FCC Denies Trump Administration’s Request To Block Ligado

The FCC denies the NTIA petition, but language in the FY 2021 NDAA all but pauses the project.

Earlier this month, the Trump Administration’s Federal Communications Commission (FCC) denied the petition to stay submitted by the National Telecommunications and Information Administration (NTIA) to stop the FCC’s April 2020 decision to let Ligado proceed with “a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz portions of its license in the mobile satellite services (MSS) L-band allocation.”

Ligado and its predecessor have been trying to obtain authorization from the FCC in one form or another for the last 15 years. When the company was finally given the green light last spring, other agencies renewed and their objections even though the had been part of the inter-agency consideration process. Moreover, there were Members of Congress who urged the FCC to rescind the authorization. The objections arose from claims that Ligado’s operation would impair key national security and civilian Global Positioning System (GPS) systems. And, on the basis of these concerns, there is language in a recently enacted law that will function to block the FCC and Ligado from proceeding until an independent report is completed.

However, this issue now becomes the responsibility of the Biden Administration. It is not known how the NTIA will proceed, and they conceivably could appeal the FCC’s decision in federal court. Moreover, the caretaker officials at the agency may do just this in order to preserve the option for the Biden Administration officials. Certainly, Members of Congress interested in stopping the FCC and Ligado have been in contact with the Biden team and will seek to draft them into their cause.

The FCC summarized its decision:

We find that the extraordinary equitable relief of a stay is not warranted.  First, NTIA itself argues that the harmful interference issue it raises will not likely arise until after Ligado deploys its network.  Such deployment will not occur for some time and not before the Commission has an opportunity to rule on the Petition for Reconsideration and to reach a determination as to whether NTIA’s claims justify barring this deployment or otherwise modifying its underlying order.  Thus, there is no need to issue a stay at this time to prevent any irreparable harm that NTIA claims will occur.  Second, based on the record, we conclude that NTIA is unlikely to succeed on the merits.  Its claim is based primarily on an argument that the Order departed from the Commission’s established approach to evaluating harmful interference concerns, a claim belied by the words of the Order itself.  To the extent NTIA contends that the Commission should use the specific 1 dB metric and approach specifically advocated by DOT and others, the Commission addressed that contention in detail in the Order.  To the extent NTIA in its Stay Petition is seeking to support its request for a stay based on providing new data or additional testing that NTIA had not previously provided in the record of this proceeding, this argument is unlikely to succeed on the merits based on its untimeliness.  Finally, the balance of the equities favors denial of a stay, in light of the tangible harm to Ligado from a stay and the public interest in finally bringing its terrestrial service to market. 

In late April, the FCC’s “decision authorize[d] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including GPS, are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Then Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DOD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable,  opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

Also in April, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

In early May 2020, the NTIA, a component agency of the Department of Commerce, filed two petitions with the FCC) asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argue the order would allow Ligado to set up a system that would interfere with the Department of Defense’s (DOD) GPS and civilian federal agency applications of GPS as well.

The NTIA stated in its press release that it “petitioned the FCC to reconsider its Order and Authorization that conditionally granted license modification applications filed by Ligado Networks LLC…[that] permits Ligado to provide terrestrial wireless services that threaten to harm federal government users of the Global Positioning System (GPS) along with a variety of other public and private stakeholders.”

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of Department of Defense (DOD) and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

NTIA made the following arguments in its petition:

  • The Ligado Order failed to adequately consider and give appropriate weight to important and valid executive branch concerns about harmful interference to GPS.
  • None of Ligado’s latest mitigation proposals, nor the conditions based on them, have been tested or evaluated by any independent party…[and] [a] more scientific way of resolving these technical disputes could be accomplished through further joint FCC-executive branch or independent testing based on Ligado’s actual network and base station parameters.
  • The license conditions imposed on Ligado will not adequately mitigate the risk of harmful interference to federal GPS devices, will shift the burden of fixing such interference to federal users, and are otherwise impractical for addressing actual impacts to national security systems. In light of the large number of federal GPS devices that potentially would be impacted by Ligado’s network, the FCC conditions, even if modified, will be a high-cost, time consuming effort for Ligado and federal agencies. As written, the condition requiring the repair or replacement of government receivers, is impractical, infeasible, and potentially illegal.

In June, Ligado filed its response to the NTIAs petitions to stay and have the FCC reconsider its order allowing the company to move forward with its satellite-terrestrial wireless network. The company argued the NTIA’s petitions rehash the same arguments heard and rejected by the FCC over the course of the nearly decade long proceeding, do not argue that an injury has occurred because Ligado is not yet operating, and is contrary to the public interest by delaying the rollout of 5G.

Ligado argued

  • First, NTIA is unlikely to prevail on the merits of its Petition for Reconsideration. The 72-page Order was the culmination of the Commission’s “extensive review of the record” generated during a comprehensive, multi-year proceeding, in which NTIA actively participated. In light of the ample notice and opportunity to comment that the Commission provided NTIA, its complaints regarding process are meritless and not a basis for reconsidering the Order. NTIA’s substantive arguments, which merely reiterate arguments that the Commission has already meticulously considered and rejected regarding alleged harmful interference with GPS devices, fare no better.
  • Second,  NTIA  effectively  concedes  that  it  will  suffer  no  imminent  irreparable  injury—meaning  “proof”  of  irreparable  injury  that  “is  certain  to  occur  in  the  near  future.” NTIA admits  that Ligado’s system will not become operational for a period as long as eighteen months. Putting aside  that  NTIA’s  alleged  injuries  are  contrary  to  the  extensive  record,  even  on  NTIA’s  own  theory those injuries would only occur after Ligado’s network commences operations, and so by definition  those  purported  injuries  are  not  “certain  to  occur  in  the  near  future.”
  • Third and finally, issuance of a stay would harm both Ligado and the public interest. A stay would needlessly hamper Ligado’s ability to make progress on important preliminary work items that are necessary to deploy the spectrum for 5G and have long lead times. Moreover, the Commission has explained that Ligado’s network will provide extensive benefits to the public, by unlocking the benefits of advanced communications technologies for customers and businesses, including 5G. A stay would thus unnecessarily delay the “significant public interest benefits associated with Ligado’s proposed ATC network and deployment.”

As mentioned, a recently enacted law will effectively block Ligado. There are provisions in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) barring the DOD to use funds to assist companies in mitigating any harmful interference from the operation of Ligado. Moreover, the DOD must contract for a study on any negative effects:

[The DOD] shall seek to enter into an agreement with the National Academies of Sciences, Engineering, and Medicine for the National Academies… carry out an independent technical review of the Order and Authorization adopted by the Federal Communications Commission on April 19, 2020 (FCC 20-48), to the extent that such Order and Authorization affects the devices, operations, or activities of the Department of Defense.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by AR on Unsplash

Preview of Senate Democratic Chairs

It’s not clear who will end up where, but new Senate chairs will change focus and agenda of committees and debate over the next two years.

With the victories of Senators-elect Rafael Warnock (D-GA) and Jon Ossoff (D-GA), control of the United States Senate will tip to the Democrats once Vice President-elect Kamala Harris (D) is sworn in and can break the 50-50 tie in the chamber in favor of the Democrats. With the shift in control, new chairs will take over committees key to setting the agenda over the next two years in the Senate. However, given the filibuster, and the fact that Senate Republicans will exert maximum leverage through its continued use, Democrats will be hamstrung and forced to work with Republicans on matters such as federal privacy legislation, artificial intelligence (AI), the Internet of Things (IOT), cybersecurity, data flows, surveillance, etc. just as Republicans have had to work with Democrats over the six years they controlled the chamber. Having said that, Democrats will be in a stronger position than they had been and will have the power to set the agenda in committee hearings, being empowered to call the lion’s share of witnesses and to control the floor agenda. What’s more, Democrats will be poised to confirm President-elect Joe Biden’s nominees at agencies like the Federal Communications Commission (FCC), Federal Trade Commission (FTC), the Department of Justice (DOJ), and others, giving the Biden Administration a free hand in many areas of technology policy.

All of that being said, this is not meant to be an exhaustive look at all the committees of jurisdiction and possible chairs. Rather, it seeks to survey likely chairs on selected committees and some of their priorities for the next two years. Subcommittee chairs will also be important, but until the cards get shuffled among the chairs, it will not be possible to see where they land at the subcommittee level.

When considering the possible Democratic chairs of committees, one must keep in mind it is often a matter of musical chairs with the most senior members getting first choice. And so, with Senator Patrick Leahy (D-VT) as the senior-most Democratic Senator, he may well choose to leave the Appropriations Committee and move back to assume the gavel of the Judiciary Committee. Leahy has long been a stakeholder on antitrust, data security, privacy, and surveillance legislation and would be in a position to influence what bills on those and other matters before the Senate look like. If Leahy does not move to the chair on Judiciary, he may still be entitled to chair a subcommittee and exert influence.

If Leahy stays put, then current Senate Minority Whip Dick Durbin (D-IL) would be poised to leapfrog Senator Dianne Feinstein (D-CA) to chair Judiciary after Feinstein was persuaded to step aside on account of her lackluster performance in a number of high-profile hearings in 2020. Durbin has also been active on privacy, data security, and surveillance issues. The Judiciary Committee will be central to a number of technology policies, including Foreign Intelligence Surveillance Act reauthorization, privacy legislation, Section 230 reform, antitrust, and others. On the Republican side of the dais, Senator Lindsey Graham (R-SC) leaving the top post because of term limit restrictions imposed by Republicans, and Senator Charles Grassley (R-IA) is set to replace him. How this changes the 47 USC 230 (Section 230) debate is not immediately clear. And yet, Grassley and three colleagues recently urged the Trump Administration in a letter to omit language in a trade agreement with the United Kingdom (UK) that mirrors the liability protection Section 230. Senators Rob Portman (R-OH), Mark R. Warner (D-VA), Richard Blumenthal (D-CT), and Grassley argued to U.S. Trade Representative Ambassador Robert Lighthizer that a “safe harbor” like the one provided to technology companies for hosting or moderating third party content is outdated, not needed in a free trade agreement, contrary to the will of both the Congress and UK Parliament, and likely to be changed legislatively in the near future. It is likely, however, Grassley will fall in with other Republicans propagating the narrative that social media is unfairly biased against conservatives, particularly in light of the recent purge of President Donald Trump for his many, repeated violations of policy.

The Senate Judiciary Committee will be central in any policy discussions of antitrust and anticompetition in the technology realm. But it bears note the filibuster (and the very low chances Senate Democrats would “go nuclear” and remove all vestiges of the functional supermajority requirement to pass legislation) will give Republicans leverage to block some of the more ambitious reforms Democrats might like to enact (e.g. the House Judiciary Committee’s October 2020 final report that calls for nothing less than a complete remaking of United States (U.S.) antitrust policy and law; see here for more analysis.)

It seems Senator Sherrod Brown (D-OH) will be the next chair of the Senate Banking, Housing, and Urban Development Committee which has jurisdiction over cybersecurity, data security, privacy, and other issues in the financial services sector, making it a player on any legislation designed to encompass the whole of the United States economy. Having said that, it may again be the case that sponsors of, say, privacy legislation decide to cut the Gordian knot of jurisdictional turf battles by cutting out certain committees. For example, many of the privacy bills had provisions making clear they would deem financial services entities in compliance with the Financial Services Modernization Act of 1999 (P.L. 106-102) (aka Gramm-Leach-Bliley) to be in compliance with the new privacy regime. I suppose these provisions may have been included on the basis of the very high privacy and data security standards Gramm-Leach-Bliley has brought about (e.g. the Experian hack), or sponsors of federal privacy legislation made the strategic calculation to circumvent the Senate Banking Committee as much as they can. Nonetheless, this committee has sought to insert itself into the policymaking process on privacy last year as Brown and outgoing Chair Mike Crapo (R-ID) requested “feedback” in February 2019 “from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Additionally, Brown released what may be the most expansive privacy bill from the perspective of privacy and civil liberties advocates, the “Data Accountability and Transparency Act of 2020” in June 2020 (see here for my analysis.) Therefore, Brown may continue to push for a role in federal privacy legislation with a gavel in his hands.

In a similar vein, Senator Patty Murray (D-WA) will likely take over the Senate Health, Education, Labor, and Pensions (HELP) Committee which has jurisdiction over health information privacy and data security through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). Again, as with the Senate Banking Committee and Gramm-Leach-Bliley, most of the privacy bills exempt HIPAA-compliant entities. And yet, even if her committee is cut out of a direct role in privacy legislation, Murray will still likely exert influence through oversight of and possible legislation changing HIPAA regulations and the Department of Health and Human Services (HHS) enforcement and rewriting of these standards for most of the healthcare industry. For example, HHS is rushing a rewrite of the HIPAA regulations at the tail end of the Trump Administration, and Murray could be in a position to inform how the Biden Administration and Secretary of Health and Human Services-designate Xavier Berra handles this rulemaking. Additionally, Murray may push the Office of Civil Rights (OCR), the arm of HHS that writes and enforces these regulations, to prioritize matters differently.

Senator Maria Cantwell (D-WA) appears to be the next chair of the Senate Commerce, Science, and Transportation Committee and arguably the largest technology portfolio in the Senate. It is the primary committee of jurisdiction for the FCC, FTC, National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and the Department of Commerce. Cantwell may exert influence on which people are nominated to head and staff those agencies and others. Her committee is also the primary committee of jurisdiction for domestic and international privacy and data protection matters. And so, federal privacy legislation will likely be drafted by this committee, and legislative changes so the U.S. can enter into a new personal data sharing agreement with the European Union (EU) would also likely involve her and her committee.

Cantwell and likely next Ranking Member Roger Wicker (R-MS) agree on many elements of federal privacy law but were at odds last year on federal preemption and whether people could sue companies for privacy violations. Between them, they circulated three privacy bills. In September 2020, Wicker and three Republican colleagues introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act” (S.4626) (see here for more analysis). Wicker had put out for comment a discussion draft, the “Consumer Data Privacy Act of 2019” (CDPA) (See here for analysis) in November 2019 shortly after the Ranking Member on the committee, Senator Maria Cantwell (D-WA) and other Democrats had introduced their privacy bill, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968) (See here for more analysis).

Cantwell could also take a leading role on Section 230, but her focus, of late, seems to be on how technology companies are wreaking havoc to traditional media. released a report that she has mentioned during her opening statement at the 23 September hearing aimed at trying to revive data privacy legislation. She and her staff investigated the decline and financial troubles of local media outlets, which are facing a cumulative loss in advertising revenue of up to 70% since 2000. And since advertising revenue has long been the life blood of print journalism, this has devastated local media with many outlets shutting their doors or radically cutting their staff. This trend has been exacerbated by consolidation in the industry, often in concert with private equity or hedge funds looking to wring the last dollars of value from bargain basement priced newspapers. Cantwell also claimed that the overwhelming online advertising dominance of Google and Facebook has further diminished advertising revenue and other possible sources of funding through a variety of means. She intimates that much of this content may be illegal under U.S. law, and the FTC may well be able to use its Section 5 powers against unfair and deceptive acts and its anti-trust authority to take action. (see here for more analysis and context.) In this vein, Cantwell will want her committee to play in any antitrust policy changes, likely knowing massive changes in U.S. law are not possible in a split Senate with entrenched party positions and discipline.

Senator Jack Reed (D-RI) will take over the Senate Armed Services Committee and its portfolio over national security technology policy that includes the cybersecurity, data protection and supply chain of national security agencies and their contractors, AI, offensive and defensive U.S. cyber operations, and other realms. Much of the changes Reed and his committee will seek to make will be through the annual National Defense Authorization Act (NDAA) (see here and here for the many technology provisions in the FY 2021 NDAA.) Reed may also prod the Department of Defense (DOD) to implement or enforce the Cybersecurity Maturity Model Certification (CMMC) Framework differently than envisioned and designed by the Trump Administration. In December 2020, a new rule took effect designed to drive better cybersecurity among U.S. defense contractors. This rule brings together two different lines of effort to require the Defense Industrial Base (DIB) to employ better cybersecurity given the risks they face by holding and using classified information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Executive Branch has long wrestled with how to best push contractors to secure their systems, and Congress and the White House have opted for using federal contract requirements in that contractors must certify compliance. However, the most recent initiative, the CMMC Framework will require contractors to be certified by third party assessors. And yet, it is not clear the DOD has wrestled with the often-misaligned incentives present in third party certification schemes.

Reed’s committee will undoubtedly delve deep into the recent SolarWinds hack and implement policy changes to avoid a reoccurrence. Doing so may lead the Senate Armed Services Committee back to reconsidering the Cyberspace Solarium Commission’s (CSC) March 2020 final report and follow up white papers, especially their views embodied in “Building a Trusted ICT Supply Chain.”

Senator Mark Warner (D-VA) will likely take over the Senate Intelligence Committee. Warner has long been a stakeholder on a number of technology issues and would be able to exert influence on the national security components of such issues. He and his committee will almost certainly play a role in the Congressional oversight of and response to the SolarWinds hack. Likewise, his committee shares jurisdiction over FISA with the Senate Judiciary Committee and over national security technology policy with the Armed Services Committee.

