (3) $308,000 for Public Safety Communications; and (4) no less than $3,000,000 above the fiscal year 2020 enacted level for Advanced Communications Research.” The agency’s funding for FY 2021 is higher than the last fiscal year at a bit more than $40 million but far less than the Trump Administration’s request of more than $70 million.

Regarding NTIA programmatic language, the bill provides:

  • Further, the agreement directs the additional funds for Advanced Communications Research be used to procure and maintain cutting-edge equipment for research and testing of the next generation of communications technologies, including 5G, as well as to hire staff as needed. The agreement further encourages NTIA to improve the deployment of 5G and spectrum sharing through academic partnerships to accelerate the development of low-cost sensors. For fiscal year 2021, NTIA is directed to follow prior year report language, included in Senate Report 116-127 and adopted in Public Law 116-93, on the following topics: Federal Spectrum Management, Spectrum Management for Science, and the Internet Corporation for Assigned Names and Numbers (ICANN).
  • Spectrum Management System.-The agreement encourages NTIA and the Department to consider alternative proposals to fully fund the needed upgrades to its spectrum management system, including options outside of direct appropriations, and is directed to brief the Committees regarding possible alternative options no later than 90 days after enactment of this Act.
  • Next Generation Broadband in Rural Areas.-NTIA is encouraged to ensure that deployment of last-mile broadband infrastructure is targeted to areas that are currently unserved or underserved, and to utilize public-private partnerships and projects where Federal funding will not exceed 50 percent of a project’s total cost where practicable.
  • National Broadband Map Augmentation.-NTIA is directed to engage with rural and Tribal communities to further enhance the accuracy of the national broadband availability map. NTIA should include in its fiscal year 2022 budget request an update on rural-and Tribal-related broadband availability and access trends, challenges, and Federal actions to achieve equitable access to broadband services in currently underserved communities throughout the Nation. Furthermore, NTIA is encouraged, in coordination with the FCC, to develop and promulgate a standardized process for collecting data from State and local partners.
  • Domain Name Registration.-NTIA is directed, through its position within the Governmental Advisory Committee to work with ICANN to expedite the establishment of a global access model that provides law enforcement, intellectual property rights holders, and third parties with timely access to accurate domain name registration information for legitimate purposes. NTIA is encouraged, as appropriate, to require registrars and registries based in the United States to collect and make public accurate domain name registration information.

The Federal Trade Commission (FTC) would receive $351 million, an increase of $20 million over FY 2020. The final bill includes this policy provision for the FTC to heed:

  • Resources for Data Privacy and Security. -The agreement urges the FTC to conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees within 180 days of enactment of this Act.

The Federal Communications Commission (FCC) would see a larger increase in funding for agency operations than the FTC, going from $339 million in FY 2020 to $374 million in FY 2021. However, $33 million of the increase is earmarked for implementing the “Broadband DATA Act” (P.L.116-130) along with the $65 million in COVID-19 supplemental funding for the same purpose. The FY 2021 omnibus directs the FCC on a range of policy issues:

  • Broadband Maps.-In addition to adopting the House report language on Broadband Maps, the agreement provides substantial dedicated resources for the FCC to implement the Broadband DATA Act. The FCC is directed to submit a report to the Committees on Appropriations within 90 days of enactment of this Act providing a detailed spending plan for these resources. In addition, the FCC, in coordination with the NTIA, shall outline the specific roles and responsibilities of each agency as it relates to the National Broadband Map and implementation of the Broadband DATA Act. The FCC is directed to report in writing to the Committees every 30 days on the date, amount, and purpose of any new obligation made for broadband mapping and any updates to the broadband mapping spending plan.
  • Lifeline Service. In lieu of the House report language on Lifeline Service, the agreement notes recent action by the FCC to partially waive its rules updating the Lifeline program’s minimum service standard for mobile broadband usage in light of the large increase to the standard that would have gone into effect on Dec. I, 2020, and the increased reliance by Americans on mobile broadband as a result of the pandemic. The FCC is urged to continue to balance the Lifeline program’s goals of accessibility and affordability.
  • 5G Fund and Rural America.-The agreement remains concerned about the feasible deployment of 5G in rural America. Rural locations will likely run into geographic barriers and infrastructure issues preventing the robust deployment of 5G technology, just as they have faced with 4G. The FCC’s proposed 5G Fund fails to provide adequate details or a targeted spend plan on creating seamless coverage in the most rural parts of the Nation. Given these concerns, the FCC is directed to report in writing on: (1) its current and future plans fix prioritizing deployment of 4G coverage in rural areas, (2) its plans for 5G deployment in rural areas, and (3) its plan for improving the mapping and long-term tracking of coverage in rural areas.
  • 6 Gigahertz. -As the FCC has authorized unlicensed use of the 6 gigahertz band, the agreement expects the Commission to ensure its plan does not result in harmful interference to incumbent users or impact critical infrastructure communications systems. The agreement is particularly concerned about the potential effects on the reliability of the electric transmission and distribution system. The agreement expects the FCC to ensure any mitigation technologies are rigorously tested and found to be effective in order to protect the electric transmission system. The FCC is directed to provide a report to the Committees within 90 days of enactment of this Act on its progress in ensuring rigorous testing related to unlicensed use of the 6 gigahertz band. Rural Broadband-The agreement remains concerned that far too many Americans living in rural and economically disadvantaged areas lack access to broadband at speeds necessary to fully participate in the Internet age. The agreement encourages the agency to prioritize projects in underserved areas, where the infrastructure to be installed provides access at download and upload speeds comparable to those available to Americans in urban areas. The agreement encourages the FCC to avoid efforts that could duplicate existing networks and to support deployment of last-mile broadband infrastructure to underserved areas. Further, the agreement encourages the agency to prioritize projects financed through public-private partnerships.
  • Contraband Cell Phones. -The agreement notes continued concern regarding the exploitation of contraband cell phones in prisons and jails nationwide. The agreement urges the FCC to act on the March 24, 2017 Further Notice of Proposed Rulemaking regarding combating contraband wireless devices. The FCC should consider all legally permissible options, including the creation, or use, of “quiet or no service zones,” geolocation-based denial, and beacon technologies to geographically appropriate correctional facilities. In addition, the agreement encourages the FCC to adopt a rules-based approach to cellphone disabling that would require immediate disabling by a wireless carrier upon proper identification of a contraband device. The agreement recommends that the FCC move forward with its suggestion in the Fiscal Year 2019 report to this Committee, noting that “additional field testing of jamming technology will provide a better understanding of the challenges and costs associated with the proper deployment of jamming system.” The agreement urges the FCC to use available funds to coordinate rigorous Federal testing of jamming technology and coordinate with all relevant stakeholders to effectively address this urgent problem.
  • Next-Generation Broadband Networks/or Rural America-Deployment of broadband and telecommunications services in rural areas is imperative to support economic growth and public safety. However, due to geographical challenges facing mobile connectivity and fiber providers, connectivity in certain areas remains challenging. Next generation satellite-based technology is being developed to deliver direct satellite to cellular capability. The FCC is encouraged to address potential regulatory hurdles, to promote private sector development and implementation of innovative, next generation networks such as this, and to accelerate broadband and telecommunications access to all Americans.

$635 million is provided for a Department of Agriculture rural development pilot program, and he Secretary will need to explain how he or she will use authority provided in the last farm bill to expand broadband:

  • The agreement provides $635,000,000 to support the ReConnect pilot program to increase access to broadband connectivity in unserved rural communities and directs the Department to target grants and loans to areas of the country with the largest broadband coverage gaps. These projects should utilize technology that will maximize coverage of broadband with the most benefit to taxpayers and the rural communities served. The agreement notes stakeholder concerns that the ReConnect pilot does not effectively recognize the unique challenges and opportunities that different technologies, including satellite, provide to delivering broadband in noncontiguous States or mountainous terrain and is concerned that providing preference to 100 mbps symmetrical service unfairly disadvantages these communities by limiting the deployment of other technologies capable of providing service to these areas.
  • The Agriculture Improvement Act of 2018 (Public Law 115-334) included new authorities for rural broadband programs that garnered broad stakeholder support as well as bipartisan, bicameral agreement in Congress. Therefore, the Secretary is directed to provide a report on how the Department plans to utilize these authorities to deploy broadband connectivity to rural communities.

In Division M of the package, the “Coronavirus Response and Relief Supplemental Appropriations Act, 2021,” there are provisions related to broadband policy and funding. The bill created a $3.2 billion program to help low-income Americans with internet service and buying devices for telework or distance education. The “Emergency Broadband Benefit Program” is established at the FCC, “under which eligible households may receive a discount of up to $50, or up to $75 on Tribal lands, off the cost of internet service and a subsidy for low-cost devices such as computers and tablets” according to a House Appropriations Committee summary. This funding is far short of what House Democrats wanted. And yet, this program aims to help those on the wrong side of the digital divide during the pandemic.

Moreover, this legislation also establishes two grant programs at the NTIA, designed to help provide broadband on tribal lands and in rural areas. $1 billion is provided for the former and $300 million for the latter with the funds going to tribal and state and local governments to obtain services from private sector providers. The $1 billion for tribal lands allows for greater flexibility in what the funds are ultimately spent on with the $320 million for underserved rural areas being restricted to broadband deployment. Again, these funds are aimed at bridging the disparity in broadband service exposed and exacerbated during the pandemic.

Congress also provided funds for the FCC to reimburse smaller telecommunications providers in removing and replacing risky telecommunications equipment from the People’s Republic of China (PRC). Following the enactment of the “Secure and Trusted Communications Networks Act of 2019” (P.L.116-124) that codified and added to a FCC regulatory effort to address the risks posed by Huawei and ZTE equipment in United States (U.S.) telecommunications networks, there was pressure in Congress to provide the funds necessary to help carriers meet the requirements of the program. The FY 2021 omnibus appropriates $1.9 billion for this program. In another but largely unrelated tranche of funding, the aforementioned $65 million given to the FCC to undertake the “Broadband DATA Act.”

Division Q contains text similar to the “Cybersecurity and Financial System Resilience Act of 2019” (H.R.4458) that would require “the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration to annually report on efforts to strengthen cybersecurity by the agencies, financial institutions they regulate, and third-party service providers.”

Division U contains two bills pertaining to technology policy:

  • Title I. The AI in Government Act of 2020. This title codifies the AI Center of Excellence within the General Services Administration to advise and promote the efforts of the federal government in developing innovative uses of artificial intelligence (AI) and competency in the use of AI in the federal government. The section also requires that the Office of Personnel Management identify key skills and competencies needed for federal positions related to AI and establish an occupational series for positions related to AI.
  • Title IX. The DOTGOV Act. This title transfers the authority to manage the .gov internet domain from the General Services Administration to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The .gov internet domain shall be available to any Federal, State, local, or territorial government entity, or other publicly controlled entity, subject to registration requirements established by the Director of CISA and approved by the Director of the Office of Management and Budget.

Division W is the FY 2021 Intelligence Authorization Act with the following salient provisions:

  • Section 323. Report on signals intelligence priorities and requirements. Section 323 requires the Director of National Intelligence (DNI) to submit a report detailing signals intelligence priorities and requirements subject to Presidential Policy Directive-28 (PPD-28) that stipulates “why, whether, when, and how the United States conducts signals intelligence activities.” PPD-28 reformed how the National Security Agency (NSA) and other Intelligence Community (IC) agencies conducted signals intelligence, specifically collection of cellphone and internet data, after former NSA contractor Edward Snowden exposed the scope of the agency’s programs.
  • Section 501. Requirements and authorities to improve education in science, technology, engineering, arts, and mathematics. Section 501 ensures that the Director of the Central Intelligence Agency (CIA) has the legal authorities required to improve the skills in science, technology, engineering, arts, and mathematics (known as STEAM) necessary to meet long-term national security needs. Section 502. Seedling investment in next-generation microelectronics in support of artificial intelligence. Section 502 requires the DNI, acting through the Director of the Intelligence Advanced Research Projects Activity, to award contracts or grants, or enter into other transactions, to encourage microelectronics research.
  • Section 601. Report on attempts by foreign adversaries to build telecommunications and cybersecurity equipment and services for, or to provide them to, certain U.S. Section 601 requires the CIA, NSA, and DIA to submit a joint report that describes the United States intelligence sharing and military posture in Five Eyes countries that currently have or intend to use adversary telecommunications or cybersecurity equipment, especially as provided by China or Russia, with a description of potential vulnerabilities of that information and assessment of mitigation options.
  • Section 602. Report on foreign use of cyber intrusion and surveillance technology. Section 602 requires the DNI to submit a report on the threats posed by foreign governments and foreign entities using and appropriating commercially available cyber intrusion and other surveillance technology.
  • Section 603. Reports on recommendations of the Cyberspace Solarium Commission. Section 603 requires the ODNI and representatives of other agencies to report to Congress their assessment of the recommendations submitted by the Cyberspace Solarium Commission pursuant to Section 1652(j) of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019, and to describe actions that each agency expects to take to implement these recommendations.
  • Section 604. Assessment of critical technology trends relating to artificial intelligence, microchips, and semiconductors and related matters. Section 604 requires the DNI to complete an assessment of export controls related to artificial intelligence (AI), microchips, advanced manufacturing equipment, and other AI-enabled technologies, including the identification of opportunities for further cooperation with international partners.
  • Section 605. Combating Chinese influence operations in the United States and strengthening civil liberties protections. Section 605 provides additional requirements to annual reports on Influence Operations and Campaigns in the United States by the Chinese Communist Party (CCP) by mandating an identification of influence operations by the CCP against the science and technology sector in the United States. Section 605 also requires the FBI to create a plan to increase public awareness of influence activities by the CCP. Finally, section 605 requires the FBI, in consultation with the Assistant Attorney General for the Civil Rights and the Chief Privacy and Civil Liberties Officer of the Department of Justice, to develop recommendations to strengthen relationships with communities targeted by the CCP and to build trust with such communities through local and regional grassroots outreach.
  • Section 606. Annual report on corrupt activities of senior officials of the CCP. Section 606 requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees annually through 2025 a report that describes and assesses the wealth and corruption of senior officials of the CCP, as well as targeted financial measures, including potential targets for sanctions designation. Section 606 further expresses the Sense of Congress that the United States should undertake every effort and pursue every opportunity to expose the corruption and illicit practices of senior officials of the CCP, including President Xi Jinping.
  • Section 607. Report on corrupt activities of Russian and other Eastern European oligarchs. Section 607 requires the CIA, in coordination with the Department of the Treasury’s Office of Intelligence and Analysis and the FBI, to submit to designated congressional committees and the Under Secretary of State for Public Diplomacy, a report that describes the corruption and corrupt or illegal activities among Russian and other Eastern European oligarchs who support the Russian government and Russian President Vladimir Putin, and the impact of those activities on the economy and citizens of Russia. Section 607 further requires the CIA, in coordination with the Department of Treasury’s Office of Intelligence and Analysis, to describe potential sanctions that could be imposed for such activities. Section 608. Report on biosecurity risk and disinformation by the CCP and the PRC. Section 608 requires the DNI to submit to the designated congressional committees a report identifying whether and how CCP officials and the Government of the People’s Republic of China may have sought to suppress or exploit for national advantage information regarding the novel coronavirus pandemic, including specific related assessments. Section 608 further provides that the report shall be submitted in unclassified form, but may have a classified annex.
  • Section 612. Research partnership on activities of People’s Republic of China. Section 612 requires the Director of the NGA to seek to enter into a partnership with an academic or non-profit research institution to carry out joint unclassified geospatial intelligence analyses of the activities of the People’s Republic of China that pose national security risks to the United States, and to make publicly available unclassified products relating to such analyses.

Division Z would tweak a data center energy efficiency and energy savings program overseen by the Secretary of Energy and the Administrator of the Environmental Protection Agency that could impact the Office of Management and Budget’s (OMB) government-wide program. Specifically, “Section 1003 requires the development of a metric for data center energy efficiency, and requires the Secretary of Energy, Administrator of the Environmental Protection Agency (EPA), and Director of the Office of Management and Budget (OMB) to maintain a data center energy practitioner program and open data initiative for federally owned and operated data center energy usage.” There is also language that would require the U.S. government to buy and use more energy-efficient information technology (IT): “each Federal agency shall coordinate with the Director [of OMB], the Secretary, and the Administrator of the Environmental Protection Agency to develop an implementation strategy (including best-practices and measurement and verification techniques) for the maintenance, purchase, and use by the Federal agency of energy-efficient and energy-saving information technologies at or for facilities owned and operated by the Federal agency, taking into consideration the performance goals.”

