IC Concedes PATRIOT Act Used To Collect Browsing

The top U.S. intelligence official admits the PATRIOT Act has been used to surveil a website and its visitors. This admission could result in a narrowing of FISA to stop this and related practices.

In a follow-on letter to correct his previous letter the Director of National Intelligence (DNI) acknowledged the Federal Bureau of Investigation (FBI) has indeed used Section 215 of the PATRIOT Act to surveil a website and its users. The Senate came within one vote of adding language to the bill to reauthorize and reform the Foreign Intelligence Surveillance Act (FISA) barring the use of this provision to surveil web browsing and internet search histories. It is possible this revelation will sway the Congress and the Biden Administration to enact such a change when they turn to these and other lapsed FISA authorities next year. At present, FISA reauthorization seems very improbable under the current administration given the President’s animus for the FISA process that was used to surveil the contacts between his 2016 Campaign advisors and Russian intelligence operatives.

DNI John Ratcliffe conceded in a 25 November letter to Senator Ron Wyden (D-OR) that web browsing has been the subject of at least one FISA application and production. Ratcliffe stated “the Department of Justice provided additional information to my office indicating that one of those 61 orders [issued pursuant to applications under Title V of FISA in 2019] resulted in the production of information that could be characterized as information regarding browsing.” He added “[s]pecifically, as relevant to an authorized investigation to obtain foreign intelligence information, the order directed the production of log entries for a single, identified U.S. web page reflecting connections from IP addresses registered in a specified foreign country that occurred during a defined period of time.” Of course, Ratcliffe only referenced searches in 2019, and so, it is an open question as to how many FISA searches authorized under Section 215 authority have been conducted in recent years for web browsing and internet search histories.

In his 20 May letter to the then DNI, Wyden explained:

  • I am writing to inquire whether public reporting on the use of Section 215 of the PATRIOT Act would capture the government’s collection of web browsing and internet searches. As you know, on May 13, 2020, 59 U.S. Senators voted to prohibit this form of warrantless surveillance, reflecting the broad, bipartisan view that it represents a dangerous invasion of Americans’ privacy.
  • There have also been long-standing concerns about the inadequacy of public reporting on the use of Section 215, including whether the data released annually by the DNI adequately captures the extent of the government’s collection activities and its impact on Americans. These concerns are magnified by the lack of clarity as to how the public reporting requirements would apply to web browsing and internet searches.

In a statement to the New York Times, Wyden argued “the DNI has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.” Apparently, Ratcliffe’s follow-on letter was a result of the newspaper’s reporters pressing the DNI on how it was defining web browsing. And yet, Ratcliffe refused to answer other questions about whether these practices occurred before 2019 or in 2020 because his letter is specific only to 2019.

The amendment Wyden referred to was considered earlier this year when the House, Senate, and White House seemed close to a deal to extend Section 215 and two other related surveillance provisions that had lapsed. That amendment would have barred the use of this FISA exception to the Fourth Amendment to surveil search histories, web browsing, location and GPS data. If all Senators had been present and voting, it would have likely been added to the bill, suggesting it will be added when FISA reauthorization is addressed next year. However, a compromise provision in the House was narrower than the Wyden/Daines amendment, which caused Wyden to announce his opposition to that language. Hence, there remains work on finding language acceptable to stakeholders in Congress and the Biden Administration.

In March, the House passed “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not to take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of Intelligence Community (IC) agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e., electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Cater Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to.

Wyden and Senator Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Two weeks later, when the House was gearing up to consider the Senate-amended version of H.R.6172, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language Wyden and Daines proposed that the Senate rejected by one vote to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

It appeared this amendment would be made in order during debate, but opposition from both the left and right in the House and among stakeholders made this untenable. The fact that the Lofgren/Davidson amendment was narrower in that it would only provide this protection to people in the United States whereas the Wyden/Daines amendment would have outright barred the practice under FISA led to opposition on the left. Early on 27 May, Wyden supported this language, but when House Intelligence Committee Chair Adam Schiff (D-CA) suggested that intelligence agencies could continue to collect web browsing and search histories of Americans, Wyden withdrew his support. Thereafter, House Democratic Leadership ultimately decided against allowing this amendment to have a vote. Consequently, the effort to enact a FISA reauthorization collapsed.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by joffi from Pixabay

U.S. Alleges Russian and Iranian Election Interference

U.S. security services called out Russian and Iranian efforts to hack and disrupt the U.S. election. There was a split between the DNI’s view and those in the intelligence agencies, however.