Senator Amy Klobuchar (D-MN) would be the Senate Democratic point person on election security from her perch at the Senate Rules and Administration Committee, which may enable her to more forcefully push for the legislative changes she has long advocated for. In May 2019, Klobuchar and other Senate Democrats introduced the “Election Security Act” (S. 1540), the Senate version of the stand-alone measure introduced in the House that was taken from the larger package, the “For the People Act” (H.R. 1) passed by the House.

In August 2018, the Senate Rules and Administration Committee postponed indefinitely a markup on a compromise bill to provide states additional assistance in securing elections from interference, the “The Secure Elections Act” (S.2593). Reportedly, there was concern among state officials that a provision requiring audits of election results would be in effect an unfunded mandate even though this provision was softened at the insistence of Senate Republican leadership. However, a Trump White House spokesperson indicated in a statement that the Administration opposed the bill, which may have posed an additional obstacle to Committee action. However, even if the Senate had passed its bill, it was unlikely that the Republican controlled House would have considered companion legislation (H.R. 6663).

Senator Gary Peters (D-MI) may be the next chair of the Senate Homeland Security and Governmental Affairs Committee, and if so, he will continue to face the rock on which many the bark of cybersecurity legislation has been dashed: Senator Ron Johnson (R-WI). So significant has Johnson’s opposition been to bipartisan cybersecurity legislation from the House, some House Republican stakeholders have said so in media accounts not bothering to hide in anonymity. And so whatever Peters’ ambitions may be to shore up the cybersecurity of the federal government as his committee will play a role in investigating and responding to the Russian hack of SolarWinds and many federal agencies, he will be limited by whatever Johnson and other Republicans will allow to move through the committee and through the Senate. Of course, Peters’ purview would include the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) and its remit to police the cybersecurity practices of the federal government. Peters would also have in his portfolio the information technology (IT) practices of the federal government, some $90 billion annually across all agencies.

Finally, whether it be Leahy or Durbin at the Senate Appropriations Committee, this post allows for immense influence in funding and programmatic changes in all federal programs through the power of the purse Congress holds.

Further Reading, Other Developments, and Coming Events (12 January 2021)

Further Reading

  • Biden’s NSC to focus on global health, climate, cyber and human rights, as well as China and Russia” By Karen DeYoung — The Washington Post. Like almost every incoming White House, the Biden team has announced a restructuring of the National Security Council (NSC) to better effectuate the President-elect’s policy priorities. To not surprise, the volume on cybersecurity policy will be turned up. Other notable change is plans to take “cross-cutting” approaches to issues that will likely meld foreign and domestic and national security and civil issues, meaning there could be a new look on offensive cyber operations, for example. It is possible President Biden decides to put the genie back in the bottle, so to speak, by re-imposing an interagency decision-making process as opposed to the Trump Administration’s approach of delegating discretion to the National Security Agency/Cyber Command head. Also, the NSC will focus on emerging technology, a likely response to the technology arms race the United States finds itself in against the People’s Republic of China.
  • Exclusive: Pandemic relief aid went to media that promoted COVID misinformation” By Caitlin Dickson — yahoo! news. The consulting firm Alethea Group and the nonprofit Global Disinformation Index are claiming the COVID stimulus Paycheck Protection Program (PPP) provided loans and assistance to five firms that “were publishing false or misleading information about the pandemic, thus profiting off the infodemic” according to an Alethea Group vice president. This report follows an NBC News article claiming that 14 white supremacist and racist organizations have also received PPP loans. The Alethea Group and Global Disinformation Index named five entities who took PPP funds and kept spreading pandemic misinformation: Epoch Media Group, Newsmax Media, The Federalist, Liftable Media, and Prager University.
  • Facebook shuts Uganda accounts ahead of vote” — France24. The social media company shuttered a number of Facebook and Instagram accounts related to government officials in Uganda ahead of an election on account of “Coordinated Inauthentic Behaviour” (CIB). This follows the platform shutting down accounts related to the French Army and Russia seeking to influence events in Africa. These and other actions may indicate the platform is starting to pay the same attention to the non-western world as at least one former employee has argued the platform was negligent at best and reckless at worst in not properly resourcing efforts to police CIB throughout the Third World.
  • China tried to punish European states for Huawei bans by adding eleventh-hour rule to EU investment deal” By Finbarr Bermingham — South China Morning Post. At nearly the end of talks on a People’s Republic of China (PRC)-European Union (EU) trade deal, PRC negotiators tried slipping in language that would have barred entry to the PRC’s cloud computing market to any country or company from a country that restricts Huawei’s services and products. This is alternately being seen as either standard Chinese negotiating tactics or an attempt to avenge the thwarting of the crown jewel in its telecommunications ambitions.
  • Chinese regulators to push tech giants to share consumer credit data – sources” By Julie Zhu — Reuters. Ostensibly in a move to better manage the risks of too much unsafe lending, tech giants in the People’s Republic of China (PRC) will soon need to share data on consumer loans. It seems inevitable that such data will be used by Beijing to further crack down on undesirable people and elements within the PRC.
  • The mafia turns social media influencer to reinforce its brand” By Miles Johnson — The Financial Times. Even Italy’s feared ’Ndrangheta is creating and curating a social media presence.

Other Developments

  • President Donald Trump signed an executive order (EO) that bans eight applications from the People’s Republic of China on much the same grounds as the EOs prohibiting TikTok and WeChat. If this EO is not rescinded by the Biden Administration, federal courts may block its implementation as has happened with the TikTok and WeChat EOs to date. Notably, courts have found that the Trump Administration exceeded its authority under the International Emergency Economic Powers Act (IEEPA), which may also be an issue in the proposed prohibition on Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office. Trump found:
    • that additional steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain).  Specifically, the pace and pervasiveness of the spread in the United States of certain connected mobile and desktop applications and other software developed or controlled by persons in the People’s Republic of China, to include Hong Kong and Macau (China), continue to threaten the national security, foreign policy, and economy of the United States.  At this time, action must be taken to address the threat posed by these Chinese connected software applications.
    • Trump directed that within 45 days of issuance of the EO, there shall be a prohibition on “any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with persons that develop or control the following Chinese connected software applications, or with their subsidiaries, as those transactions and persons are identified by the Secretary of Commerce (Secretary) under subsection (e) of this section: Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.”
  • The Government Accountability Office (GAO) issued its first statutorily required annual assessment of how well the United States Department of Defense (DOD) is managing its major information technology (IT) procurements. The DOD spent more than $36 billion of the $90 billion the federal government was provided for IT in FY 2020. The GAO was tasked with assessing how well the DOD did in using iterative development, managing costs and schedules, and implementing cybersecurity measures. The GAO found progress in the first two realms but a continued lag in deploying long recommended best practices to ensure the security of the IT the DOD buys or builds. Nonetheless, the GAO focused on 15 major IT acquisitions that qualify as administrative (i.e. “business”) and communications and information security (i.e. “non-business.”) While there were no explicit recommendations made, the GAO found:
    • Ten of the 15 selected major IT programs exceeded their planned schedules, with delays ranging from 1 month for the Marine Corps’ CAC2S Inc 1 to 5 years for the Air Force’s Defense Enterprise Accounting and Management System-Increment 1.
    • …eight of the 10 selected major IT programs that had tested their then-current technical performance targets reported having met all of their targets…. As of December 2019, four programs had not yet conducted testing activities—Army’s ACWS, Air Force’s AFIPPS Inc 1, Air Force’s MROi, and Navy ePS. Testing data for one program, Air Force’s ISPAN Inc 4, were classified.
    • …officials from the 15 selected major IT programs we reviewed reported using software development approaches that may help to limit risks to cost and schedule outcomes. For example, major business IT programs reported using COTS software. In addition, most programs reported using an iterative software development approach and using a minimum deployable product. With respect to cybersecurity practices, all the programs reported developing cybersecurity strategies, but programs reported mixed experiences with respect to conducting cybersecurity testing. Most programs reported using operational cybersecurity testing, but less than half reported conducting developmental cybersecurity testing. In addition, programs that reported conducting cybersecurity vulnerability assessments experienced fewer increases in planned program costs and fewer schedule delays. Programs also reported a variety of challenges associated with their software development and cybersecurity staff.
    • 14 of the 15 programs reported using an iterative software development approach which, according to leading practices, may help reduce cost growth and deliver better results to the customer. However, programs also reported using an older approach to software development, known as waterfall, which could introduce risk for program cost growth because of its linear and sequential phases of development that may be implemented over a longer period of time. Specifically, two programs reported using a waterfall approach in conjunction with an iterative approach, while one was solely using a waterfall approach.
    • With respect to cybersecurity, programs reported mixed implementation of specific practices, contributing to program risks that might impact cost and schedule outcomes. For example, all 15 programs reported developing cybersecurity strategies, which are intended to help ensure that programs are planning for and documenting cybersecurity risk management efforts.
    • In contrast, only eight of the 15 programs reported conducting cybersecurity vulnerability assessments—systematic examinations of an information system or product intended to, among other things, determine the adequacy of security measures and identify security deficiencies. These eight programs experienced fewer increases in planned program costs and fewer schedule delays relative to the programs that did not report using cybersecurity vulnerability assessments.
  • The United States (U.S.) Department of Energy gave notice of a “Prohibition Order prohibiting the acquisition, importation, transfer, or installation of specified bulk-power system (BPS) electric equipment that directly serves Critical Defense Facilities (CDFs), pursuant to Executive Order 13920.” (See here for analysis of the executive order.) The Department explained:
    • Executive Order No. 13920 of May 1, 2020, Securing the United States Bulk-Power System (85 FR 26595 (May 4, 2020)) (E.O. 13920) declares that threats by foreign adversaries to the security of the BPS constitute a national emergency. A current list of such adversaries is provided in a Request for Information (RFI), issued by the Department of Energy (Department or DOE) on July 8, 2020 seeking public input to aid in its implementation of E.O. 13920. The Department has reason to believe, as detailed below, that the government of the People’s Republic of China (PRC or China), one of the listed adversaries, is equipped and actively planning to undermine the BPS. The Department has thus determined that certain BPS electric equipment or programmable components subject to China’s ownership, control, or influence, constitute undue risk to the security of the BPS and to U.S. national security. The purpose of this Order is to prohibit the acquisition, importation, transfer, or subsequent installation of such BPS electric equipment or programmable components in certain sections of the BPS.
  • The United States’ (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) added the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corporation (SMIC) to its Entity List in a move intended to starve the company of key U.S. technology needed to manufacture high end semiconductors. Therefore, any U.S. entity wishing to do business with SMIC will need a license which the Trump Administration may not be likely to grant. The Department of Commerce explained in its press release:
    • The Entity List designation limits SMIC’s ability to acquire certain U.S. technology by requiring U.S. exporters to apply for a license to sell to the company.  Items uniquely required to produce semiconductors at advanced technology nodes—10 nanometers or below—will be subject to a presumption of denial to prevent such key enabling technology from supporting China’s military-civil fusion efforts.
    • BIS also added more than sixty other entities to the Entity List for actions deemed contrary to the national security or foreign policy interest of the United States.  These include entities in China that enable human rights abuses, entities that supported the militarization and unlawful maritime claims in the South China Sea, entities that acquired U.S.-origin items in support of the People’s Liberation Army’s programs, and entities and persons that engaged in the theft of U.S. trade secrets.
    • As explained in the Federal Register notice:
      • SMIC is added to the Entity List as a result of China’s military-civil fusion (MCF) doctrine and evidence of activities between SMIC and entities of concern in the Chinese military industrial complex. The Entity List designation limits SMIC’s ability to acquire certain U.S. technology by requiring exporters, reexporters, and in-country transferors of such technology to apply for a license to sell to the company. Items uniquely required to produce semiconductors at advanced technology nodes 10 nanometers or below will be subject to a presumption of denial to prevent such key enabling technology from supporting China’s military modernization efforts. This rule adds SMIC and the following ten entities related to SMIC: Semiconductor Manufacturing International (Beijing) Corporation; Semiconductor Manufacturing International (Tianjin) Corporation; Semiconductor Manufacturing International (Shenzhen) Corporation; SMIC Semiconductor Manufacturing (Shanghai) Co., Ltd.; SMIC Holdings Limited; Semiconductor Manufacturing South China Corporation; SMIC Northern Integrated Circuit Manufacturing (Beijing) Co., Ltd.; SMIC Hong Kong International Company Limited; SJ Semiconductor; and Ningbo Semiconductor International Corporation (NSI).
  • The United States’ (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) amended its Export Administration Regulations “by adding a new ‘Military End User’ (MEU) List, as well as the first tranche of 103 entities, which includes 58 Chinese and 45 Russian companies” per its press release. The Department asserted:
    • The U.S. Government has determined that these companies are ‘military end users’ for purposes of the ‘military end user’ control in the EAR that applies to specified items for exports, reexports, or transfers (in-country) to the China, Russia, and Venezuela when such items are destined for a prohibited ‘military end user.’
  • The Australia Competition and Consumer Commission (ACCC) rolled out another piece of the Consumer Data Right (CDR) scheme under the Competition and Consumer Act 2010, specifically accreditation guidelines “to provide information and guidance to assist applicants with lodging a valid application to become an accredited person” to whom Australians may direct data holders share their data. The ACCC explained:
    • The CDR aims to give consumers more access to and control over their personal data.
    • Being able to easily and efficiently share data will improve consumers’ ability to compare and switch between products and services and encourage competition between service providers, leading to more innovative products and services for consumers and the potential for lower prices.
    • Banking is the first sector to be brought into the CDR.
    • Accredited persons may receive a CDR consumer’s data from a data holder at the request and consent of the consumer. Any person, in Australia or overseas, who wishes to receive CDR data to provide products or services to consumers under the CDR regime, must be accredited
  • Australia’s government has released its “Data Availability and Transparency Bill 2020” that “establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests” according to the summary provided in Parliament by the government’s point person. In the accompanying “Explanatory Memorandum,” the following summary was provided:
    • The Bill establishes a new data sharing scheme which will serve as a pathway and regulatory framework for sharing public sector data. ‘Sharing’ involves providing controlled access to data, as distinct from open release to the public.
    • To oversee the scheme and support best practice, the Bill creates a new independent regulator, the National Data Commissioner (the Commissioner). The Commissioner’s role is modelled on other regulators such as the Australian Information Commissioner, with whom the Commissioner will cooperate.
    • The data sharing scheme comprises the Bill and disallowable legislative instruments (regulations, Minister-made rules, and any data codes issued by the Commissioner). The Commissioner may also issue non-legislative guidelines that participating entities must have regard to, and may release other guidance as necessary.
    • Participants in the scheme are known as data scheme entities:
      • Data custodians are Commonwealth bodies that control public sector data, and have the right to deal with that data.
      • Accredited users are entities accredited by the Commissioner to access to public sector data. To become accredited, entities must satisfy the security, privacy, infrastructure and governance requirements set out in the accreditation framework.
      • Accredited data service providers (ADSPs) are entities accredited by the Commissioner to perform data services such as data integration. Government agencies and users will be able to draw upon ADSPs’ expertise to help them to share and use data safely.
    • The Bill does not compel sharing. Data custodians are responsible for assessing each sharing request, and deciding whether to share their data if satisfied the risks can be managed.
    • The data sharing scheme contains robust safeguards to ensure sharing occurs in a consistent and transparent manner, in accordance with community expectations. The Bill authorises data custodians to share public sector data with accredited users, directly or through an ADSP, where:
      • Sharing is for a permitted purpose – government service delivery, informing government policy and programs, or research and development;
      • The data sharing principles have been applied to manage the risks of sharing; and
      • The terms of the arrangement are recorded in a data sharing agreement.
    • Where the above requirements are met, the Bill provides limited statutory authority to share public sector data, despite other Commonwealth, State and Territory laws that prevent sharing. This override of non-disclosure laws is ‘limited’ because it occurs only when the Bill’s requirements are met, and only to the extent necessary to facilitate sharing.
  • The United Kingdom’s Competition and Markets Authority’s (CMA) is asking interested parties to provide input on the proposed acquisition of British semiconductor company by a United States (U.S.) company before it launches a formal investigation later this year. However, CMA is limited to competition considerations, and any national security aspects of the proposed deal would need to be investigated by Prime Minister Boris Johnson’s government. CMA stated:
    • US-based chip designer and producer NVIDIA Corporation (NVIDIA) plans to purchase the Intellectual Property Group business of UK-based Arm Limited (Arm) in a deal worth $40 billion. Arm develops and licenses intellectual property (IP) and software tools for chip designs. The products and services supplied by the companies support a wide range of applications used by businesses and consumers across the UK, including desktop computers and mobile devices, game consoles and vehicle computer systems.
    • CMA added:
      • The CMA will look at the deal’s possible effect on competition in the UK. The CMA is likely to consider whether, following the takeover, Arm has an incentive to withdraw, raise prices or reduce the quality of its IP licensing services to NVIDIA’s rivals.
  • The Israeli firm, NSO Group, has been accused by an entity associated with a British university of using real-time cell phone data to sell its COVID-19 contact tracing app, Fleming, in ways that may have broken the laws of a handful of nations. Forensic Architecture,  a research agency, based at Goldsmiths, University of London, argued:
    • In March 2020, with the rise of COVID-19, Israeli cyber-weapons manufacturer NSO Group launched a contact-tracing technology named ‘Fleming’. Two months later, a database belonging to NSO’s Fleming program was found unprotected online. It contained more than five hundred thousand datapoints for more than thirty thousand distinct mobile phones. NSO Group denied there was a security breach. Forensic Architecture received and analysed a sample of the exposed database, which suggested that the data was based on ‘real’ personal data belonging to unsuspecting civilians, putting their private information in risk
    • Forensic Architecture added:
      • Leaving a database with genuine location data unprotected is a serious violation of the applicable data protection laws. That a surveillance company with access to personal data could have overseen this breach is all the more concerning.
      • This could constitute a violation of the General Data Protection Regulation (GDPR) based on where the database was discovered as well as the laws of the nations where NSO Group allegedly collected personal data
    • The NSO Group denied the claims and was quoted by Tech Crunch:
      • “We have not seen the supposed examination and have to question how these conclusions were reached. Nevertheless, we stand by our previous response of May 6, 2020. The demo material was not based on real and genuine data related to infected COVID-19 individuals,” said an unnamed spokesperson. (NSO’s earlier statement made no reference to individuals with COVID-19.)
      • “As our last statement details, the data used for the demonstrations did not contain any personally identifiable information (PII). And, also as previously stated, this demo was a simulation based on obfuscated data. The Fleming system is a tool that analyzes data provided by end users to help healthcare decision-makers during this global pandemic. NSO does not collect any data for the system, nor does NSO have any access to collected data.”