Division FF contains telecommunications provisions:

  • Section 902. Don’t Break Up the T-Band Act of 2020. Section 902 repeals the requirement for the FCC to reallocate and auction the 470 to 512megahertz band, commonly referred to as the T-band. In certain urban areas, the T-band is utilized by public-safety entities. It also directs the FCC to implement rules to clarify acceptable expenditures on which 9-1- 1 fees can be spent, and creates a strike force to consider how the Federal Government can end 9-1-1 fee diversion.
  • Section 903. Advancing Critical Connectivity Expands Service, Small Business Resources, Opportunities, Access, and Data Based on Assessed Need and Demand (ACCESS BROADBAND) Act. Section 903 establishes the Office of Internet Connectivity and Growth (Office) at the NTIA. This Office would be tasked with performing certain responsibilities related to broadband access, adoption, and deployment, such as performing public outreach to promote access and adoption of high-speed broadband service, and streamlining and standardizing the process for applying for Federal broadband support. The Office would also track Federal broadband support funds, and coordinate Federal broadband support programs within the Executive Branch and with the FCC to ensure unserved Americans have access to connectivity and to prevent duplication of broadband deployment programs.
  • Section 904. Broadband Interagency Coordination Act. Section 904 requires the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and the Department of Agriculture to enter into an interagency agreement to coordinate the distribution of federal funds for broadband programs, to prevent duplication of support and ensure stewardship of taxpayer dollars. The agreement must cover, among other things, the exchange of information about project areas funded under the programs and the confidentiality of such information. The FCC is required to publish and collect public comments about the agreement, including regarding its efficacy and suggested modifications.
  • Section 905. Beat CHINA for 5G Act of 2020. Section 905 directs the President, acting through the Assistant Secretary of Commerce for Communications and Information, to withdraw or modify federal spectrum assignments in the 3450 to 3550 megahertz band, and directs the FCC to begin a system of competitive bidding to permit non-Federal, flexible-use services in a portion or all of such band no later than December 31, 2021.

Section 905 would countermand the White House’s efforts to auction off an ideal part of spectrum for 5G (see here for analysis of the August 2020 announcement). Congressional and a number of Trump Administration stakeholders were alarmed by what they saw as a push to bestow a windfall on a private sector company in the rollout of 5G.

Title XIV of Division FF would allow the FTC to seek civil fines of more than $43,000 per violation during the duration of the public health emergency arising from the pandemic “for unfair and deceptive practices associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19 or a government benefit related to COVID-19.”

Finally, Division FF is the vehicle for the “American COMPETES Act” that:

directs the Department of Commerce and the FTC to conduct studies and submit reports on technologies including artificial intelligence, the Internet of Things, quantum computing, blockchain, advanced materials, unmanned delivery services, and 3-D printing. The studies include requirements to survey each industry and report recommendations to help grow the economy and safely implement the technology.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by forcal35 from Pixabay

Further Reading, Other Developments, and Coming Events (10 December)

Further Reading

  • Social media superspreaders: Why Instagram, not Facebook, will be the real battleground for COVID-19 vaccine misinformation” By Isobel Asher Hamilton — Business Insider. According to one group, COVID-19 anti-vaccination lies and misinformation are proliferating on Instagram despite its parent company’s, Facebook, efforts to find and remove such content. There has been dramatic growth in such content on Instagram, and Facebook seems to be applying COVID-19 standards more loosely on Instagram. In fact, some people kicked off of Facebook for violating that platform’s standards on COVID-19 are still on Instagram spreading the same lies, misinformation, and disinformation. For example, British anti-vaccination figure David Icke was removed from Facebook for making claims that COVID-19 was caused by or related to 5G, but he has a significant following on Instagram.
  • ‘Grey area’: China’s trolling drives home reality of social media war” By Chris Zappone — The Sydney Morning Herald. The same concept that is fueling aggressive cyber activity at a level below outright war has spread to diplomacy. The People’s Republic of China (PRC) has been waging “gray” social media campaigns against a number of Western nations, including Australia, mainly be propagating lies and misinformation. The most recent example is the spreading a fake photo of an Australian soldier appearing to kill an Afghan child. This false material seems designed to distract from the real issues between the two nations arising from clashing policies on trade and human rights. The PRC’s activities do not appear to violate Australia’s foreign interference laws and seem to have left Canberra at a loss as to how to respond effectively.
  • Facebook to start policing anti-Black hate speech more aggressively than anti-White comments, documents show” By Elizabeth Dwoskin, Nitasha Tiku and Heather Kelly — The Washington Post. Facebook will apparently seek to revamp its algorithms to target the types of hate speech that have traditionally targeted women and minority groups. Up until now all attacks were treated equally so that something like “white people suck” would be treated the same way as anti-Semitic content. Facebook has resisted changes for years even though experts and civil rights groups made the case that people of color, women, and LGBTI people endure far more abuse online. There is probably no connection between Facebook’s more aggressive content moderation policies and the advent of a new administration in Washington more receptive to claims that social media platforms allow the abuse of these people.
  • How Joe Biden’s Digital Team Tamed the MAGA Internet” By Kevin Roose — The New York Times. Take this piece with a block of salt. The why they won articles are almost always rife with fallacies, including the rationale that if a candidate won, his or her strategy must have worked. It is not clear that the Biden Campaign’s online messaging strategy of being nice and emphasizing positive values actually beat the Trump Campaign’s “Death Star” so much as the President’s mishandling of the pandemic response and cratering of the economy did him in.
  • Coronavirus Apps Show Promise but Prove a Tough Sell” By Jennifer Valentino-DeVries — The New York Times. It appears the intersection of concerns about private and public sector surveillance from two very different groups has worked to keep down rates of adopting smartphone COVID tracking apps in the United States. There are people wary of private sector practices to hoover up as much data as possible, and others concerned about the government’s surveillance activities. Consequently, many are shunning Google and Apple’s COVID contact tracing apps to the surprise of government, industry, and academia. A pair of studies show resistance to downloading or using such apps even if there are very strong privacy safeguards. This result may well be a foreseeable outcome from U.S. policies that have allowed companies and the security services to collect and use vast quantities of personal information.
  • UAE target of cyber attacks after Israel deal, official says” — Reuters. A top cybersecurity official in the United Arab Emirates claimed his nation’s financial services industries were targeted for cyber attack and implied Iran and affiliated hackers were responsible.

Other Developments

  • President-elect Joe Biden announced his intention to nominate California Attorney General Xavier Becerra to serve as the next Secretary of Health and Human Services (HHS). If confirmed by the Senate, California Governor Gavin Newsom would name Becerra’s successor who would need to continue enforcement of the “California Consumer Privacy Act” (CCPA) (AB 375) while also working towards the transition to the “California Privacy Rights Act” (Proposition 24) approved by California voters last month. The new statute establishes the California Privacy Protection Agency that will assume the Attorney General’s responsibilities regarding the enforcement of California’s privacy laws. However, Becerra’s successor may play a pivotal role in the transition between the two regulators and the creation of the new regulations needed to implement Proposition 24.
  • The Senate approved the nomination of Nathan Simington to be a Commissioner of the Federal Communications Commission (FCC) by a 49-46 vote. Once FCC Chair Ajit Pai steps down, the agency will be left with two Democratic and two Republican Commissioners, pending the Biden Administration’s nominee to fill Pai’s spot. If the Senate stays Republican, it is possible the calculation could be made that a deadlocked FCC is better than a Democratic agency that could revive net neutrality rules among other Democratic and progressive policies. Consequently, Simington’s confirmation may be the first step in a FCC unable to develop substantive policy.
  • Another federal court has broadened the injunction against the Trump Administration’s ban on TikTok to encompass the entirety of the Department of Commerce’s September order meant to stop the usage of the application in the United States (U.S.) It is unclear as to whether the Trump Administration will appeal, and if it should, whether a court would decide the case before the Biden Administration begins in mid-January. The United States Court for the District of Columbia found that TikTok “established that  the government likely exceeded IEEPA’s express limitations as part of an agency action that was arbitrary and capricious” and would likely suffer irreparable harm, making an injunction an appropriate remedy.
  • The United States’ National Security Agency (NSA) “released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector” and provided “mitigation and detection guidance.”
  • The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert, warning that U.S. think tanks are being targeted by “persistent continued cyber intrusions by advanced persistent threat (APT) actors.” The agencies stated “[t]his malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.” CISA and the FBI stated its “guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.” The agencies added:
    • APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.
    • Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.
  • A group of Democratic United States Senators have written the CEO of Alphabet and Google about its advertising policies and how its platforms may have been used to spread misinformation and contribute to voter suppression. Thus far, most of the scrutiny about the 2020 election and content moderation policy has fallen on Facebook and Twitter even though Google-owned YouTube has been flagged as containing the same amount of misinformation. Senators Amy Klobuchar (D-MN) and Mark Warner (D-VA) led the effort and expressed “serious concerns regarding recent reports that Google is profiting from the sale of ads spreading election-related disinformation” to Alphabet and Google CEO Sundar Pichai. Klobuchar, Warner, and their colleagues asserted:
    • Google is also helping organizations spreading election-related disinformation to raise revenue by placing ads on their websites. While Google has some policies in place to prevent the spread of election misinformation, they are not properly enforced and are inadequate. We urge you to immediately strengthen and improve enforcement of your policies on election-related disinformation and voter suppression, reject all ads spreading election-related disinformation, and stop providing advertising services on sites that spread election-related disinformation.
    • …a recent study by the Global Disinformation Index (GDI) found that Google services ads on 145 out of 200 websites GDI examined that publish disinformation. 
    • Similarly, a recent report from the Center for Countering Digital Hate (CCDH) found that Google has been placing ads on websites publishing disinformation designed to undermine elections. In examining just six websites publishing election-related disinformation, CCDH estimates that they receive 40 million visits a month, generating revenue for these sites of up to $3.4 million annually from displaying Google ads. In addition, Google receives $1.6 million from the advertisers’ payments annually.  These sites published stories ahead of the 2020 general election that contained disinformation alleging that voting by mail was not secure, that mail-in voting was being introduced to “steal the election,” and that election officials were “discarding mail ballots.” 
  • A bipartisan group of United States Senators on one committee are urging Congressional leadership to include funding to help telecommunications companies remove and replace Huawei and ZTE equipment and to aid the Federal Communications Commission (FCC) in drafting accurate maps of broadband service in the United States (U.S.). Senate Commerce, Science, and Transportation Committee Chair Roger Wicker (R-MS) and a number of his colleagues wrote the leadership of both the Senate and House and argued:
    • we urge you to provide full funding for Public Law 116-124, the Secure and Trusted Communications Networks Act, and Public Law 116-130, the Broadband DATA Act.   
    • Closing the digital divide and winning the race to 5G are critical to America’s economic prosperity and global leadership in technology. However, our ability to connect all Americans and provide access to next-generation technology will depend in large part on the security of our communications infrastructure. The Secure and Trusted Communications Networks Act (“rip and replace”) created a program to help small, rural telecommunications operators remove equipment posing a security threat to domestic networks and replace it with equipment from trusted providers. This is a national security imperative. Fully funding this program is essential to protecting the integrity of our communications infrastructure and the future viability of our digital economy at large.
    • In addition to safeguarding the security of the nation’s communications systems, developing accurate broadband maps is also critically important. The United States faces a persistent digital divide, and closing this divide requires accurate maps that show where broadband is available and where it is not. Current maps overstate broadband availability, which prevents many underserved communities, particularly in rural areas, from receiving the funds needed to build or expand broadband networks to millions of unconnected Americans. Fully funding the Broadband DATA Act will ensure more accurate broadband maps and better stewardship over the millions of dollars the federal government awards each year to support broadband deployment. Without these maps, the government risks overbuilding existing networks, duplicating funding already provided, and leaving communities unserved.  
  • The Government Accountability Office (GAO) released an assessment of 5G policy options that “discusses (1) how the performance goals and expected uses are to be realized in U.S. 5Gwireless networks; (2) the challenges that could affect the performance or usage of 5G wireless networks in the U.S.; and (3) policy options to address these challenges.” The report had been requested by the chairs and ranking members of the House Armed Services, Senate Armed Services, Senate Intelligence, and House Intelligence Committees along with other Members. The GAO stated “[w]hile 5G is expected to deliver significantly improved network performance and greater capabilities, challenges may hinder the performance or usage of 5G technologies in the U.S. We grouped the challenges into the following four categories:
    • availability and efficient use of spectrum
    • security of 5G networks
    • concerns over data privacy
    • concerns over possible health effects
    • The GAO presented the following policy options along with opportunities and considerations for each:
      • Spectrum-Sharing Technologies Opportunities:
        • Could allow for more efficient use of the limited spectrum available for 5G and future generations of wireless networks.
        • It may be possible to leverage existing5G testbeds for testing the spectrum sharing technologies developed through applied research.
      • Spectrum-Sharing Technologies Considerations:
        • Research and development is costly, must be coordinated and administered, and its potential benefits are uncertain. Identifying a funding source, setting up the funding mechanism, or determining which existing funding streams to reallocate will require detailed analysis.
      • Coordinated Cybersecurity Monitoring Opportunities:
        • A coordinated monitoring program would help ensure the entire wireless ecosystem stays knowledgeable about evolving threats, in close to real time; identify cybersecurity risks; and allow stakeholders to act rapidly in response to emerging threats or actual network attacks.
      • Coordinated Cybersecurity Monitoring Considerations:
        • Carriers may not be comfortable reporting incidents or vulnerabilities, and determinations would need to be made about what information is disclosed and how the information will be used and reported.
      • Cybersecurity Requirements Opportunities
        • Taking these steps could produce a more secure network. Without a baseline set of security requirements the implementation of network security practices is likely to be piecemeal and inconsistent.
        • Using existing protocols or best practices may decrease the time and cost of developing and implementing requirements.
      • Cybersecurity Requirements Considerations
        • Adopting network security requirements would be challenging, in part because defining and implementing the requirements would have to be done on an application-specific basis rather than as a one-size-fits-all approach.
        • Designing a system to certify network components would be costly and would require a centralized entity, be it industry-led or government-led.
      • Privacy Practices Considerations
        • Development and adoption of uniform privacy practices would benefit from existing privacy practices that have been implemented by states, other countries, or that have been developed by federal agencies or other organizations.
      • Privacy Practices Opportunities
        • Privacy practices come with costs, and policymakers would need to balance the need for privacy with the direct and indirect costs of implementing privacy requirements. Imposing requirements can be burdensome, especially for smaller entities.
      • High-band Research Opportunities
        • Could result in improved statistical modeling of antenna characteristics and more accurately representing propagation characteristics.
        • Could result in improved understanding of any possible health effects from long-term radio frequency exposure to high-band emissions.
      • High-band Research Considerations
        • Research and development is costly and must be coordinated and administered, and its potential benefits are uncertain. Policymakers will need to identify a funding source or determine which existing funding streams to reallocate.