The United States (U.S.) government announced that the Russian Federation and Iran have undertaken operations to disrupt and undermine next month’s U.S. election. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a pair of advisories about Russian and Iranian attempts to interfere with the election. It appears U.S. intelligence community agencies and their partners want to avoid a repeat of 2016 when they were often behind the curve on Russian interference and failed to alert the public to what they knew.

Email sent to Democratic voters supposedly by the Proud Boys, a white supremacist group that supports President Donald Trump, was actually sent by Iran. These emails warned people in three swing states to vote for Trump or “we will come after you” because the group is “in possession of all your information.” According to media accounts, the day the Department of Homeland Security (DHS) identified Iran as the culprit, the Director of National Intelligence (DNI) John Ratcliffe decided to disclose this information at a hastily called press conference with Federal Bureau of Investigation (FBI) Director Christopher Wray.

In Ratcliffe’s remarks, he put Iran before Russia as has been the wont of the Trump Administration to make it seem as if Russia’s capabilities and intentions are matched by two other adversaries of the U.S. Moreover, the Trump Administration has placed more emphasis generally on the dangers posed by Tehran than Moscow, particularly in light of the nuclear agreement from which the U.S. withdrew. Ratcliffe asserted:

  • we would like to alert the public that we have identified that two foreign actors – Iran and Russia – have taken specific actions to influence public opinion relating to our elections.
  • First, we have confirmed that some voter registration information has been obtained by Iran, and separately, by Russia. This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.
  • To that end, we have already seen Iran sending “spoofed” emails designed to intimidate voters, incite social unrest, and damage President Trump. You may have seen some reporting on this in the last 24 hours, or you may have been one of the recipients.
  • Additionally, Iran is distributing other content, to include a video that implies that individuals could cast fraudulent ballots, even from overseas. This video – and any claims about such allegedly fraudulent ballots – are not true.
  • These actions are desperate attempts by desperate adversaries. Even if the adversaries pursue further attempts to intimidate or attempt to undermine voter confidence, know that our election systems are resilient, and you can be confident your votes are secure.
  • Although we have not seen the same actions from Russia, we are aware that they have obtained some voter information, just as they did in 2016.

Unnamed U.S. intelligence officials shortly thereafter disagreed with Ratcliffe’s emphasis on Iran when they think the evidence clearly shows Russia to be the more dangerous threat. Some speculated Ratcliffe was improperly political given the DNI is supposed to be non-partisan.

In contrast, Wray sought to tamp down alarm about interference:

  • We’re not going to tolerate foreign interference in our elections or any criminal activity that threatens the sanctity of your vote or undermines public confidence in the outcome of the election.
  • When we see indications of foreign interference or federal election crimes, we’re going to aggressively investigate and work with our partners, to quickly take appropriate action.
  • We’re also coordinating with the private sector—both technology and social media companies—to make sure that their platforms are not used by foreign adversaries to spread disinformation and propaganda.
  • We’ve been working for years as a community to build resilience in our election infrastructure—and today that infrastructure remains resilient.
  • You should be confident that your vote counts.

Following Wray’s remarks, there were leaks to the media that Trump wants to remove him and Attorney General William Barr from office after the election. During “repeated” discussion on the removal of two of the U.S.’ two top law enforcement officials, Trump and top Administration officials have apparently decried Wray’s disinclination to announce an investigation of former Vice President Joe Biden and his son in a reprise of former FBI Director James Comey’s announcement days before the 2016 election he would reopen the investigation into former Secretary of State Hillary Clinton’s email. Moreover, the FBI also declined to support Ratcliffe’s public assertions that Russia had nothing to do with the purported email and data of Hunter Biden being portrayed as evidence of the corruption of the Biden family. In a letter to Senate Homeland Security & Governmental Affairs Committee Chair Ron Johnson (R-WI), the FBI referenced the Inspector General’s findings about the impropriety of Comey’s remarks so close to an election as a significant reason why it would neither confirm nor deny any such inquiry.