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Judith Scharnowski from Pixabay

Further Reading, Other Development, and Coming Events (4 January 2021)

Further Reading

  • Microsoft Says Russian Hackers Viewed Some of Its Source Code” By Nicole Perlroth — The New York Times. The Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack keeps growing and growing with Microsoft admitting its source code was viewed through an employee account. It may be that authorized Microsoft resellers were one of the vectors by which the SVR accessed SolarWinds, FireEye, and ultimately a number of United States (U.S.) government agencies. Expect more revelations to come about the scope and breadth of entities and systems the SVR compromised.
  • In 2020, we reached peak Internet. Here’s what worked — and what flopped.” By Geoffrey Fowler — The Washington Post. The newspaper’s tech columnist reviews the technology used during the pandemic and what is likely to stay with us when life returns to some semblance of normal.
  • Facebook Says It’s Standing Up Against Apple For Small Businesses. Some Of Its Employees Don’t Believe It.” By Craig Silverman and Ryan Mac — BuzzFeed News. Again, two of the best-sourced journalists when it comes to Facebook have exposed employee dissent within the social media and advertising giant, and this time over the company’s advertising blitz positioning it as the champion of small businesses that allegedly stand to be hurt when Apple rolls out iOS 14 that will allow users to block the type of tracking across apps and the internet Facebook thrives on. The company’s PR campaign stands in contrast to the anecdotal stories about errors that harmed and impeded small companies in using Facebook to advertise and sell products and services to cusstomers.
  • SolarWinds hack spotlights a thorny legal problem: Who to blame for espionage?” By Tim Starks — cyberscoop. This piece previews possible and likely inevitable litigation to follow from the SolarWinds hack, including possible securities action on the basis of fishy dumps of stock by executive, breach of contract, and negligence for failing to patch and address vulnerabilities in a timely fashion. Federal and state regulators will probably get on the field, too. But this will probably take years to play out as Home Depot settled claims arising from its 2014 breach with state attorneys general in November 2020.
  • The Tech Policies the Trump Administration Leaves Behind” By Aaron Boyd — Nextgov. A look back at the good, the bad, and the ugly of the Trump Administration’s technology policies, some of which will live on in the Biden Administration.

Other Developments

  • In response to the SolarWinds hack, the Federal Bureau of Investigation (FBI), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) issued a joint statement indicating that the process established in Pursuant to Presidential Policy Directive (PPD) 41, an Obama Administration policy has been activated and a Cyber Unified Coordination Group (UCG) has been formed “to coordinate a whole-of-government response to this significant cyber incident.” The agencies explained “[t]he UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities.”
    • In PPD-41 it is explained that a UCG “shall serve as the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.” Moreover, “[t]he Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight, or command responsibilities.”
  • Following the completion of its “in-depth” investigation, the European Commission (EC) cleared Google’s acquisition of Fitbit with certain conditions, removing a significant hurdle for the American multinational in buying the wearable fitness tracker company. In its press release, the EC explained that after its investigation, “the Commission had concerns that the transaction, as initially notified, would have harmed competition in several markets.” To address and allay concerns, Google bound itself for ten years to a set of commitments that can be unilaterally extended by the EC and will be enforced, in part, by the appointment of a trustee to oversee compliance.
    • The EC was particularly concerned about:
      • Advertising: By acquiring Fitbit, Google would acquire (i) the database maintained by Fitbit about its users’ health and fitness; and (ii) the technology to develop a database similar to that of Fitbit. By increasing the already vast amount of data that Google could use for the personalisation of ads, it would be more difficult for rivals to match Google’s services in the markets for online search advertising, online display advertising, and the entire “ad tech” ecosystem. The transaction would therefore raise barriers to entry and expansion for Google’s competitors for these services to the detriment of advertisers, who would ultimately face higher prices and have less choice.
      • Access to Web Application Programming Interface (‘API’) in the market for digital healthcare: A number of players in this market currently access health and fitness data provided by Fitbit through a Web API, in order to provide services to Fitbit users and obtain their data in return. The Commission found that following the transaction, Google might restrict competitors’ access to the Fitbit Web API. Such a strategy would come especially at the detriment of start-ups in the nascent European digital healthcare space.
      • Wrist-worn wearable devices: The Commission is concerned that following the transaction, Google could put competing manufacturers of wrist-worn wearable devices at a disadvantage by degrading their interoperability with Android smartphones.
    • As noted, Google made a number of commitments to address competition concerns:
      • Ads Commitment:
        • Google will not use for Google Ads the health and wellness data collected from wrist-worn wearable devices and other Fitbit devices of users in the EEA, including search advertising, display advertising, and advertising intermediation products. This refers also to data collected via sensors (including GPS) as well as manually inserted data.
        • Google will maintain a technical separation of the relevant Fitbit’s user data. The data will be stored in a “data silo” which will be separate from any other Google data that is used for advertising.
        • Google will ensure that European Economic Area (‘EEA’) users will have an effective choice to grant or deny the use of health and wellness data stored in their Google Account or Fitbit Account by other Google services (such as Google Search, Google Maps, Google Assistant, and YouTube).
      • Web API Access Commitment:
        • Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent.
      • Android APIs Commitment:
        • Google will continue to license for free to Android original equipment manufacturers (OEMs) those public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone. Such core functionalities include but are not limited to, connecting via Bluetooth to an Android smartphone, accessing the smartphone’s camera or its GPS. To ensure that this commitment is future-proof, any improvements of those functionalities and relevant updates are also covered.
        • It is not possible for Google to circumvent the Android API commitment by duplicating the core interoperability APIs outside the Android Open Source Project (AOSP). This is because, according to the commitments, Google has to keep the functionalities afforded by the core interoperability APIs, including any improvements related to the functionalities, in open-source code in the future. Any improvements to the functionalities of these core interoperability APIs (including if ever they were made available to Fitbit via a private API) also need to be developed in AOSP and offered in open-source code to Fitbit’s competitors.
        • To ensure that wearable device OEMs have also access to future functionalities, Google will grant these OEMs access to all Android APIs that it will make available to Android smartphone app developers including those APIs that are part of Google Mobile Services (GMS), a collection of proprietary Google apps that is not a part of the Android Open Source Project.
        • Google also will not circumvent the Android API commitment by degrading users experience with third party wrist-worn devices through the display of warnings, error messages or permission requests in a discriminatory way or by imposing on wrist-worn devices OEMs discriminatory conditions on the access of their companion app to the Google Play Store.
  • The United States (U.S.) Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) has proposed a major rewrite of the regulations governing medical privacy in the U.S. As the U.S. lacks a unified privacy regime, the proposed changes would affect on those entities in the medical sector subject to the regime, which is admittedly many such entities. Nevertheless, it is almost certain the Biden Administration will pause this rulemaking and quite possibly withdraw it should it prove crosswise with the new White House’s policy goals.
    • HHS issued a notice of proposed rulemaking “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).”
      • HHS continued:
        • The Privacy Rule is one of several rules, collectively known as the HIPAA Rules, that protect the privacy and security of individuals’ medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).
        • The proposals in this NPRM support the Department’s Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management –or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
    • In a press release, OCR asserted:
      • The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
  • The Federal Trade Commission (FTC) has used its powers to compel selected regulated entities to provide requested information in asking that “nine social media and video streaming companies…provide data on how they collect, use, and present personal information, their advertising and user engagement practices, and how their practices affect children and teens.” The TFTC is using its Section 6(b) authority to compel the information from Amazon.com, Inc., ByteDance Ltd., which operates the short video service TikTok, Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. Failure to respond can result in the FTC fining a non-compliant entity.
    • The FTC claimed in its press release it “is seeking information specifically related to:
      • how social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;
      • how they determine which ads and other content are shown to consumers;
      • whether they apply algorithms or data analytics to personal information;
      • how they measure, promote, and research user engagement; and
      • how their practices affect children and teens.
    • The FTC explained in its sample order:
      • The Commission is seeking information concerning the privacy policies, procedures, and practices of Social Media and Video Streaming Service providers, Including the method and manner in which they collect, use, store, and disclose Personal Information about consumers and their devices. The Special Report will assist the Commission in conducting a study of such policies, practices, and procedures.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) supplemented its Emergency Directive 21-01 to federal civilian agencies in response to the Sluzhba vneshney razvedki Rossiyskoy Federatsii’s (SVR) hack via SolarWinds. In an 18 December update, CISA explained:
    • This section provides additional guidance on the implementation of CISA Emergency Directive (ED) 21-01, to include an update on affected versions, guidance for agencies using third-party service providers, and additional clarity on required actions.
    •  In a 30 December update, CISA stated:
      • Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2. The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020. CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.
  • Australia’s Attorney-General’s Department published an unclassified version of the four volumes of the “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community,” an “examination of the legislative framework underpinning the National Intelligence Community (NIC)…the first and largest since the Hope Royal Commissions considered the Australian Intelligence Community (AIC) in the 1970s and 1980s.” Ultimately, the authors of the report concluded:
    • We do not consider the introduction of a common legislative framework, in the form of a single Act governing all or some NIC agencies, to be a practical, pragmatic or proportionate reform. It would be unlikely that the intended benefits of streamlining and simplifying NIC legislation could be achieved due to the diversity of NIC agency functions—from intelligence to law enforcement, regulatory and policy—and the need to maintain differences in powers, immunities and authorising frameworks. The Review estimates that reform of this scale would cost over $200million and take up to 10years to complete. This would be an impractical and disproportionate undertaking for no substantial gain. In our view, the significant costs and risks of moving to a single, consolidated Act clearly outweigh the limited potential benefits.
    • While not recommending a common legislative framework for the entire NIC, some areas of NIC legislation would benefit from simplification and modernisation. We recommend the repeal of the TIA Act, Surveillance Devices Act 2004(SD Act) and parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), and their replacement with a single new Act governing the use of electronic surveillance powers—telecommunications interception, covert access to stored communications, computers and telecommunications data, and the use of optical, listening and tracking devices—under Commonwealth law.
  • The National Institute of Standards and Technology (NIST) released additional materials to supplement a major rewrite of a foundational security guidance document. NIST explained “[n]ew supplemental materials for NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, are available for download to support the December 10, 2020 errata release of SP 800-53 and SP 800-53B, Control Baselines for Information Systems and Organizations.” These supplemental materials include:
    • A comparison of the NIST SP 800-53 Revision 5 controls and control enhancements to Revision 4. The spreadsheet describes the changes to each control and control enhancement, provides a brief summary of the changes, and includes an assessment of the significance of the changes.  Note that this comparison was authored by The MITRE Corporation for the Director of National Intelligence (DNI) and is being shared with permission by DNI.
    • Mapping of the Appendix J Privacy Controls (Revision 4) to Revision 5. The spreadsheet supports organizations using the privacy controls in Appendix J of SP 800-53 Revision 4 that are transitioning to the integrated control catalog in Revision 5.
    • Mappings between NIST SP 800-53 and other frameworks and standards. The mappings provide organizations a general indication of SP 800-53 control coverage with respect to other frameworks and standards. When leveraging the mappings, it is important to consider the intended scope of each publication and how each publication is used; organizations should not assume equivalency based solely on the mapping tables because mappings are not always one-to-one and there is a degree of subjectivity in the mapping analysis.
  • Via a final rule, the Department of Defense (DOD) codified “the National Industrial Security Program Operating Manual (NISPOM) in regulation…[that] establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders (hereinafter referred to as contractors) to prevent unauthorized disclosure.” The DOD stated “[i]n addition to adding the NISPOM to the Code of Federal Regulations (CFR), this rule incorporates the requirements of Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” The DOD stated “SEAD 3 requires reporting by all contractor cleared personnel who have been granted eligibility for access to classified information.”
    • The DOD added “[t]his NISPOM rule provides for a single nation-wide implementation plan which will, with this rule, include SEAD 3 reporting by all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility, such as reporting of foreign travel and foreign contacts.”
    • The DOD explained “NISP Cognizant Security Agencies (CSAs) shall conduct an analysis of such reported activities to determine whether they pose a potential threat to national security and take appropriate action.”
    • The DOD added that “the rule also implements the provisions of Section 842 of Public Law 115-232, which removes the requirement for a covered National Technology and Industrial Base (NTIB) entity operating under a special security agreement pursuant to the NISP to obtain a national interest determination as a condition for access to proscribed information.”
  • An advisory committee housed at the United States (U.S.) Department of Homeland Security (DHS) is calling for the White House to quickly “operationalize intelligence in a classified space with senior executives and cyber experts from most critical entities in the energy, financial services, and communications sectors working directly with intelligence analysts and other government staff.” In their report, the President’s National Infrastructure Advisory Council (NIAC) proposed the creation of a Critical Infrastructure Command Center (CICC) to “provid[e] real-time collaboration between government and industry…[and] take direct action and provide tactical solutions to mitigate, remediate,  and deter threats.” NIAC urged the President to “direct relevant federal agencies to support the private sector in executing the concept, including identifying the required government staff…[and] work with Congress to ensure the appropriate authorities are established to allow the CICC to fully realize its operational functionality.” NIAC recommended “near-term actions to implement the CICC concept:
    • 1.The President should direct the relevant federal agencies to support the private sector in rapidly standing up the CICC concept with the energy, financial services, and communications sectors:
      • a. Within 90 days the private sector will identify the executives who will lead execution of the CICC concept and establish governing criteria (including membership, staffing and rotation, and other logistics).
      • b. Within 120 days the CICC sector executives will identify and assign the necessary CICC staff from the private sector.
      • c. Within 90 days an appropriate venue to house the operational component will be identified and the necessary agreements put in place.
    • 2. The President should direct the Intelligence Community and other relevant government agencies to identify and co-locate the required government staff counterparts to enable the direct coordination required by the CICC. This staff should be pulled from the IC, SSAs, and law enforcement.
    • 3. The President, working with Congress, should establish the appropriate authorities and mission for federal agencies to directly share intelligence with critical infrastructure companies, along with any other authorities required for the CICC concept to be fully successful (identified in Appendix A).
    • 4. Once the CICC concept is fully operational (within 180 days), the responsible executives should deliver a report to the NSC and the NIAC demonstrating how the distinct capabilities of the CICC have been achieved and the impact of the capabilities to date. The report should identify remaining gaps in resources, direction, or authorities.

Coming Events

  • On 13 January, the Federal Communications Commission (FCC) will hold its monthly open meeting, and the agency has placed the following items on its tentative agenda “Bureau, Office, and Task Force leaders will summarize the work their teams have done over the last four years in a series of presentations:
    • Panel One. The Commission will hear presentations from the Wireless Telecommunications Bureau, International Bureau, Office of Engineering and Technology, and Office of Economics and Analytics.
    • Panel Two. The Commission will hear presentations from the Wireline Competition Bureau and the Rural Broadband Auctions Task Force.
    • Panel Three. The Commission will hear presentations from the Media Bureau and the Incentive Auction Task Force.
    • Panel Four. The Commission will hear presentations from the Consumer and Governmental Affairs Bureau, Enforcement Bureau, and Public Safety and Homeland Security Bureau.
    • Panel Five. The Commission will hear presentations from the Office of Communications Business Opportunities, Office of Managing Director, and Office of General Counsel.
  • On 27 July, the Federal Trade Commission (FTC) will hold PrivacyCon 2021.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by opsa from Pixabay

Final NDAA Agreement, Part II

There are AI, 5G, and supply chain provisions in the national security policy bill the Armed Services Committee have agreed upon.