Coming Events

  • The Senate Judiciary Committee will hold an executive session at which the “Online Content Policy Modernization Act” (S.4632), a bill to narrow the liability shield in 47 USC 230, may be marked up on 10 December.
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Tima Miroshnichenko from Pexels

Further Reading, Other Developments, and Coming Events (9 December)

Further Reading

  • Secret Amazon Reports Expose the Company’s Surveillance of Labor and Environmental Groups” By Lauren Kaori Gurley — Vice’s Motherboard. Yet another article by Vice drawing back the curtain on Amazon’s labor practices, especially its apparently fervent desire to stop unionizing. This piece shines light on the company’s Global Security Operations Center that tracks labor organizing and union activities among Amazon’s workers and monitors environmental and human rights on social media. The company has even hired Pinkerton operatives to surveil its warehouse employees. Although the focus is on Europe because the leaked emails on which the story is based pertain to activities on that continent, there is no reason to expect the same tactics are not being used elsewhere. Moreover, the company may be violating the much stricter laws in Europe protecting workers and union activities.
  • Cyber Command deployed personnel to Estonia to protect elections against Russian threat” By Shannon Vavra — cyberscoop.  It was recently revealed that personnel from the United States (U.S.) Cyber Command were deployed to Estonia to work with the latter country’s Defense Forces Cyber Command to fend off potential Russian attacks during the U.S. election. This follows another recent “hunt forward” mission for Cyber Command in Montenegro, another nation on the “frontline” of Russian hacking activities. Whether this has any effect beyond building trust and capacity between nations opposed to state-sponsored hacking and disinformation is unclear.
  • How China Is Buying Up the West’s High-Tech Sector” By Elizabeth Braw — Foreign Policy. This piece by a fellow at the ring wing American Enterprise Institute (AEI) makes the case that reviewing and potentially banning direct foreign investment by People’s Republic of China (PRC) in the United States (U.S.), European Union (EU), and European nations is probably not cutting off PRC access to cutting edge technology. PRC entities are investing directly or indirectly as limited partners in venture capital firms and are probably still gaining access to new technology. For example, an entity associated with the University of Cambridge is working with Huawei on a private 5G wireless network even though London is advancing legislation and policy to ban the PRC giant from United Kingdom (UK) networks. The author advocates for expanding the regulation of foreign investment to include limited partnerships and other structures that are apparently allowing the PRC to continue investing in and reaping the benefit of Western venture capital. There is hope, however, as a number of Western nations are starting government-funded venture capital firms to fund promising technology.
  • Twitter expands hate speech rules to include race, ethnicity” By Katie Paul — Reuters. The social media platform announced that it “further expanding our hateful conduct policy to prohibit language that dehumanizes people on the basis of race, ethnicity, or national origin.” A human rights group, the Color of Change, that was part of a coalition to pressure Twitter and other platforms called the change “essential concessions” but took issue with the timing, stating it would have had more impact had it been made before the election. A spokesperson added “[t]he jury is still out for a company with a spotty track record of policy implementation and enforcing its rules with far-right extremist users…[and] [v]oid of hard evidence the company will follow through, this announcement will fall into a growing category of too little, too late PR stunt offerings.”
  • White House drafts executive order that could restrict global cloud computing companies” By Steven Overly and Eric Geller — Politico. The Trump Administration may make another foray into trying to ban foreign companies from United States (U.S.) key critical infrastructure, and this time would reportedly bar U.S. cloud companies like Microsoft, Amazon, and others from partnering with foreign companies or entities that pose risk to the U.S. through the use of these U.S. systems to conduct cyber-attacks. This seems like another attempt to strike at the People’s Republic of China’s (PRC) technology firms. If issued, it remains to be seen how a Biden Administration would use or implement such a directive given that there is not enough time for the Trump government to see things through to end on such an order. In any event, one can be sure that tech giants have already begun pressing both the outgoing and incoming Administration against any such order and most likely Congress as well.

Other Developments

  • A bipartisan group of Senators and Representatives issued the framework for a $908 billion COVID-19 stimulus package that is reportedly the subject of serious in Congress. The framework details $10 billion for broadband without no detail on how these funds would be distributed.
  • The Australian Competition & Consumer Commission (ACCC) announced the signing of the Australian Product Safety Pledge, “a voluntary initiative that commits its signatories to a range of safety related responsibilities that go beyond what is legally required of them” in e-commerce. The ACCC stated “AliExpress, Amazon Australia, Catch.com.au and eBay Australia, who together account for a significant share of online sales in Australia, are the first businesses to sign the pledge, signifying their commitment to consumers’ safety through a range of commitments such as removing unsafe product listings within two days of being notified by the ACCC.” The pledge consists of 12 commitments:
    • Regularly consult the Product Safety Australia website and other relevant sources for information on recalled/unsafe products. Take appropriate action[1] on these products once they are identified.
    • Provide a dedicated contact point(s) for Australian regulatory authorities to notify and request take-downs of recalled/unsafe products.
    • Remove identified unsafe product listings within two business days of the dedicated contact point(s) receiving a take-down request from Australian regulatory authorities. Inform authorities on the action that has been taken and any relevant outcomes.
    • Cooperate with Australian regulatory authorities in identifying, as far as possible, the supply chain of unsafe products by responding to data/information requests within ten business days should relevant information not be publicly available.
    • Have an internal mechanism for processing data/information requests and take-downs of unsafe products.
    • Provide a clear pathway for consumers to notify the pledge signatory directly of unsafe product listings. Such notifications are treated according to the signatory’s processes and where responses to consumers are appropriate, they are given within five business days.
    • Implement measures to facilitate sellers’ compliance with Australian product safety laws. Share information with sellers on compliance training/guidance, including a link to the ACCC’s Selling online page on the Product Safety Australia website.
    • Cooperate with Australian regulatory authorities and sellers to inform consumers[2] about relevant recalls or corrective actions on unsafe products.
    • Set up processes aimed at preventing or restricting the sale of banned, non-compliant and recalled products as appropriate.
    • Put in place reasonable measures to act against repeat offenders selling unsafe products, including in cooperation with Australian regulatory authorities.
    • Take measures aimed at preventing the reappearance of unsafe product listings already removed.
    • Explore the potential use of new technologies and innovation to improve the detection and removal of unsafe products.
  • Senator Ron Wyden (D-OR) and Representative Lauren Underwood (D-IL) introduced “The Federal Cybersecurity Oversight Act” (S.4912) that would amend the “Federal Cybersecurity Enhancement Act of 2015” (P.L. 114-113) to restrict the use of exceptions to longstanding requirements that federal agencies use measures such as multi-factor authentication and encryption. Currently federal agencies exempt themselves on a number of grounds. Wyden and Underwood’s bill would tighten this process by making the exceptions good only for a year at a time and require the Office of Management and Budget (OMB) approve the execption. In a fact sheet, they claimed:
    • [T]he bill requires the Director of the Office of Management and Budget to approve all waivers, which can currently be self-issued by the head of the agency. To request a waiver, the agency head will have to certify that:
      • It would be excessively burdensome to implement the particular requirement;
      • The particular requirement is not necessary to secure the agency system and data; and
      • The agency has taken all necessary steps to secure the agency system and data.
  • The Government Accountability Office (GAO) looked at the United States (U.S.) longstanding efforts to buy common services and equipment in bulk known as Category Management. The GAO found progress but saw room for considerably more progress. GAO noted:
    • Since 2016, the Office of Management and Budget (OMB) has led efforts to improve how agencies buy these products and services through the category management initiative, which directs agencies across the government to buy more like a single enterprise. OMB has reported the federal government has saved $27.3 billion in 3 years through category management.
  • The GAO concluded:
    • The category management initiative has saved the federal government billions of dollars, and in some instances, enhanced agencies’ mission capabilities. However, the initiative has opportunities to accomplish much more. To date, OMB has focused primarily on contracting aspects of the initiative, and still has several opportunities to help agencies improve how they define their requirements for common products and services. OMB can take concrete steps to improve how agencies define these requirements through more robust guidance and training, changes to leadership delegations and cost savings reporting, and the development of additional metrics to measure implementation of the initiative.
    • Additionally, OMB can lead the development of a coordinated strategy that addresses government-wide data challenges hindering agencies’ efforts to assess their spending and identify prices paid for common products and services.
    • Finally, OMB can tailor additional training courses to provide more relevant information to agency personnel responsible for small business matters, and improve public reporting about the impact of category management on small businesses. In doing so, OMB can enhance the quality of the information provided to the small business community and policymakers. Through these efforts to further advance the category management initiative, OMB can help federal agencies accomplish their missions more effectively while also being better stewards of taxpayer dollars.
    • The GAO made the following recommendations:
      • The Director of the Office of Management and Budget should emphasize in its overarching category management guidance the importance of effectively defining requirements for common products and services when implementing the category management initiative. (Recommendation 1)
      • The Director of the Office of Management and Budget should work with the Category Management Leadership Council and the General Services Administration’s Category Management Program Management Office, and other appropriate offices, to develop additional tailored training for Senior Accountable Officials and agency personnel who manage requirements for common products and services. (Recommendation 2)
      • The Director of the Office of Management and Budget should account for agencies’ training needs, including training needs for personnel who define requirements for common products and services, when setting category management training goals. (Recommendation 3)
      • The Director of the Office of Management and Budget should ensure that designated Senior Accountable Officials have the authority necessary to hold personnel accountable for defining requirements for common products and services as well as contracting activities. (Recommendation 4)
      • The Director of the Office of Management and Budget should report cost savings from the category management initiative by agency. (Recommendation 5)
      • The Director of the Office of Management and Budget should work with the Category Management Leadership Council and the Performance Improvement Council to establish additional performance metrics for the category management initiative that are related to agency requirements. (Recommendation 6)
      • The Director of the Office of Management and Budget should, in coordination with the Category Management Leadership Council and the Chief Data Officer Council, establish a strategic plan to coordinate agencies’ responses to government-wide data challenges hindering implementation of the category management initiative, including challenges involving prices-paid and spending data. (Recommendation 7)
      • The Director of the Office of Management and Budget should work with the General Services Administration’s Category Management Program Management Office and other organizations, as appropriate, to develop additional tailored training for Office of Small Disadvantaged Business Utilization personnel that emphasizes information about small business opportunities under the category management initiative. (Recommendation 8)
      • The Director of the Office of Management and Budget should update its methodology for calculating potentially duplicative contract reductions to strengthen the linkage between category management actions and the number of contracts eliminated. (Recommendation 9)
      • The Director of the Office of Management and Budget should identify the time frames covered by underlying data when reporting on how duplicative contract reductions have impacted small businesses. (Recommendation 10)
  • The chair and ranking member of the House Commerce Committee are calling on the Federal Communications Commission (FCC) to take preparatory steps before Congress provides funding to telecommunications providers to remove and replace Huawei and ZTE equipment. House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) and Ranking Member Greg Walden (R-OR) noted the “Secure and Trusted Communications Networks Act” (P.L. 116-124):
    • provides the Federal Communications Commission (FCC) with several new authorities to secure our communications supply chain, including the establishment and administration of the Secure and Trusted Communications Networks Reimbursement Program (Program). Through this Program, small communications providers may seek reimbursement for the cost of removing and replacing suspect network equipment. This funding is critical because some small and rural communications providers would not otherwise be able to afford these upgrades. Among the responsibilities entrusted to the FCC to carry out the Program is the development of a list of suggested replacements for suspect equipment, including physical and virtual communications equipment, application and management software, and services.
    • Pallone and Walden conceded that Congress has not yet provided funds but asked the FCC to take some steps:
      • First, the FCC should develop and release the list of eligible replacement equipment, software, and services as soon as possible. Second, the agency should reassure companies that they will not jeopardize their eligibility for reimbursement under the Program just because replacement equipment purchases were made before the Program is funded, assuming other eligibility criteria are met.
  • The Office of Special Counsel (OSC) wrote one of the whistleblowers at the United States Agency for Global Media (USAGM) and indicated it has ordered the head of USAGM to investigate the claims of malfeasance at the agency. The OSC stated:
    • On December 2, 2020, after reviewing the information you submitted, we directed the Chief Executive Officer (CEO) of USAGM to order an investigation into the following allegations and report back to OSC pursuant to 5 U.S.C. § 1213(c). Allegations to be investigated include that, since June 2020, USAGM:
      • Repeatedly violated the Voice of America (VOA) firewall—the law that protects VOA journalists’ “professional independence and integrity”;
      • Engaged in gross mismanagement and abuse of authority by:
        • Terminating the Presidents of each USAGM-funded network— Radio Free Asia (RFA), Radio Free Europe/Radio Liberty (RFE/RL), the Middle East Broadcasting Networks (MBN), and the Office of Cuba Broadcasting (OCB)—as well as the President and the CEO of the Open Technology Fund (OTF);
        • Dismissing the bipartisan board members that governed the USAGM- funded networks, replacing those board members with largely political appointees, and designating the USAGM CEO as Chairman;
        • Revoking all authority from various members of USAGM’s Senior Executive Service (SES) and reassigning those authorities to political appointees outside of the relevant offices;
        • Removing the VOA Editor for News Standards and Best Practices—a central figure in the VOA editorial standards process and a critical component of the VOA firewall—from his position and leaving that position vacant;
        • Similarly removing the Executive Editor of RFA;
        • Suspending the security clearances of six of USAGM’s ten SES members and placing them on administrative leave; and
        • Prohibiting several offices critical to USAGM’s mission—including the Offices of General Counsel, Chief Strategy, and Congressional and Public Affairs—from communicating with outside parties without the front office’s express knowledge and consent;
      • Improperly froze all agency hiring, contracting, and Information Technology migrations, and either refused to approve such decisions or delayed approval until the outside reputation and/or continuity of agency or network operations, and at times safety of staff, were threatened;
      • Illegally repurposed, and pressured career staff to illegally repurpose, congressionally appropriated funds and programs without notifying Congress; and
      • Refused to authorize the renewal of the visas of non-U.S. citizen journalists working for the agency, endangering both the continuity of agency operations and those individuals’ safety.

Coming Events

  • The Senate Judiciary Committee will hold an executive session at which the “Online Content Policy Modernization Act” (S.4632), a bill to narrow the liability shield in 47 USC 230, may be marked up on 10 December.
  • On 10 December, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Securing the Communications Supply Chain. The Commission will consider a Report and Order that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed. (WC Docket No. 18-89)
    • National Security Matter. The Commission will consider a national security matter.
    • National Security Matter. The Commission will consider a national security matter.
    • Allowing Earlier Equipment Marketing and Importation Opportunities. The Commission will consider a Notice of Proposed Rulemaking that would propose updates to its marketing and importation rules to permit, prior to equipment authorization, conditional sales of radiofrequency devices to consumers under certain circumstances and importation of a limited number of radiofrequency devices for certain pre-sale activities. (ET Docket No. 20-382)
    • Promoting Broadcast Internet Innovation Through ATSC 3.0. The Commission will consider a Report and Order that would modify and clarify existing rules to promote the deployment of Broadcast Internet services as part of the transition to ATSC 3.0. (MB Docket No. 20-145)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Makalu from Pixabay

Johnson’s Government Unveils Telecoms Bill

The UK seeks to remake its telecommunications sector, especially its security and supply chain risk aspects.

The government of Prime Minister Boris Johnson has released its telecommunications legislation that would delineate the United Kingdom’s (UK) approach to managing “high risk” companies such as Huawei. The Telecommunications (Security) Bill would reform how the UK regulates the security practices of telecommunications providers like Vodafone and also address risks to the nation’s telecommunications system.

The genesis of the legislation was the 2018 UK Telecoms Supply Chain Review, an inquiry launched “to address three key questions:

  1. How should we incentivise telecoms providers to improve security standards and practices in 5G and full fibre networks?
  2. How should we address the security challenges posed by vendors?
  3. How can we create sustainable diversity in the telecoms supply chain?”

A year later, the UK government “identified three areas of concern:

  1. Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
  2. Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
  3. The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.”

The Department asserted:

The Review recommended the establishment of a new security framework for the UK’s public telecoms providers, with its foundations set by new telecoms security requirements overseen by Ofcom and the government. It also recommended new national security powers for the government to control the presence of high risk vendors in UK networks.

Working in the background during this initiative was the pressure brought by the United States (U.S.) and the People’s Republic of China (PRC) over Huawei and 5G and the pending exit from the European Union (EU). The Trump Administration was making claims about the security of Huawei’s 5G technology and equipment, arguing it would serve to allow the PRC’s security services to spy in any nation that installed the PRC technology giant’s systems. At first, the UK tried to manage the risks its security services turned up in reviewing Huawei’s technology and sought a middle path where Huawei would have a significant role in 5G in the UK as it did for previous iterations of the nation’s wireless network.

However, this approach proved politically unfeasible when Conservative backbenchers indicated to Downing Street that they would amend a telecoms bill to ban Huawei. At this point, the Prime Minister changed tack and announced ban that would take effect by 2027 of any new Huawei technology in the UK’s 5G networks. Johnson’s government nearly lost a vote in March on a different telecoms bill, sending his leadership team a signal they appear to have received. The reason provided for the UK’s change was U.S. sanctions on Huawei that cut off its access to semiconductors that allegedly now made it impossible to use the company for the 5G rollout. In a fact sheet, it was claimed:

  • on 14 July 2020 the Secretary of State for Digital, Culture, Media, and Sport (DCMS) announced in the House of Commons that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from 5G networks by the end of 2027.
  • The government advised full fibre telecoms providers to transition away from purchasing Huawei full fibre equipment affected by the US sanctions. For full fibre networks, we have held a technical consultation with industry on the transition away from Huawei equipment, in order to better understand supply chain alternatives. The conclusions of the consultation will be announced in due course.