The FBI and CISA issued a pair of joint advisories:

  • Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets that “updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.” The agencies asserted:
    • Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state- sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.
    • The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
      • Sensitive network configurations and passwords.
      • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
      • IT instructions, such as requesting password resets.
      • Vendors and purchasing information.
      • Printing access badges.
    • To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.
    • As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.
  • Iranian State-Sponsored Advanced Persistent Threat Actors Threaten Election-Related Systems in which the FBI and CISA “warn[] that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.” They added:
    • The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.
    • The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of- service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Nikita Karimov on Unsplash

Congressional Cybersecurity Commission Releases Annex To Final Report

A Congressional cyber panel is adding four recommendations to its comprehensive March report.  

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

On 2 June, the Cyberspace Solarium Commission (CSC) released an annex to its final report. The CSC was created by the National Defense Authorization Act for Fiscal Year 2019 (P.L. 115-232) to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” In mid-March, the CSC released its final report and made a range of recommendations, some of which were paired with legislative language the CSC has still not yet made available. However, Members of Congress who served on the CSC are working with the Armed Services Committees to get some of this language added to the FY 2021 National Defense Authorization Act (NDAA). See this issue of the Technology Policy Update for more detail on the CSC’s final report.

Per its grant of statutory authority, the CSC is set to terminate 120 days after the release of its final report, which will be next month. Nonetheless, the CSC has been holding a series of webinars to elucidate or explain various components of the final report, and the Commission began to consider cybersecurity through the lens of the current pandemic for parallels and practical effects. Consequently, the CSC added four new recommendations and renewed its call that recommendations in its final report related to the pandemic – in the view of the Commission – receive renewed attention and ideally action by Congress and the Executive Branch.

The CSC again called for the types of resources and reforms most policymakers have either not shown an appetite for or believe are a few bridges too far. Even though the CSC stated its intention to a “9/11 Commission without the 9/11 event,” it is unlikely such sweeping policy changes will be made in the absence of a crisis or event that fundamentally changes this status quo. Nevertheless, the CSC’s new recommendations are targeted and modest, one of which call for funneling more funds through an existing grant program to bolster private sector/non-profit efforts and another for a government agency to exercise previously granted authority. What’s more, the CSC could add the new recommendations to those shared in the form of legislative language with the Armed Services Committees in the hopes they are included in this year’s NDAA. Given that CSC co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) serve on their chambers’ Armed Services Committees as do the other two Members of Congress on the CSC, Senator Ben Sasse (R-NE) and Representative James Langevin (D-RI), the chances of some of the recommendations making it into statute are higher than they may be otherwise.

In its “White Paper #1: Cybersecurity Lessons from the Pandemic,” the CSC asserted:

The COVID-19 pandemic illustrates the challenge of ensuring resilience and continuity in a connected world. Many of the effects of this new breed of crisis can be significantly ameliorated through advance preparations that yield resilience, coherence, and focus as it spreads rapidly through the entire system, stressing everything from emergency services and supply chains to basic human needs and mental health. e pandemic produces cascading effects and high levels of uncertainty. It has undermined normal policymaking processes and, in the absence of the requisite preparedness, has forced decision makers to craft hasty and ad hoc emergency responses. Unless a new approach is devised, crises like COVID-19 will continue to challenge the modern American way of life each time they emerge. This annex collects observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption. These insights and the accompanying recommendations, some of which are new and some of which appear in the original March 2020 report, are now more urgent than ever.

The CSC conceded that “[t]he lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

  • First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
  • Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
  • Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
  • Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

The CSC continued:

The COVID-19 pandemic is a call to action to ensure that the United States is better prepared to withstand shocks and crises of all varieties, especially those like cyber events that we can reasonably predict will occur, even if we do not know when. We, as a nation, must internalize the lessons learned from this emergency and move forward to strengthen U.S. national preparedness.  This means building structures in government now to ensure strategic leadership and coordination through a cyber crisis. It means driving down the vulnerability of the nation’s networks and technologies. And finally, it means investing in rigorously building greater resiliency in the government, in critical infrastructure, and in our citizenry. In the past several years, experts have sounded the alarm, ranking cyberattacks as one of the most likely causes of a crisis. As the COVID-19 crisis has unfolded, the United States has experienced a wake-up call, prompting a national conversation about disaster prevention, crisis preparedness, and incident response. While COVID-19 is the root cause of today’s crisis, a significant cyberattack could be the cause of the next. If that proves to be the case, history will surely note that the time to prepare was now.