So, it appears I failed to include all the technology goodies to be found in the final FY 2021 National Defense Authorization Act (NDAA). And so, I will cover the provisions I missed yesterday in the conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395). For example, there are artificial intelligence (AI), 5G, and supply chain provisions.

Notably, the final bill includes the House Science, Space, and Technology Committee’s “National Artificial Intelligence Initiative Act of 2020” (H.R.6216). In the Joint Explanatory Statement, the conferees asserted:

The conferees believe that artificial intelligence systems have the potential to transform every sector of the United States economy, boosting productivity, enhancing scientific research, and increasing U.S. competitiveness and that the United States government should use this Initiative to enable the benefits of trustworthy artificial intelligence while preventing the creation and use of artificial intelligence systems that behave in ways that cause harm. The conferees further believe that such harmful artificial intelligence systems may include high-risk systems that lack sufficient robustness to prevent adversarial attacks; high-risk systems that harm the privacy or security of users or the general public; artificial general intelligence systems that become self-aware or uncontrollable; and artificial intelligence systems that unlawfully discriminate against protected classes of persons, including on the basis of sex, race, age, disability, color, creed, national origin, or religion. Finally, the conferees believe that the United States must take a whole of government approach to leadership in trustworthy artificial intelligence, including through coordination between the Department of Defense, the Intelligence Community, and the civilian agencies.

H.R.6216 directs the President to establish the National Artificial Intelligence Initiative that would:

  • Ensure the U.S. continues to lead in AI research and development (R&D)
  • Lead efforts throughout the world to develop and use “trustworthy AI systems” in both the public and private sectors
  • Prepare to assist U.S. workers for the coming integration and use of AI throughout the U.S., and
  • Coordinate AI R&D development and demonstration activities across the federal government, including national security agencies.

The President would have a variety of means at his or her discretion in effectuating those goals, including existing authority to ask Congress for funding and to use Executive Office agencies to manage the authority and funding Congress provides.

Big picture, H.R. 6216 would require better coordination of federal AI initiatives, research, and funding, and more involvement in the development of voluntary, consensus-based standards for AI. Much of this would happen through the standing up of a new “National Artificial Intelligence Initiative Office” by the Office of Science and Technology Policy (OSTP) in the White House. This new entity would be the locus of AI activities and programs in the United States’ (U.S.) government with the ultimate goal of ensuring the nation is the world’s foremost developer and user of the new technology.

Moreover, OSTP would “acting through the National Science and Technology Council…establish or designate an Interagency Committee to coordinate Federal programs and activities in support of the Initiative.” This body would “provide for interagency coordination of Federal artificial intelligence research, development, and demonstration activities, development of voluntary consensus standards and guidelines for research, development, testing, and adoption of ethically developed, safe, and trustworthy artificial intelligence systems, and education and training activities and programs of Federal departments and agencies undertaken pursuant to the Initiative.” The committee would need to “develop a strategic plan for AI” within two years and update it every three years thereafter. Moreover, the committee would need to “propose an annually coordinated interagency budget for the Initiative to the Office of Management and Budget (OMB) that is intended to ensure that the balance of funding across the Initiative is sufficient to meet the goals and priorities established for the Initiative.” However, OMB would be under no obligation to take notice of this proposal save for pressure from AI stakeholders in Congress or AI champions in any given Administration. The Secretary of Commerce would create a ‘‘National Artificial Intelligence Advisory Committee” to advise the President and National Artificial Intelligence Initiative Office on a range of AI policy matters. In the bill as added to the House’s FY 2021 NDAA, it was to have been the Secretary of Energy.

Federal agencies would be permitted to award funds to new Artificial Intelligence Research Institutes to pioneer research in any number of AI fields or considerations. The bill does not authorize any set amount of money for this program and instead kicks the decision over to the Appropriations Committees on any funding. The National Institute of Standards and Technology (NIST) must “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” and “support measurement research and development of best practices and voluntary standards for trustworthy artificial intelligence systems” among other duties. NIST must “shall work to develop, and periodically update, in collaboration with other public and private sector organizations, including the National Science Foundation and the Department of Energy, a voluntary risk management framework for the trustworthiness of artificial intelligence systems.” NIST would also “develop guidance to facilitate the creation of voluntary data sharing arrangements between industry, federally funded research centers, and Federal agencies for the purpose of advancing artificial intelligence research and technologies.”

The National Science Foundation (NSF) would need to “fund research and education activities in artificial intelligence systems and related fields, including competitive awards or grants to institutions of higher education or eligible non-profit organizations (or consortia thereof).” The Department of Energy must “carry out a cross-cutting research and development program to advance artificial intelligence tools, systems, capabilities, and workforce needs and to improve the reliability of artificial intelligence methods and solutions relevant to the mission of the Department.” This department would also be tasked with advancing “expertise in artificial intelligence and high-performance computing in order to improve health outcomes for veteran populations.”

According to a fact sheet issued by the House Science, Space, and Technology Committee, [t]he legislation will:

  • Formalize interagency coordination and strategic planning efforts in AI research, development, standards, and education through an Interagency Coordination Committee and a coordination office managed by the Office of Science and Technology Policy (OSTP).
  • Create an advisory committee to better inform the Coordination Committee’s strategic plan, track the state of the science around artificial intelligence, and ensure the Initiative is meeting its goals.
  • Create a network of AI institutes, coordinated through the National Science Foundation, that any Federal department of agency could fund to create partnerships between the academia and the public and private sectors to accelerate AI research focused on an economic sector, social sector, or on a cross-cutting AI challenge.
  • Support basic AI measurement research and standards development at the National Institute for Standards and Technology(NIST) and require NIST to create a framework for managing risks associated with AI systems and best practices for sharing data to advance trustworthy AI systems.
  • Support research at the National Science Foundation (NSF) across a wide variety of AI related research areas to both improve AI systems and use those systems to advance other areas of science. This section requires NSF to include an obligation for an ethics statement for all research proposals to ensure researchers are considering, and as appropriate, mitigating potential societal risks in carrying out their research.
  • Support education and workforce development in AI and related fields, including through scholarships and traineeships at NSF.
  • Support AI research and development efforts at the Department of Energy (DOE), utilize DOE computing infrastructure for AI challenges, promote technology transfer, data sharing, and coordination with other Federal agencies, and require an ethics statement for DOE funded research as required at NSF.
  • Require studies to better understand workforce impacts and opportunities created by AI, and identify the computing resources necessary to ensure the United States remains competitive in AI.

A provision would expand the scope of the biannual reports the DOD must submit to Congress on the Joint Artificial Intelligence Center (JAIC) to include the Pentagon’s efforts to develop or contribute to efforts to institute AI standards and more detailed information on uniformed DOD members who serve at the JAIC. Other language would revamp how the Under Secretary of Defense for Research and Engineering shall manage efforts and procurements between the DOD and the private sector on AI and other technology with cutting edge national security applications. The new emphasis of the program would be to buy mature AI to support DOD missions, allowing DOD components to directly use AI and machine learning to address operational problems, speeding up the development, testing, and deployment of AI technology and capabilities, and overseeing and managing any friction between DOD agencies and components over AI development and use. This section also spells out which DOD officials should be involved with this program and how the JAIC fits into the picture. This language and other provisions suggest the DOD may have trouble in coordinating AI activities and managing infighting, at least in the eyes of the Armed Services Committees.

Moreover, the JAIC would be given a new Board of Advisors to advise the Secretary of Defense and JAIC Director on a range of AI issues. However, as the Secretary shall appoint the members of the board, all of whom must be from outside the Pentagon, this organ would seem to be a means of the Office of the Secretary asserting greater control over the JAIC.

And yet, the Secretary is also directed to delegate acquisition authority to the JAIC, permitting it to operate with the same independence as a DOD agency. The JAIC Director will need to appoint an acquisition executive to manage acquisition and policy inside and outside the DOD. $75 million would be authorized a year for these activities, and the Secretary needs to draft and submit an implementation plan to Congress and conduct a demonstration before proceeding.

The DOD must identify five use cases of when AI-enabled systems have improved the functioning of the Department in handling management functions in implementing the National Defense Strategy and then create prototypes and technology pilots to utilize commercially available AI capabilities to bolster the use cases.

Within six months of enactment, the DOD must determine whether it currently has the resources, capability, and know how to ensure that any AI bought has been ethically and responsibly developed. Additionally, the DOD must assess how it can install ethical AI standards in acquisitions and supply chains.

The Secretary is provided the authority to convene a steering committing on emerging technology and national security threats comprised of senior DOD officials to decide on how the Department can best adapt to and buy new technology to ensure U.S. military superiority. This body would also investigate the new technology used by adversaries and how to address and counter any threats. For this steering committee, emerging technology is defined as:

Technology determined to be in an emerging phase of development by the Secretary, including quantum information science and technology, data analytics, artificial intelligence, autonomous technology, advanced materials, software, high performance computing, robotics, directed energy, hypersonics, biotechnology, medical technologies, and such other technology as may be identified by the Secretary.

Not surprisingly, the FY 2021 NDAA has provisions on 5G. Most notably, the Secretary of Defense must assess and mitigate any risks presented by “at-risk” 5G or 6G systems in other nations before a major weapons system or a battalion, squadron, or naval combatant can be based there. The Secretary must take into account any steps the nation is taking to address risk, those steps the U.S. is taking, any agreements in place to mitigate risks, and other steps. This provision names Huawei and ZTE as “at-risk vendors.” This language may be another means by which the U.S. can persuade other nations not to buy and install technology from these People’s Republic of China (PRC) companies.

The Under Secretary of Defense for Research and Engineering and a cross-functional team would need to develop a plan to transition the DOD to 5G throughout the Department and its components. Each military department inside the DOD would get to manage its own 5G acquisition with the caveat that the Secretary would need to establish a telecommunications security program to address 5G security risks in the DOD. The Secretary would also be tasked with conducting a demonstration project to “evaluate the maturity, performance, and cost of covered technologies to provide additional options for providers of fifth-generation wireless network services” for Open RAN (aka oRAN) and “one or more massive multiple-input, multiple-output radio arrays, provided by one or more companies based in the United States, that have the potential to compete favorably with radios produced by foreign companies in terms of cost, performance, and efficiency.”

The service departments would need to submit reports to the Secretary on how they are assessing and mitigating and reporting to the DOD on the following risks to acquisition programs:

  • Technical risks in engineering, software, manufacturing and testing.
  • Integration and interoperability risks, including complications related to systems working across multiple domains while using machine learning and artificial intelligence capabilities to continuously change and optimize system performance.
  • Operations and sustainment risks, including as mitigated by appropriate sustainment planning earlier in the lifecycle of a program, access to technical data, and intellectual property rights.
  • Workforce and training risks, including consideration of the role of contractors as part of the total workforce.
  • Supply chain risks, including cybersecurity, foreign control and ownership of key elements of supply chains, and the consequences that a fragile and weakening defense industrial base, combined with barriers to industrial cooperation with allies and partners, pose for delivering systems and technologies in a trusted and assured manner.

Moreover, “[t]he Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for ap- propriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle.”

The Armed Services Committees are directing the Secretary to follow up a report submitted to the President per Executive Order 13806 on strengthening Defense Industrial Base (DIB) manufacturing and supply chain resiliency. The DOD must submit “additional recommendations regarding United States industrial policies….[that] shall consist of specific executive actions, programmatic changes, regulatory changes, and legislative proposals and changes, as appropriate.”

The DOD would also need to submit an annex to an annual report to Congress on “strategic and critical materials, including the gaps and vulnerabilities in supply chains of such materials.”

There is language that would change how the DOD manages the production of microelectronics and related supply chain risk. The Pentagon would also need to investigate how to commercialize its intellectual property for microelectronic R&D. The Department of Commerce would need to “assess the capabilities of the United States industrial base to support the national defense in light of the global nature of the supply chain and significant interdependencies between the United States industrial base and the industrial bases of foreign countries with respect to the manufacture, design, and end use of microelectronics.”

There is a revision of the Secretary of Energy’s authority over supply chain risk administered by the National Nuclear Security Administration (NNSA) that would provide for a “special exclusion action” that would bar the procurement of risky technology for up to two years.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Armed Services Committees Agree On Final NDAA

The annual defense policy bill creates a new National Cyber Director and addresses other technology issues.

Last week, the negotiators agreed on a final FY 2021 National Defense Authorization Act (NDAA) that could get passed as early as this week. To no great surprise, President Donald Trump has threatened to veto the annual policy and authorization package for reasons largely unrelated to the Department of Defense and other agencies subject to the bill. It is unclear how the President will respond if Congress ends him the bill and similarly unclear whether Republicans would vote to override a veto. Additionally, the bill might not make it to the White House until around Christmas Day which would complicate the reconvening of Congress to hold override votes.

Nonetheless, big picture, the conferees explained in the Joint Explanatory Statement that conference report to accompany the “William M. “Mac” Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395):

  • The budget request for national defense discretionary programs within the jurisdiction of the Committees on Armed Services of the Senate and the House of Representatives for fiscal year 2021 was $731.6 billion. Of this amount, $636.3 billion was requested for base Department of Defense programs, $69.0 billion was requested for overseas contingency operations, $26.0 billion was requested for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $314.0 million for defense-related activities.
  • The conference agreement would authorize $731.6 billion in fiscal year 2021, including $635.5 billion for base Department of Defense programs, $69.0 billion for overseas contingency operations, $26.6 billion for national security programs in the Department of Energy and the Defense Nuclear Facilities Safety Board, and $494.0 million for defense-related activities.

As always, the bill is replete with provisions to change national security-related technology policy, most of which pertains to the Department of Defense (DOD) and the Intelligence Community (IC). However, anymore, the Department of Homeland Security and other agencies also receive policy alterations in the NDAA.

The bill would change the requirements as to when the DOD notifies Congress if it conducts offensive or defensive cyber operations by narrowing the category of such operations. For example, if Cyber Command were to strike a botnet again as it reportedly did in the run up to the election, it would not need to notify Congress, for such an operation is not a foreign terrorist organization or a foreign government unless they may be deemed a “proxy force.” There is a provision extending the liability shield for DOD contractors participating in the Pentagon’s mandated cyber incident reporting system to include compliance with Defense Federal Acquisition Regulation Supplement clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

H.R.6395 would tweak the Quadrennial Cyber Posture Review assessments of U.S. statutes, policies, and authorities to manage cyber threats, especially in achieving cyber deterrence.

The DOD would need to set requirements for the periodic, systematic review of the cybersecurity of major weapons systems and related critical infrastructure to ensure the security of these platforms. The Pentagon must also establish a “Strategic Cybersecurity Program” “to ensure that the Department of Defense is always able to conduct the most important military missions of the Department.” This new initiative “shall identify and designate for inclusion in the Program all of the systems, critical infrastructure, kill chains, and processes, including systems and components in development, that comprise the following military missions of the Department of Defense:

  • Nuclear deterrence and strike.
  • Select long-range conventional strike missions germane to the warfighting plans of United States European Command and United States Indo-Pacific Command.
  • Offensive cyber operations.
  • Homeland missile defense.

The DOD will need to “develop a standard, comprehensive framework to enhance the consistency, execution, and effectiveness of cyber hunt forward operations” including the criteria used to identify such operations, the roles of various stakeholders in the DOD, pre-deployment planning guidelines, the metrics to measure the success of the operation, and other facets. Cyber Command and the National Security Agency have been deploying more of these teams to other nations to develop partnerships with nations closer to shared cyber adversaries (e.g. Estonia and Montenegro visa vis Russia.) The formalization of this process indicates increased Congressional interest and a desire to regularize the practice.

The DOD must “conduct a review of the Cybersecurity Service Provider and Cyber Mission Force enterprises” to determine where there are gaps and redundancies between DOD systems and those provided by contractors. Presumably such an inventory process would precede the DOD consolidating where it can and expanding where necessary.

The position of DOD Principal Cyber Advisor would be reformed. The Secretary of Defense would name a person to fill this position from the DOD civilian officials confirmed by the Senate. The Principal Cyber Advisor would have the following responsibilities, among others:

  • Acting as the principal advisor to the Secretary on military cyber forces and activities.
  • Overall integration of Cyber Operations Forces activities relating to cyberspace operations, including associated policy and operational considerations, resources, personnel, technology development and transition, and acquisition.
  • Assessing and overseeing the implementation of the cyber strategy of the Department and execution of the cyber posture review of the Department on behalf of the Secretary.

The Principal Cyber Advisor will be tasked with the responsibility for the cybersecurity and critical infrastructure protection of the Defense Industrial Base (DIB) and must “synchronize, harmonize, de-conflict, and coordinate all policies and programs germane to defense industrial base cybersecurity.” This will encompass the Sector Specific Agency (SSA) responsibilities bestowed on the Under Secretary of Defense for Policy’s purview under Presidential Policy Directive-21, the Obama Administration era document that established the division and oversight of critical infrastructure with an eye towards cyber infrastructure. The Principal Cyber Advisor would also need to examine the Under Secretary of Defense for Acquisition and Sustainment’s authorities and responsibilities with respect to contracting and cybersecurity. The Principal Cyber Advisor would need to evaluate other facets of the DIB’s cybersecurity and critical infrastructure protection housed in different offices in the DOD, suggesting an obvious fracturing of efforts that may be at odds with one another.