The Department for Digital, Culture, Media, and Sport (Department) explained in one fact sheet, “[t]he Telecommunications (Security) Bill is in two parts:

  1. Clauses 1 to 14 introduce a stronger telecoms security framework. The Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers. To support these duties, the Bill will enable more specific security requirements to be set out in secondary legislation, underpinned by codes of practice providing guidance on the security measures to be taken to meet those requirements. The Bill gives the telecoms regulator, the Office of Communications (Ofcom), powers to monitor and enforce industry compliance with the duties and specific security requirements. It places new obligations on public telecoms providers to share information with Ofcom that is necessary to assess the security of their networks, including reporting duties in the event of a security compromise. It also places new duties on Ofcom to promote security and resilience of public telecoms providers. In addition, the Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers.
  2. Clauses 15 to 23 introduce new national security powers for the government to manage risks posed by high risk vendors. The Bill creates new powers for the Secretary of State to designate vendors for the purpose of issuing directions to public communications providers imposing controls on their use of those designated vendors’ goods, services and facilities. Designation and the giving of directions can only take place where the Secretary of State considers it is necessary in the interests of national security. The Bill makes it a duty for providers to comply with the requirements set out in the directions and creates financial penalties for non-compliance. It also includes provisions to ensure the monitoring and enforcement of those requirements, including new powers for the Secretary of State to give monitoring directions to Ofcom requiring Ofcom to obtain information relating to a provider’s compliance with requirements in a direction, and to provide such information in a report to the Secretary of State.

In a different fact sheet, the Department described how telecommunications providers would be regulated under the new security framework: “strengthened overarching security duties, specific security requirements, and codes of practice.” The Department provided detail on each piece:

Security duties

The Bill introduces strengthened overarching security duties. These will require all telecoms providers to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring, as well as preparing for the occurrence of security compromises. Security compromises will include:

  • anything that compromises the availability, performance or functionality of a network or service
  • any unauthorised access to, interference with or exploitation of networks or services
  • anything that compromises the confidentiality of signals or data
  • anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider
  • anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider

Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit damage and take steps to remedy or mitigate the damage.

Secondary legislation

The Telecommunications (Security) Bill also allows the government to make secondary legislation to detail specific security requirements that providers must meet. This will include targeted action to make sure telecoms providers securely design, construct and maintain network equipment that handles sensitive data; reduce supply chain risks; carefully control access to sensitive parts of the network; and make sure the right processes are in place to understand the risks facing their company’s public networks and services.

These requirements will be enforced by Ofcom and may be updated in the future where new threats arise or technologies evolve. The government will engage with telecoms providers on the technical detail of secondary legislation before it is finalised, during passage of the Bill. This engagement will help to inform an impact assessment, which will be published alongside the secondary legislation to assess costs and benefits to businesses.

Codes of practice

Finally, the Bill provides the government with the powers to issue codes of practice to provide guidance on how, and to what timescale, certain telecoms providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data. Ofcom will take relevant codes into account when monitoring and enforcing the new security framework.

There are many different sized telecoms companies providing telecoms networks and services, and while their security and resilience is critical, it is important their differences are recognised. To ensure measures are applied proportionately, the government intends to define three tiers of telecoms provider in an initial code of practice, which will be finalised via public consultation:

  1. The code of practice will apply to the largest national-scale (‘Tier 1’) telecoms providers, whose availability and security is critical to people and businesses across the UK. These providers will also be subject to intensive Ofcom monitoring and oversight.
  2. The code of practice will also apply to medium-sized (‘Tier 2’) telecoms providers, who will be subject to some Ofcom oversight and monitoring. These providers are expected to have more time to implement the security measures set out in the code of practice.
  3. The smallest (‘Tier 3’) telecoms providers, including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers, but these providers may be subject to some limited Ofcom oversight.

The Bill includes a requirement for the government to consult on any codes of practice. DCMS will issue a full public consultation on the approach to implementing the code of practice following Royal Assent, including the approach to tiering and implementation timetables.

Alongside acting as a tool to help regulatory compliance, the code of practice will serve as best practice security guidance to all UK telecoms providers (including private networks).

The Department explained the new penalty scheme:

  • For contravention of a security duty (other than the duty to explain a failure to follow a code of practice) Ofcom may impose a penalty up to a maximum of ten percent of a provider’s ‘relevant turnover’ or (in the case of a continuing contravention) £100,000 per day.
  • For contravention of an information requirement or refusal to explain a failure to follow a code of practice, Ofcom may impose a penalty up to a maximum of £10 million or (in the case of a continuing contravention) £50,000 per day.

The Department explained other part of the bill under which the Secretary of State would be empowered to address risk in the telecommunications system is discussed in a different fact sheet:

The Telecommunications (Security) Bill introduces new powers for the Secretary of State to manage the risks posed by high risk vendors. In the Bill, such vendors are referred to ‘designated vendors’.

The Bill creates powers for the Secretary of State to:

  1. issue directions, in the interests of national security, to public communications providers placing controls on their use of goods, services or facilities supplied, provided or made available by designated vendors (‘designated vendor directions’)
  2. designate specific vendors, in the interests of national security, for the purpose of issuing the designated vendor directions (‘designated vendors’)

The Bill makes it a duty for public communications providers to comply with any requirements set out in a direction and introduces financial penalties for non-compliance. The Secretary of State will be responsible for assessing and enforcing compliance with any direction requirements. Ofcom may be tasked by the Secretary of State with gathering information relevant to the Secretary of State’s assessment of a provider’s compliance with a direction. Ofcom will provide such information to the Secretary of State in the form of a report, the frequency of which can be specified by the Secretary of State.

The Secretary of State will also be responsible for assessing and enforcing compliance with the requirements in the Bill relating to non-disclosure. The Bill enables the Secretary of State to impose requirements not to disclose particular information (such as in relation to a designated vendor director or designation notice), where disclosure would be contrary to the interests of national security.

The Secretary of State will also be responsible for assessing and enforcing compliance with any requirements to provide information given under the information requirement power. These requirements can apply not just to telecoms providers but to anyone who appears to the Secretary of State to have information relevant to the exercise of the Secretary of State’s functions in relation to designation notices and designated vendor directions.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by David Mark from Pixabay

Final NDAA Agreement, Part II

There are AI, 5G, and supply chain provisions in the national security policy bill the Armed Services Committee have agreed upon.

So, it appears I failed to include all the technology goodies to be found in the final FY 2021 National Defense Authorization Act (NDAA). And so, I will cover the provisions I missed yesterday in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395). For example, there are artificial intelligence (AI), 5G, and supply chain provisions.

Notably, the final bill includes the House Science, Space, and Technology Committee’s “National Artificial Intelligence Initiative Act of 2020” (H.R.6216). In the Joint Explanatory Statement, the conferees asserted:

The conferees believe that artificial intelligence systems have the potential to transform every sector of the United States economy, boosting productivity, enhancing scientific research, and increasing U.S. competitiveness and that the United States government should use this Initiative to enable the benefits of trustworthy artificial intelligence while preventing the creation and use of artificial intelligence systems that behave in ways that cause harm. The conferees further believe that such harmful artificial intelligence systems may include high-risk systems that lack sufficient robustness to prevent adversarial attacks; high-risk systems that harm the privacy or security of users or the general public; artificial general intelligence systems that become self-aware or uncontrollable; and artificial intelligence systems that unlawfully discriminate against protected classes of persons, including on the basis of sex, race, age, disability, color, creed, national origin, or religion. Finally, the conferees believe that the United States must take a whole of government approach to leadership in trustworthy artificial intelligence, including through coordination between the Department of Defense, the Intelligence Community, and the civilian agencies.

H.R.6216 directs the President to establish the National Artificial Intelligence Initiative that would:

  • Ensure the U.S. continues to lead in AI research and development (R&D)
  • Lead efforts throughout the world to develop and use “trustworthy AI systems” in both the public and private sectors
  • Prepare to assist U.S. workers for the coming integration and use of AI throughout the U.S., and
  • Coordinate AI R&D development and demonstration activities across the federal government, including national security agencies.

The President would have a variety of means at his or her discretion in effectuating those goals, including existing authority to ask Congress for funding and to use Executive Office agencies to manage the authority and funding Congress provides.

Big picture, H.R. 6216 would require better coordination of federal AI initiatives, research, and funding, and more involvement in the development of voluntary, consensus-based standards for AI. Much of this would happen through the standing up of a new “National Artificial Intelligence Initiative Office” by the Office of Science and Technology Policy (OSTP) in the White House. This new entity would be the locus of AI activities and programs in the United States’ (U.S.) government with the ultimate goal of ensuring the nation is the world’s foremost developer and user of the new technology.

Moreover, OSTP would “acting through the National Science and Technology Council…establish or designate an Interagency Committee to coordinate Federal programs and activities in support of the Initiative.” This body would “provide for interagency coordination of Federal artificial intelligence research, development, and demonstration activities, development of voluntary consensus standards and guidelines for research, development, testing, and adoption of ethically developed, safe, and trustworthy artificial intelligence systems, and education and training activities and programs of Federal departments and agencies undertaken pursuant to the Initiative.” The committee would need to “develop a strategic plan for AI” within two years and update it every three years thereafter. Moreover, the committee would need to “propose an annually coordinated interagency budget for the Initiative to the Office of Management and Budget (OMB) that is intended to ensure that the balance of funding across the Initiative is sufficient to meet the goals and priorities established for the Initiative.” However, OMB would be under no obligation to take notice of this proposal save for pressure from AI stakeholders in Congress or AI champions in any given Administration. The Secretary of Commerce would create a ‘‘National Artificial Intelligence Advisory Committee” to advise the President and National Artificial Intelligence Initiative Office on a range of AI policy matters. In the bill as added to the House’s FY 2021 NDAA, it was to have been the Secretary of Energy.

Federal agencies would be permitted to award funds to new Artificial Intelligence Research Institutes to pioneer research in any number of AI fields or considerations. The bill does not authorize any set amount of money for this program and instead kicks the decision over to the Appropriations Committees on any funding. The National Institute of Standards and Technology (NIST) must “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” and “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” among other duties. NIST must “shall work to develop, and periodically update, in collaboration with other public and private sector organizations, including the National Science Foundation and the Department of Energy, a voluntary risk management framework for the trustworthiness of artificial intelligence systems.” NIST would also “develop guidance to facilitate the creation of voluntary data sharing arrangements between industry, federally funded research centers, and Federal agencies for the purpose of advancing artificial intelligence research and technologies.”

The National Science Foundation (NSF) would need to “fund research and education activities in artificial intelligence systems and related fields, including competitive awards or grants to institutions of higher education or eligible non-profit organizations (or consortia thereof).” The Department of Energy must “carry out a cross-cutting research and development program to advance artificial intelligence tools, systems, capabilities, and workforce needs and to improve the reliability of artificial intelligence methods and solutions relevant to the mission of the Department.” This department would also be tasked with advancing “expertise in artificial intelligence and high-performance computing in order to improve health outcomes for veteran populations.”

According to a fact sheet issued by the House Science, Space, and Technology Committee, [t]he legislation will:

  • Formalize interagency coordination and strategic planning efforts in AI research, development, standards, and education through an Interagency Coordination Committee and a coordination office managed by the Office of Science and Technology Policy (OSTP).
  • Create an advisory committee to better inform the Coordination Committee’s strategic plan, track the state of the science around artificial intelligence, and ensure the Initiative is meeting its goals.
  • Create a network of AI institutes, coordinated through the National Science Foundation, that any Federal department of agency could fund to create partnerships between the academia and the public and private sectors to accelerate AI research focused on an economic sector, social sector, or on a cross-cutting AI challenge.
  • Support basic AI measurement research and standards development at the National Institute for Standards and Technology(NIST) and require NIST to create a framework for managing risks associated with AI systems and best practices for sharing data to advance trustworthy AI systems.
  • Support research at the National Science Foundation (NSF) across a wide variety of AI related research areas to both improve AI systems and use those systems to advance other areas of science. This section requires NSF to include an obligation for an ethics statement for all research proposals to ensure researchers are considering, and as appropriate, mitigating potential societal risks in carrying out their research.
  • Support education and workforce development in AI and related fields, including through scholarships and traineeships at NSF.
  • Support AI research and development efforts at the Department of Energy (DOE), utilize DOE computing infrastructure for AI challenges, promote technology transfer, data sharing, and coordination with other Federal agencies, and require an ethics statement for DOE funded research as required at NSF.
  • Require studies to better understand workforce impacts and opportunities created by AI, and identify the computing resources necessary to ensure the United States remains competitive in AI.

A provision would expand the scope of the biannual reports the DOD must submit to Congress on the Joint Artificial Intelligence Center (JAIC) to include the Pentagon’s efforts to develop or contribute to efforts to institute AI standards and more detailed information on uniformed DOD members who serve at the JAIC. Other language would revamp how the Under Secretary of Defense for Research and Engineering shall manage efforts and procurements between the DOD and the private sector on AI and other technology with cutting edge national security applications. The new emphasis of the program would be to buy mature AI to support DOD missions, allowing DOD components to directly use AI and machine learning to address operational problems, speeding up the development, testing, and deployment of AI technology and capabilities, and overseeing and managing any friction between DOD agencies and components over AI development and use. This section also spells out which DOD officials should be involved with this program and how the JAIC fits into the picture. This language and other provisions suggest the DOD may have trouble in coordinating AI activities and managing infighting, at least in the eyes of the Armed Services Committees.

Moreover, the JAIC would be given a new Board of Advisors to advise the Secretary of Defense and JAIC Director on a range of AI issues. However, as the Secretary shall appoint the members of the board, all of whom must be from outside the Pentagon, this organ would seem to be a means of the Office of the Secretary asserting greater control over the JAIC.

And yet, the Secretary is also directed to delegate acquisition authority to the JAIC, permitting it to operate with the same independence as a DOD agency. The JAIC Director will need to appoint an acquisition executive to manage acquisition and policy inside and outside the DOD. $75 million would be authorized a year for these activities, and the Secretary needs to draft and submit an implementation plan to Congress and conduct a demonstration before proceeding.

The DOD must identify five use cases of when AI-enabled systems have improved the functioning of the Department in handling management functions in implementing the National Defense Strategy and then create prototypes and technology pilots to utilize commercially available AI capabilities to bolster the use cases.

Within six months of enactment, the DOD must determine whether it currently has the resources, capability, and know how to ensure that any AI bought has been ethically and responsibly developed. Additionally, the DOD must assess how it can install ethical AI standards in acquisitions and supply chains.

The Secretary is provided the authority to convene a steering committing on emerging technology and national security threats comprised of senior DOD officials to decide on how the Department can best adapt to and buy new technology to ensure U.S. military superiority. This body would also investigate the new technology used by adversaries and how to address and counter any threats. For this steering committee, emerging technology is defined as:

Technology determined to be in an emerging phase of development by the Secretary, including quantum information science and technology, data analytics, artificial intelligence, autonomous technology, advanced materials, software, high performance computing, robotics, directed energy, hypersonics, biotechnology, medical technologies, and such other technology as may be identified by the Secretary.

Not surprisingly, the FY 2021 NDAA has provisions on 5G. Most notably, the Secretary of Defense must assess and mitigate any risks presented by “at-risk” 5G or 6G systems in other nations before a major weapons system or a battalion, squadron, or naval combatant can be based there. The Secretary must take into account any steps the nation is taking to address risk, those steps the U.S. is taking, any agreements in place to mitigate risks, and other steps. This provision names Huawei and ZTE as “at-risk vendors.” This language may be another means by which the U.S. can persuade other nations not to buy and install technology from these People’s Republic of China (PRC) companies.

