OIG Finds DHS Election Security Efforts Improved But Still Lacking

The OIG found issues with how CISA provided assistance on election cybersecurity and found a complete lack of planning or assistance on physical safety, terrorism, and violence issues.

The United States’ (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) released its second assessment in the last two years of the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to secure the U.S.’ election systems. The OIG lauded CISA’s progress in laying plans and taking precautions to secure U.S. election systems themselves but found room for CISA to improve its oversight and its safeguarding of the overall system. However, the OIG acknowledged the progress the agency has made since the February 2019 evaluation, which was more critical of CISA’s efforts to date. But the OIG intimated that, given the churn at the top of DHS over the last few years and the federal election system the U.S. has, CISA may be able to do only so much. In any event, the next few days may lead the OIG to rethink some of its assessment depending on how CISA performs.

The OIG summarized the scope of challenge before CISA:

  • As of September 2020, according to the Cybersecurity and Infrastructure Security Agency (CISA), there were 7,997 election administration jurisdictions in the country. The sizes of these jurisdictions vary dramatically, with the smallest towns having only a few hundred registered voters, while the largest jurisdiction in the country has more than 4.7 million.
  • The diversity in voting systems and software across the Nation presents considerable cybersecurity challenges. For example, there are 67 different types of voting machines manufactured by 7 different companies currently certified for use in any of the election administration jurisdictions across the United States. The election infrastructure’s reliance on technology for efficiency and convenience introduces even greater cybersecurity risks. Moreover, state and local jurisdictions may have different requirements for securing their systems, such as configuration settings, audit logging, intrusion detection capability, and patch management.

Nonetheless, beyond the effect of four different DHS heads since the beginning of the Trump Administration, the OIG pointed at CISA’s “protracted reorganization” since it was renamed and remade from its forerunner agency, the National Protection and Programs Directorate (NPPD). The OIG said CISA could not even produce an organizational chart, suggesting the possibility of dysfunction inside the agency. For example, the OIG noted:

For example, [Office of Intelligence and Analysis] officials told us in March 2020, the National Cybersecurity and Communications Integration Center (NCCIC) was recently re-organized. However, when we reached out to CISA officials for confirmation in April 2020, they dismissed this notion. According to CISA officials, the confusion may arise when some people refer to NCCIC according to its statutory authority while others refer to the organizational body (i.e., the Cybersecurity Division) that carries out the functions described in the statute.

The OIG flatly declared that until DHS and CISA get solid leadership and are properly organized, the assistance that can be provided to the election sector will be limited. As DHS is the sector-specific agency for a number of other sectors, this conclusion may also have repercussions in the following sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Emergency Services Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector (shared with the Department of Transportation)

To wit, the OIG asserted:

Amid the leadership vacancies and repeated turnover within DHS, CISA has not sufficiently prioritized key activities or established effective performance measures to monitor its progress in accomplishing its mission and goals of securing the Nation’s election infrastructure. Without DHS senior leadership guidance as a foundation, CISA cannot work successfully with sector representatives to develop the plans and strategies needed to secure the election infrastructure.

The under-addressed and unaddressed risks the OIG identified are “physical security risks, terrorism threats, and targeted violence.” The OIG speculated (correctly, I think) that after the 2016 election CISA was very focused on cybersecurity even though its remit over this subsector of a critical infrastructure sector also includes physical security:

Further, when assisting state and local election officials, CISA has primarily focused on the cybersecurity of election systems instead of broader election infrastructure aspects including related storage facilities, polling places, and centralized vote tabulation locations used to support the election process. CISA’s focus on cybersecurity may be attributed to reported cybersecurity threats and misinformation campaigns from foreign nations during the 2016 and 2018 elections. While beneficial, CISA’s primary focus on cybersecurity has limited DHS’ ability to provide the strategic direction needed to secure the election infrastructure from broader types of potential risks.

Given the protests and counter-protests this year related to Black Lives Matter, which has bled into the Presidential election campaign, CISA’s failure to focus on physical security, terrorism and violence may have left the election system susceptible. The OIG contended:

While attacks on physical election infrastructure locations and assets are rare, CISA should consider both physical and cyber threats as part of a comprehensive understanding of the threat and incorporate them in its election security and resilience planning. For example, an individual drove a van into a voter registration tent manned by campaign volunteers in February 2020. CISA cannot effectively secure the election infrastructure or manage risk to the Nation’s critical infrastructure based on the 2013 National Infrastructure Protection Plan by focusing on cybersecurity alone. A clear roadmap, sufficiently addressing broader risks, is needed to better guide DHS efforts and help achieve its goals of securing the election infrastructure.

Moreover, the OIG found the quality of the information provided by CISA to state and local election officials to be of questionable value. This is not surprising given the recent audit that found DHS’ cyber information sharing program was not providing quality information to the private sector. The OIG explained:

Based on our interviews with selected CISA regional staff, the cyber threat information CISA and I&A shared with election stakeholders was not always considered useful. DHS is required to maintain situational awareness of threats, and improve the sharing of threat intelligence with stakeholders to better prepare and protect election infrastructure. However, according to selected CISA regional staff, the information was over-classified, not tailored to election stakeholders’ needs, and could be obtained elsewhere. According to our interviews with CISA’s regional staff (12 Cybersecurity Advisors, 15 Protective Security Advisors, and 10 Regional Directors), the following are opportunities to improve the quality of information shared with stakeholders:

  • 8 (22 percent) of 37 CISA regional staff stated the information was overly classified.
  • 8 (22 percent) of 37 CISA regional staff stated briefings were not tailored to stakeholders’ needs.
  • 7 (19 percent) of 37 CISA regional staff stated the information could be obtained from public sources. In one example, by the time the cyber threat information was declassified for sharing with election stakeholders, they had already learned about it through the news media.
  • 5 (14 percent) of 37 CISA regional staff stated that after attending briefings, election officials could not share the information with their information technology staff and county clerks to remediate vulnerabilities as they did not possess the proper clearances.
  • 1 (3 percent) of 37 CISA regional staff stated some briefings were repetitive.
  • 7 (19 percent) of 37 CISA regional staff stated Fusion Centers were too far away and not convenient.

Representatives of other Federal agencies also told us about their work with CISA to secure the election infrastructure. One Federal agency representative discussed receiving duplicative election infrastructure threat information from CISA and DHS’ I&A. Another Federal agency official stated, “I cannot think of a single thing in a classified briefing that I have not read from the media,” indicating he had received complaints from others about DHS’ intelligence briefings not being helpful.

Worse still, when a state or local election authority requested that CISA perform an assessment of their systems or processes, the agency was often tardy in doing so. For example, the OIG found:

  • A Secretary of State initially requested a Phishing Campaign Assessment in October 2017. However, CISA did not begin the assessment until June 2018. CISA’s records show NCCIC did not complete the assessment until January 2019, more than a year after the request was made.
  • Another State Board of Elections requested CISA perform a Risk and Vulnerability Assessment in July 2018. The assessment did not begin until July 2019. NCCIC ultimately completed the testing in September 2019, more than a year after the initial request.

Staffing was also an issue. The OIG’s survey of CISA regional staff resulted in 73% of those interviewed saying “CISA needed more Cybersecurity Advisors to help private sector entities and state, local, territorial, and tribal governments prepare for and protect themselves against cybersecurity threats.”

The OIG made these recommendations to CISA:

  • Recommendation 1: Coordinate with the Office of the Secretary to revise the National Infrastructure Protection Plan and other planning documents to incorporate current and evolving risks as well as mitigation strategies needed to secure the Nation’s election infrastructure.
  • Recommendation 2: Improve the collaboration between I&A and CISA, which can help to enhance the quality and reduce the redundancy of information DHS shares with Federal agencies and state and local election officials.
  • Recommendation 3: Assign the staff resources needed to conduct timely cybersecurity and physical assessments to assist states and localities with securing the election infrastructure.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (28 October)

Further Reading

  • “Administration officials alarmed by White House push to fast track lucrative 5G spectrum contract, sources say” By Jake Tapper — CNN. A company with Karl Rove as its lobbyist may be poised to win a no-bid contract with the Department of Defense (DOD) for the commercial use of its highly sought-after mid-band spectrum ideal for 5G. Reportedly, White House Chief of Staff Mark Meadows has been pressing the DOD to hurry the process of making this spectrum available with many Administration officials having reservations about the seeming push to allow one company with little to no experience, Rivada, to have the whole chunk of spectrum. One official claimed if Rivada gets this contract it would be “the biggest handoff of economic power to a single entity in history.” Rove denied the company would accept a sole-source contract. There is strong bipartisan opposition on Capitol Hill, likely fanned by lobbyists from the companies apt to lose out if Rivada secures a winner-takes-all contract. Incidentally, in Jamaica where I live, the United States (U.S.) government has apparently pitched Rivada as a no-cost option to build out the island’s 5G network with Rivada collecting revenue from the operation of the system. The U.S. Ambassador has pitched the deal to Prime Minister Andrew Holness. And, while this could be seen as another U.S. effort to block the People’s Republic of China (PRC), which has done extensive development in Jamaica, it has the appearance of impropriety on the U.S.’ end, at the very least.
  • “Remote learning is deepening the divide between rich and poor” By Lucien O. Chauvin and Anthony Faiola — The Washington Post. The digital divide is, if anything, even more pronounced in the Third World where the pandemic and underlying economic and societal conditions threaten to erase anti-poverty gains and the education and future of a generation.
  • “Big Tech’s biggest critics are racing to raise money for Biden’s campaign” By Tony Romm — The Washington Post. In the last days of the campaign, a number of “Big Tech” critics are hosting or intensifying fund raising efforts for the Biden Campaign in the hopes of shaping its policies towards Silicon Valley. Those on the left favor dramatic action in a new administration while Biden’s centrist history may argue against significant change. Also, Silicon Valley as a whole has showered donations on the Biden Campaign, which may be a potent counterweight.
  • “State, federal antitrust charges against Facebook could come as soon as November, sources say” By Tony Romm — The Washington Post. The Federal Trade Commission (FTC) and a group of state attorneys general may be filing their anti-trust suits as early as next month against Facebook for its dominance of the social messaging market. The suits would likely focus on Facebook’s acquisitions of potential rivals WhatsApp and Instagram.
  • “Facebook touts free speech. In Vietnam, it’s aiding in censorship” By David Cloud and Shashank Bengali — Los Angeles Times. Despite Facebook’s talk of supporting free speech in western nations, it apparently complies with pressure from authoritarian regimes like Vietnam’s to block posts and close down accounts of dissidents.

Other Developments

  • The Presidency of the Council of the European Union (EU), currently held by Germany, released “Conclusions on the Charter of Fundamental Rights in the Context of Artificial Intelligence and Digital Change,” which laid out the EU’s views on how to develop and deploy artificial intelligence (AI).
    • The Presidency stated:
      • The COVID-19 pandemic has shown more clearly than ever that Europe must achieve digital sovereignty in order to be able to act with self-determination in the digital sphere and to foster the resilience of the European Union. We therefore want to work together on European responses for digital technologies, such as artificial intelligence (AI). We want to ensure that the design, development, deployment and use of new technologies uphold and promote our common values and the fundamental rights guaranteed by the EU Charter of Fundamental Rights (hereinafter ‘the Charter’), while increasing our competitiveness and prosperity. High levels of IT security must be maintained within a framework that is open to innovation.
      • We are committed to the responsible and human-centric design, development, deployment, use and evaluation of AI. We should harness the potential of this key technology in promoting economic recovery in all sectors in a spirit of European solidarity, uphold and promote fundamental rights, democracy and the rule of law and maintain high legal and ethical standards.
  • A United States (U.S.) Defense Science Board (DSB) Task Force published the executive summary of its “Final Report on Counter Autonomy,” “a strategic assessment of U.S. counter autonomy capabilities today and 30 years from now across all domains (land, sea, undersea, air, space, and cyberspace).” The DSB is an advisory body of the Department of Defense (DOD) that has proven influential in shaping DOD and U.S. policy. The Task Force stated:
    • The Task Force found a heavy focus across the whole-of-government on fielding U.S. autonomous systems with very little attention given to countering autonomous systems deployed by adversaries. One major exception is the U.S. government’s many programs focused on the counter unmanned aerial system (c-UAS) mission. Although c-UAS is critical to ensuring the safety and security of U.S. forces, allies, and the homeland, the DOD must adopt a broader view of counter autonomy or it will not be prepared to effectively defeat future adversary systems.
    • Like the introduction of cyberspace, the growth of autonomy and artificial intelligence (AI) will bring new capability to the public and private sector, but it will also introduce vulnerabilities to current and future capabilities. Therefore, the Task Force felt it necessary to not only develop recommendations aimed at counter autonomy but also counter-counter autonomy. The integrity of each component used to develop a physical or digital autonomous capability must be considered across the entire lifecycle of a system to maintain confidence in its efficacy and reliability.
    • The Task Force has provided a series of recommendations that, if implemented, will effectively aid the DOD and the wider U.S. government in developing a full-scope counter autonomy capability, strengthen U.S. autonomous systems, and result in a more resilient and lethal force.
    • The Task Force made these recommendations:
      • Recommendation 1: Leadership
        • The Under Secretary of Defense, Research and Engineering (USD(R&E)) create a single senior focal point for counter autonomy separate from autonomy leadership but of equal authority to ensure independent thinking
        • USD(R&E) champion a DOD-wide autonomy/counter autonomy community modeled on the existing low observable/counter low observable (LO/CLO) community
      • Recommendation 2: Capability and Operational Development
        • Military Departments (Secretaries) charter the following in order to develop robust fielded counter autonomy capabilities:
          • Assess, fund, and deploy modifications needed to existing conventional capabilities
          • Create a robust Opposing Force (OPFOR) that mimics adversary autonomy
          • Establish multi-domain Counter Autonomy (CA) Red Teams
          • Develop CA requirements, concepts, and Tactics, Techniques, and Procedures (TTPs)/Concept of Operations (CONOPS)
        • Direct Service labs and DARPA to create CA R&D
      • Recommendation 3: Intelligence
        • Sensitive content – N/A
      • Recommendation 4: Assurance
        • Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) establish and enforce AI-enabled autonomous system resilience guidelines to mitigate AI-specific vulnerabilities
        • Developmental test and evaluation (DT&E)/ Operational test and evaluation (OT&E) establish testing and evaluation guidance for development, fielding and sustainment to assure resilience of AI-enabled autonomous systems against counter autonomy attack over lifecycle
      • Recommendation 5: Policy
        • The Office of the Under Secretary of Defense for Policy (OUSD(P)) develop policy to provide appropriate defense of U.S. autonomous weapon systems, support autonomy exports, and ensure safety and security of imports
      • Recommendation 6: Talent
        • The Office of the Secretary of Defense (OSD) and Military Departments significantly expand autonomy/AI talent through aggressive recruiting, hiring, career path, and retention actions:
          • Upskill talent with AI skills through incentives and innovative methods such as free or affordable online training (e.g., edX, Coursera, Udacity)
          • Military Departments establish, promote, and incentivize autonomy/AI career paths for civilian and military personnel
            • Service Academies, including Air Force Institute of Technology and Naval Postgraduate School, include counter autonomy in curriculum and research
          • Expand the use of innovative staffing (e.g., IPA, HQE, SMART), and build a national talent pipeline at the graduate level with focused DOD funding
          • Fully leverage Section 1107(c) Direct Hiring Authority and request Congress authorize the limitation be raised from 5 percent to 10 percent of the workforce
        • Defense Counterintelligence and Security Agency (DCSA) accelerate clearance adjudication for candidates with critical skills (AI/machine learning (ML), robotics, cyber, etc.)
  • The Center for a New American Security (CNAS), a center-left Washington, D.C. national security think tank that may prove as influential in a Biden Administration as it did during the Obama Administration, released “Common Code: An Alliance Framework for Democratic Technology Policy,” that argued for the most technologically advanced democracies to band together and cooperate so that democratic ideals and principles will inform the development of the coming technology. CNAS explained that “[t]he Technology Alliance project and this report were made possible by a grant from Schmidt Futures,” a philanthropic venture started and funded by former Google and Alphabet CEO Eric Schmidt. CNAS stated:
    • Technological leadership by the world’s major liberal-democratic nations will be essential to safeguarding democratic institutions, norms, and values, and will contribute to global peace and prosperity. A unified approach by like-minded nations also is needed to counteract growing investments in and deployments of emerging technologies by authoritarian, revisionist powers.
    • Many have made the case for such a grouping, most notably the United Kingdom’s recent call for a “Democracy 10” to tackle 5G and other technology issues. Similarly, former U.S. government officials have advocated for the creation of a “Tech 10.” Despite this interest in a new coordination mechanism for multilateral technology policy, the work needed to create it has been elusive.
    • CNAS explained:
      • This document lays out what that alliance framework should look like, the opening chapter of a new, multilateral techno-democratic statecraft strategy for the 21st century. It answers the key questions needed to move from concept to an actionable blueprint necessary to tackle the 21st century technology competition:
        • What countries should be members of the technology alliance, and why?
        • Should the alliance be able to collaborate with non-members, and why?
        • Should the alliance grow, and how?
        • How should the alliance be organized and structured?
        • What is the ideal voting system?
        • How should the alliance engage with stakeholders from industry and civil society?
        • What is the best meeting structure and frequency?
      • After detailing recommendations for creating the technology alliance itself, the blueprint addresses the new organization’s top priorities, areas where the project leads identified both a common code between the proposed member countries and an urgent need for improved coordination:
        • Restructure supply chains with a focus on security and diversity
        • Safeguard competitive technological advantages with tailored multilateral export controls and by curbing unwanted technology transfers
        • Fund and build secure digital infrastructure by creating new investment mechanisms
        • Craft standards and norms for a beneficial technology future.
      • The technology alliance’s longer-term agenda should include efforts to:
        • Pursue joint R&D
        • Engage in technology forecasting
        • Focus on data flows
        • Promote technology interoperability
        • Counter disinformation and other illiberal uses of technology
        • Maximize human capital.
  • The National Institute of Standards and Technology (NIST) published a notice in the Federal Register inviting “organizations to provide products and technical expertise to support and demonstrate security platforms for the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained this “is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture project.” NIST explained:
    • Since late 2018, NIST and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture.
    • In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
    • The NCCoE project builds on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns to the concepts and principles in NIST SP 800-207 and using commercially available products.
  • The United States (U.S.) Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) evaluated DHS’ information security for FY 2019 and found serious problems. The OIG “reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements.” The OIG found serious deficiencies with the Cybersecurity and Infrastructure Security Agency, ostensibly the entity in the U.S. government charged with helping civilian agencies secure and defend their networks. The OIG found:
    • DHS’ information security program was not effective for FY 2019 because the Department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4). We rated DHS’ information security program according to five functions outlined in the 2019 reporting instructions:
      • Identify: DHS received a Level 1 rating because it did not have an effective strategy or department-wide approach to manage risks for all of its systems.
      • Protect: DHS achieved Level 4 as it was rated Level 4 in three of the four domains essential to this function.
      • Detect: DHS received a Level 1 rating due to the lack of a comprehensive strategy and organization-wide continuous monitoring approach to address all requirements and activities at each organizational tier.
      • Respond: DHS received a Level 1 rating because the Coast Guard had not reported its cybersecurity incidents to DHS since 2012.
      • Recover: DHS received Level 3 because it had not made progress since prior years [REDACTED]
    • According to FY 2019 reporting metrics, our independent contractor rated component information security programs effective for Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) as both components achieved the targeted “Level 4 – Managed and Measurable” or higher in four of five functions. The Cybersecurity and Infrastructure Security Agency (CISA) overall information security program was not effective because it achieved “Level 1 – Ad-hoc,” which is below the targeted Level 4 in three of five functions. Because the Department performs several security functions on CISA’s behalf, CISA has not yet developed component specific policies, procedures, and business processes as required by DHS policy.

Coming Events

  • On 29 October, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”
  • On 10 November, the Senate Commerce, Science, and Transportation Committee will hold a hearing to consider nominations, including Nathan Simington’s to be a Member of the Federal Communications Commission.

DHS OIG Sees More Progress Needed In Cyber Sharing

A five-year-old program to foster information sharing between the federal government and private sector barely got passing grades with plenty of room for improvement.

The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) has issued its biannual report on how well DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are implementing the responsibilities and authorities bestowed on the agency by Congress in the “Cybersecurity Act of 2015” (P.L. 114-113), specifically the information sharing regime DHS was tasked with leading. While the OIG found progress, the quality of the cyber threat indicators and defensive measures continued to be lackluster and apparently of little value to private sector entities and federal agencies. The OIG lays out the various reasons CISA’s threat information has limited value, but until the agency starts providing useful and timely information, it is likely most potential recipients will either not opt to receive it or will discount the information they do receive. Moreover, while information sharing is probably not the silver bullet proponents of the legislation claimed, it does have obvious value in alerting organizations to cyber threats.

Apparently, CISA has not seen Field of Dreams, because they thought stakeholders would just join even though what CISA was providing was of limited value. The OIG has a number of reasons for this, but it is somewhat astounding that DHS and CISA have had five years to implement perhaps the most anticipated change in United States (U.S.) cybersecurity policy and they are still muddling along. Of course, this lack of progress also begs the question of whether the conceptual framework that led to Title I of the “Cybersecurity Act of 2015” was as sound as advertised. Having lived through the marathon of bills, markups, negotiations, revised bills, amendments, etc., it is clear in my memory that private sector stakeholders insisted time and again before Congress that they could not share cyber information without liability protection because of the many lawsuits against them for doing just that (just kidding about that last part; no one ever said there was any actual litigation, but there might be). It seemed dubious at the time to me, and still does, but they persuaded lawmakers and the Obama White House, and so it went into the bill. And yet, these entities are either not sharing information or not sharing it with the federal government.

However, aside and apart from the quality of the information CISA is providing, the OIG pointed out that CISA is receiving very little threat information from private sector partners. Why might this be? A lingering fear of litigation even though there is liability protection and such submissions cannot be released under Freedom of Information Act (FOIA) requests? Perhaps.

I also wonder if private sector entities are averse to sharing information because they fear regulation and enforcement may ensue even though the “Cybersecurity Act of 2015” has limits on how far federal agencies may go in doing either. I’m guessing that corporate counsel has argued and will continue to argue against private sector entities providing information for fear that somehow, someway it will boomerang back on companies. But, to be fair, the language in this provision relates to “lawful activities,” meaning illegal conduct that turns up in cybersecurity information shared with the federal government could be used for an enforcement or regulatory action.

Moreover, federal agencies may use such information to tailor their cybersecurity regulation, so companies and other private sector entities may want to avoid regulation above the largely voluntary regime most entities in critical infrastructure industries face (excepting heavily regulated fields like electric and nuclear power, for example). Also, there are incentives related to information asymmetry, as always. If Company A has invested the resources to have a first-rate cybersecurity regime, why would it help Company B by pointing out dangers through a submission to CISA, especially if the two share a market and compete?

Perhaps more simply, using Occam’s Razor, private sector entities want cyber threat information and do not want to go to the trouble and expense of submitting it to the federal government. There is almost no incentive for them to share information other than the good feeling associated with helping to protect the U.S. and doing one’s duty.

In addition, this blog posting from 2015 by a “white shoe” law firm succinctly provides the type of advice that would stop most companies from participating:

In determining what information to share, a company should evaluate whether a cyber threat indicator or defensive measure implicates sensitive business information, and exercise particular care in evaluating the costs and benefits of sharing this information. It bears emphasis that CISA imposes no requirement to share cyber information, and if a company does choose to share it is free to distinguish between different types of information. As compared to more generic threat information, disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers. In this regard, it will be important to understand the situations in which the federal government may share and make public information received under CISA, such as in the context of a criminal prosecution. For particularly sensitive information, companies will want to focus on the ability to share on an anonymous basis, such as through an ISAC or ISAO. Public companies will, among other things, need to assess how their decision to share information under CISA may interact with their disclosure decisions under the securities laws, given that sharing cyber information with the federal government could potentially be seen as an indicator of materiality requiring disclosure in a public filing.

Finally, the OIG did not investigate information sharing within the private sector. This is outside its remit, and I suspect the Government Accountability Office (GAO) would be a better entity to take on this issue. Given all the noise made by the private sector about liability protection, very few seem to be using it by submitting information to CISA. Perhaps the information sharing market is gangbusters for ISACs or ISAOs.

Nonetheless, the OIG explained:

The DHS has addressed the basic information sharing requirements of the Cybersecurity Act of 2015. To carry out its mandate, the Cybersecurity and Infrastructure Security Agency (CISA) within DHS developed policies, procedures, and an automated capability, known as the Automated Indicator Sharing (AIS) program, to share cyber threat information between the Federal Government and the private sector. CISA increased the number of AIS participants as well as the volume of cyber threat indicators it has shared since the program’s inception in 2016. However, CISA made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks.

The OIG contended “CISA’s lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff.” The OIG asserted “[t]o be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training.”

The OIG found:

  • While CISA has increased the number of cyber threat indicators and defensive measures shared with program participants, the AIS information did not contain enough detail to fully mitigate potential threats. Specifically, the AIS indicators shared with participants did not contain actionable information, including sufficient context or background details to effectively protect Federal and private networks. Examples of contextual information may include Internet Protocol addresses, domain names, or hash files, which may be helpful for determining the appropriate course of action to mitigate threats against networks.
  • To determine whether CISA had improved the quality of information it shared under the AIS program, we obtained feedback from 17 AIS participants (10 Federal agencies and 7 private sector entities). Although some participants conceded the accuracy and quality of the indicators were not high, they still found the information beneficial. The feedback we obtained is outlined as follows, and shown in Figure 4:
    • 11 of 17 participants (5 Federal and 6 private sector) said the indicators lacked contextual/background data for determining the appropriate course of action to mitigate threats against their networks. Additionally, some participants stated that some indicators received were false positives or unusable information.
    • 6 of 17 participants (3 Federal and 3 private sector) said they had to augment the AIS indicators with additional information from other third-party sources.
    • 5 of 17 participants (4 Federal and 1 private sector) stated the AIS program was effective or helpful.
    • 1 Federal agency did not express an opinion on the usefulness of the program.
  • CISA’s lack of progress to improve the quality of the information shared under the AIS program can be attributed to multiple external and internal factors. External factors include the limited number of AIS participants sharing cyber indicators with CISA and the delays in receiving the cyber threat intelligence standards needed to upgrade the AIS capability. Internal factors include insufficient staffing in the CISA office to adequately support the AIS program. Collectively, these shortcomings have hindered CISA’s ability to improve the quality of AIS indicators and have thwarted outreach efforts to increase participation and the usefulness of the AIS program.
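One way a recipient can enforce the “enough context to act” standard the OIG’s respondents describe is to triage each indicator by the context it carries before letting it anywhere near a blocklist. The script below is an added example, not code from the OIG report, CISA or the AIS program: it reads STIX 2.1-style indicator objects (AIS distributes indicators in the OASIS STIX/TAXII formats), sorts them into block, review or discard tiers, and matches only the first two tiers against proxy log lines. The indicator set, the log lines, the list of fields treated as “context” and the confidence threshold are all constructed assumptions of this example.

```python
"""Triage AIS-style STIX 2.1 indicators by the context they carry, then match the
actionable ones against proxy log lines.  Added example; not code from the OIG
report, CISA or the AIS program.  All indicators and log lines are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Fields whose absence the OIG's respondents complained about.  Treating exactly
# these as "context" is an assumption of this example, not an AIS rule.
CONTEXT_FIELDS = ("description", "confidence", "indicator_types",
                  "kill_chain_phases", "valid_until")

# STIX 2.1 comparison patterns this parser understands:
#   [ipv4-addr:value = '...']  [domain-name:value = '...']  [file:hashes.'SHA-256' = '...']
_PATTERN_RE = re.compile(
    r"^\[(?P<obj>ipv4-addr|domain-name|file):"
    r"(?P<prop>value|hashes\.'SHA-256')\s*=\s*'(?P<val>[^']+)'\]$")


def parse_pattern(pattern: str) -> Optional[Tuple[str, str]]:
    """Return (observable_kind, value) for a supported STIX pattern, else None."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        return None
    kind = {"ipv4-addr": "ip", "domain-name": "domain", "file": "sha256"}[m.group("obj")]
    return kind, m.group("val").lower()


def missing_context(indicator: Dict) -> List[str]:
    """List the context fields an indicator lacks.  A STIX confidence of 0 means
    'none', so the falsy test deliberately counts it as missing."""
    return [f for f in CONTEXT_FIELDS if not indicator.get(f)]


def triage(indicator: Dict) -> str:
    """'block' = full context and high confidence; 'review' = some context;
    'discard' = bare or unparsable.  The 70 threshold is this example's choice."""
    if parse_pattern(indicator.get("pattern", "")) is None:
        return "discard"
    missing = missing_context(indicator)
    if not missing and indicator.get("confidence", 0) >= 70:
        return "block"
    if len(missing) < len(CONTEXT_FIELDS):
        return "review"
    return "discard"


def match_logs(indicators: List[Dict], log_lines: List[str]) -> List[Dict]:
    """Match block/review indicators against whitespace-separated log fields.
    Exact token comparison avoids 203.0.113.5 matching 203.0.113.50."""
    hits = []
    for ind in indicators:
        tier = triage(ind)
        if tier == "discard":
            continue
        kind, value = parse_pattern(ind["pattern"])
        for line in log_lines:
            if value in set(line.lower().split()):
                hits.append({"indicator": ind["id"], "tier": tier, "kind": kind,
                             "value": value, "line": line,
                             "why": ind.get("description", "(no description)")})
    return hits


# Constructed sample feed: one rich, one partial and one bare indicator.
# The ids are placeholders, not real STIX UUIDs.
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--example-0001",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
     "valid_from": "2020-09-01T00:00:00Z", "valid_until": "2020-12-01T00:00:00Z",
     "description": "C2 server for a credential-harvesting campaign (constructed)",
     "confidence": 85, "indicator_types": ["malicious-activity"],
     "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "command-and-control"}]},
    {"type": "indicator", "id": "indicator--example-0002",
     "pattern": "[domain-name:value = 'update.example.test']", "pattern_type": "stix",
     "valid_from": "2020-09-01T00:00:00Z",
     "description": "Staging domain seen in phishing mail (constructed)"},
    {"type": "indicator", "id": "indicator--example-0003",   # hash and nothing else
     "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']", "pattern_type": "stix",
     "valid_from": "2020-09-01T00:00:00Z"},
]

# Constructed proxy log lines: "timestamp client destination status method".
SAMPLE_LOGS = [
    "2020-09-28T10:01:02Z 10.0.0.17 203.0.113.5 TCP_MISS/200 GET",
    "2020-09-28T10:01:09Z 10.0.0.22 update.example.test TCP_MISS/200 GET",
    "2020-09-28T10:02:11Z 10.0.0.17 203.0.113.50 TCP_MISS/200 GET",
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        print(ind["id"], "->", triage(ind), "missing:", missing_context(ind))
    for hit in match_logs(SAMPLE_INDICATORS, SAMPLE_LOGS):
        print(hit["tier"].upper(), hit["kind"], hit["value"], "|", hit["why"])
```

Run stand-alone, the script shows the bare hash indicator never reaching the matcher while the fully contextualised IP indicator is eligible for blocking and the partially described domain lands in a review queue; the counts of discarded indicators per feed are the metric a participant would report back to CISA as the “lacks context” feedback the OIG collected.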

The OIG made four recommendations:

  • Develop an approach to encourage Federal and private sector participants to share information with the Department and become data producers under the AIS program.
  • Collaborate with the Organization for the Advancement of Structured Information Standards to expedite the approval of new standards so that the CISA can complete AIS upgrades.
  • Actively promote the AIS program through increased outreach, training, technical assistance, and information sharing forums for Federal and private sector entities.
  • Place priority on hiring administrative and operational staff needed to conduct outreach, training, and performance measurement to improve the AIS program’s operational effectiveness.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Further Reading, Other Developments, and Coming Events (29 September)

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • On September 30, the House Veterans’ Affairs Committee’s Technology Modernization Subcommittee will meet for an oversight hearing titled “Examining VA’s Ongoing Efforts in the Electronic Health Record Modernization Program.”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September and has made available its agenda with these items:
    • Facilitating Shared Use in the 3.1-3.55 GHz Band. The Commission will consider a Report and Order that would remove the existing non-federal allocations from the 3.3-3.55 GHz band as an important step toward making 100 megahertz of spectrum in the 3.45-3.55 GHz band available for commercial use, including 5G, throughout the contiguous United States. The Commission will also consider a Further Notice of Proposed Rulemaking that would propose to add a co-primary, non-federal fixed and mobile (except aeronautical mobile) allocation to the 3.45-3.55 GHz band as well as service, technical, and competitive bidding rules for flexible-use licenses in the band. (WT Docket No. 19-348)
    • Expanding Access to and Investment in the 4.9 GHz Band. The Commission will consider a Sixth Report and Order that would expand access to and investment in the 4.9 GHz (4940-4990 MHz) band by providing states the opportunity to lease this spectrum to commercial entities, electric utilities, and others for both public safety and non-public safety purposes. The Commission also will consider a Seventh Further Notice of Proposed Rulemaking that would propose a new set of licensing rules and seek comment on ways to further facilitate access to and investment in the band. (WP Docket No. 07-100)
    • Improving Transparency and Timeliness of Foreign Ownership Review Process. The Commission will consider a Report and Order that would improve the timeliness and transparency of the process by which it seeks the views of Executive Branch agencies on any national security, law enforcement, foreign policy, and trade policy concerns related to certain applications filed with the Commission. (IB Docket No. 16-155)
    • Promoting Caller ID Authentication to Combat Spoofed Robocalls. The Commission will consider a Report and Order that would continue its work to implement the TRACED Act and promote the deployment of caller ID authentication technology to combat spoofed robocalls. (WC Docket No. 17-97)
    • Combating 911 Fee Diversion. The Commission will consider a Notice of Inquiry that would seek comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes. (PS Docket Nos. 20-291, 09-14)
    • Modernizing Cable Service Change Notifications. The Commission will consider a Report and Order that would modernize requirements for notices cable operators must provide subscribers and local franchising authorities. (MB Docket Nos. 19-347, 17-105)
    • Eliminating Records Requirements for Cable Operator Interests in Video Programming. The Commission will consider a Report and Order that would eliminate the requirement that cable operators maintain records in their online public inspection files regarding the nature and extent of their attributable interests in video programming services. (MB Docket No. 20-35, 17-105)
    • Reforming IP Captioned Telephone Service Rates and Service Standards. The Commission will consider a Report and Order, Order on Reconsideration, and Further Notice of Proposed Rulemaking that would set compensation rates for Internet Protocol Captioned Telephone Service (IP CTS), deny reconsideration of previously set IP CTS compensation rates, and propose service quality and performance measurement standards for captioned telephone services. (CG Docket Nos. 13-24, 03-123)
    • Enforcement Item. The Commission will consider an enforcement action.
  • On October 1, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold a hearing as part of its series on online competition at which it may unveil its proposal on how to reform antitrust enforcement for the digital age. The hearing is titled “Proposals to Strengthen the Antitrust Laws and Restore Competition Online.”
  • On 1 October, the Senate Commerce, Science, and Transportation Committee may hold a markup to authorize subpoenas to compel the attendance of the technology CEOs for a hearing on 47 U.S.C. 230 (aka Section 230). Ranking Member Maria Cantwell (D-WA) has said:
    • “Taking the extraordinary step of issuing subpoenas is an attempt to chill the efforts of these companies to remove lies, harassment, and intimidation from their platforms. I will not participate in an attempt to use the committee’s serious subpoena power for a partisan effort 40 days before an election,” indicating a vote, should one occur, may well be along party lines.
    • Nonetheless, the Committee may subpoena the following CEOs:
      • Mr. Jack Dorsey, Chief Executive Officer, Twitter
      • Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc., Google
      • Mr. Mark Zuckerberg, Chief Executive Officer, Facebook
  • The Senate Judiciary Committee will markup the “Online Content Policy Modernization Act” (S.4632), a bill to reform 47 U.S.C. 230 (aka Section 230) that provides many technology companies with protection from lawsuits for third party content posted on their platforms and for moderating and removing such content.
  • On October 1, the Senate Armed Services Committee’s Readiness and Management Support Subcommittee will hold a hearing on supply chain integrity with Under Secretary of Defense for Acquisition and Sustainment Ellen Lord testifying. Undoubtedly, implementation of the ban on Huawei, ZTE, and other People’s Republic of China (PRC) equipment and services as required by Section 889 of the “John S. McCain National Defense Authorization Act (NDAA) for FY 2019” (P.L. 115-232) will be discussed. The Cybersecurity Maturity Model Certification (CMMC) program will also likely be discussed.
  • On October 29, the Federal Trade Commission (FTC) will hold a seminar titled “Green Lights & Red Flags: FTC Rules of the Road for Business workshop” that “will bring together Ohio business owners and marketing executives with national and state legal experts to provide practical insights to business and legal professionals about how established consumer protection principles apply in today’s fast-paced marketplace.”

Other Developments

  • The Senate passed an extension of the “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006” (U.S. SAFE WEB Act) (H.R.4779), sending the bill to the White House. The Senate did not alter the bill the House sent to it in December. The House Energy and Commerce Committee explained in its committee report:
    • Enacted into law on December 22, 2006, the U.S. SAFE WEB Act amended the Federal Trade Commission Act (FTC Act) to improve the FTC’s ability to combat unfair or deceptive acts or practices that are international in scope. Specifically, U.S. SAFE WEB Act: (1) affirms the FTC’s cross-border enforcement authority; (2) authorizes collaboration with foreign law enforcement in the form of investigative assistance and information sharing, provided certain statutory factors are met; (3) bolsters the FTC’s ability to receive information from foreign counterparts by allowing confidential treatment of information received; and (4) promotes relationship building through staff exchanges with foreign counterparts.
    • H.R. 4779 would ensure that the FTC continues to have the cross-border enforcement authority and international cooperation tools it needs to protect American consumers from unfair or deceptive acts or practices that originate abroad. This program provides a sound foundation for related issues of protecting and preserving cross-border data flows that are essential for Privacy Shield and other such agreements. Such legislation helps promote our leadership on artificial intelligence, autonomous vehicles, quantum computing, and other emerging technologies.
  • The Department of Veterans Affairs (VA) revealed it had been breached and “the personal information of approximately 46,000 Veterans” has been compromised. This announcement came the same day as an advisory issued by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that Chinese Ministry of State Security (MSS)-affiliated cyber threat actors have been targeting and possibly penetrating United States (U.S.) agency networks. The two events may not be linked, however. And yet, what is linked to the breach is an August VA request for information (RFI) for an entity to “provide cyber security audit services support,” as confirmed by an agency spokesperson. The VA has experienced long-running problems with information technology (IT) and cybersecurity as evidenced by this Government Accountability Office (GAO) testimony released a few weeks ago. In the notice of the breach, the VA explained:
    • The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office. A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols. To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology.
  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” that directs United States’ (U.S.) agencies to act with respect to “non-national security systems,” meaning civilian agencies, to “immediately apply the Windows Server August 2020 security update to all domain controllers.” This most recent Emergency Directive follows two earlier ones this year (found here and here.)
  • The United States Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announced a trio of enforcement actions for violations of HHS regulations on healthcare information these entities failed to properly protect. Specifically, these entities failed to meet their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR released these summaries of the actions:
    • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.
      • On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015. This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.
      • OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
    • CHSPSC LLC (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people. CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
      • In April 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate the protected health information (PHI) of 6,121,158 individuals until August 2014. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.
      • OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
    • Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.
      • On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
      • On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
      • OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
  • The Department of the Treasury published a final rule that changes the Committee on Foreign Investment in the United States (CFIUS) regulations with respect to mandatory filings for future deals in which foreign companies are investing in United States (U.S.) firms producing “critical technologies.” Previously, the trigger was if there was a nexus between the U.S. entity and certain industries. But now, the filing requirement will be triggered if “certain U.S. government authorizations would be required to export, reexport, transfer (in-country), or retransfer the critical technology or technologies produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to certain transaction parties and foreign persons in the ownership chain.” The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) (P.L. 115-232) required the agency to make this, among many other changes, in the CFIUS regime. What constitutes “critical technologies” is defined in FIRRMA and includes all sorts of military, commercial items with military applications, and “emerging and foundational technologies.” The final rule also “makes amendments to the definition of the term “substantial interest” and a related provision, and makes one technical revision.”
  • The Government Accountability Office (GAO) has assessed how well the Department of the Treasury is doing in its role as the overseer of cybersecurity for the United States (U.S.) financial services industry. The GAO found Treasury’s efforts lacking, especially with respect to implementing the recommendations the GAO has previously made. The GAO concluded:
    • Increased access to financial services sector systems, combined with the potential for monetary gains and economic disruptions, poses significant information security risks to the sector’s systems and to the critical operations and infrastructures they support. The financial services sector faces several different types of cyber-related risks, including ensuring adequate security for service providers traditionally considered external to the sector, an increased interconnectivity between sector entities that could result in simpler attack vectors, and the potential introduction of malware such as ransomware through social engineering techniques, such as spear phishing, or insider access. The sector has also faced an increase in attacks from well-organized attackers with significant resources.
    • The financial services industry, including firms and sectorwide groups set up to assist firms in ensuring the cybersecurity and resilience of the sector, have undertaken a series of risk mitigation efforts, in areas such as coordination and information sharing between organizations, development of guidance and training for members, and sectorwide incident response exercises. However, industry firms also pointed to challenge areas for assistance from regulators and policymakers. The most common of these areas were improved information sharing of actionable data after a cyber incident; improved harmonization among regulators, such as minimizing differences in use of state versus national requirements; establishing clearer guidance regarding regulation of the sector’s third-party service providers; and increasing cybersecurity training to firm employees.
    • Federal agencies are conducting risk mitigation efforts intended to support private industry in improving cybersecurity of the financial services sector. These efforts, including regular outreach by the designated financial sector-specific agency, Treasury, generally meet responsibilities laid out in policy. However, Treasury does not prioritize or track the progress of sectorwide risk mitigation efforts, and does not explicitly link sector efforts to the goals in the sector specific plan, which is the primary sector planning document. Furthermore, the plan is out of date and does not include information on how the sector plans to implement recently required efforts. The plan also does not identify ways to measure sector progress, such as explicit metrics for determining the progress of risk mitigation efforts to enhance the cybersecurity and resilience of the sector. Unless Treasury undertakes tracking and prioritization of efforts based on metrics that reflect sector planning documents, the sector will remain unable to determine the effectiveness of its efforts, which could leave the sector insufficiently prepared to deal with primary sector risks.
    • The GAO made two recommendations to Treasury:
      • Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
      • Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
  • The Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) published its review of a May 2019 breach of a U.S. Customs and Border Protection (CBP) subcontractor that resulted in “CBP data, including traveler images from CBP’s facial recognition pilot, appear[ing] on the dark web.” The OIG explained that “CBP selected Unisys Corporation to design, develop, and install a biometric entry-exit solution that would verify and confirm the arrival and departures of passengers. In turn, Unisys Corporation hired Perceptics, LLC, as a subcontractor to install its proprietary facial image capture solution.” Perceptics then proceeded to violate DHS security and privacy protocols by transferring these data to its own systems, and CBP, for its part, had not stored the personally identifiable information (PII) in encrypted form. Consequently, when Perceptics was hit with a ransomware attack, “more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack.” The hackers also “stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.” Worse still, CBP was notified of the breach through a media article instead of by either the prime or subcontractor, even though Perceptics informed Unisys, which opted against informing CBP in violation of its contractual duties.
  • The OIG summarized the facts of the case:
    • CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack.
    • DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network. Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.
    • This data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot; at least 19 of the images were posted to the dark web. This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.
  • The OIG made 3 recommendations to CBP:
    • Recommendation 1: We recommend CBP’s Assistant Commissioner for the Office of Information and Technology implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
    • Recommendation 2: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
    • Recommendation 3: We recommend the Deputy Executive Assistant Commissioner, Office of Field Operations establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.

Further Reading

  • “Revealed: Trump campaign strategy to deter millions of Black Americans from voting in 2016” — Channel 4 News. The same British news organization that broke the Cambridge Analytica story is back with another article on the mining and use of personal data in microtargeting voters in the 2016 presidential election. Despite repeated denials, it appears the Trump Campaign in concert with Cambridge Analytica and the Republican National Committee targeted African Americans with messages on Facebook to keep them home on election day, possibly swinging a few key states Trump could not have won the Electoral College without.
  • “Why the right wing has a massive advantage on Facebook” By Alex Thompson — Politico. This piece lays the responsibility for the popularity advantage of conservative political posts and content on human nature, arguing that right-wing populism will always be more viscerally appealing to people than left-wing populism. The company also seems to be blaming what many are calling its malign effects on human nature.
  • “Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns” By Jack Gillum, Jessica Huseman, Jeff Kao and Derek Willis — ProPublica. In an article based on information provided on a small Texas county’s breach, light is shined on how unprepared many localities and jurisdictions are against common cyber threats. In this case, common ransomware was placed successfully on the county’s system, rendering it unusable. It appears this and other counties have disregarded the cybersecurity advice furnished by the Department of Homeland Security in the hope that the United States’ (U.S.) systems will be secure against election day hacks. With minimal effort, a sophisticated entity can wreak havoc in contested states this election.
  • TikTok was just the beginning: Trump administration is stepping up scrutiny of past Chinese tech investments” By Jeanne Whalen — The Washington Post. To no great surprise, the Trump Administration is looking to use the Committee on Foreign Investment in the United States (CFIUS) process. The Department of the Treasury’s Office of Investment Security Monitoring & Enforcement has been sending letters to technology companies since the early spring inquiring about foreign investment. The companies being targeted tend to collect, process, and store a lot of personal data or are pioneering or producing cutting edge technology considered vital for national security like electric batteries. This new office is reportedly looking back at transactions completed more than ten years ago. Already the scrutiny is having its intended effect as entities from the People’s Republic of China (PRC) have invested less this year in Silicon Valley than they have in six years.
  • “China chip giant SMIC shares sink on US export controls” By Jerome Taylor — AFP; “U.S. sanctions on chipmaker SMIC hit at the very heart of China’s tech ambitions” By Arjun Kharpal — CNBC. The United States (U.S.) Department of Commerce has reportedly informed U.S. chipmakers and others that they must stop selling equipment to the People’s Republic of China’s (PRC) Semiconductor Manufacturing International Corp (SMIC) unless they get an export license. This latest move tightens further the chokehold the U.S. has placed on Huawei and other PRC firms that require U.S. technology to make their products. While SMIC has made strides in developing chips, it is still dependent on foreign technology. SMIC told western media outlets it has “no relationship with the Chinese military and does not manufacture for any military end-users or end-uses.”
  • “Activists slam Palantir for its work with ICE ahead of market debut” By Tonya Riley and Cat Zakrzewski — The Washington Post. Ahead of tomorrow’s initial public offering, human rights advocates are pressing investors to forgo Palantir or to buy the stock and demand changes. These activists are arguing that the Peter Thiel-launched company has worked with the United States government and others in violation of human rights.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Daniel Falcao on Unsplash

Further Reading, Other Developments, and Coming Events (21 August)

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • The United States’ Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced that its third annual National Cybersecurity Summit “will be held virtually as a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7:”
    • September 16: Key Cyber Insights
    • September 23: Leading the Digital Transformation
    • September 30: Diversity in Cybersecurity
    • October 7: Defending our Democracy
    • One can register for the event here.
  • The Senate Judiciary Committee’s Antitrust, Competition Policy & Consumer Rights Subcommittee will hold a hearing on 15 September titled “Stacking the Tech: Has Google Harmed Competition in Online Advertising?” In their press release, Chair Mike Lee (R-UT) and Ranking Member Amy Klobuchar (D-MN) asserted:
    • Google is the dominant player in online advertising, a business that accounts for around 85% of its revenues and which allows it to monetize the data it collects through the products it offers for free. Recent consumer complaints and investigations by law enforcement have raised questions about whether Google has acquired or maintained its market power in online advertising in violation of the antitrust laws. News reports indicate this may also be the centerpiece of a forthcoming antitrust lawsuit from the U.S. Department of Justice. This hearing will examine these allegations and provide a forum to assess the most important antitrust investigation of the 21st century.
  • On 22 September, the Federal Trade Commission (FTC) will hold a public workshop “to examine the potential benefits and challenges to consumers and competition raised by data portability.” By 21 August, the FTC “is seeking comment on a range of issues including:
    • How are companies currently implementing data portability? What are the different contexts in which data portability has been implemented?
    • What have been the benefits and costs of data portability? What are the benefits and costs of achieving data portability through regulation?
    • To what extent has data portability increased or decreased competition?
    • Are there research studies, surveys, or other information on the impact of data portability on consumer autonomy and trust?
    • Does data portability work better in some contexts than others (e.g., banking, health, social media)? Does it work better for particular types of information over others (e.g., information the consumer provides to the business vs. all information the business has about the consumer, information about the consumer alone vs. information that implicates others such as photos of multiple people, comment threads)?
    • Who should be responsible for the security of personal data in transit between businesses? Should there be data security standards for transmitting personal data between businesses? Who should develop these standards?
    • How do companies verify the identity of the requesting consumer before transmitting their information to another company?
    • How can interoperability among services best be achieved? What are the costs of interoperability? Who should be responsible for achieving interoperability?
    • What lessons and best practices can be learned from the implementation of the data portability requirements in the GDPR and CCPA? Has the implementation of these requirements affected competition and, if so, in what ways?”
  • The Federal Communications Commission (FCC) will hold an open meeting on 30 September, but an agenda is not available at this time.

Other Developments

  • The National Institute of Standards and Technology (NIST) published for input Four Principles of Explainable Artificial Intelligence (Draft NISTIR 8312) in which the authors stated:
    • We introduce four principles for explainable artificial intelligence (AI) that comprise the fundamental properties for explainable AI systems. They were developed to encompass the multidisciplinary nature of explainable AI, including the fields of computer science, engineering, and psychology. Because one size fits all explanations do not exist, different users will require different types of explanations. We present five categories of explanation and summarize theories of explainable AI. We give an overview of the algorithms in the field that cover the major classes of explainable algorithms. As a baseline comparison, we assess how well explanations provided by people follow our four principles. This assessment provides insights to the challenges of designing explainable AI systems.
    • NIST said “our four principles of explainable AI are:
      • Explanation: Systems deliver accompanying evidence or reason(s) for all outputs.
      • Meaningful: Systems provide explanations that are understandable to individual users.
      • Explanation Accuracy: The explanation correctly reflects the system’s process for generating the output.
      • Knowledge Limits: The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.
    • A year ago, NIST published “U.S. LEADERSHIP IN AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools,” as required by Executive Order (EO) 13859, Maintaining American Leadership in Artificial Intelligence, which set an August 10, 2019 due date.
      • NIST explained that “[t]here are a number of cross-sector (horizontal) and sector-specific (vertical) AI standards available now and many others are being developed by numerous standards developing organizations (SDOs)…[and] [s]ome areas, such as communications, have well-established and regularly maintained standards in widespread use, often originally developed for other technologies. Other aspects, such as trustworthiness, are only now being considered.” NIST explained that its AI plan “identifies the following nine areas of focus for AI standards: 
        • Concepts and terminology
        • Data and knowledge 
        • Human interactions 
        • Metrics
        • Networking
        • Performance testing and reporting methodology
        • Safety
        • Risk management
        • Trustworthiness
      • NIST asserted that “[i]n deciding which standards efforts merit strong Federal government involvement, U.S. government agencies should prioritize AI standards efforts that are:
        • Consensus-based, where decision-making is based upon clearly established terms or agreements that are understood by all involved parties, and decisions are reached on general agreement.
        • Inclusive and accessible, to encourage input reflecting diverse and balanced communities of users, developers, vendors, and experts. Stakeholders should include representatives from diverse technical disciplines as well as experts and practitioners from non-traditional disciplines of special importance to AI such as ethicists, economists, legal professionals, and policy makers: essentially, accommodating all desiring a “seat at the table.”
        • Multi-path, developed through traditional and novel standards-setting approaches and organizations that best meet the needs of developers and users in the marketplace as well as society at large.
        • Open and transparent, operating in a manner that: provides opportunity for participation by all directly- and materially- affected; has well-established and readily accessible operating rules, procedures, and policies that provide certainty about decision making processes; allows timely feedback for further consideration of the standard; and ensures prompt availability of the standard upon adoption.
        • Result in globally relevant and non-discriminatory standards, where standards avoid becoming non-tariff trade barriers or locking in particular technologies or products.
  • Consumer Watchdog has sued Zoom Video Communications “for making false and deceptive representations to consumers about its data security practices in violation of the District of Columbia Consumer Protection Procedures Act (CPPA).” The advocacy organization asserted:
    • To distinguish itself from competitors and attract new customers, Zoom began advertising and touting its use of a strong security feature called “end-to-end encryption” to protect communications on its platform, meaning that the only people who can access the communicated data are the sender and the intended recipient. Using end-to-end encryption prevents unwanted third parties—including the company that owns the platform (in this case, Zoom)—from accessing communications, messages, and data transmitted by users.
    • Unfortunately, Zoom’s claims that communications on its platform were end-to-end encrypted were false. Zoom only used the phrase “end-to-end encryption” as a marketing device to lull consumers and businesses into a false sense of security.
    • The reality is that Zoom is, and has always been, capable of intercepting and accessing any and all of the data that users transmit on its platform—the very opposite of end-to-end encryption. Nonetheless, Zoom relied on its end-to-end encryption claim to attract customers and to build itself into a publicly traded company with a valuation of more than $70 billion.
    • Consumer Watchdog is seeking the greater of treble damages or $1,500 per violation along with other relief.
    • Zoom is being sued in a number of other cases, including two class action suits in United States courts in Northern California (#1 and #2).
  • The United States (U.S.) Government Accountability Office (GAO) decided the Trump Administration violated the order of succession at the U.S. Department of Homeland Security by naming Customs and Border Protection (CBP) Commissioner Kevin McAleenan the acting Secretary after former Secretary Kirstjen Nielsen resigned early in 2019. The agency’s existing order of succession made clear that Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs was next in line to lead DHS. The GAO added “[a]s such, the subsequent appointments of Under Secretary for Strategy, Policy, and Plans, Chad Wolf and Principal Deputy Director of U.S. Citizenship and Immigration Services (USCIS) Ken Cuccinelli were also improper because they relied on an amended designation made by Mr. McAleenan.”
    • However, GAO is punting the question of what the implications of its findings are:
      • In this decision we do not review the consequences of Mr. McAleenan’s service as Acting Secretary, other than the consequences of the November delegation, nor do we review the consequences of Messrs. Wolf and Cuccinelli service as Acting Secretary and Senior Official Performing the Duties of Deputy Secretary respectively.
      • We are referring the question as to who should be serving as the Acting Secretary and the Senior Official Performing the Duties of Deputy Secretary to the DHS Office of Inspector General for its review.
      • We also refer to the Inspector General the question of consequences of actions taken by these officials, including consideration of whether actions taken by these officials may be ratified by the Acting Secretary and Senior Official Performing the Duties of Deputy Secretary as designated in the April Delegation.
    • The GAO also denied DHS’s request to rescind this opinion because “DHS has not shown that our decision contains either material errors of fact or law, nor has DHS provided information not previously considered that warrants reversal or modification of the decision.”
    • The chairs of the House Homeland Security and Oversight and Reform Committees had requested the GAO legal opinion and claimed in their press release the opinion “conclude[es] that President Donald Trump’s appointments to senior leadership positions at the Department of Homeland Security were illegal and circumvented both the Federal Vacancy Reform Act and the Homeland Security Act.”
  • Top Democrats on the House Energy and Commerce Committee wrote the members of the Facebook Oversight Board expressing their concern the body “does not have the power it needs to change Facebook’s harmful policies.” Chair Frank Pallone, Jr. (D-NJ), Communications and Technology Subcommittee Chair Mike Doyle (D-PA) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) “encouraged the newly appointed members to exert pressure on Facebook to listen to and act upon their policy recommendations, something that is not currently included in the Board Members’ overall responsibilities.” They asserted:
    • The Committee leaders believe Facebook is intentionally amplifying divisive and conspiratorial content because such content attracts more customer usage and, with it, advertising revenue. Pallone, Doyle and Schakowsky were also troubled by recent reports that Facebook had an opportunity to retune its systems responsible for the amplification of this content, but chose not to. 
    • The three Committee leaders wrote that the public interest should be the Oversight Board’s priority and that it should not be influenced by the profit motives of Facebook executives. Pallone, Doyle and Schakowsky also requested the board members answer a series of questions in the coming weeks.
  • The United States (U.S.) Government Accountability Office (GAO) examined how well the United States Department of Homeland Security and selected federal agencies are implementing a cybersecurity program designed to give the government better oversight and control of their networks. In auditing the Continuous Diagnostics and Mitigation (CDM), the GAO found limited success and ongoing, systemic roadblocks preventing increased levels of security. DHS has estimated the program will cost $10.9 billion over ten years.
    • The GAO concluded:
      • Selected agencies reported that the CDM program had helped improve their awareness of hardware on their networks. However, although the program has been in existence for several years, these agencies had only implemented the foundational capability for managing hardware to a limited extent, including not associating hardware devices with FISMA systems. In addition, while most agencies implemented requirements for managing software, all of them inconsistently implemented requirements for managing configuration settings. Moreover, poor data quality resulting from these implementation shortcomings diminished the usefulness of agency dashboards to support security-related decision making. Until agencies fully and effectively implement CDM program capabilities, including the foundational capability of managing hardware on their networks, agency and federal dashboards will not accurately reflect agencies’ security posture. Part of the reason that agencies have not fully implemented key CDM requirements is that DHS had not ensured integrators had addressed shortcomings with integrators’ CDM solutions for managing hardware and vulnerabilities. Although DHS has taken various actions to address challenges identified by agencies, without further assistance from DHS in helping agencies overcome implementation shortcomings, the program—costing billions of dollars—will likely not fully achieve expected benefits.
    • The chairs and ranking members of the Senate Homeland Security & Governmental Affairs and House Homeland Security Committees, the chair of the House Oversight and Reform Committee, and other Members requested that the GAO study and report on this issue.
  • Google and the Australian Competition and Consumer Commission (ACCC) have exchanged public letters, fighting over the latter’s proposal to ensure that media companies are compensated for articles and content the former uses.
    • In an Open Letter to Australians, Google claimed:
      • A proposed law, the News Media Bargaining Code, would force us to provide you with a dramatically worse Google Search and YouTube, could lead to your data being handed over to big news businesses, and would put the free services you use at risk in Australia.
      • You’ve always relied on Google Search and YouTube to show you what’s most relevant and helpful to you. We could no longer guarantee that under this law. The law would force us to give an unfair advantage to one group of businesses – news media businesses – over everyone else who has a website, YouTube channel or small business. News media businesses alone would be given information that would help them artificially inflate their ranking over everyone else, even when someone else provides a better result. We’ve always treated all website owners fairly when it comes to information we share about ranking. The proposed changes are not fair and they mean that Google Search results and YouTube will be worse for you.
      • You trust us with your data and our job is to keep it safe. Under this law, Google has to tell news media businesses “how they can gain access” to data about your use of our products. There’s no way of knowing if any data handed over would be protected, or how it might be used by news media businesses.
      • We deeply believe in the importance of news to society. We partner closely with Australian news media businesses — we already pay them millions of dollars and send them billions of free clicks every year. We’ve offered to pay more to license content. But rather than encouraging these types of partnerships, the law is set up to give big media companies special treatment and to encourage them to make enormous and unreasonable demands that would put our free services at risk.
    • In its response, the ACCC asserted:
      • The open letter published by Google today contains misinformation about the draft news media bargaining code which the ACCC would like to address. 
      • Google will not be required to charge Australians for the use of its free services such as Google Search and YouTube, unless it chooses to do so.
      • Google will not be required to share any additional user data with Australian news businesses unless it chooses to do so.
      • The draft code will allow Australian news businesses to negotiate for fair payment for their journalists’ work that is included on Google services.
      • This will address a significant bargaining power imbalance between Australian news media businesses and Google and Facebook.
    • Late last month, the ACCC released for public consultation a draft of “a mandatory code of conduct to address bargaining power imbalances between Australian news media businesses and digital platforms, specifically Google and Facebook.” The government in Canberra had asked the ACCC to draft this code earlier this year after talks broke down between the Australian Treasury and the companies.
    • The ACCC explained:
      • The code would commence following the introduction and passage of relevant legislation in the Australian Parliament. The ACCC released an exposure draft of this legislation on 31 July 2020, with consultation on the draft due to conclude on 28 August 2020. Final legislation is expected to be introduced to Parliament shortly after conclusion of this consultation process.
    • This is not the ACCC’s first interaction with the companies. Late last year, the ACCC announced a legal action against Google “alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses” according to the agency’s press release. In its initial filing, the ACCC is claiming that Google misled and deceived the public in contravention of the Australian Competition Law, and that Android users were harmed because those who switched off Location Services were unaware that their location information was still being collected and used by Google, as it was not readily apparent that Web & App Activity also needed to be switched off.
    • A year ago, the ACCC released its final report in its “Digital Platforms Inquiry” that “proposes specific recommendations aimed at addressing some of the actual and potential negative impacts of digital platforms in the media and advertising markets, and also more broadly on consumers.”
  • The United States Coast Guard is asking for information on “the introduction and development of automated and autonomous commercial vessels and vessel technologies subject to U.S. jurisdiction, on U.S. flagged commercial vessels, and in U.S. port facilities.” The Coast Guard is particularly interested in the “barriers to the development of autonomous vessels.” The agency stated
    • On February 11, 2019, the President issued Executive Order (E.O.) 13859, “Maintaining American Leadership in Artificial Intelligence.” The executive order announced the policy of the United States Government to sustain and enhance the scientific, technological, and economic leadership position of the United States in artificial intelligence (AI) research and development and deployment through a coordinated Federal Government strategy. Automation is a broad category that may or may not incorporate many forms of technology, one of which is AI. This request for information (RFI) will support the Coast Guard’s efforts to accomplish its mission consistent with the policies and strategies articulated in E.O. 13859. Input received from this RFI will allow the Coast Guard to better understand, among other things, the intersection between AI and automated or autonomous technologies aboard commercial vessels, and to better fulfill its mission of ensuring our Nation’s maritime safety, security, and stewardship.

Further Reading

  • “‘Boring and awkward’: students voice concern as colleges plan to reopen – through Minecraft” By Kari Paul – The Guardian. A handful of universities in the United States (U.S.) are offering students access to customized Minecraft, an online game that allows players to build worlds. The aim seems to be to allow students to socialize online in replicas of their campuses. The students interviewed for this story seemed underwhelmed by the effort, however.
  • “When regulators fail to rein in Big Tech, some turn to antitrust litigation” By Reed Albergotti and Jay Greene – The Washington Post. This article places Epic Games’ suit against Apple and Google into the larger context of companies availing themselves of the right to sue under antitrust laws in the United States. However, for a number of reasons, these suits have not often succeeded, and one legal commentator opined that judges tend to see these actions as sour grapes. However, revelations turned up during discovery can lead antitrust regulators to jump into proceedings, giving the suit additional heft.
  • “What Can America Learn from Europe About Regulating Big Tech?” By Nick Romeo – The New Yorker. A former Member of the European Parliament, Marietje Schaake, from the Netherlands is now a professor at Stanford and is trying to offer a new path on regulating big tech that would rein in the excesses and externalities while allowing new technologies and competition to flourish. The question is whether there is a wide enough appetite for her vision in the European Union, let alone the United States.
  • “Facebook employees internally question policy after India content controversy – sources, memos” By Aditya Kalra and Munsif Vengattil – Reuters. The tech giant is also facing an employee revolt in the world’s largest democracy. Much like in the United States and elsewhere, employees are pressing leadership to explain why they are seemingly not applying the platform’s rules on false and harmful material to hateful speech by leaders. In this case, it was posts by a member of the ruling Bharatiya Janata Party (BJP) calling Indian Muslims traitors. And, in much the same way accusations have been leveled at a top Facebook lobbyist in Washington who has allegedly interceded on behalf of Republicans and far right interests on questionable material, a lobbyist in New Delhi has done the same for the BJP.
  • “List of 2020 election meddlers includes Cuba, Saudi Arabia and North Korea, US intelligence official says” By Shannon Vavra – cyberscoop. At a virtual event this week, National Counterintelligence and Security Center (NCSC) Director William Evanina claimed that even more nations are trying to disrupt the United States election this fall, including Cuba, Saudi Arabia, and North Korea. Evanina cautioned anyone lest they think the capabilities of these nations rise to the level of the Russian Federation, People’s Republic of China, and Iran. Earlier this month, Evanina issued an update to his late July statement “100 Days Until Election 2020” through “sharing additional information with the public on the intentions and activities of our adversaries with respect to the 2020 election…[that] is being released for the purpose of better informing Americans so they can play a critical role in safeguarding our election.” Evanina offered more in the way of detail on the three nations identified as those being most active in and capable of interfering in the November election: the Russian Federation, the PRC, and Iran. This additional detail may well have been provided given the pressure from Democrats in Congress to do just this. Members like Speaker of the House Nancy Pelosi (D-CA) argued that Evanina was not giving an accurate picture of the actions by foreign nations to influence the outcome and perception of the 2020 election. Republicans in Congress pushed back, claiming Democrats were seeking to politicize the classified briefings given by the Intelligence Community (IC).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Silentpilot from Pixabay

Federal Court Rules Against Suspicionless Searches At Border and In Airports

A U.S. District Court held that U.S. Customs and Border Protection’s (CBP) and U.S. Immigration and Customs Enforcement’s (ICE) current practices for searches of smartphones and computers at the U.S. border are unconstitutional and that the agencies must have reasonable suspicion before conducting such a search. However, the Court declined the plaintiffs’ request that the information taken off of their devices be expunged by the agencies. This ruling follows a Department of Homeland Security Office of the Inspector General (OIG) report that found CBP “did not always conduct searches of electronic devices at U.S. ports of entry according to its Standard Operating Procedures” and asserted that “[t]hese deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit [CBP’s] ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.”

In terms of a legal backdrop, the United States Supreme Court has found that, under most circumstances, searches and seizures of electronic devices at borders and airports are subject to lesser legal standards than those conducted elsewhere in the U.S. Generally, the government’s interest in securing the border against the flow of contraband and of people not allowed to enter allows considerable leeway relative to the warrant requirements that govern many other types of searches. However, in recent years two federal appeals courts (the Fourth and Ninth Circuits) have held that searches of electronic devices require suspicion on the part of government agents, while another appeals court (the Eleventh Circuit) held differently. Consequently, there is no uniform legal standard for these searches.

The case was brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) on behalf of 10 U.S. citizens and one legal permanent resident who had had their phones and computers searched by CBP or ICE agents upon entering the U.S., typically at airports. The ACLU argued these searches violated the Fourth Amendment because the agents did not obtain search warrants before searching the devices for contraband. The plaintiffs further alleged the searches violated the First Amendment because “warrantless searches of travelers’ electronic devices unconstitutionally chill the exercise of speech and associational rights,” according to their complaint. The agencies claimed that such searches require neither a warrant nor probable cause and that the First Amendment claim held no water, a position a number of federal appeals courts have adopted.

The Court noted that

In January 2018, CBP updated its policy to distinguish between two different types of searches, “basic” and “advanced,” and to require reasonable suspicion or a national security concern for any advanced search, but no showing of cause for a basic search. Under this policy, an advanced search is defined as “any search in which an officer connects external equipment, through a wired or wireless connection, to an electronic device, not merely to gain access to the device, but to review, copy and/or analyze its contents.” The parameters of an advanced search are clearer given this definition than that adopted for a basic search, which is merely defined as “any border search that is not an advanced search.” CBP and ICE use the same definitions of basic and advanced searches and ICE policy also requires reasonable suspicion to perform an advanced search.

The Court stated that

Although the border search exception and the search incident to arrest exception are similar, narrow exceptions to the search warrant requirement, the Court recognizes the governmental interests are different at the border and holds that reasonable suspicion and not the heightened warrant requirement supported by probable cause that Plaintiffs seek here and as applied to the search in Riley is warranted here.

The Court added that

Moreover, the reasonable suspicion that is required for the currently defined basic search and advanced search is a showing of specific and articulable facts, considered with reasonable inferences drawn from those facts, that the electronic devices contains contraband. Although this may be “a close question” on which at least two Circuits disagree…the Court agrees that this formulation is consistent with the government’s interest in stopping contraband at the border and the long-standing distinction that the Supreme Court has made between the search for contraband, a paramount interest at the border, and the search of evidence of past or future crimes at the border, which is a general law enforcement interest not unique to the border.

The Court explained the relief the plaintiffs sought:

  • a declaration that CBP and ICE’s policies violate the First and Fourth Amendments facially and have violated Plaintiffs’ First and Fourth Amendment rights by authorizing and conducting searches of electronic devices absent a warrant supported by probable cause, and
  • declarations that CBP and ICE’s policies violate the Fourth Amendment facially and have violated Plaintiffs’ Fourth Amendment rights by authorizing and conducting the confiscation of electronic devices absent probable cause.

The Court stated that this relief is granted to the extent that it is declaring “that the CBP and ICE policies for ‘basic’ and ‘advanced’ searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices; and that the non-cursory searches and/or seizures of Plaintiffs’ electronic devices, without such reasonable suspicion, violated the Fourth Amendment.”

However, the Court declined to institute a nationwide injunction that would have prevented CBP and ICE from “searching electronic devices absent a warrant supported by probable cause that the devices contain contraband or evidence of a violation of immigration or customs laws,” as well as “an injunction preventing Defendants from confiscating electronic devices, with the intent to search the devices after the travelers leave the border, without probable cause and without promptly seeking a warrant for the search.” The Court asserted that further briefing on the issues would be needed before such relief could be granted.