The Principal Cyber Advisor and the head of Cyber Command would need to “conduct and complete an assessment on the operational planning and deconfliction policies and processes that govern cyber operations of the Department of Defense.” It appears that Congress would like DOD components to play better together when planning and conducting cyber operations, but this state of affairs is to be expected inside a large bureaucracy with players and entities interested in defending and even expanding their turf.

The DOD must “assess the feasibility and advisability of developing and using speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers in the Department of Defense.”

The DOD must study the feasibility of creating a new DIB information sharing program that would be above and beyond any current incident reporting requirements. Under law and regulation, at present, DIB contractors must report intrusions and incidents within 72 hours, but the language in H.R. 6395 envisions a program of greater information sharing for “cybersecurity purposes.” However, it begs the question as to why the DOD does not already have such a program given the “Cybersecurity Act of 2015” established the template for such programs over five years ago.

The Pentagon would need to “complete an assessment of the feasibility, suitability, definition of, and resourcing required to establish a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the DIB.”

The DOD must “assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.” And, for those components that fail to meet the “good cyber hygiene” standards, the report must indicate whether they will bring their hygiene up to snuff by March of 2022 and how they will shore up vulnerabilities and risks in the meantime.

The DOD would need to start submitting monthly reports on all “cross domain incidents,” a new term that seems to include all intrusions into classified or restricted systems regardless of whether information is exfiltrated, contaminated, or exposed. The Pentagon would also need to provide Congress with a list of all currently operative exemptions to DOD information policy.

The DOD must draft and implement a plan on how to secure and protect the U.S. nuclear command and control system from cyber threats.

The Cyberspace Solarium Commission (CSC) was extended. It was supposed to sunset after the delivery of its final report, but now it will continue to exist for the better part of two more years. The CSC would need to discharge the following duties:

  • collecting and assessing comments and feedback from the Executive Branch, academia, and the public on the analysis and recommendations contained in the Commission’s report;
  • collecting and assessing any developments in cybersecurity that may affect the analysis and recommendations contained in the Commission’s report;
  • reviewing the implementation of the recommendations contained in the Commission’s report;
  • revising, amending, or making new recommendations based on the [aforementioned] assessments and reviews…

The CSC’s primary recommendation that the U.S. have a National Cyber Director in the White House was included in the final bill. This new position shall also have a dedicated office in the Executive Office of the President but would not be a Senate confirmed position as the CSC advised. Moreover, it appears that offensive and defensive cyber operations of the DOD would be outside his or her statutory remit unless the President decides to make it so. The National Cyber Director would offer advice to the National Security Council (NSC) on U.S. cyber strategy and policy and coordinate the formulation of such policies and strategies. Moreover, the director would be a statutory member of the NSC. The National Cyber Director would lead U.S. responses at the federal level to cyber attacks and significant cyber campaigns.

The bill would expand the authority of the United States’ (U.S.) Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with respect to operating on civilian agency networks. CISA would be able to access and inspect other agencies’ information systems without the permission or knowledge of the other agency and could then share information and its findings with the agency. And yet, CISA would not receive authority to act if it found something on another agency’s information networks or systems. Nonetheless, CISA would also be empowered to provide a range of assistance to other agencies.

DHS would need to conduct an assessment of CISA per the CSC’s recommendations on how the agency could improve its operations and better use its resources, among other matters. DHS would also be tasked with evaluating how well the Sector Specific Agency approach to regulating critical infrastructure is working as laid out in Presidential Policy Directive 21 and successor documents and make recommendations on how to revise the framework if needed. This could result in the Biden Administration revamping the current 17 sectors and other components of how the U.S. oversees its critical infrastructure. In concert with this review and possible revision, Sector Specific Agencies would be replaced by Sector Risk Management Agencies that, as a practical matter, will probably be the same agencies overseeing the same sectors but with greater statutory responsibilities.

DHS must study and draft a strategy for all U.S.-based email providers to use Domain-based Message Authentication, Reporting, and Conformance (DMARC), “an email authentication, policy, and reporting protocol that verifies the authenticity of the sender of an email and blocks and reports to the sender fraudulent accounts.”

DHS would need to report annually on digital content forgery technology with the Director of National Intelligence, including:

  • An assessment of the underlying technologies used to create or propagate digital content forgeries, including the evolution of such technologies and patterns of dissemination of such technologies.
  • A description of the types of digital content forgeries, including those used to commit fraud, cause harm, harass, coerce, or silence vulnerable groups or individuals, or violate civil rights recognized under Federal law.
  • An assessment of how foreign governments, and the proxies and networks thereof, use, or could use, digital content forgeries to harm national security.
  • An assessment of how non-governmental entities in the United States use, or could use, digital content forgeries.
  • An assessment of the uses, applications, dangers, and benefits, including the impact on individuals, of deep learning or digital content forgery technologies used to generate realistic depictions of events that did not occur.
  • An analysis of the methods used to determine whether content is created by digital content forgery technology, and an assessment of any effective heuristics used to make such a determination, as well as recommendations on how to identify and address suspect content and elements to provide warnings to users of such content.
  • A description of the technological countermeasures that are, or could be, used to address concerns with digital content forgery technology.
  • Any additional information the Secretary determines appropriate.

CISA would receive the subpoena authority it requested to obtain the contact information of owners and operators of critical cyber infrastructure from internet service providers (ISP) should there be a risk. CISA submitted a legislative proposal in summer 2019 that was then taken up by Senate and House stakeholders who then introduced legislation in December and February respectively: the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S. 3045) and the “Cybersecurity Vulnerability Identification and Notification Act of 2020” (H.R. 5680). The bills were very similar but had some differences that have been ironed out.

CISA would be able to appoint an employee in each state to serve as Cybersecurity State Coordinator to help states improve their cybersecurity.

CISA must establish a “Cybersecurity Advisory Committee” to “advise, consult with, report to, and make recommendations to the Director, as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.”

Inside CISA, there would be a newly created Joint Cyber Planning Office “to develop, for public and private sector entities, plans for cyber defense operations, including the development of a set of coordinated actions to protect, detect, respond to, and recover from cybersecurity risks or incidents or limit, mitigate, or defend against coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”

Within one year, CISA “a report on Federal cybersecurity centers and the potential for better coordination of Federal cybersecurity efforts at an integrated cybersecurity center within” CISA.

The Government Accountability Office (GAO) would need to investigate and report on cyber insurance in the U.S. At one time, some experts considered the development of a cyber insurance market as being crucial to driving greater cybersecurity across the private sector. However, this has not come to pass, which is likely why the GAO will be reporting on the issue.

On other technology policy, a Public Wireless Supply Chain Innovation Fund would be established and overseen by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to support the following activities:

  • Promoting and deploying technology, including software, hardware, and microprocessing technology, that will enhance competitiveness in the fifth-generation (commonly known as ‘‘5G’’) and successor wireless technology supply chains that use open and interoperable interface radio access networks.
  • Accelerating commercial deployments of open interface standards-based compatible, interoperable equipment, such as equipment developed pursuant to the standards set forth by organizations such as the O-RAN Alliance, the Telecom Infra Project, 3GPP, the Open-RAN Software Community, or any successor organizations.
  • Promoting and deploying compatibility of new 5G equipment with future open standards-based, interoperable equipment.
  • Managing integration of multi-vendor network environments.
  • Identifying objective criteria to define equipment as compliant with open standards for multi-vendor network equipment interoperability.
  • Promoting and deploying security features enhancing the integrity and availability of equipment in multi-vendor networks.
  • Promoting and deploying network function virtualization to facilitate multi-vendor interoperability and a more diverse vendor market.

A Multilateral Telecommunications Security Fund would be created and run by the Department of State “to establish a common funding mechanism, in coordination with foreign partners, that uses amounts from the Multilateral Telecommunications Security Fund to support the development and adoption of secure and trusted telecommunications technologies.” The bill provides that “[i]n creating and sustaining a common funding mechanism, the Secretary of State should leverage United States funding in order to secure commitments and contributions from trusted foreign partners such as the United Kingdom, Canada, Australia, New Zealand, and Japan, and should prioritize the following objectives:

  • Advancing research and development of secure and trusted communications technologies.
  • Strengthening supply chains.
  • Promoting the use of trusted vendors.”

Both of these new programs would need the Appropriations Committees to provide funding as the FY 2021 NDAA does not give them any money.

H.R.6395 directs “an interagency information technology spectrum modernization effort, led by the Assistant Secretary of Commerce for Communications and Infrastructure and the NTIA, to synchronize development and coordination of standards and Federal spectrum management.” This provision “would also require the Secretary of Defense to establish a program to identify and mitigate vulnerabilities in the telecommunications infrastructure of the DOD.”

The FY 2021 NDAA contains the “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”

H.R.6395 has provisions “that would require the Secretary of Commerce to establish a program that provides grants to covered entities to incentivize investment of semiconductor fabrication facilities, or assembly, testing, advanced packaging, or advanced research and development of semiconductors in the U.S.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Michael Afonso on Unsplash

Biden Administration Tech Policy: Federal Communications Commission (FCC)

The FCC could be a major force for technology policy in the Biden Administration.

The next Administration will change many of the technology policies put in place under President Donald Trump, but among the highest profile policy reversals will be the Biden Administration’s reestablishment of net neutrality rules. This signature accomplishment of the Obama Administration was undone by the Trump Federal Communications Commission (FCC), and the Biden Campaign made no mistake about its support for the rules that would change how internet service providers (ISP) are regulated. Moreover, with Congressional gridlock a possibility over the next two years as Republicans may maintain control of the Senate, a Biden program will likely hinge on executive action, especially agency action.

Current FCC Chair Ajit Pai has announced his intention to maintain tradition and step down on 20 January 2021, allowing the Biden Administration to name its own chair and tilt the FCC in favor of the Democrats. Should the Senate confirm Biden’s FCC nominee, then it is quite likely to implement a number of key policy changes. However, and I cannot stress this possibility enough, should Biden nominate someone Senate Republicans object to, and they control the chamber, it is very possible the Senate leaves the FCC without a fifth member deadlocked with two members of each party. The calculation may be made that Senate Republicans would rather this be the case than an empowered FCC able to implement net neutrality among other measures.

Net Neutrality

After 2010 net neutrality rules had been overturned by a federal court, in 2015, the Obama Administration FCC promulgated regulations that reclassified ISPs under Title II of the Federal Communications Act as common carriers, which allowed the agency to implement net neutrality regulations. The Open Internet Order (FCC 15–24) put in place “bright-line rules that prohibit blocking, throttling, and paid prioritization; a rule preventing broadband providers from unreasonably interfering or disadvantaging consumers or edge providers from reaching one another on the Internet; and provides for enhanced transparency into network management practices, network performance, and commercial terms of broadband Internet access service.” These regulations survived a court challenge (U.S. Telecom Association v. FCC), largely because the FCC crafted the Open Internet Order on the basis of the ruling that struck down the previous iteration of net neutrality rules (Verizon v. FCC).

In 2017, the Trump Administration FCC’s “Restoring Internet Freedom” (FCC 17–166) returned ISPs to their previous regulatory posture as being regulated under Title I as information services in undoing the Open Internet Order. This rollback of net neutrality regulations “restore[d] the classification of broadband internet access service as a lightly-regulated information service and reinstates the private mobile service classification of mobile broadband internet access service….requires ISPs to disclose information about their network management practices, performance characteristics, and commercial terms of service…[and] eliminates the conduct rules imposed by the [2015 regulations].” In the fall of 2019, the United States Court of Appeals for the District Of Columbia Circuit (D.C. Circuit) upheld most of the FCC’s repeal of the Open Internet Order and the new regulations. However, the D.C. Circuit declined to accept the FCC’s attempt to preempt all contrary state laws and struck down this part of the FCC’s rulemaking. Consequently, states and local jurisdictions may now be free to enact regulations of internet services along the lines of the Open Internet Order. In fact, a number of states have such laws already enacted or pending. The D.C. Circuit also sent the case back to the FCC for further consideration on three points, which it is still working through.

The Biden Administration could institute a rulemaking as soon as a new chair is in place to remove the Trump Administration’s rollback and then reimplement the Obama Administration’s Open Internet Order, a process that might not be completed until well into 2022 as they agency would need to draft regulations, accept and address comments, and then unveil final regulations. There would be litigation against the new rules, and possibly some uncertainty given the decided rightward tilt of the federal judiciary.

5G

The FCC has played a key role in the Trump Administration’s push against the dominance of the People’s Republic of China (PRC) in the race to install and use 5G. The FCC launched an initiative to identify risky PRC equipment and services (mostly provided by Huawei and ZTE), and then Congress followed by enacted a statute codifying the FCC program and adding requirement. It remains to be seen whether the FCC will be provided additional funding through the Universal Service Fund (USF) or other means to finance the removal and replacement of any risky equipment United States (U.S.) telecommunications providers have already installed. There is no reason to expect a significant substantive change in course by a Biden Administration FCC even if there is a softening of it rhetorical tone.

On December 10, the FCC will vote on a Report and Order “that would require Eligible Telecommunications Carriers to remove equipment and services that pose an unacceptable risk to the national security of the United States or the security and safety of its people, would establish the Secure and Trusted Communications Networks Reimbursement Program, and would establish the procedures and criteria for publishing a list of covered communications equipment and services that must be removed.” This rulemaking would implement the “Secure and Trusted Communications Networks Act of 2019” (P.L. 116-124). The FCC summarized its action:

The Commission plays an important role in protecting America’s communications networks and, today, we take further steps toward securing our communications networks by implementing the Secure and Trusted Communications Networks Act of 2019 (Secure Networks Act). We first adopt a rule that requires Eligible Telecommunications Carriers (ETCs) to remove and replace covered equipment from their networks. Second, we establish the Secure and Trusted Communications Networks Reimbursement Program to subsidize smaller carriers to remove and replace covered equipment, once Congress appropriates at least $1.6 billion that Commission staff estimate will be needed to reimburse providers eligible under current law. Third, we establish the procedures and criteria for publishing a list of covered communications equipment or services that pose an unacceptable risk to the national security of the United States or the security and safety of United States persons and prohibit USF support from being used for such covered equipment or services. Last, we adopt a reporting requirement to ensure we are informed about the ongoing presence of covered equipment in communications networks.

The FCC is faced with competition from the Department of Defense (DOD) on setting 5G policy. In August, the White House and the DOD announced the latter will share a prime slice of mid band electromagnetic frequency with commercial entities that would be ideal for 5G according to their press release. The development of the next iteration of wireless communications has been hampered in the U.S. because the DOD controls a range of the usable frequency spectrum other nations have been using to test and deploy 5G. This announcement would allow commercial entities to ultimately bid on 100 continuous MHz of spectrum that has been used exclusively by the DOD for guidance and navigation. It is an open question whether the relinquishment of this spectrum will speed 5G development and adoption in the U.S., and the timeline provided by the Administration suggests licenses to use these mid-band frequencies will not be in the hands of commercial entities until mid-2022 at the earliest, assuming President Donald Trump is reelected, for a Biden Administration may propose a different course of action. Nonetheless, one Administration official asserted releasing this 100 MHz will be “the fastest transfer of Federal spectrum to commercial use in history.”

In a related development, in an October press release, the Department of Defense (DOD) detailed its “$600 million in awards for 5G experimentation and testing at five U.S. military test sites, representing the largest full-scale 5G tests for dual-use applications in the world.” These awards were made largely to prominent private sector technology and telecommunications companies vying to play prominent roles in 5G. However, of course, no awards were made to companies from the PRC. Nonetheless, this announcement may provoke further claims from Members of Congress and stakeholders that the DOD’s effort is the camel’s nose under the tent of a nationalized 5G system and a further infringement of the FCC’s jurisdiction.

This announcement is part of the DOD’s 5G Strategy that “provides the DOD approach to implementing the National Strategy to Secure 5G and aligns with the National Defense Authorization Act for Fiscal Year 2020 (FY2020), Section 254…[that] is also consistent with National Defense Strategy guidance to lead in key areas of great power competition and lethality to ensure 5G’s ‘impact on the battle network of the future.’”

In a related DOD release, it was explained:

The effort — Tranche 1 of the department’s larger 5G initiative — will accelerate adoption of 5G technology, enhance the effectiveness and lethality of U.S. combat forces, and further the development and use of common 5G standards to ensure interoperability with military partners and allies.

There have been other indications the Trump Administration was moving to institute a nationalized 5G system. Reportedly, a company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the DOD for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.

The FCC is also locking horns with other federal agencies over the approval of a new means of providing service for 5G. In late April, FCC issued a “decision authorize[ing] Ligado to deploy a low-power terrestrial nationwide network in the 1526-1536 MHz, 1627.5-1637.5 MHz, and 1646.5-1656.5 MHz bands that will primarily support Internet of Things (IoT) services.” The agency argued the order “provides regulatory certainty to Ligado, ensures adjacent band operations, including Global Positioning System (GPS), are sufficiently protected from harmful interference, and promotes more efficient and effective use of [the U.S.’s] spectrum resources by making available additional spectrum for advanced wireless services, including 5G.”