The Under Secretary of Defense for Research and Engineering and a cross-functional team would need to develop a plan to transition the DOD to 5G throughout the Department and its components. Each military department inside the DOD would get to manage its own 5G acquisition with the caveat that the Secretary would need to establish a telecommunications security program to address 5G security risks in the DOD. The Secretary would also be tasked with conducting a demonstration project to “evaluate the maturity, performance, and cost of covered technologies to provide additional options for providers of fifth-generation wireless network services” for Open RAN (aka oRAN) and “one or more massive multiple-input, multiple-output radio arrays, provided by one or more companies based in the United States, that have the potential to compete favorably with radios produced by foreign companies in terms of cost, performance, and efficiency.”

The service departments would need to submit reports to the Secretary on how they are assessing and mitigating and reporting to the DOD on the following risks to acquisition programs:

  • Technical risks in engineering, software, manufacturing and testing.
  • Integration and interoperability risks, including complications related to systems working across multiple domains while using machine learning and artificial intelligence capabilities to continuously change and optimize system performance.
  • Operations and sustainment risks, including as mitigated by appropriate sustainment planning earlier in the lifecycle of a program, access to technical data, and intellectual property rights.
  • Workforce and training risks, including consideration of the role of contractors as part of the total workforce.
  • Supply chain risks, including cybersecurity, foreign control and ownership of key elements of supply chains, and the consequences that a fragile and weakening defense industrial base, combined with barriers to industrial cooperation with allies and partners, pose for delivering systems and technologies in a trusted and assured manner.

Moreover, “[t]he Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for ap- propriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle.”

The Armed Services Committees are directing the Secretary to follow up a report submitted to the President per Executive Order 13806 on strengthening Defense Industrial Base (DIB) manufacturing and supply chain resiliency. The DOD must submit “additional recommendations regarding United States industrial policies….[that] shall consist of specific executive actions, programmatic changes, regulatory changes, and legislative proposals and changes, as appropriate.”

The DOD would also need to submit an annex to an annual report to Congress on “strategic and critical materials, including the gaps and vulnerabilities in supply chains of such materials.”

There is language that would change how the DOD manages the production of microelectronics and related supply chain risk. The Pentagon would also need to investigate how to commercialize its intellectual property for microelectronic R&D. The Department of Commerce would need to “assess the capabilities of the United States industrial base to support the national defense in light of the global nature of the supply chain and significant interdependencies between the United States industrial base and the industrial bases of foreign countries with respect to the manufacture, design, and end use of microelectronics.”

There is a revision of the Secretary of Energy’s authority over supply chain risk administered by the National Nuclear Security Administration (NNSA) that would provide for a “special exclusion action” that would bar the procurement of risky technology for up to two years.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Biden Administration Tech Policy: Federal Communications Commission (FCC)

The FCC could be a major force for technology policy in the Biden Administration.

The next Administration will change many of the technology policies put in place under President Donald Trump, but among the highest profile policy reversals will be the Biden Administration’s reestablishment of net neutrality rules. This signature accomplishment of the Obama Administration was undone by the Trump Federal Communications Commission (FCC), and the Biden Campaign made no mistake about its support for the rules that would change how internet service providers (ISP) are regulated. Moreover, with Congressional gridlock a possibility over the next two years as Republicans may maintain control of the Senate, a Biden program will likely hinge on executive action, especially agency action.

Current FCC Chair Ajit Pai has announced his intention to maintain tradition and step down on 20 January 2021, allowing the Biden Administration to name its own chair and tilt the FCC in favor of the Democrats. Should the Senate confirm Biden’s FCC nominee, then it is quite likely to implement a number of key policy changes. However, and I cannot stress this possibility enough, should Biden nominate someone Senate Republicans object to, and they control the chamber, it is very possible the Senate leaves the FCC without a fifth member deadlocked with two members of each party. The calculation may be made that Senate Republicans would rather this be the case than an empowered FCC able to implement net neutrality among other measures.

Net Neutrality

After 2010 net neutrality rules had been overturned by a federal court, in 2015, the Obama Administration FCC promulgated regulations that reclassified ISPs under Title II of the Federal Communications Act as common carriers, which allowed the agency to implement net neutrality regulations. The Open Internet Order (FCC 15–24) put in place “bright-line rules that prohibit blocking, throttling, and paid prioritization; a rule preventing broadband providers from unreasonably interfering or disadvantaging consumers or edge providers from reaching one another on the Internet; and provides for enhanced transparency into network management practices, network performance, and commercial terms of broadband Internet access service.” These regulations survived a court challenge (U.S. Telecom Association v. FCC), largely because the FCC crafted the Open Internet Order on the basis of the ruling that struck down the previous iteration of net neutrality rules (Verizon v. FCC).

In 2017, the Trump Administration FCC’s “Restoring Internet Freedom” (FCC 17–166) returned ISPs to their previous regulatory posture as being regulated under Title I as information services in undoing the Open Internet Order. This rollback of net neutrality regulations “restore[d] the classification of broadband internet access service as a lightly-regulated information service and reinstates the private mobile service classification of mobile broadband internet access service….requires ISPs to disclose information about their network management practices, performance characteristics, and commercial terms of service…[and] eliminates the conduct rules imposed by the [2015 regulations].” In the fall of 2019, the United States Court of Appeals for the District Of Columbia Circuit (D.C. Circuit) upheld most of the FCC’s repeal of the Open Internet Order and the new regulations. However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the Open Internet Order. In fact, a number of states have such laws already enacted or pending. The D.C. Circuit also sent the case back to the FCC for further consideration on three points, which it is still working through.

The Biden Administration could institute a rulemaking as soon as a new chair is in place to remove the Trump Administration’s rollback and then reimplement the Obama Administration’s Open Internet Order, a process that might not be completed until well into 2022 as they agency would need to draft regulations, accept and address comments, and then unveil final regulations. There would be litigation against the new rules, and possibly some uncertainty given the decided rightward tilt of the federal judiciary.

5G

The FCC has played a key role in the Trump Administration’s push against the dominance of the People’s Republic of China (PRC) in the race to install and use 5G. The FCC launched an initiative to identify risky PRC equipment and services (mostly provided by Huawei and ZTE), and then Congress followed by enacted a statute codifying the FCC program and adding requirement. It remains to be seen whether the FCC will be provided additional funding through the Universal Service Fund (USF) or other means to finance the removal and replacement of any risky equipment United States (U.S.) telecommunications providers have already installed. There is no reason to expect a significant substantive change in course by a Biden Administration FCC even if there is a softening of it rhetorical tone.

On December 10, the FCC will vote on a Report and Order “that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed.” This rulemaking would implement the “Secure and Trusted Communications Networks Act of 2019” (P.L. 116-124). The FCC summarized its action:

The Commission plays an important role in protecting America’s communications networks and, today, we take further steps toward securing our communications networks by implementing the Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act). We first adopt a rule that requires Eligible Telecommunications Carriers (ETCs) to remove and replace covered equipment from their networks. Second, we establish the Secure and Trusted Communications Networks Reimbursement Program to subsidize smaller carriers to remove and replace covered equipment, once Congress appropriates at least $1.6 billion that Commission staff estimate will be needed to reimburse providers eligible under current law. Third, we establish the procedures and criteria for publishing a list of covered communications equipment or services that pose an unacceptable risk to the national security of the United States or the security and safety of United States persons and prohibit USF support from being used for such covered equipment or services. Last, we adopt a reporting requirement to ensure we are informed about the ongoing presence of covered equipment in communications networks.

The FCC is faced with competition from the Department of Defense (DOD) on setting 5G policy. In August, the White House and the DOD announced the latter will share a prime slice of mid band electromagnetic frequency with commercial entities that would be ideal for 5G according to their press release. The development of the next iteration of wireless communications has been hampered in the U.S. because the DOD controls a range of the usable frequency spectrum other nations have been using to test and deploy 5G. This announcement would allow commercial entities to ultimately bid on 100 continuous MHz of spectrum that has been used exclusively by the DOD for guidance and navigation. It is an open question whether the relinquishment of this spectrum will speed 5G development and adoption in the U.S., and the timeline provided by the Administration suggests licenses to use these mid-band frequencies will not be in the hands of commercial entities until mid-2022 at the earliest, assuming President Donald Trump is reelected, for a Biden Administration may propose a different course of action. Nonetheless, one Administration official asserted releasing this 100 MHz will be “the fastest transfer of Federal spectrum to commercial use in history.”

In a related development, in an October press release, the Department of Defense (DOD) detailed its “$600 million in awards for 5G experimentation and testing at five U.S. military test sites, representing the largest full-scale 5G tests for dual-use applications in the world.” These awards were made largely to prominent private sector technology and telecommunications companies vying to play prominent roles in 5G. However, of course, no awards were made to companies from the PRC. Nonetheless, this announcement may provoke further claims from Members of Congress and stakeholders that the DOD’s effort is the camel’s nose under the tent of a nationalized 5G system and a further infringement of the FCC’s jurisdiction.

This announcement is part of the DOD’s 5G Strategy that “provides the DOD approach to implementing the National Strategy to Secure 5G and aligns with the National Defense Authorization Act for Fiscal Year 2020 (FY2020), Section 254…[that] is also consistent with National Defense Strategy guidance to lead in key areas of great power competition and lethality to ensure 5G’s ‘impact on the battle network of the future.’”

In a related DOD release, it was explained:

The effort — Tranche 1 of the department’s larger 5G initiative — will accelerate adoption of 5G technology, enhance the effectiveness and lethality of U.S. combat forces, and further the development and use of common 5G standards to ensure interoperability with military partners and allies.

There have been other indications the Trump Administration was moving to institute a nationalized 5G system. Reportedly, a company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the DOD for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.

The FCC is also locking horns with other federal agencies over the approval of a new means of providing service for 5G. In late April, FCC issued a “decision authorize[ing] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DoD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable, opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

A few weeks prior to the hearing, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

In May, the National Telecommunications and Information Administration (NTIA) filed two petitions with the FCC asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band. This decision was opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argued the order would allow Ligado to set up a system that would interfere with the DOD GPS and civilian federal agency applications of GPS as well. If the FCC denies these petitions, it is possible NTIA could file suit in federal court to block the FCC’s order and Ligado.

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of DOD and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

In early June, Ligado filed its response to the Trump Administration’s petitions to stay and have the FCC reconsider its order allowing the company to move forward with its satellite-terrestrial wireless network. The company argued the NTIA’s petitions rehash the same arguments heard and rejected by the FCC over the course of the nearly decade long proceeding, do not argue that an injury has occurred because Ligado is not yet operating, and is contrary to the public interest by delaying the rollout of 5G.

Broadband Privacy

At the beginning of the Trump Administration, Congress used the Congressional Review Act (CRA) to nullify the FCC’s 2016 final rule “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” An act of Congress signed by the President is needed before the FCC could again regulate the privacy and data practices of internet service providers (ISPs). Such a change could conceivably be included in broader privacy legislation that supposedly will be at the top of Congress’ technology agenda in the next Congress. However, to date, there has not been a broad privacy bill I have seen that includes such language. And yet, a number of the broader bills would include common carriers under the jurisdiction of the Federal Trade Commission’s (FTC) expanded powers to enforce a new privacy regime, which would represent a de facto negation of the CRA process that undid the FCC’s broadband privacy rules. It would seem to me the key question would be what would happen in such a scenario if a future FCC undoes net neutrality rules. Would ISPs then no longer be subject to federal privacy rules as they would no longer be common carriers and no longer be subject to FTC jurisdiction as such?

In any event, the FCC in 2016 summarized its now nullified rules:

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

  • Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
  • Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  • Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

Section 230

The Trump Administration FCC has started a rulemaking to construe key terms in 47 U.S.C. 230 (aka Section 230), a provision that shields technology companies from litigation arising from content it posts from third parties and any decisions it makes to take down, censor, or edit such material. Via executive order (EO), Trump directed the National Telecommunications and Information Administration (NTIA) to file a petition with the FCC asking the agency to conduct a rulemaking, and the FCC decided to commence this fall. However, it is unlikely the FCC will have enough time to finish this process even though Pai could conceivably unveil draft regulations to pare back the protection companies like Facebook, Twitter, Reddit, etc. enjoy. This push has been opposed by Democrats generally and by the two Democratic FCC Commissioners, and so it would likely be ended under a Biden FCC.

As a threshold matter, it is quite likely President-elect Joe Biden will issue almost immediately an executive order pausing almost all Trump Administration executive orders pending review. It is also conceivable that the new Administration will withdraw the Trump Administration’s petition for a Section 230 rulemaking, and a Biden Administration staffed and controlled FCC may be very willing to accept such a withdrawal and close down the rulemaking process. This is not to say, however, that the Biden Administration will not seek changes to Section 230. Biden has opined Section 230 should be repealed, and other Democratic stakeholders want to see a paring back of the liability shield as a means of creating an incentive for Facebook, Twitter, and others to address the proliferation of problematic content such as white supremacist materials, QAnon conspiracies, abuse of women and minorities, and outright lies and disinformation. A key Member of the House, Representative Jan Schakowsky (D-IL), who chairs the Consumer Protection and Commerce Subcommittee, has said she will release her reform proposal in January. It remains to be seen what role, if any, the FCC may play under a revised Section 230.

In October, FCC Chair Ajit Pai announced that that the “[t]he Commission’s General Counsel has informed me that the FCC has the legal authority to interpret Section 230…[and] [c]onsistent with this advice, I intend to move forward with a rulemaking to clarify its meaning.” Pai namechecked Thomas’ statement in which he “pointed out that courts have relied upon ‘policy and purpose arguments to grant sweeping protections to Internet platforms’ that appear to go far beyond the actual text of the provision.” Moreover, this interpretation has been subsequently released in a rather unusual fashion. Normally, agencies use the vehicle of a draft rule to make the claim it has or does not have certain authority provided by Congress to act. But, not in this case. The FCC has decided to make its case in a blog posting before it has released proposed regulations to define certain terms in Section 230’s liability shield for technology companies.

Working along a parallel track is pressure on the Senate committee that oversees the FCC to vet, hold a hearing on, and approve Trump’s nominee for the FCC. Commissioner Mike O’Reilly was lukewarm to the EO and his appointment to the FCC was expiring. And so, in typical Trump Administration fashion, the White House decided that the policy was not the problem. Personnel was. Consequently, Nathan Simington of the NTIA was nominated to replace O’Reilly, and the Senate Commerce, Science, and Transportation Committee advanced his nomination on party-line vote on 2 December. If Simington is confirmed and then the Republican-controlled Senate blocks a Biden nominee (which we know would never happen given the deep respect Senate Majority Leader Mitch McConnell (R-KY) has for the traditions of the institution), then the agency would be decapitated and could not act.

Broadband

Bridging the digital divide will likely be a signal technology priority for the Biden Administration. There are media accounts stating Biden and allies in Congress are already planning on how to significantly increase broadband funding, possibly in the next COVID-19 stimulus bill. Whether they continue the Trump Administration’s FCC’s approach is not clear. Whatever their course of action, the digital divide was made all the starker by the pandemic with people working from work and children doing online schooling.

The agency has proposed and is implementing a program that will allegedly raise over $20 billion to bridge the digital divide. The FCC explained the Rural Digital Opportunity Fund (RDOF):

The Rural Digital Opportunity Fund is the Commission’s next step in bridging the digital divide.  On August 1, 2019, the Commission adopted a Notice of Proposed Rulemaking (NPRM) proposing to establish the $20.4 billion Rural Digital Opportunity Fund to bring high speed fixed broadband service to rural homes and small businesses that lack it.  On January 30, 2020, the Commission adopted the Rural Digital Opportunity Fund Report and Order, which establishes the framework for the Rural Digital Opportunity Fund, building on the success of the CAF Phase II auction by using reverse auctions in two phases.  The Phase I auction, which is scheduled to begin on October 29, 2020, will target over six million homes and businesses in census blocks that are entirely unserved by voice and broadband with download speeds of at least 25 Mbps.  Phase II will cover locations in census blocks that are partially served, as well as locations not funded in Phase I.  The Rural Digital Opportunity Fund will ensure that networks stand the test of time by prioritizing higher network speeds and lower latency, so that those benefitting from these networks will be able to use tomorrow’s Internet applications as well as today’s.