Defense and other civilian government stakeholders remained unconvinced. Also, in late April, the chairs and ranking members of the Armed Services Committees penned an op-ed, in which they claimed “the [FCC] has used the [COVID-19] crisis, under the cover of darkness, to approve a long-stalled application by Ligado Networks — a proposal that threatens to undermine our GPS capabilities, and with it, our national security.” Chairs James Inhofe (R-OK) and Adam Smith (D-WA) and Ranking Members Jack Reed (D-RI) and Mac Thornberry (R-TX) asserted:

  • So, we wanted to clarify things: domestic 5G development is critical to our economic competiveness against China and for our national security. The Pentagon is committed working with government and industry to share mid-band spectrum where and when it makes sense to ensure rapid roll-out of 5G.
  • The problem here is that Ligado’s planned usage is not in the prime mid-band spectrum being considered for 5G — and it will have a significant risk of interference with GPS reception, according to the National Telecommunications and Information Administration (NTIA). The signals interference Ligado’s plan would create could cost taxpayers and consumers billions of dollars and require the replacement of current GPS equipment just as we are trying to get our economy back on its feet quickly — and the FCC has just allowed this to happen.

The Ligado application was seen as so important, the first hearing of the Senate Armed Services Committee held after the beginning of the COVID-19 pandemic was on this issue. Not surprisingly the DOD explained the risks of Ligado’s satellite-terrestrial wireless system as it sees them at some length. Under Secretary of Defense for Research and Engineering Michael Griffin asserted at the 6 May hearing:

  • The U.S. Department of Transportation (DOT) conducted a testing program developed over multiple years with stakeholder involvement, evaluating 80 consumer-grade navigation, survey, precision agriculture, timing, space-based, and aviation GPS receivers. This test program was conducted in coordination with DoD testing of military receivers. The results, as documented in the DoT “Adjacent Band Compatibility” study released in March, 2018, demonstrated that even very low power levels from a terrestrial system in the adjacent band will overload the very sensitive equipment required to collect and process GPS signals.  Also, many high precision receivers are designed to receive Global Navigation Satellite System (GNSS) signals not only in the 1559 MHz to 1610 MHz band, but also receive Mobile Satellite Service (MSS) signals in the 1525 MHz to 1559 MHz band to provide corrections to GPS/GNSS to improve accuracy. With the present and future planned ubiquity of base stations for mobile broadband use, the use of GPS in entire metropolitan areas would be effectively blocked.  That is why every government agency having any stake in GPS, as well as dozens of commercial entities that will be harmed if GPS becomes unreliable, opposed the FCC’s decision. 
  • There are two principal reasons for the Department’s opposition to Ligado’s proposal. The first and most obvious is that we designed and built GPS for reasons of national security, reasons which are at least as valid today as when the system was conceived. The second, less well-known, is that the DoD has a statutory responsibility to sustain and protect the system. Quoting from 10 USC 2281, the Secretary of Defense “…shall provide for the sustainment and operation of the GPS Standard Positioning Service for peaceful civil, commercial, and scientific uses…” and “…may not agree to any restriction of the GPS System proposed by the head of a department or agency of the United States outside DoD that would adversely affect the military potential of GPS.”

A few weeks prior to the hearing, 32 Senators wrote the FCC expressing their concern that the “Order does not adequately project adjacent band operations – including those related to GPS and satellite communications –  from harmful interference that would impact countless commercial and military activities.” They also took issue “the hurried nature of the circulation and consideration of the Order,” which they claimed occurred during “a national crisis” and “was not conducive to addressing the many technical concerns raised by affected stakeholders.” Given that nearly one-third of the Senate signed the letter, this may demonstrate the breadth of opposition in Congress to the Ligado order.

In May, the National Telecommunications and Information Administration (NTIA) filed two petitions with the FCC asking the latter agency to stay its decision allowing Ligado to proceed with wireless service using a satellite-terrestrial network utilizing the L-Band. This decision was opposed by a number of Trump Administration agencies and a number of key Congressional stakeholders. They argued the order would allow Ligado to set up a system that would interfere with the DOD GPS and civilian federal agency applications of GPS as well. If the FCC denies these petitions, it is possible NTIA could file suit in federal court to block the FCC’s order and Ligado.

In the petition for a stay, NTIA asked that “Ligado Networks LLC’s (Ligado’s) mobile satellite service (MSS) license modification applications for ancillary terrestrial operations” be paused until the agency’s petition for reconsideration is decided by the FCC because of “executive branch concerns of harmful interference to federal government and other GPS devices.”

In the petition for reconsideration, the NTIA argued it “focuses on the problems in the Ligado Order that are uniquely related to the interests of DOD and other federal agencies and their mission-critical users of GPS.” The NTIA added “that the Commission failed to consider the major economic impact its decision will have on civilian GPS users and the American economy…[and] [a]s the lead civil agency for GPS, DOT explained…Ligado’s proposed operations would disrupt a wide range of civil GPS receivers owned and operated by emergency first responders, among others.”

In early June, Ligado filed its response to the Trump Administration’s petitions to stay and have the FCC reconsider its order allowing the company to move forward with its satellite-terrestrial wireless network. The company argued the NTIA’s petitions rehash the same arguments heard and rejected by the FCC over the course of the nearly decade long proceeding, do not argue that an injury has occurred because Ligado is not yet operating, and is contrary to the public interest by delaying the rollout of 5G.

Broadband Privacy

At the beginning of the Trump Administration, Congress used the Congressional Review Act (CRA) to nullify the FCC’s 2016 final rule “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” An act of Congress signed by the President is needed before the FCC could again regulate the privacy and data practices of internet service providers (ISPs). Such a change could conceivably be included in broader privacy legislation that supposedly will be at the top of Congress’ technology agenda in the next Congress. However, to date, there has not been a broad privacy bill I have seen that includes such language. And yet, a number of the broader bills would include common carriers under the jurisdiction of the Federal Trade Commission’s (FTC) expanded powers to enforce a new privacy regime, which would represent a de facto negation of the CRA process that undid the FCC’s broadband privacy rules. It would seem to me the key question would be what would happen in such a scenario if a future FCC undoes net neutrality rules. Would ISPs then no longer be subject to federal privacy rules as they would no longer be common carriers and no longer be subject to FTC jurisdiction as such?

In any event, the FCC in 2016 summarized its now nullified rules:

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

  • Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
  • Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  • Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

Section 230

The Trump Administration FCC has started a rulemaking to construe key terms in 47 U.S.C. 230 (aka Section 230), a provision that shields technology companies from litigation arising from content it posts from third parties and any decisions it makes to take down, censor, or edit such material. Via executive order (EO), Trump directed the National Telecommunications and Information Administration (NTIA) to file a petition with the FCC asking the agency to conduct a rulemaking, and the FCC decided to commence this fall. However, it is unlikely the FCC will have enough time to finish this process even though Pai could conceivably unveil draft regulations to pare back the protection companies like Facebook, Twitter, Reddit, etc. enjoy. This push has been opposed by Democrats generally and by the two Democratic FCC Commissioners, and so it would likely be ended under a Biden FCC.

As a threshold matter, it is quite likely President-elect Joe Biden will issue almost immediately an executive order pausing almost all Trump Administration executive orders pending review. It is also conceivable that the new Administration will withdraw the Trump Administration’s petition for a Section 230 rulemaking, and a Biden Administration staffed and controlled FCC may be very willing to accept such a withdrawal and close down the rulemaking process. This is not to say, however, that the Biden Administration will not seek changes to Section 230. Biden has opined Section 230 should be repealed, and other Democratic stakeholders want to see a paring back of the liability shield as a means of creating an incentive for Facebook, Twitter, and others to address the proliferation of problematic content such as white supremacist materials, QAnon conspiracies, abuse of women and minorities, and outright lies and disinformation. A key Member of the House, Representative Jan Schakowsky (D-IL), who chairs the Consumer Protection and Commerce Subcommittee, has said she will release her reform proposal in January. It remains to be seen what role, if any, the FCC may play under a revised Section 230.

In October, FCC Chair Ajit Pai announced that that the “[t]he Commission’s General Counsel has informed me that the FCC has the legal authority to interpret Section 230…[and] [c]onsistent with this advice, I intend to move forward with a rulemaking to clarify its meaning.” Pai namechecked Thomas’ statement in which he “pointed out that courts have relied upon ‘policy and purpose arguments to grant sweeping protections to Internet platforms’ that appear to go far beyond the actual text of the provision.” Moreover, this interpretation has been subsequently released in a rather unusual fashion. Normally, agencies use the vehicle of a draft rule to make the claim it has or does not have certain authority provided by Congress to act. But, not in this case. The FCC has decided to make its case in a blog posting before it has released proposed regulations to define certain terms in Section 230’s liability shield for technology companies.

Working along a parallel track is pressure on the Senate committee that oversees the FCC to vet, hold a hearing on, and approve Trump’s nominee for the FCC. Commissioner Mike O’Reilly was lukewarm to the EO and his appointment to the FCC was expiring. And so, in typical Trump Administration fashion, the White House decided that the policy was not the problem. Personnel was. Consequently, Nathan Simington of the NTIA was nominated to replace O’Reilly, and the Senate Commerce, Science, and Transportation Committee advanced his nomination on party-line vote on 2 December. If Simington is confirmed and then the Republican-controlled Senate blocks a Biden nominee (which we know would never happen given the deep respect Senate Majority Leader Mitch McConnell (R-KY) has for the traditions of the institution), then the agency would be decapitated and could not act.

Broadband

Bridging the digital divide will likely be a signal technology priority for the Biden Administration. There are media accounts stating Biden and allies in Congress are already planning on how to significantly increase broadband funding, possibly in the next COVID-19 stimulus bill. Whether they continue the Trump Administration’s FCC’s approach is not clear. Whatever their course of action, the digital divide was made all the starker by the pandemic with people working from work and children doing online schooling.

The agency has proposed and is implementing a program that will allegedly raise over $20 billion to bridge the digital divide. The FCC explained the Rural Digital Opportunity Fund (RDOF):

The Rural Digital Opportunity Fund is the Commission’s next step in bridging the digital divide.  On August 1, 2019, the Commission adopted a Notice of Proposed Rulemaking (NPRM) proposing to establish the $20.4 billion Rural Digital Opportunity Fund to bring high speed fixed broadband service to rural homes and small businesses that lack it.  On January 30, 2020, the Commission adopted the Rural Digital Opportunity Fund Report and Order, which establishes the framework for the Rural Digital Opportunity Fund, building on the success of the CAF Phase II auction by using reverse auctions in two phases.  The Phase I auction, which is scheduled to begin on October 29, 2020, will target over six million homes and businesses in census blocks that are entirely unserved by voice and broadband with download speeds of at least 25 Mbps.  Phase II will cover locations in census blocks that are partially served, as well as locations not funded in Phase I.  The Rural Digital Opportunity Fund will ensure that networks stand the test of time by prioritizing higher network speeds and lower latency, so that those benefitting from these networks will be able to use tomorrow’s Internet applications as well as today’s.

There are other programs a Biden FCC could utilize to address some of the digital divide, including the E-Rate and Lifeline programs, and the next FCC could make some changes to the structure of the programs through rulemakings if it sought fit.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Ali Shah Lakhani on Unsplash

Further Reading, Other Developments, and Coming Events (4 November)

Further Reading

  • U.S. Cyber Command Expands Operations to Hunt Hackers From Russia, Iran and China” By Julian Barnes — The New York Times. The United States (U.S.) agency charged with offensive cyber operations sent teams around the world to undisclosed locations to work with partner nations to foil Russian, Chinese, and Iranian efforts to disrupt the U.S. election. It appears this exercise is more about building relations with partners in key regions and having personnel see first-hand the effect of constant cyber attacks, especially in regions targeted by the Russian Federation rather than the rationale offered by Cyber Command that “hunting forward” puts its people closer to the action. Considering this is cyberspace, does it really matter where personnel are?
  • U.S. undertook cyber operation against Iran as part of effort to secure the 2020 election” By Ellen Nakashima — The Washington Post. United States (U.S.) Cyber Command is out setting a narrative about how effective its operations against nations like Iran have been in protecting the election. Of course, one cannot prove this easily, so it is perhaps an open question as to the effectiveness of U.S. efforts. Nonetheless, this uncharacteristic openness may be on account of successful operations to foil and fend off efforts to disrupt the election, and it certainly reflects the U.S. security services’ desire to avoid 2016’s mistake of not going public with information so Americans would understand what is happening.
  •  “Europe and the US are drifting apart on tech. Joe Biden wouldn’t fix that.” By Nicholas Vincour — Politico EU. This rundown of the significant policy differences suggests the United States (U.S.) and the European Union (EU) will be at odds on major tech issues even under a Biden Administration that one can safely assume will return the U.S. to closer relations with the EU. Most of these differences transcend personality, however, suggesting structural and systemic reasons, which foretell continued friction.
  • What Big Tech has to gain—and lose—from a Biden presidency” By Mark Sullivan — Fast Company. This piece lays out how a Biden Administration might continue and discontinue Trump Administration policy if Joe Biden prevails in the election. One aspect this piece glosses over, however, is how the composition of Congress would inform a Biden Administration’s capability to achieve its policy goals on tech.
  • Robocalls Told at Least 800,000 Swing State Residents to “Stay Home” on Election Day. The FBI Is Investigating.” By Jack Gillum and Jeremy B. Merrill — ProPublica. Robocalls to more than 3 million people were made yesterday, urging them to stay home and stay safe. This is akin to voter suppression tactics that have been used for decades in the United States, but it is unlikely the culprit or true motive (if it was not intended as suppression) will ever be discovered given the ease of use, scale, and anonymity spoofing provides.

Other Developments

  • Australia’s Department of Home Affairs (Department) released for comment “Critical Technology Supply Chain Principles (the Principles)” that “are intended to assist organisations – including governments and businesses of all sizes – in making decisions about their suppliers.” The Department stated that “[t]he Principles also complement the Protecting Critical Infrastructure and Systems of National Significance reforms…[and] [t]ogether, these measures will help protect the supply of essential services that all Australians rely on.​​”
    • The Department stated:
      • Supply chains for critical technologies in Australia must be more resilient. Australia’s COVID-19 experience highlights the vulnerabilities of supply chains for products essential to the country. At the same time, the global technological landscape is evolving at an unprecedented pace and geostrategic competition is affecting how critical technologies are being developed and used.
      • The more dependent society becomes on technology, the less governments and organisations can rely on traditional habits and decision-making frameworks when it comes to their supply chains. Improving the management of critical technology supply chains specifically, across the economy will help build Australia’s resilience to future shocks, as well as address the inherent risks to our nation’s national security, economic prosperity and social cohesion. Advances in technology underpin our future prosperity, however they also expose our nation to more risks. Malicious actors can use critical technologies to harm our national security, and undermine our democracy. One way to address these risks is to consider the supply chains of critical technologies, and how these could be made more secure. Understanding the risks is the first step towards organisations of all sizes taking action to create diverse, trusted and secure supply chains.
      • That’s why the Australian Government is developing the Critical Technology Supply Chain Principles. These Principles will be non-binding and voluntary, and are intended to act as a tool to assist governments and businesses in making decisions about their suppliers and transparency of their own products. The Principles will help Australian business consider the unforeseen risks when developing critical technologies, building business resilience. The suggested Principles will be grouped under three pillars: security-by-design, transparency, and autonomy and integrity. The suggested Principles below align with guidance provided by the Australian Signals Directorate’s Australian Cyber Security Centre on supply chain risk management.
    • The Department provided an overview of the conceptual framework of the document:
      • Security should be a core component of critical technologies. Organisations should ensure they are making decisions that build in security from the ground-up.
        • 1. Understand what needs to be protected and why.
        • 2. Understand the security risks posed by your supply chain.
        • 3. Build security considerations into contracting processes that are proportionate to the level of risk (and encourage suppliers to do the same).
        • 4. Raise awareness of security within your supply chain
      • Transparency of technology supply chains is critical, both from a business perspective and a national security perspective.
        • 5. Know who suppliers are and build an understanding of security measures.
        • 6. Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement.
        • 7. Encourage suppliers to understand their supply chains, and be able to provide this information to consumers.
      • Knowing that your suppliers demonstrate integrity and are acting autonomously is fundamental to securing your supply chain.
        • 8. Consider the influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy.
        • 9. Consider if suppliers operate ethically, with integrity, and consistently with their human rights responsibilities.
        • 10. Build trusted, strategic relationships with suppliers
  • The United States’ (U.S.) Department of Justice (DOJ) announced that a member of a $100 million botnet conspiracy was sentenced to eight years in prison “for his role in operating a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.” The DOJ stated:
    • Aleksandr Brovko, 36, formerly of the Czech Republic, pleaded guilty in February to conspiracy to commit bank and wire fraud. According to court documents, Brovko was an active member of several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services. 
    • As reflected in court documents, from 2007 through 2019, Brovko worked closely with other cybercriminals to monetize vast troves of data that had been stolen by “botnets,” or networks of infected computers.  Brovko, in particular, wrote software scripts to parse botnet logs and performed extensive manual searches of the data in order to extract easily monetized information, such as personally identifiable information and online banking credentials.  Brovko also verified the validity of stolen account credentials, and even assessed whether compromised financial accounts had enough funds to make it worthwhile to attempt to use the accounts to conduct fraudulent transactions. 
    • According to court documents, Brovko possessed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy. These access devices consisted of either personally identifying information or financial account details. Under the U.S. Sentencing Guidelines, the estimated intended loss in this case has been calculated as exceeding $100 million.
  • The Office of the Privacy Commissioner of Canada (OPC), Office of the Information and Privacy Commissioner of Alberta (OIPC AB) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) found that “Cadillac Fairview – one of North America’s largest commercial real estate companies – embedded cameras inside their digital information kiosks at 12 shopping malls across Canada and used facial recognition technology without their customers’ knowledge or consent.”  The Commissioners asserted:
    • The goal, the company said, was to analyze the age and gender of shoppers and not to identify individuals. Cadillac Fairview also asserted that shoppers were made aware of the activity via decals it had placed on shopping mall entry doors that referred to their privacy policy – a measure the Commissioners determined was insufficient.
    • Cadillac Fairview also asserted that it was not collecting personal information, since the images taken by camera were briefly analyzed then deleted. However, the Commissioners found that Cadillac Fairview did collect personal information, and contravened privacy laws by failing to obtain meaningful consent as they collected the 5 million images with small, inconspicuous cameras. Cadillac Fairview also used video analytics to collect and analyze sensitive biometric information of customers.
    • The investigation also found that:
      • Facial recognition software was used to generate additional personal information about individual shoppers, including estimated age and gender.
      • While the images were deleted, investigators found that the sensitive biometric information generated from the images was being stored in a centralized database by a third party.
      • Cadillac Fairview stated that it was unaware that the database of biometric information existed, which compounded the risk of potential use by unauthorized parties or, in the case of a data breach, by malicious actors.
  • The United States (U.S.) Department of Defense (DOD) published its “DOD Electromagnetic Spectrum Superiority Strategy” the purpose of which “is to align DOD electromagnetic spectrum (EMS) activities with the objectives of the 2017 National Security Strategy, the 2018 National Defense Strategy, and national economic and technology policy goals.” The DOD stated:
    • This Strategy embraces the enterprise approach required to ensure EMS superiority by integrating efforts to enhance near-term and long-term EMS capabilities, activities, and operations. The Strategy informs the Department’s domestic EMS access policies and reinforces the need to develop cooperative frameworks with other EMS stakeholders in order to advance shared national policy goals. The traditional functions of Electromagnetic Spectrum Management (EMSM) and Electromagnetic Warfare (EW)—integrated as Electromagnetic Spectrum Operations (EMSO)—are addressed within the document’s strategic goals. This 2020 Strategy builds upon the successes of and supersedes both the DOD’s 2013 EMS Strategy and 2017 EW Strategy.
    • The DOD concluded:
      • DOD faces rapidly increasing challenges to its historical EMS dominance due in part to increasingly complex EMOEs. Threats to DOD capabilities due to EMS vulnerabilities have become increasingly sophisticated and easily attainable. Commercial technology advancements are proliferating wireless devices and services that are eroding DOD’s freedom of action in the EMS. At the same time, the U.S. military has increasing spectrum requirements for the operations, testing, and training of advanced warfighting capabilities. Finally, DOD must exploit near-peer adversaries’ EMS vulnerabilities through advanced EW to offset their capacity overmatch.
      • To cope with these challenges and achieve the vision of Freedom of Action in the Electromagnetic Spectrum, the DOD will actively pursue the areas outlined herein. DOD will enhance the ability to plan, sense, manage, and control military operations with advanced EMS technologies to ensure EMS superiority. The Department will also proactively engage with spectrum policymakers and partners to ensure spectrum policies support U.S . capability requirements. DOD will perform the governance functions needed to ensure our efforts are aligned and coordinated to maximize the results of our efforts.
      • The NDS directs the Department to “determine an approach to enhancing the lethality of the joint force against high end competitors and the effectiveness of our military against a broad spectrum of potential threats.” Realization of the NDS requires DOD to actualize the vision of this DOD EMS Superiority Strategy by implementing its goals and objectives through an empowered EMS enterprise. Advancing how DOD conducts operations in the EMS, and generates EMS superiority, will be critical to the success of all future missions for the United States, its allies, and partners.

Coming Events

  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.
  • On 17 November, the Senate Judiciary Committee will reportedly hold a hearing with Facebook CEO Mark Zuckerberg and Twitter CEO Jack Dorsey on Section 230 and how their platforms chose to restrict The New York Post article on Hunter Biden.
  • On 18 November, the Federal Communications Commission (FCC) will hold an open meeting and has released a tentative agenda:
    • Modernizing the 5.9 GHz Band. The Commission will consider a First Report and Order, Further Notice of Proposed Rulemaking, and Order of Proposed Modification that would adopt rules to repurpose 45 megahertz of spectrum in the 5.850-5.895 GHz band for unlicensed operations, retain 30 megahertz of spectrum in the 5.895-5.925 GHz band for the Intelligent Transportation Systems (ITS) service, and require the transition of the ITS radio service standard from Dedicated Short-Range Communications technology to Cellular Vehicle-to-Everything technology. (ET Docket No. 19-138)
    • Further Streamlining of Satellite Regulations. The Commission will consider a Report and Order that would streamline its satellite licensing rules by creating an optional framework for authorizing space stations and blanket-licensed earth stations through a unified license. (IB Docket No. 18-314)
    • Facilitating Next Generation Fixed-Satellite Services in the 17 GHz Band. The Commission will consider a Notice of Proposed Rulemaking that would propose to add a new allocation in the 17.3-17.8 GHz band for Fixed-Satellite Service space-to-Earth downlinks and to adopt associated technical rules. (IB Docket No. 20-330)
    • Expanding the Contribution Base for Accessible Communications Services. The Commission will consider a Notice of Proposed Rulemaking that would propose expansion of the Telecommunications Relay Services (TRS) Fund contribution base for supporting Video Relay Service (VRS) and Internet Protocol Relay Service (IP Relay) to include intrastate telecommunications revenue, as a way of strengthening the funding base for these forms of TRS and making it more equitable without increasing the size of the Fund itself. (CG Docket Nos. 03-123, 10-51, 12-38)
    • Revising Rules for Resolution of Program Carriage Complaints. The Commission will consider a Report and Order that would modify the Commission’s rules governing the resolution of program carriage disputes between video programming vendors and multichannel video programming distributors. (MB Docket Nos. 20-70, 17-105, 11-131)
    • Enforcement Bureau Action. The Commission will consider an enforcement action.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by skeeze from Pixabay

Further Reading, Other Developments, and Coming Events (28 October)

Further Reading

  •  “Administration officials alarmed by White House push to fast track lucrative 5G spectrum contract, sources say” By Jake Tapper — CNN. A company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the Department of Defense (DOD) for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.
  • Remote learning is deepening the divide between rich and poor” By Lucien O. Chauvin and Anthony Faiola — The Washington Post. The digital divide is, if anything, even more pronounced in the Third World where the pandemic and underlying economic and societal conditions threaten to erase anti-poverty gains and the education and future of a generation.
  • Big Tech’s biggest critics are racing to raise money for Biden’s campaign” By Tony Romm — The Washington Post. In the last days of the campaign, a number of “Big Tech” critics are hosting or intensifying fund raising efforts for the Biden Campaign in the hopes of shaping its policies towards Silicon Valley. Those on the left favor dramatic action in a new administration while Biden’s centrist history may argue against significant change. Also, Silicon Valley as a whole has showered donations on the Biden Campaign, which may be a potent counterweight.
  • State, federal antitrust charges against Facebook could come as soon as November, sources say” By Tony Romm — The Washington Post. The Federal Trade Commission (FTC) and a group of state attorneys general may be filing their anti-trust suits as early as next month against Facebook for its dominance of the social messaging market. The suits would likely focus on Facebook’s acquisitions of potential rivals WhatsApp and Instagram.
  • Facebook touts free speech. In Vietnam, it’s aiding in censorship” By David Cloud and Shashank Bengali — Los Angeles Times. Despite Facebook’s talk of supporting free speech in western nations, it apparently complies to pressure from authoritarian regimes like Vietnam’s to block posts and close down accounts of dissidents.

Other Developments

  • The Presidency of the Council of the European Union (EU), currently held by Germany, released “Conclusions on the Charter of Fundamental Rights in the Context of Artificial Intelligence and Digital Change,” which laid out the EU’s views on how to develop and deploy artificial intelligence (AI).
    • The Presidency stated:
      • The COVID-19 pandemic has shown more clearly than ever that Europe must achieve digital sovereignty in order to be able to act with self-determination in the digital sphere and to foster the resilience of the European Union. We therefore want to work together on European responses for digital technologies, such as artificial intelligence (AI). We want to ensure that the design, development, deployment and use of new technologies uphold and promote our common values and the fundamental rights guaranteed by the EU Charter of Fundamental Rights (hereinafter ‘the Charter’), while increasing our competitiveness and prosperity. High levels of IT security must be maintained within a framework that is open to innovation.
      • We are committed to the responsible and human-centric design, development, deployment, use and evaluation of AI. We should harness the potential of this key technology in promoting economic recovery in all sectors in a spirit of European solidarity, uphold and promote fundamental rights, democracy and the rule of law and maintain high legal and ethical standards.
  • A United States’ (U.S.) Defense Science Board (DSB) Task Force published the executive summary of its “Final Report on Counter Autonomy,” “a strategic assessment of U.S. counter autonomy capabilities today and 30 years from now across all domains (land, sea, undersea, air, space, and cyberspace).” The DSB is an advisory body of the Department of Defense (DOD) that has proven influential in shaping DOD and U.S. policy. The Task Force stated:
    • The Task Force found a heavy focus across the whole-of-government on fielding U.S. autonomous systems with very little attention given to countering autonomous systems deployed by adversaries. One major exception is the U.S. government’s many programs focused on the counter unmanned aerial system (c-UAS) mission. Although c-UAS is critical to ensuring the safety and security of U.S. forces, allies, and the homeland, the DOD must adopt a broader view of counter autonomy or it will not be prepared to effectively defeat future adversary systems.
    • Like the introduction of cyberspace, the growth of autonomy and artificial intelligence (AI) will bring new capability to the public and private sector, but it will also introduce vulnerabilities to current and future capabilities. Therefore, the Task Force felt it necessary to not only develop recommendations aimed at counter autonomy but also counter-counter autonomy. The integrity of each component used to develop a physical or digital autonomous capability must be considered across the entire lifecycle of a system to maintain confidence in its efficacy and reliability.
    • The Task Force has provided a series of recommendations that, if implemented, will effectively aid the DOD and the wider U.S. government in developing a full-scope counter autonomy capability, strengthen U.S. autonomous systems, and result in a more resilient and lethal force.
    • The Task Force made these recommendations:
      • Recommendation 1: Leadership
        • The Under Secretary of Defense, Research and Engineering (USD(R&E)) create a single senior focal point for counter autonomy separate from autonomy leadership but of equal authority to ensure independent thinking
        • USD(R&E) champion a DOD-wide autonomy/counter autonomy community modeled on the existing low observable/counter low observable (LO/CLO) community
      • Recommendation 2: Capability and Operational Development
        • C. Military Departments (Secretaries) charter the following in order to develop robust fielded counter autonomy capabilities
        • Assess, fund, and deploy modifications needed to existing conventional capabilities
        • Create a robust Opposing force (OPFOR) that mimics adversary autonomy
        • Establish multi-domain Counter autonomy (CA) Red Teams
        • Develop CA requirements, concepts, and Tactics, techniques, and procedures (TTPs)/ Concept of operations (CONOPS)
        • D. Direct Service labs and DARPA to create CA
      • R&D Recommendation 3: Intelligence
        • Sensitive content – N/A
      • Recommendation 4: Assurance
        • Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) establish and enforce AI-enabled autonomous system resilience guidelines to mitigate AI-specific vulnerabilities
        • Developmental test and evaluation (DT&E)/ Operational test and evaluation (OT&E) establish testing and evaluation guidance for development, fielding and sustainment to assure resilience of AI-enabled autonomous systems against counter autonomy attack over lifecycle
      • Recommendation 5: Policy
        • The Office of the Under Secretary of Defense for Policy (OUSD(P)) develop policy to provide appropriate defense of U.S. autonomous weapon systems, support autonomy exports, and ensure safety and security of imports
      • Recommendation 6: Talent
        • The Office of the Secretary of Defense (OSD) and Military Departments significantly expand autonomy/AI talent through aggressive recruiting, hiring, career path, and retention actions:
        • −  Upskill talent with AI skills through incentives and innovative methods such as free or affordable online training (e.g., edX, Coursera, Udacity)
        • −  Military Departments establish, promote, and incentivize autonomy/AI career paths for civilian and military personnel
        • o Service Academies, including Air Force Institute of Technology and Naval Postgraduate School, include counter autonomy in curriculum and research
        • −  Expand the use of innovative staffing (e.g., IPA, HQE, SMART), and build a national talent pipeline at the graduate level with focused DOD funding
        • −  Fully leverage Section 1107(c) Direct Hiring Authority and request Congress authorize the limitation be raised from 5 percent to 10 percent of the workforce
        • Defense Counterintelligence and Security Agency (DCSA) accelerate clearance adjudication for candidates with critical skills (AI/machine learning (ML), robotics, cyber, etc.)
  • The Center for a New American Security (CNAS), a center-left Washington, D.C. national security think tank that may prove as influential in a Biden Administration as it did during the Obama Administration, released “Common Code: An Alliance Framework for Democratic Technology Policy,” that argued for the most technologically advanced democracies to band together and cooperate so that democratic ideals and principles will inform the development of the coming technology. CNAS explained that “[t]he Technology Alliance project and this report were made possible by a grant from Schmidt Futures,” a philanthropic venture started and funded by former Google and Alphabet CEO Eric Schmidt. CNAS stated:
    • Technological leadership by the world’s major liberal-democratic nations will be essential to safeguarding democratic institutions, norms, and values, and will contribute to global peace and prosperity. A unified approach by like-minded nations also is needed to counteract growing investments in and deployments of emerging technologies by authoritarian, revisionist powers.
    • Many have made the case for such a grouping, most notably the United Kingdom’s recent call for a “Democracy 10” to tackle 5G and other technology issues. Similarly, former U.S. government officials have advocated for the creation of a “Tech 10.” Despite this interest in a new coordination mechanism for multilateral technology policy, the work needed to create it has been elusive.
    • CNAS explained:
      • This document lays out what that alliance framework should look like, the opening chapter of a new, multilateral techno-democratic statecraft strategy for the 21st century. It answers the key questions needed to move from concept to an actionable blueprint necessary to tackle the 21st century technology competition:
        • What countries should be members of the technology alliance, and why?
        • Should the alliance be able to collaborate with non-members, and why?
        • Should the alliance grow, and how?
        • How should the alliance be organized and structured?
        • What is the ideal voting system?
        • How should the alliance engage with stakeholders from industry and civil society?
        • What is the best meeting structure and frequency?
      • After detailing recommendations for creating the technology alliance itself, the blueprint addresses the new organization’s top priorities, areas where the project leads identified both a common code between the proposed member countries and an urgent need for improved coordination:
        • Restructure supply chains with a focus on security and diversity
        • Safeguard competitive technological advantages with tailored multilateral export controls and by curbing unwanted technology transfers
        • Fund and build secure digital infrastructure by creating new investment mechanisms
        • Craft standards and norms for a beneficial technology future.
      • The technology alliance’s longer-term agenda should include efforts to:
        • Pursue joint R&D
        • Engage in technology forecasting
        • Focus on data flows
        • Promote technology interoperability
        • Counter disinformation and other illiberal uses of technology
        • Maximize human capital.
  • The National Institute of Standards and Technology (NIST) published a notice in the Federal Register inviting “organizations to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained this “is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained:
    • Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture
    • In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
    • The NCCoE project builds on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns to the concepts and principles in NIST SP 800-207 and using commercially available products.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) evaluated DHS’ information security for FY 2019 and found serious problems. The OIG “reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements.” The OIG found serious deficiencies with the Cybersecurity and Infrastructure Security Agency, ostensibly the entity in the U.S. government charged with helping civilian agencies secure and defend their networks. The OIG found:
    • DHS’ information security program was not effective for FY 2019 because the Department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4). We rated DHS’ information security program according to five functions outlined in the 2019 reporting instructions:
      • Identify: DHS received a Level 1 rating because it did not have an effective strategy or department-wide approach to manage risks for all of its systems.
      • Protect: DHS achieved Level 4 as it was rated Level 4 in three of the four domains essential to this function.
      • Detect: DHS received a Level 1 rating due to the lack of a comprehensive strategy and organization-wide continuous monitoring approach to address all requirements and activities at each organizational tier.
      • Respond: DHS received a Level 1 rating because the Coast Guard had not reported its cybersecurity incidents to DHS since 2012.
      • Recover: DHS received Level 3 because it had not made progress since prior years [REDACTED]
    • According to FY 2019 reporting metrics, our independent contractor rated component information security programs effective for Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) as both components achieved the targeted “Level 4 – Managed and Measurable” or higher in four of five functions. The Cybersecurity and Infrastructure Security Agency (CISA) overall information security program was not effective because it achieved “Level 1 – Ad-hoc,” which is below the targeted Level 4 in three of five functions. Because the Department performs several security functions on CISA’s behalf, CISA has not yet developed component specific policies, procedures, and business processes as required by DHS policy.