There are other programs a Biden FCC could utilize to address some of the digital divide, including the E-Rate and Lifeline programs, and the next FCC could make some changes to the structure of the programs through rulemakings if it sought fit.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Ali Shah Lakhani on Unsplash

Further Reading, Other Developments, and Coming Events (18 November)

Further Reading

  • Trump fires top DHS official who refuted his claims that the election was rigged” By Ellen Nakashima and Nick Miroff — The Washington Post. As rumored, President Donald Trump has decapitated the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Director Christopher Krebs was fired via Twitter, after he had endorsed a letter by 59 experts on election security who said there was no fraud in the election. Trump tweeted: “The recent statement by Chris Krebs on the security of the 2020 Election was highly inaccurate, in that there were massive improprieties and fraud — including dead people voting, Poll Watchers not allowed into polling locations, ‘glitches’ in the voting machines which changed votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.” Of course, the statement CISA cosigned and issued last week asserting there was no evidence of fraud or wrongdoing in the election probably did not help his prospects. Additionally, CISA Deputy Director Matthew Travis was essentially forced out when he was informed the normal succession plan would be ignored and he would not become the acting head of CISA. A CISA senior civil servant, Brandon Wales, will helm the agency in an acting basis. Last week, CISA’s Assistant Director for Cybersecurity Bryan Ware was forced out.
  • NSA Spied On Denmark As It Chose Its Future Fighter Aircraft: Report” By Thomas Newdick — The Drive. A Danish media outlet is claiming the United States U.S. National Security Agency (NSA) spied Denmark’s Ministry of Finance, the Ministry of Foreign Affairs, and the defense firm Terma in order to help Lockheed Martin’s bid to sell F-35 Joint Strike Fighters to Denmark. Eurofighter GmbH and Saab were offering their Typhoon and Gripen fighters to replace Denmark’s F-16s. Reportedly, the NSA used an existing arrangement with Denmark to obtain information from a program allowing the NSA access to fiber optics cables in the country. It is likely Denmark did not have such surveillance in mind when it struck this agreement with the U.S. Two whistleblowers reports have been filed with the Forsvarets Efterretningstjeneste (FE), Denmark’s Defense Intelligence Service, and there are allegations that the U.S. surveillance was illegal. However, the surveillance appears not to have influenced the Danish government, which opted for the F-35. Earlier this year, there were allegations the FE was improperly sharing Danish cables containing information on Danish citizens improperly.
  • Facebook Knows That Adding Labels To Trump’s False Claims Does Little To Stop Their Spread” By Craig Silverman and Ryan Mac — BuzzFeed News. These reporters must know half of Facebook’s staff because they always see what is going on internally with the company. In this latest scoop, they say they have seen internal numbers showing that labeling President Donald Trump’s false tweets have done little to slow their spread. In fact, labelling may only slow their spread by 8%. This outcome is contrary to a practice Facebook employed in 2017 under which fact checkers would label untrue posts as false. This reduced their virality by 80%.
  • Apple Halves Its App Store Fee for the Smaller Companies” By Jack Nicas — The New York Times. The holiday spirit must already be afoot in Cupertino, California, for small app developers will now only pay Apple 15% of in-app purchases for the privilege of being in the App Store. Of course, this decision has nothing to do with the antitrust pressure the company is facing in the European Union and United States (U.S.) and will have very little impact on their bottom line since app developers with less than $1 million in revenue (i.e., those entitled to a reduction) account for 2% of App Store revenue. It does give Apple leadership and executive some great talking points when pressed by antitrust investigators, legislators, and the media.
  • Inside the behind-the-scenes fight to convince Joe Biden about Silicon Valley” By Theodore Schleifer — recode. The jockeying among factions in the Democratic party and other stakeholders is fierce and will only grow fiercer when it comes to who will serve where in a Biden Administration. Silicon Valley and those who would reform tech are fighting to get people amenable to their policy goals placed in the new Administration. President-elect Joe Biden and his campaign were ambiguous on many tech policy issues and have flexibility which has been further helped by appointing people respected in both camps like new White House Chief of Staff Ron Klain.
  • Group of 165 Google critics calls for swift EU antitrust action – letter” By Foo Yun Chee — Reuters. A wide-ranging group of companies and industry associations are urging the European Union to investigate and punish what they see as Google’s anti-competitive dominance of online search engines, especially the One Box that now appears at the top of search results that points people to Google sites and products.

Other Developments

  • The European Union (EU) announced a revision of its export control process for allowing the export of dual use items, including cyber surveillance tools. The European Commission (EC) asserted “[t]hanks to the new Regulation, the EU can now effectively protect its interests and values and, in particular, address the risk of violations of human rights associated with trade in cyber-surveillance technologies without prior agreement at multilateral level…[and] also enhances the EU’s capacity to control trade flows in sensitive new and emerging technologies. The EC explained “[t]he new Regulation includes many of the Commission proposals for a comprehensive “system upgrade”, and will make the existing EU Export control system more effective by:
    • introducing a novel ‘human security’ dimension so the EU can respond to the challenges posed by emerging dual-use technologies – especially cyber-surveillance technologies – that pose a risk to national and international security, including protecting human rights;
    • updating key notions and definitions (e.g. definition of an “exporter” to apply to natural persons and researchers involved in dual-use technology transfers);
    • simplifying and harmonising licensing procedures and allowing the Commission to amend – by ‘simplified’ procedure, i.e. delegated act – the list of items or destinations subject to specific forms of control, thereby making the export control system more agile and able to evolve and adjust to circumstances;
    • enhancing information-exchange between licensing authorities and the Commission with a view to increasing transparency of licensing decisions;
    • coordination of, and support for, robust enforcement of controls, including enhancing secure electronic information-exchange between licensing and enforcement agencies;
    • developing an EU capacity-building and training programme for Member States’ licensing and enforcement authorities;
    • outreach to industry and transparency with stakeholders, developing a structured relationship with the private sector through specific consultations of stakeholders by the relevant Commission group of Member-State experts, and;
    • setting up a dialogue with third countries and seeking a level playing field at global level.
    • The European Parliament contended:
      • The reviewed rules, agreed by Parliament and Council negotiators, govern the export of so-called dual use goods, software and technology – for example, high-performance computers, drones and certain chemicals – with civilian applications that might be repurposed to be used in ways which violate human rights.
      • The current update, made necessary by technological developments and growing security risks, includes new criteria to grant or reject export licenses for certain items.
      • The Parliament added its negotiators
        • got agreement on setting up an EU-wide regime to control cyber-surveillance items that are not listed as dual-use items in international regimes, in the interest of protecting human rights and political freedoms;
        • strengthened member states’ public reporting obligations on export controls, so far patchy, to make the cyber-surveillance sector in particular more transparent;
        • increased the importance of human rights as licensing criterion; and
        • agreed on rules to swiftly include emerging technologies in the regulation.
  • The United States House of Representatives passed three technology bills by voice vote yesterday. Two of these bills would address in different ways the United States’ (U.S.) efforts to make up ground on the People’s Republic of China in the race to roll out 5G networks. It is possible but not foreseeable whether the Senate will take up these bills before year’s end and send them to the White House. It is possible given how discrete the bills are in scope. The House Energy and Commerce Committee provided these summaries:
    • The “Utilizing Strategic Allied (USA) Telecommunications Act of 2020” (H.R.6624) creates a new grant program through the National Telecommunications and Information Administration (NTIA) to promote technology that enhances supply chain security and market competitiveness in wireless communications networks.
      • One of the bill’s sponsors, House Energy and Commerce Committee Chair Frank Pallone Jr (D-NJ) stated:
        • Earlier this year, the House passed, and the President signed, my Secure and Trusted Communications Networks Act to create a program to fund the replacement of suspect network equipment. Suspect equipment, including that produced by Huawei and ZTE, could allow foreign adversaries to surveil Americans at home or, worse, disrupt our communications systems.
        • While we are still pushing for Congress to appropriate funds to that end, it is important to recognize that my legislation was only half the battle, even when it is funded. We also need to create and foster competition for trusted network equipment that uses open interfaces so that the United States is not beholden to a market for network equipment that is becoming less competitive. This bill before us today, the Utilizing Strategic Allied Telecommunications Act, or the USA Telecommunications Act, does just that.
        • The bipartisan legislation creates a grant program and authorizes $750 million in funding for the National Telecommunications and Information Administration to help promote and deploy Open Radio Access Network technologies that can spur that type of competition. We must support alternatives to companies like Huawei and ZTE…
    • The “Spectrum IT Modernization Act of 2020” (H.R.7310) requires NTIA – in consultation with the Policy and Plans Steering Group – to submit to Congress a report on its plans to modernize agency information technology systems relating to managing the use of federal spectrum. 
      • A sponsor of the bill, House Energy and Commerce Committee Ranking Member Greg Walden (R-OR) explained:
      • H.R. 7310 would require NTIA to establish a process to upgrade their spectrum management infrastructure for the 21st century. The bill would direct the policy coordination arm of NTIA to submit a plan to Congress as to how they will standardize the data collection across agencies and then directs agencies with Federal spectrum assignments from NTIA to issue an implementation plan to interoperate with NTIA’s plan.
      • This is a good-government bill–it really is–and with continued support and oversight from Congress, we can continue the United States’ leadership in making Federal spectrum available for flexible use by the private sector.
    • The “Reliable Emergency Alert Distribution Improvement (READI) Act of 2020” (H.R.6096) amends the Warning, Alert, and Response Network Act to classify emergency alerts from the Federal Emergency Management Agency as a type of alert that commercial mobile service providers may not allow subscribers to block from their devices. The bill also directs the Federal Communications Commission (FCC) to adopt regulations to facilitate coordination with State Emergency Communications Committees in developing and modernizing State Emergency Alert System plans. Finally, the READI Act directs the FCC to examine the feasibility of modernizing the Emergency Alert System by expanding alert distribution to the internet and streaming services.  
  • The same privacy activists that brought the suits that resulted in the striking down of the Safe Harbor and Privacy Shield agreements have filed complaints in Spain and Germany that Apple has violated the European Union’s (EU) e-Privacy Directive and laws in each nation through its use of IDFA (Apple’s Identifier for Advertisers). Because the General Data Protection Regulation (GDPR) is not the grounds for the complaints, each nation could act without needing to consult other EU nations. Moreover, a similar system used by Google is also being investigated for possible violations. The group none of your business (noyb) asserted:
    • IDFA – the cookie in every iPhone user’s pocket. Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).
    • Tracking without user consent. Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU “Cookie Law” (Article 5(3) of the e-Privacy Directive) and requires the users’ informed and unambiguous consent.
    • Insufficient “improvement” on third-party access. Recently Apple announced plans for future changes to the IDFA system. These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself). Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.
    • No need for EU cooperation. As the complaint is based on Article 5(3) of the e-Privacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without the need for cooperation among EU Data Protection Authorities as under GDPR.
  • The Federal Trade Commission (FTC) Chair made remarks at antitrust conference on how antitrust law should view “an acquisition of a nascent competitive threat by a monopolist when there is reason to think that the state of competition today may not tell the whole story.” Chair Joseph Simons views are timely for a number of reasons, particularly the extent to which large technology firms have sought and bought smaller, newer companies. Obviously, the acquisitions of WhatsApp and Instagram by Facebook and YouTube and AdSense by Google come to mind as the sorts of acquisitions United States (U.S.) regulators approved, possibly without much thought given to what a future market may look like for competition if the larger, dominant company is allowed to proceed. Simons suggested regulators and courts would be wise to give this aspect of antitrust mush more thought, which could theoretically inform the approach the Biden Department of Justice and FTC take. Simons stated:
    • And if firms are looking to the future, then antitrust enforcers should too. We must be willing and able to recognize that harm to competition might not be obvious from looking at the marketplace as it stands. If we confine ourselves to examining a static picture of the market at the moment we investigate a practice or transaction, without regard to the dynamic business realities at work, then we risk forfeiting the benefits of competition that could arise in the future to challenge the dominant firm, even when this future competition is to some extent uncertain.
    • Simons asserted:
      • A merger or acquisition can of course constitute anticompetitive conduct for purposes of Section 2 [of the Sherman Act]
      • From a competition perspective, a monopolist can “squash” a nascent competitor by buying it, not just by targeting it with anticompetitive actions as Microsoft did. In fact, from the monopolist’s perspective, it may be easier and more effective to buy the nascent threat (even if only to keep it out of the hands of others) than to target it with other types of anticompetitive conduct.
      • A central issue in potential competition cases is the nature and strength of evidence that the parties will become actual competitors in the future. Some cases have applied Section 7 [of the Clayton Act] narrowly in this context: too narrowly, I think, given that the purpose of Section 7 is to prohibit acquisitions that “may” substantially lessen competition or “tend” to create a monopoly.
    • Simons concluded:
      • But uncertainty has always been a feature of the competitive process, even in markets that appear to be simple or traditional, and dealing with uncertainty is all in a day’s work for an antitrust enforcer. I have referred to the Microsoft case repeatedly today, so, in closing, let me remind everyone that there was some uncertainty about the future in Microsoft as well. The court, in holding that the plaintiff does not and should not bear the burden of “reconstruct[ing] a product’s hypothetical development,” observed that the defendant should appropriately be “made to suffer the uncertain consequences of its own undesirable conduct.” The same holds when the monopolist has simply chosen to acquire the threat.
  • The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) revised the Workforce Framework for Cybersecurity (NICE Framework) that “improves communications about how to identify, recruit, develop, and retain cybersecurity talent ­ – offering a common, consistent lexicon that categorizes and describes cybersecurity work.” NIST explained:
    • The NICE Framework assists organizations with managing cybersecurity risks by providing a way to discuss the work and learners associated with cybersecurity. These cybersecurity risks are an important input into enterprise risk decisions as described in NIST Interagency Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).
    • NIST stated “[r]evisions to the NICE Framework (NIST Special Publication 800-181) provide:
      • A streamlined set of “building blocks” comprised of Task, Knowledge, and Skill Statements;
      • The introduction of Competencies as a mechanism for organizations to assess learners; and
      • A reference to artifacts, such as Work Roles and Knowledge Skills and Abilities statements, that will live outside of the publication to enable a more fluid update process.
  • A left center think tank published a report on how the United States (U.S.) and likeminded nations can better fight cybercrime. In the report addressed to President-elect Joe Biden and Vice President-elect Kamala Harris, the Third Way presented the results of a “multiyear effort to define concrete steps to improve the government’s ability to tackle the scourge of cybercrime by better identifying unlawful perpetrators and imposing meaningful consequences on them and those behind their actions.” In “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?,” the Third Way made a list of detailed recommendations on how the Biden Administration could better fight cybercrime, but in the cover letter to the report, there was a high level summary of these recommendations:
    • In this roadmap, we identify the challenges the US government faces in investigating and prosecuting these crimes and advancing the level of international cooperation necessary to do so. Cyberattackers take great pains to hide their identity, using sophisticated tools that require technical investigative and forensic expertise to attribute the attacks. The attacks are often done at scale, where perpetrators prey on multiple victims across many jurisdictions and countries, requiring coordination across criminal justice agencies. The skills necessary to investigate these crimes are in high demand in the private sector, making it difficult to retain qualified personnel. A number of diplomatic barriers make cross-border cooperation difficult, a challenge exacerbated often by blurred lines line between state and non-state actors in perpetrating these crimes.
    • This roadmap recommends actions that your administration can take to develop a comprehensive strategy to reduce cybercrime and minimize its impact on the American people by identifying the perpetrators and imposing meaningful consequences on them. We propose you make clear at the outset to the American public and global partners that cyber enforcement will be a top priority for your administration. In reinstating a White House cybersecurity position, we have extensive recommendations on how that position should address cybercrime. And, to make policy from an intelligence baseline, we believe you should request a National Intelligence Estimate on the linkages between cybercrime and nation-state cyber actors to understand the scope of the problem.
    • Our law enforcement working group has detailed recommendations to improve and modernize law enforcement’s ability to track and respond to cybercrime. And our global cooperation working group has detailed recommendations on creating a cohesive international cyber engagement strategy; assessing and improving the capacity of foreign partners on cybercrime; and improving the process for cross-border data requests that are critical to solving these crimes. We believe that with these recommendations, you can make substantial strides in bringing cybercriminals to justice and deterring future cybercriminals from victimizing Americans.

Coming Events

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (28 October)

Further Reading

  •  “Administration officials alarmed by White House push to fast track lucrative 5G spectrum contract, sources say” By Jake Tapper — CNN. A company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the Department of Defense (DOD) for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.
  • Remote learning is deepening the divide between rich and poor” By Lucien O. Chauvin and Anthony Faiola — The Washington Post. The digital divide is, if anything, even more pronounced in the Third World where the pandemic and underlying economic and societal conditions threaten to erase anti-poverty gains and the education and future of a generation.
  • Big Tech’s biggest critics are racing to raise money for Biden’s campaign” By Tony Romm — The Washington Post. In the last days of the campaign, a number of “Big Tech” critics are hosting or intensifying fund raising efforts for the Biden Campaign in the hopes of shaping its policies towards Silicon Valley. Those on the left favor dramatic action in a new administration while Biden’s centrist history may argue against significant change. Also, Silicon Valley as a whole has showered donations on the Biden Campaign, which may be a potent counterweight.
  • State, federal antitrust charges against Facebook could come as soon as November, sources say” By Tony Romm — The Washington Post. The Federal Trade Commission (FTC) and a group of state attorneys general may be filing their anti-trust suits as early as next month against Facebook for its dominance of the social messaging market. The suits would likely focus on Facebook’s acquisitions of potential rivals WhatsApp and Instagram.
  • Facebook touts free speech. In Vietnam, it’s aiding in censorship” By David Cloud and Shashank Bengali — Los Angeles Times. Despite Facebook’s talk of supporting free speech in western nations, it apparently complies to pressure from authoritarian regimes like Vietnam’s to block posts and close down accounts of dissidents.

Other Developments

  • The Presidency of the Council of the European Union (EU), currently held by Germany, released “Conclusions on the Charter of Fundamental Rights in the Context of Artificial Intelligence and Digital Change,” which laid out the EU’s views on how to develop and deploy artificial intelligence (AI).
    • The Presidency stated:
      • The COVID-19 pandemic has shown more clearly than ever that Europe must achieve digital sovereignty in order to be able to act with self-determination in the digital sphere and to foster the resilience of the European Union. We therefore want to work together on European responses for digital technologies, such as artificial intelligence (AI). We want to ensure that the design, development, deployment and use of new technologies uphold and promote our common values and the fundamental rights guaranteed by the EU Charter of Fundamental Rights (hereinafter ‘the Charter’), while increasing our competitiveness and prosperity. High levels of IT security must be maintained within a framework that is open to innovation.
      • We are committed to the responsible and human-centric design, development, deployment, use and evaluation of AI. We should harness the potential of this key technology in promoting economic recovery in all sectors in a spirit of European solidarity, uphold and promote fundamental rights, democracy and the rule of law and maintain high legal and ethical standards.
  • A United States’ (U.S.) Defense Science Board (DSB) Task Force published the executive summary of its “Final Report on Counter Autonomy,” “a strategic assessment of U.S. counter autonomy capabilities today and 30 years from now across all domains (land, sea, undersea, air, space, and cyberspace).” The DSB is an advisory body of the Department of Defense (DOD) that has proven influential in shaping DOD and U.S. policy. The Task Force stated:
    • The Task Force found a heavy focus across the whole-of-government on fielding U.S. autonomous systems with very little attention given to countering autonomous systems deployed by adversaries. One major exception is the U.S. government’s many programs focused on the counter unmanned aerial system (c-UAS) mission. Although c-UAS is critical to ensuring the safety and security of U.S. forces, allies, and the homeland, the DOD must adopt a broader view of counter autonomy or it will not be prepared to effectively defeat future adversary systems.
    • Like the introduction of cyberspace, the growth of autonomy and artificial intelligence (AI) will bring new capability to the public and private sector, but it will also introduce vulnerabilities to current and future capabilities. Therefore, the Task Force felt it necessary to not only develop recommendations aimed at counter autonomy but also counter-counter autonomy. The integrity of each component used to develop a physical or digital autonomous capability must be considered across the entire lifecycle of a system to maintain confidence in its efficacy and reliability.
    • The Task Force has provided a series of recommendations that, if implemented, will effectively aid the DOD and the wider U.S. government in developing a full-scope counter autonomy capability, strengthen U.S. autonomous systems, and result in a more resilient and lethal force.
    • The Task Force made these recommendations:
      • Recommendation 1: Leadership
        • The Under Secretary of Defense, Research and Engineering (USD(R&E)) create a single senior focal point for counter autonomy separate from autonomy leadership but of equal authority to ensure independent thinking
        • USD(R&E) champion a DOD-wide autonomy/counter autonomy community modeled on the existing low observable/counter low observable (LO/CLO) community
      • Recommendation 2: Capability and Operational Development
        • C. Military Departments (Secretaries) charter the following in order to develop robust fielded counter autonomy capabilities
        • Assess, fund, and deploy modifications needed to existing conventional capabilities
        • Create a robust Opposing force (OPFOR) that mimics adversary autonomy
        • Establish multi-domain Counter autonomy (CA) Red Teams
        • Develop CA requirements, concepts, and Tactics, techniques, and procedures (TTPs)/ Concept of operations (CONOPS)
        • D. Direct Service labs and DARPA to create CA
      • R&D Recommendation 3: Intelligence
        • Sensitive content – N/A
      • Recommendation 4: Assurance
        • Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) establish and enforce AI-enabled autonomous system resilience guidelines to mitigate AI-specific vulnerabilities
        • Developmental test and evaluation (DT&E)/ Operational test and evaluation (OT&E) establish testing and evaluation guidance for development, fielding and sustainment to assure resilience of AI-enabled autonomous systems against counter autonomy attack over lifecycle
      • Recommendation 5: Policy
        • The Office of the Under Secretary of Defense for Policy (OUSD(P)) develop policy to provide appropriate defense of U.S. autonomous weapon systems, support autonomy exports, and ensure safety and security of imports
      • Recommendation 6: Talent
        • The Office of the Secretary of Defense (OSD) and Military Departments significantly expand autonomy/AI talent through aggressive recruiting, hiring, career path, and retention actions:
        • −  Upskill talent with AI skills through incentives and innovative methods such as free or affordable online training (e.g., edX, Coursera, Udacity)
        • −  Military Departments establish, promote, and incentivize autonomy/AI career paths for civilian and military personnel
        • o Service Academies, including Air Force Institute of Technology and Naval Postgraduate School, include counter autonomy in curriculum and research
        • −  Expand the use of innovative staffing (e.g., IPA, HQE, SMART), and build a national talent pipeline at the graduate level with focused DOD funding
        • −  Fully leverage Section 1107(c) Direct Hiring Authority and request Congress authorize the limitation be raised from 5 percent to 10 percent of the workforce
        • Defense Counterintelligence and Security Agency (DCSA) accelerate clearance adjudication for candidates with critical skills (AI/machine learning (ML), robotics, cyber, etc.)
  • The Center for a New American Security (CNAS), a center-left Washington, D.C. national security think tank that may prove as influential in a Biden Administration as it did during the Obama Administration, released “Common Code: An Alliance Framework for Democratic Technology Policy,” that argued for the most technologically advanced democracies to band together and cooperate so that democratic ideals and principles will inform the development of the coming technology. CNAS explained that “[t]he Technology Alliance project and this report were made possible by a grant from Schmidt Futures,” a philanthropic venture started and funded by former Google and Alphabet CEO Eric Schmidt. CNAS stated:
    • Technological leadership by the world’s major liberal-democratic nations will be essential to safeguarding democratic institutions, norms, and values, and will contribute to global peace and prosperity. A unified approach by like-minded nations also is needed to counteract growing investments in and deployments of emerging technologies by authoritarian, revisionist powers.
    • Many have made the case for such a grouping, most notably the United Kingdom’s recent call for a “Democracy 10” to tackle 5G and other technology issues. Similarly, former U.S. government officials have advocated for the creation of a “Tech 10.” Despite this interest in a new coordination mechanism for multilateral technology policy, the work needed to create it has been elusive.
    • CNAS explained:
      • This document lays out what that alliance framework should look like, the opening chapter of a new, multilateral techno-democratic statecraft strategy for the 21st century. It answers the key questions needed to move from concept to an actionable blueprint necessary to tackle the 21st century technology competition:
        • What countries should be members of the technology alliance, and why?
        • Should the alliance be able to collaborate with non-members, and why?
        • Should the alliance grow, and how?
        • How should the alliance be organized and structured?
        • What is the ideal voting system?
        • How should the alliance engage with stakeholders from industry and civil society?
        • What is the best meeting structure and frequency?
      • After detailing recommendations for creating the technology alliance itself, the blueprint addresses the new organization’s top priorities, areas where the project leads identified both a common code between the proposed member countries and an urgent need for improved coordination:
        • Restructure supply chains with a focus on security and diversity
        • Safeguard competitive technological advantages with tailored multilateral export controls and by curbing unwanted technology transfers
        • Fund and build secure digital infrastructure by creating new investment mechanisms
        • Craft standards and norms for a beneficial technology future.
      • The technology alliance’s longer-term agenda should include efforts to:
        • Pursue joint R&D
        • Engage in technology forecasting
        • Focus on data flows
        • Promote technology interoperability
        • Counter disinformation and other illiberal uses of technology
        • Maximize human capital.
  • The National Institute of Standards and Technology (NIST) published a notice in the Federal Register inviting “organizations to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained this “is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained:
    • Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture
    • In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
    • The NCCoE project builds on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns to the concepts and principles in NIST SP 800-207 and using commercially available products.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) evaluated DHS’ information security for FY 2019 and found serious problems. The OIG “reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements.” The OIG found serious deficiencies with the Cybersecurity and Infrastructure Security Agency, ostensibly the entity in the U.S. government charged with helping civilian agencies secure and defend their networks. The OIG found:
    • DHS’ information security program was not effective for FY 2019 because the Department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4). We rated DHS’ information security program according to five functions outlined in the 2019 reporting instructions:
      • Identify: DHS received a Level 1 rating because it did not have an effective strategy or department-wide approach to manage risks for all of its systems.
      • Protect: DHS achieved Level 4 as it was rated Level 4 in three of the four domains essential to this function.
      • Detect: DHS received a Level 1 rating due to the lack of a comprehensive strategy and organization-wide continuous monitoring approach to address all requirements and activities at each organizational tier.
      • Respond: DHS received a Level 1 rating because the Coast Guard had not reported its cybersecurity incidents to DHS since 2012.
      • Recover: DHS received Level 3 because it had not made progress since prior years [REDACTED]
    • According to FY 2019 reporting metrics, our independent contractor rated component information security programs effective for Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) as both components achieved the targeted “Level 4 – Managed and Measurable” or higher in four of five functions. The Cybersecurity and Infrastructure Security Agency (CISA) overall information security program was not effective because it achieved “Level 1 – Ad-hoc,” which is below the targeted Level 4 in three of five functions. Because the Department performs several security functions on CISA’s behalf, CISA has not yet developed component specific policies, procedures, and business processes as required by DHS policy.

Coming Events

  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Computerizer from Pixabay

Further Reading, Other Developments, and Coming Events (22 October)

Further Reading

  •  “A deepfake porn Telegram bot is being used to abuse thousands of women” By Matt Burgess — WIRED UK. A bot set loose on Telegram can take pictures of women and, apparently teens, too, and “takes off” their clothing, rendering a naked image of females who never took naked pictures. This seems to be the next iteration in deepfake porn, a problem that will surely get worse until governments legislate against it and technology companies have incentives to locate and take down such material.
  • The Facebook-Twitter-Trump Wars Are Actually About Something Else” By Charlie Warzel — The New York Times. This piece makes the case that there are no easy fixes for American democracy or for misinformation on social media platforms.
  • Facebook says it rejected 2.2m ads for breaking political campaigning rules” — Agence France-Presse. Facebook’s Vice President of Global Affairs and Communications Nick Clegg said the social media giant is employing artificial intelligence and humans to find and remove political advertisements that violate policy in order to avoid a repeat of 2016 where untrue information and misinformation played roles in both Brexit and the election of Donald Trump as President of the United States.
  • Huawei Fallout—Game-Changing New China Threat Strikes At Apple And Samsung” By Zak Doffman — Forbes. Smartphone manufacturers from the People’s Republic of China (PRC) appear ready to step into the projected void caused by the United States (U.S.) strangling off Huawei’s access to chips. Xiaomi and Oppo have already seen sales surge worldwide and are poised to pick up where Huawei is being forced to leave off, perhaps demonstrating the limits of U.S. power to blunt the rise of PRC technology companies.
  • As Local News Dies, a Pay-for-Play Network Rises in Its Place” By Davey Alba and Jack Nicas — The New York Times. With a decline and demise of many local media outlets in the United States, new groups are stepping into the void, and some are politically minded but not transparent about biases. The organization uncovered in this article is nakedly Republican and is running and planting articles at both legitimate and artificial news sites for pay. Sometimes conservative donors pay, sometimes campaigns do. Democrats are engaged in the same activity but apparently to a lesser extent. These sorts of activities will only erode further faith in the U.S. media.
  • Forget Antitrust Laws. To Limit Tech, Some Say a New Regulator Is Needed.” By Steve Lohr — The New York Times. This piece argues that anti-trust enforcement actions are plodding, tending to take years to finish. Consequently, this body of law is inadequate to the task of addressing the market dominance of big technology companies. Instead, a new regulatory body is needed along the lines of those regulating the financial services industries that is more nimble than anti-trust. Given the problems in that industry with respect to regulation, this may not be the best model.
  • “‘Do Not Track’ Is Back, and This Time It Might Work” By Gilad Edelman — WIRED. Looking to utilize the requirement in the “California Consumer Privacy Act” (CCPA) (AB 375) that requires regulated entities to respect and effectuate the use of a one-time opt-out mechanism, a group of entities have come together to build and roll out the Global Privacy Control. In theory, users could download this technical specification to their phones and computers, install it, use it once, and then all websites would be on notice regarding that person’s privacy preferences. Such a means would go to the problem turned up by Consumer Reports recent report on the difficulty of trying to opt out of having one’s personal information sold.
  • EU countries sound alarm about growing anti-5G movement” By Laurens Cerulus — Politico. 15 European Union (EU) nations wrote the European Commission (EC) warning that the nascent anti-5G movement borne of conspiracy thinking and misinformation threatens the Eu’s position vis-à-vis the United States (U.S.) and the People’s Republic of China (PRC). There have been more than 200 documented arson attacks in the EU with the most having occurred in the United Kingdom, France, and the Netherlands. These nations called for a more muscular, more forceful debunking of the lies and misinformation being spread about 5G.
  • Security firms call Microsoft’s effort to disrupt botnet to protect against election interference ineffective” By Jay Greene — The Washington Post. Microsoft seemingly acted alongside the United States (U.S.) Cyber Command to take down and impair the operation of Trickbot, but now cybersecurity experts are questioning how effective Microsoft’s efforts really were. Researchers have shown the Russian operated Trickbot has already stood up operations and has dispersed across servers around the world, showing how difficult it is to address some cyber threats.
  • Governments around the globe find ways to abuse Facebook” By Sara Fischer and Ashley Gold — Axios. This piece puts a different spin on the challenges Facebook faces in countries around the world, especially those that ruthlessly use the platform to spread lies and misinformation than the recent BuzzFeed News article. The new article paints Facebook as the well-meaning company being taken advantage of while the other one portrays a company callous to content moderation except in nations where it causes them political problems such as the United States, the European Union, and other western democracies.