Coming Events

  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Computerizer from Pixabay

Further Reading, Other Developments, and Coming Events (15 October)

Further Reading

  •  “Amazon to escape UK digital services tax that will hit smaller traders” By Mark Sweney — The Guardian. According to media reports, the United Kingdom’s (UK) new digital services tax will not be levied on goods Amazon sells directly to consumers. Rather, the new tax HM Revenue and Customs will be on the revenue from services Amazon and other platforms charge to third-party sellers using Amazon. And, Amazon has made clear it will merely pass along the 2% tax to these entities. This is a strange outcome to a policy ostensibly designed to address the fact that the tach giant paid only £14.4 million in corporation taxes to the UK last year on £13.7 billion in revenue.
  • Norway blames Russia for cyber-attack on parliament” — BBC News. In a statement, the Norwegian government claimed that its Parliament has been breached, and Norway’s Foreign Minister is saying the Russian Federation is the culprit. Last month the government in Oslo said that the email accounts of some government officials had been compromised, but this announcement seems to indicate the breach was far wider than thought last month, or that the government knew and was holding back the information. If true, this is the second such penetration and exfiltration by Russian security services of a European government in the recent past as the German government made the same claims, which lead to the European Union’s first cyber sanctions.
  • Twitter suspends accounts for posing as Black Trump supporters” By Kari Paul — The Guardian and “Fake Twitter accounts posing as Black Trump supporters appear, reach thousands, then vanish” By Craig Timberg and Isaac Stanley-Becker — The Washington Post. As a rule of thumb, I find the Cui Bono helpful. And, so it is with fake Twitter accounts of alleged African Americans who will vote for President Donald Trump. Are these courtesy of the Republican Party and the Trump Campaign? Maybe. They would certainly gain from peeling off African American support for Vice President Joe Biden considering its his strongest constituency as measured by percentage support relative to total population. The Russians? Sure. They also stand to benefit from stirring the cauldron of unease and division in the United States regardless of who wins, and possibly even more so if Biden wins for the U.S. will likely return to its pre-Trump adversarial policy towards the Russian Federation. And, finally how does Twitter benefit from taking down the sort of fake accounts that violate its terms of service when this has not often been its modus operandi? Perhaps to curry favor with a Biden Administration likely to push for changes as to how social media platforms are to be regulated.
  • Backers of Australia’s mandatory news code welcome French ruling on Google” By Amanda Meade — The Guardian. Not surprisingly, the Australian Competition and Consumer Commission (ACCC) was delighted when a French appeals court ruled in favor of France’s competition authority against Google in its challenge of a French law to require social media platforms to pay traditional media for use of their content. The ACCC has been fighting its own battle on this front with its draft code that would require Google and Facebook to do the same down under.
  • Can Tinder be sued for breach of care?” By James Purtrill — ABC News. Given the recent allegations that Tinder knew of sexual assaulters using their app and doing nothing, this piece looks at the liability Tinder may face under Australian law. It is quite likely if sexual assaults related to Tinder indifference or negligence is occurring in other common law countries, then the company may be facing lawsuits there, too.

Other Developments

  • The Government Accountability Office (GAO) found that the Federal Aviation Administration (FAA) has not all it can on aviation cybersecurity despite the absence of any successful cyber attacks on a plane’s avionics system. The GAO asserted:
    • FAA has not (1) assessed its oversight program to determine the priority of avionics cybersecurity risks, (2) developed an avionics cybersecurity training program, (3) issued guidance for independent cybersecurity testing, or (4) included periodic testing as part of its monitoring process. Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplanes.
    • The GAO allowed:
      • Increasing use of technology and connectivity in avionics has brought new opportunities for persons with malicious intentions to target commercial transport airplanes. The connections among avionics and other systems onboard airplanes and throughout the aviation ecosystem are growing more complex as airplanes become more connected to systems that are essential for flight safety and operations. Airframe manufacturers are deploying software and hardware protections to reduce the risk of the cyber threats currently facing avionics systems.
    • The GAO contended:
      • Further, while FAA has mechanisms for coordinating among its internal components and with other federal agencies and private sector stakeholders to address cybersecurity risks, it has not established avionics cybersecurity risks as a priority. As a result, avionics cybersecurity issues that have been raised within FAA have not been consistently tracked to resolution. Until FAA conducts an overall assessment of the cybersecurity risks to avionics systems and prioritizes coordination efforts based on that assessment, it may not be allocating resources and coordinating on risks as effectively as it could.
    • The GAO made this recommendations:
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety to conduct a risk assessment of avionics systems cybersecurity to identify the relative priority of avionics cybersecurity risks for its oversight program compared to other safety concerns and develop a plan to address those risks. (Recommendation 1)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to identify staffing and training needs for agency inspectors specific to avionics cybersecurity, and develop and implement appropriate training to address identified needs. (Recommendation 2)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to develop and implement guidance for avionics cybersecurity testing of new airplane designs that includes independent testing. (Recommendation 3)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider revising its policies and procedures for monitoring the effectiveness of avionics cybersecurity controls in the deployed fleet to include developing procedures for safely conducting independent testing. (Recommendation 4)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety to develop a mechanism to ensure that avionics cybersecurity issues are appropriately tracked and resolved when coordinating among internal stakeholders. (Recommendation 5)
      • The FAA Administrator should direct the Associate Administrator for Aviation Safety, based on the assessment of avionics cybersecurity risks, to review and consider the extent to which oversight resources should be committed to avionics cybersecurity. (Recommendation 6)
  • The chairs and ranking members of the House Energy and Commerce Committee and one of its subcommittee wrote the Government Accountability Office (GAO) to “evaluate Department of Health and Human Services’ (HHS) [cyber] incident response capabilities…[and] should include assessing the agency’s forensic threat intelligence data infrastructure used in responding to major or significant incidents involving persistent threats and data breaches.” Chair Frank Pallone, Jr. (D-NJ), Ranking Member Greg Walden (R-OR), and Oversight and Investigations Subcommittee Chair Diana DeGette (D-CO), and Ranking Member Brett Guthrie (R-KY) stated:
    • The Chief Information Security Officer at HHS recently acknowledged that the ongoing COVID-19 public health crisis has placed a new target on HHS, and malicious actors have boosted their efforts to infiltrate the agency and access sensitive data. In addition, it was reported in March 2020 that HHS suffered a cyber-attack on its computer system. According to people familiar with the incident, it was part of a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor. Further, emerging cyber threats, such as the advanced persistent threat groups that exploited COVID-19 in early 2020, underscore the importance of effectively protecting information systems supporting the agency.
    • Given the types of information created, stored, and shared on the information systems owned and operated by HHS, it is important that the agency implement effective incident response handling processes and procedures to address persistent cyber-based threats.
  • A federal court denied Epic Games’ request for a preliminary injunction requiring Apple to put Fortnite back into the App Store. The judge assigned the case had signaled this request would likely fail as its request for a temporary restraining order was also rejected. The United States District Court for the Northern District of California summarized Epic’s motion:
    • In this motion for preliminary injunction, Epic Games asks the Court to force Apple to reinstate Fortnite to the Apple App Store, despite its acknowledged breach of its licensing agreements and operating guidelines, and to stop Apple from terminating its affiliates’ access to developer tools for other applications, including Unreal Engine, while Epic Games litigates its claims.
    • The court stated:
      • Epic Games bears the burden in asking for such extraordinary relief. Given the novelty and the magnitude of the issues, as well as the debate in both the academic community and society at large, the Court is unwilling to tilt the playing field in favor of one party or the other with an early ruling of likelihood of success on the merits. Epic Games has strong arguments regarding Apple’s exclusive distribution through the iOS App Store, and the in-app purchase (“IAP”) system through which Apple takes 30% of certain IAP payments. However, given the limited record, Epic Games has not sufficiently addressed Apple’s counter arguments. The equities, addressed in the temporary restraining order, remain the same.
    • The court held:
      • Apple and all persons in active concert or participation with Apple, are preliminarily enjoined from taking adverse action against the Epic Affiliates with respect to restricting, suspending or terminating the Epic Affiliates from the Apple’s Developer Program, on the basis that Epic Games enabled IAP direct processing in Fortnite through means other than the Apple IAP system, or on the basis of the steps Epic Games took to do so. This preliminary injunction shall remain in effect during the pendency of this litigation unless the Epic Affiliates breach: (1) any of their governing agreements with Apple, or (2) the operative App Store guidelines. This preliminary injunction supersedes the prior temporary restraining order.
    • In its complaint, Epic Games is arguing that Apple’s practices violate federal and California antitrust and anti-competition laws. Epic Games argued:
      • This case concerns Apple’s use of a series of anti-competitive restraints and monopolistic practices in markets for (i) the distribution of software applications (“apps”) to users of mobile computing devices like smartphones and tablets, and (ii) the processing of consumers’ payments for digital content used within iOS mobile apps(“in-app content”). Apple imposes unreasonable and unlawful restraints to completely monopolize both markets and prevent software developers from reaching the over one billion users of its mobile devices (e.g., iPhone and iPad) unless they go through a single store controlled by Apple, the App Store, where Apple exacts an oppressive 30% tax on the sale of every app. Apple also requires software developers who wish to sell digital in-app content to those consumers to use a single payment processing option offered by Apple, In-App Purchase, which likewise carries a 30% tax.
      • In contrast, software developers can make their products available to users of an Apple personal computer (e.g., Mac or MacBook) in an open market, through a variety of stores or even through direct downloads from a developer’s website, with a variety of payment options and competitive processing fees that average 3%, a full ten times lower than the exorbitant 30% fees Apple applies to its mobile device in-app purchases.
    • In its late August denial of Epic Games’ request for a temporary restraining order, the court decided the plaintiff does not necessarily have an antitrust case strong enough to succeed on the merits, has not demonstrated irreparable harm because the “current predicament appears to be of its own making,” would unjustifiably be enriched if Fortnite is reinstated to the App Store without having to pay 30% of in app purchases to Apple, and is not operating in a public interest strong enough to overcome the expectation private parties will honor their contracts or resolve disputes through normal means.
  • As part of its Digital Modernization initiative, the Department of Defense (DOD) released its Data Strategy which is supposed to change how the DOD and its components collect, process, and use data, which is now being framed as an essential element of 21st Century conflicts. The DOD stated:
    • DOD must accelerate its progress towards becoming a data-centric organization. DOD has lacked the enterprise data management to ensure that trusted, critical data is widely available to or accessible by mission commanders, warfighters, decision-makers, and mission partners in a real- time, useable, secure, and linked manner. This limits data-driven decisions and insights, which hinders the execution of swift and appropriate action.
    • Additionally, DOD software and hardware systems must be designed, procured, tested, upgraded, operated, and sustained with data interoperability as a key requirement. All too often these gaps are bridged with unnecessary human-machine interfaces that introduce complexity, delay, and increased risk of error. This constrains the Department’s ability to operate against threats at machine speed across all domains.
    • DOD also must improve skills in data fields necessary for effective data management. The Department must broaden efforts to assess our current talent, recruit new data experts, and retain our developing force while establishing policies to ensure that data talent is cultivated. We must also spend the time to increase the data acumen resident across the workforce and find optimal ways to promote a culture of data awareness.
    • The DOD explained how it will implement the new strategy:
      • Strengthened data governance will include increased oversight at multiple levels. The Office of the DOD Chief Data Officer (CDO) will govern the Department’s data management efforts and ensure sustained focus by DOD leaders. The DOD Chief Information Officer (DOD CIO) will ensure that data priorities are fully integrated into the DOD Digital Modernization program, ensuring synchronization with DOD’s cloud; AI; Command, Control, and Communications (C3); and cybersecurity efforts. The DOD CIO will also promote compliance with CDO guidance via CIO authorities for managing IT investments, issuing DOD policy, and certifying Service/component budgets.
      • The CDO Council, chaired by the DOD CDO, will serve as the primary venue for collaboration among data officers from across the Department. This body will identify and prioritize data challenges, develop solutions, and oversee policy and data standards of the Department. While working closely with the appropriate governance bodies, members of the CDO Council must also advocate that data considerations be made an integral part of all the Department’s requirements, research, procurement, budgeting, and manpower decisions.
    • The DOD concluded:
      • Data underpins digital modernization and is increasingly the fuel of every DOD process, algorithm, and weapon system. The DOD Data Strategy describes an ambitious approach for transforming the Department into a data-driven organization. This requires strong and effective data management coupled with close partnerships with users, particularly warfighters. Every leader must treat data as a weapon system, stewarding data throughout its lifecycle and ensuring it is made available to others. The Department must provide its personnel with the modern data skills and tools to preserve U.S. military advantage in day-to-day competition and ensure that they can prevail in conflict.
    • In its draft Digital Modernization Strategy, the DOD stated:
      • The DOD Digital Modernization Strategy, which also serves as the Department’s Information Resource Management (IRM) Strategic Plan, presents Information Technology (IT)-related modernization goals and objectives that provide essential support for the three lines of effort in the National Defense Strategy (NDS), and the supporting National Defense Business Operations Plan (NDBOP). It presents the DOD CIO’s vision for achieving the Department’s goals and creating “a more secure, coordinated, seamless, transparent, and cost-effective IT architecture that transforms data into actionable information and ensures dependable mission execution in the face of a persistent cyber threat.”

Coming Events

  • The European Union Agency for Cybersecurity (ENISA), Europol’s European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) will hold the 4th annual IoT Security Conference series “to raise awareness on the security challenges facing the Internet of Things (IoT) ecosystem across the European Union:”
    • Supply Chain for IoT – 21 October at 15:00 to 16:30 CET
  • The Federal Communications Commission (FCC) will hold an open commission meeting on 27 October, and the agency has released a tentative agenda:
    • Restoring Internet Freedom Order Remand – The Commission will consider an Order on Remand that would respond to the remand from the U.S. Court of Appeals for the D.C. Circuit and conclude that the Restoring Internet Freedom Order promotes public safety, facilitates broadband infrastructure deployment, and allows the Commission to continue to provide Lifeline support for broadband Internet access service. (WC Docket Nos. 17-108, 17-287, 11- 42)
    • Establishing a 5G Fund for Rural America – The Commission will consider a Report and Order that would establish the 5G Fund for Rural America to ensure that all Americans have access to the next generation of wireless connectivity. (GN Docket No. 20-32)
    • Increasing Unlicensed Wireless Opportunities in TV White Spaces – The Commission will consider a Report and Order that would increase opportunities for unlicensed white space devices to operate on broadcast television channels 2-35 and expand wireless broadband connectivity in rural and underserved areas. (ET Docket No. 20-36)
    • Streamlining State and Local Approval of Certain Wireless Structure Modifications – The Commission will consider a Report and Order that would further accelerate the deployment of 5G by providing that modifications to existing towers involving limited ground excavation or deployment would be subject to streamlined state and local review pursuant to section 6409(a) of the Spectrum Act of 2012. (WT Docket No. 19-250; RM-11849)
    • Revitalizing AM Radio Service with All-Digital Broadcast Option – The Commission will consider a Report and Order that would authorize AM stations to transition to an all-digital signal on a voluntary basis and would also adopt technical specifications for such stations. (MB Docket Nos. 13-249, 19-311)
    • Expanding Audio Description of Video Content to More TV Markets – The Commission will consider a Report and Order that would expand audio description requirements to 40 additional television markets over the next four years in order to increase the amount of video programming that is accessible to blind and visually impaired Americans. (MB Docket No. 11-43)
    • Modernizing Unbundling and Resale Requirements – The Commission will consider a Report and Order to modernize the Commission’s unbundling and resale regulations, eliminating requirements where they stifle broadband deployment and the transition to next- generation networks, but preserving them where they are still necessary to promote robust intermodal competition. (WC Docket No. 19-308)
    • Enforcement Bureau Action – The Commission will consider an enforcement action.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • The Senate Commerce, Science, and Transportation Committee will reportedly hold a hearing on 29 October regarding 47 U.S.C. 230 with testimony from:
    • Jack Dorsey, Chief Executive Officer of Twitter;
    • Sundar Pichai, Chief Executive Officer of Alphabet Inc. and its subsidiary, Google; and 
    • Mark Zuckerberg, Chief Executive Officer of Facebook.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by amrothman from Pixabay