Other Developments

  • The United States (U.S.) Department of Justice’s (DOJ) Cyber-Digital Task Force (Task Force) issued “Cryptocurrency: An Enforcement Framework,” that “provides a comprehensive overview of the emerging threats and enforcement challenges associated with the increasing prevalence and use of cryptocurrency; details the important relationships that the Department of Justice has built with regulatory and enforcement partners both within the United States government and around the world; and outlines the Department’s response strategies.” The Task Force noted “[t]his document does not contain any new binding legal requirements not otherwise already imposed by statute or regulation.” The Task Force summarized the report:
    • [I]n Part I, the Framework provides a detailed threat overview, cataloging the three categories into which most illicit uses of cryptocurrency typically fall: (1) financial transactions associated with the commission of crimes; (2) money laundering and the shielding of legitimate activity from tax, reporting, or other legal requirements; and (3) crimes, such as theft, directly implicating the cryptocurrency marketplace itself. 
    • Part II explores the various legal and regulatory tools at the government’s disposal to confront the threats posed by cryptocurrency’s illicit uses, and highlights the strong and growing partnership between the Department of Justice and the Securities and Exchange Commission, the Commodity Futures Commission, and agencies within the Department of the Treasury, among others, to enforce federal law in the cryptocurrency space.
    • Finally, the Enforcement Framework concludes in Part III with a discussion of the ongoing challenges the government faces in cryptocurrency enforcement—particularly with respect to business models (employed by certain cryptocurrency exchanges, platforms, kiosks, and casinos), and to activity (like “mixing” and “tumbling,” “chain hopping,” and certain instances of jurisdictional arbitrage) that may facilitate criminal activity.    
  • The White House’s Office of Science and Technology Policy (OSTP) has launched a new website for the United States’ (U.S.) quantum initiative and released a report titled “Quantum Frontiers: Report On Community Input To The Nation’s Strategy For Quantum Information Science.” The Quantum Initiative flows from the “National Quantum Initiative Act” (P.L. 115-368) “to  provide  for  a  coordinated  Federal  program  to  accelerate  quantum  research  and  development  for  the  economic and national security of the United States.” The OSTP explained that the report “outlines eight frontiers that contain core problems with fundamental questions confronting quantum information science (QIS) today:
    • Expanding Opportunities for Quantum Technologies to Benefit Society
    • Building the Discipline of Quantum Engineering
    • Targeting Materials Science for Quantum Technologies
    • Exploring Quantum Mechanics through Quantum Simulations
    • Harnessing Quantum Information Technology for Precision Measurements
    • Generating and Distributing Quantum Entanglement for New Applications
    • Characterizing and Mitigating Quantum Errors
    • Understanding the Universe through Quantum Information
    • OSTP asserted “[t]hese frontier areas, identified by the QIS research community, are priorities for the government, private sector, and academia to explore in order to drive breakthrough R&D.”
  • The New York Department of Financial Services (NYDFS) published its report on the July 2020 Twitter hack during which a team of hacker took over a number of high-profile accounts (e.g. Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk) in order to perpetrate a cryptocurrency scam. The NYDFS has jurisdiction over cryptocurrencies and companies dealing in this item in New York. The NYDFS found that the hackers used the most basic means to acquire permission to take over accounts. The NYDFS explained:
    • Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account. Indeed, the Hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.
    • The implications of the Twitter Hack extend far beyond this garden-variety fraud. There are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.In the hands of a dangerous adversary, the same access obtained by the Hackers–the ability to take control of any Twitter users’ account–could cause even greater harm.
    • The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.
    • The NYDFS recommended the cybersecurity measures cryptocurrency companies in New York should implement to avoid similar hacks, including its own cybersecurity regulations that bind its regulated entities in New York. The NYDFS also called for a national regulator to address the lack of a dedicated regulator of Twitter and other massive social media platforms. The NYDFS asserted:
      • Social media companies currently have no dedicated regulator. They are subject to the same general oversight applicable to other companies. For instance, the SEC’s regulations for all public companies apply to public social media companies, and antitrust and related laws and regulations enforced by the Department of Justice and the FTC apply to social media companies as they do to all companies. Social media companies are also subject to generally applicable laws, such as the California Consumer Privacy Act and the New York SHIELD Act. The European Union’s General Data Protection Regulation, which regulates the storage and use of personal data, also applies to social media entities doing business in Europe.
      • But there are no regulators that have the authority to uniformly regulate social media platforms that operate over the internet, and to address the cybersecurity concerns identified in this Report. That regulatory vacuum must be filled.
      • A useful starting point is to create a “systemically important” designation for large social media companies, like the designation for critically important bank and non-bank financial institutions. In the wake of the 2007-08 financial crisis, Congress established a new regulatory framework for financial institutions that posed a systemic threat to the financial system of the United States. An institution could be designated as a Systemically Important Financial Institution (“SIFI”) “where the failure of or a disruption to the functioning of a financial market utility or the conduct of a payment, clearing, or settlement activity could create, or increase, the risk of significant liquidity or credit problems spreading among financial institutions or markets and thereby threaten the stability of the financial system of the United States.”
      • The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions. The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.
      • The designation of an institution as a SIFI is made by the Financial Stability Oversight Council (“FSOC”), which Congress established to “identify risks to the financial stability of the United States” and to provide enhanced supervision of SIFIs.[67] The FSOC also “monitors regulatory gaps and overlaps to identify emerging sources of systemic risk.” In determining whether a financial institution is systemically important, the FSOC considers numerous factors including: the effect that a failure or disruption to an institution would have on financial markets and the broader financial system; the nature of the institution’s transactions and relationships; the nature, concentration, interconnectedness, and mix of the institution’s activities; and the degree to which the institution is regulated.
      • An analogue to the FSOC should be established to identify systemically important social media companies. This new Oversight Council should evaluate the reach and impact of social media companies, as well as the society-wide consequences of a social media platform’s misuse, to determine which companies they should designate as systemically important. Once designated, those companies should be subject to enhanced regulation, such as through the provision of “stress tests” to evaluate the social media companies’ susceptibility to key threats, including cyberattacks and election interference.
      • Finally, the success of such oversight will depend on the establishment of an expert agency to oversee designated social media companies. Systemically important financial companies designated by the FSOC are overseen by the Federal Reserve Board, which has a long-established and deep expertise in banking and financial market stability. A regulator for systemically important social media would likewise need deep expertise in areas such as technology, cybersecurity, and disinformation. This expert regulator could take various forms; it could be a completely new agency or could reside within an established agency or at an existing regulator.
  • The Government Accountability Office (GAO) evaluated how well the Trump Administration has been implementing the “Open, Public, Electronic and Necessary Government Data Act of 2018” (OPEN Government Data Act) (P.L. 115-435). As the GAO explained, this statute “requires federal agencies to publish their information as open data using standardized, nonproprietary formats, making data available to the public open by default, unless otherwise exempt…[and] codifies and expands on existing federal open data policy including the Office of Management and Budget’s (OMB) memorandum M-13-13 (M-13-13), Open Data Policy—Managing Information as an Asset.”
    • The GAO stated
      • To continue moving forward with open government data, the issuance of OMB implementation guidance should help agencies develop comprehensive inventories of their data assets, prioritize data assets for publication, and decide which data assets should or should not be made available to the public.
      • Implementation of this statutory requirement is critical to agencies’ full implementation and compliance with the act. In the absence of this guidance, agencies, particularly agencies that have not previously been subject to open data policies, could fall behind in meeting their statutory timeline for implementing comprehensive data inventories.
      • It is also important for OMB to meet its statutory responsibility to biennially report on agencies’ performance and compliance with the OPEN Government Data Act and to coordinate with General Services Administration (GSA) to improve the quality and availability of agency performance data that could inform this reporting. Access to this information could inform Congress and the public on agencies’ progress in opening their data and complying with statutory requirements. This information could also help agencies assess their progress and improve compliance with the act.
    • The GAO made three recommendations:
      • The Director of OMB should comply with its statutory requirement to issue implementation guidance to agencies to develop and maintain comprehensive data inventories. (Recommendation 1)
      • The Director of OMB should comply with the statutory requirement to electronically publish a report on agencies’ performance and compliance with the OPEN Government Data Act. (Recommendation 2)
      • The Director of OMB, in collaboration with the Administrator of GSA, should establish policy to ensure the routine identification and correction of errors in electronically published performance information. (Recommendation 3)
  • The United States’ (U.S.) National Security Agency (NSA) issued a cybersecurity advisory titled “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities,” that “provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks.” The NSA recommended a number of mitigations generally for U.S. entities, including:
    • Keep systems and products updated and patched as soon as possible after patches are released.
    • Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
    • Disable external management capabilities and set up an out-of-band management network.
    • Block obsolete or unused protocols at the network edge and disable them in device configurations.
    • Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
    • Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.
    • The NSA then proceeded to recommend specific fixes.
    • The NSA provided this policy backdrop:
      • One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and Department of Defense (DOD) information networks is Chinese state-sponsored malicious cyber activity. These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information. Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts.
      • The same process for planning the exploitation of a computer network by any sophisticated cyber actor is used by Chinese state-sponsored hackers. They often first identify a target, gather technical information on the target, identify any vulnerabilities associated with the target, develop or re-use an exploit for those vulnerabilities, and then launch their exploitation operation.
  • Belgium’s data protection authority (DPA) (Autorité de protection des données in French or Gegevensbeschermingsautoriteit in Dutch) (APD-GBA) has reportedly found that the Transparency & Consent Framework (TCF) developed by the Interactive Advertising Bureau (IAB) violates the General Data Protection Regulation (GDPR). The Real-Time Bidding (RTB) system used for online behavioral advertising allegedly transmits the personal information of European Union residents without their consent even before a popup appears on their screen asking for consent. The APD-GBA is the lead DPA in the EU in investigating the RTB and will likely now circulate their findings and recommendations to other EU DPAs before any enforcement will commence.
  • None Of Your Business (noyb) announced “[t]he Irish High Court has granted leave for a “Judicial Review” against the Irish Data Protection Commission (DPC) today…[and] [t]he legal action by noyb aims to swiftly implement the [Court of Justice for the European Union (CJEU)] Decision prohibiting Facebook’s” transfer of personal data from the European Union to the United States (U.S.) Last month, after the DPC directed Facebook to stop transferring the personal data of EU citizens to the U.S., the company filed suit in the Irish High Court to stop enforcement of the order and succeeded in staying the matter until the court rules on the merits of the challenge.
    • noyb further asserted:
      • Instead of making a decision in the pending procedure, the DPC has started a second, new investigation into the same subject matter (“Parallel Procedure”), as widely reported (see original reporting by the WSJ). No logical reasons for the Parallel Procedure was given, but the DPC has maintained that Mr Schrems will not be heard in this second case, as he is not a party in this Parallel Procedure. This Paralell procedure was criticised by Facebook publicly (link) and instantly blocked by a Judicial Review by Facebook (see report by Reuters).
      • Today’s Judicial Review by noyb is in many ways the counterpart to Facebook’s Judicial Review: While Facebook wants to block the second procedure by the DPC, noyb wants to move the original complaints procedure towards a decision.
      • Earlier this summer, the CJEU struck down the adequacy decision for the agreement between the EU and (U.S. that had provided the easiest means to transfer the personal data of EU citizens to the U.S. for processing under the General Data Protection Regulation (GDPR) (i.e. the EU-U.S. Privacy Shield). In the case known as Schrems II, the CJEU also cast doubt on whether standard contractual clauses (SCC) used to transfer personal data to the U.S. would pass muster given the grounds for finding the Privacy Shield inadequate: the U.S.’s surveillance regime and lack of meaningful redress for EU citizens. Consequently, it has appeared as if data protection authorities throughout the EU would need to revisit SCCs for transfers to the U.S., and it appears the DPC was looking to stop Facebook from using its SCC. Facebook is apparently arguing in its suit that it will suffer “extremely significant adverse effects” if the DPC’s decision is implemented.
  • Most likely with the aim of helping British chances for an adequacy decision from the European Union (EU), the United Kingdom’s Information Commissioner’s Office (ICO) published guidance that “discusses the right of access [under the General Data Protection Regulation (GDPR)] in detail.” The ICO explained “is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in larger organisations…[but] does not specifically cover the right of access under Parts 3 and 4 of the Data Protection Act 2018.”
    • The ICO explained
      • The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information.
  • The report the House Education and Labor Ranking Member requested from the Government Accountability Office (GAO) on the data security and data privacy practices of public schools. Representative Virginia Foxx (R-NC) asked the GAO “to review the security of K-12 students’ data. This report examines (1) what is known about recently reported K-12 cybersecurity incidents that compromised student data, and (2) the characteristics of school districts that experienced these incidents.” Strangely, the report did have GAO’s customary conclusions or recommendations. Nonetheless, the GAO found:
    • Ninety-nine student data breaches reported from July 1, 2016 through May 5, 2020 compromised the data of students in 287 school districts across the country, according to our analysis of K-12 Cybersecurity Resource Center (CRC) data (see fig. 3). Some breaches involved a single school district, while others involved multiple districts. For example, an attack on a vendor system in the 2019-2020 school year affected 135 districts. While information about the number of students affected was not available for every reported breach, examples show that some breaches affected thousands of students, for instance, when a cybercriminal accessed 14,000 current and former students’ personally identifiable information (PII) in one district.
    • The 99 reported student data breaches likely understate the number of breaches that occurred, for different reasons. Reported incidents sometimes do not include sufficient information to discern whether data were breached. We identified 15 additional incidents in our analysis of CRC data in which student data might have been compromised, but the available information was not definitive. In addition, breaches can go undetected for some time. In one example, the personal information of hundreds of thousands of current and former students in one district was publicly posted for 2 years before the breach was discovered.
    • The CRC identified 28 incidents involving videoconferences from April 1, 2020 through May 5, 2020, some of which disrupted learning and exposed students to harm. In one incident, 50 elementary school students were exposed to pornography during a virtual class. In another incident in a different district, high school students were targeted with hate speech during a class, resulting in the cancellation that day of all classes using the videoconferencing software. These incidents also raise concerns about the potential for violating students’ privacy. For example, one district is reported to have instructed teachers to record their class sessions. Teachers said that students’ full names were visible to anyone viewing the recording.
    • The GAO found gaps in the protection and enforcement of student privacy by the United States government:
      • [The Department of] Education is responsible for enforcing Family Educational Rights and Privacy Act (FERPA), which addresses the privacy of PII in student education records and applies to all schools that receive funds under an applicable program administered by Education. If parents or eligible students believe that their rights under FERPA have been violated, they may file a formal complaint with Education. In response, Education is required to take appropriate actions to enforce and deal with violations of FERPA. However, because the department’s authority under FERPA is directly related to the privacy of education records, Education’s security role is limited to incidents involving potential violations under FERPA. Further, FERPA amendments have not directly addressed educational technology use.
      • The “Children’s Online Privacy Protection Act” (COPPA) requires the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s privacy. The COPPA Rule, which took effect in 2000 and was later amended in 2013, requires operators of covered websites or online services that collect personal information from children under age 13 to provide notice and obtain parental consent, among other things. COPPA generally applies to the vendors who provide educational technology, rather than to schools directly. However, according to FTC guidance, schools can consent on behalf of parents to the collection of students’ personal information if such information is used for a school-authorized educational purpose and for no other commercial purpose.
  • Upturn, an advocacy organization that “advances equity and justice in the design, governance, and use of technology,” has released a report showing that United States (U.S.) law enforcement agencies have multiple means of hacking into encrypted or protected smartphones. There have long been the means and vendors available in the U.S. and abroad for breaking into phones despite the claims of a number of nations like the Five Eyes (U.S., the United Kingdom, Australia, Canada, and New Zealand) that default end-to-end encryption was a growing problem that allowed those preying on children and engaged in terrorism to go undetected. In terms of possible bias, Upturn is “is supported by the Ford Foundation, the Open Society Foundations, the John D. and Catherine T. MacArthur Foundation, Luminate, the Patrick J. McGovern Foundation, and Democracy Fund.”
    • Upturn stated:
      • Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone — all emails, texts, photos, location, app data, and more — which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a “window into the soul.”
      • This report documents the widespread adoption of MDFTs by law enforcement in the United States. Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant. To our knowledge, this is the first time that such records have been widely disclosed.
    • Upturn argued:
      • Law enforcement use these tools to investigate not only cases involving major harm, but also for graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses. Given how routine these searches are today, together with racist policing policies and practices, it’s more than likely that these technologies disparately affect and are used against communities of color.
      • We believe that MDFTs are simply too powerful in the hands of law enforcement and should not be used. But recognizing that MDFTs are already in widespread use across the country, we offer a set of preliminary recommendations that we believe can, in the short-term, help reduce the use of MDFTs. These include:
        • banning the use of consent searches of mobile devices,
        • abolishing the plain view exception for digital searches,
        • requiring easy-to-understand audit logs,
        • enacting robust data deletion and sealing requirements, and
        • requiring clear public logging of law enforcement use.

Coming Events

  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • The Senate Commerce, Science, and Transportation Committee will hold a hearing on 28 October regarding 47 U.S.C. 230 titled “Does Section 230’s Sweeping Immunity Enable Big Tech Bad Behavior?” with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.
  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Mehmet Turgut Kirkgoz from Pixabay