The CSC offered these four new recommendations:

  • Pass an Internet of Things Security Law: With a significant portion of the workforce working from home during the COVID-19 disruption, household internet of things (IoT) devices, particularly household routers, have become vulnerable but important pieces of our national cyber ecosystem and our adversary’s attack surface. To ensure that the manufacturers of IoT devices build basic security measures into the products they sell, Congress should pass an IoT security law. The law should focus on known challenges, like insecurity in Wi-Fi routers, and mandate that these devices have reasonable security measures, such as those outlined under the National Institute of Standards and Technology’s “Recommendations for IoT Device Manufacturers.” But it should be only modestly prescriptive, relying more heavily on outcome-based standards, because security standards change with technology over time. Nonetheless, the law should stress enduring standards both for authentication, such as requiring unique default passwords that a user must change to their own authentication mechanism upon first use, and for patching, such as ensuring that a device is capable of receiving a remote update. Congress should consider explicitly tasking the Federal Trade Commission with enforcement of the law on the basis of existing authorities under Section 5 of the Federal Trade Commission Act.
    • In a footnote, the CSC asserted “[t]he proposed Internet of Things (IoT) Cybersecurity Improvement Act of 2019 provides a viable model for a federal law that mandates that connected devices procured by the federal government have reasonable security measures in place, but should be expanded to cover all devices sold or offered for sale in the United States.
    • The initial draft of the “Internet of Things Cybersecurity Improvement Act of 2019” (H.R. 1668/S. 734) was a revised, unified version of two similar bills from the 115th Congress of the same title: the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283). However, during the process of consideration in both chambers, differences emerged that as of yet have not been reconciled. However, it is possible that a final version of this bill gets folded into the FY 2021 NDAA or is passed as standalone legislation in the waning days of this Congress.
    • However, the FTC already uses its Section 5 authorities to bring actions against IoT manufacturers. For example, last month, the agency announced a settlement with Tapplock regarding “allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.”
  • Support Nonprofits that Assist Law Enforcement’s Cybercrime and Victim Support Efforts: Cyber-specific nonprofit organizations regularly collaborate with law enforcement in writing cybercrime reports, carrying out enforcement operations, and providing victim support services. As the COVID-19 pandemic has proven, trusted nonprofit organizations serve as critical law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes. Such nonprofits have the expertise and flexibility to help and reinforce law enforcement efforts to disrupt cybercrime and assist victims. However, they often face financial challenges. Therefore, the Commission recommends that Congress provide grants through the Department of Justice’s Office of Justice Programs to help fund these essential efforts.
    • The portion of the Department of Justice’s Office of Justice Programs that makes grants was provided $1.892 billion in FY 2020, with large chunks being earmarked for state and local law enforcement agencies like the Edward Byrne Memorial Justice Assistance Grant program. Therefore, there would likely need to be additional funding provided for this program if there will be additional eligible recipients and additional purposes.
  • Establish the Social Media Data and Threat Analysis Center: Because major social media platforms are owned by private companies, developing a robust public-private partnership is essential to effectively combat disinformation. To this end, the Commission supports the provision in the FY2020 National Defense Authorization Act that authorizes the Office of the Director of National Intelligence to establish and fund a Social Media Data and Threat Analysis Center (DTAC), which would take the form of an independent, nonprofit organization intended to encourage public-private cooperation to detect and counter foreign influence operations against the United States. The center would serve as a public-private facilitator, developing information-sharing procedures and establishing—jointly with social media—the threat indicators that the center will be able to access and analyze. In addition, the DTAC would be tasked with informing the public about the criteria and standards for analyzing, investigating, and determining threats from malign influence operations. Finally, in order to strengthen a collective understanding of the threats, the center would host a searchable archive of aggregated information related to foreign influence and disinformation operations.
    • This is, obviously, not really a new recommendation, but rather a call for already granted authority to be used. The Director of National Intelligence was provided discretionary authority to establish the DTAC in P.L. 116-92 and has not chosen to do so yet. There are a number of existing entities that may qualify as the Atlantic Council’s Digital Forensics Research Lab or the Alliance for Securing Democracy. However, the issue may be resources in that the DNI was not provided any additional funding to stand up the DTAC.
  • Increase Nongovernmental Capacity to Identify and Counter Foreign Disinformation and Influence Campaigns: Congress should fund the Department of Justice to provide grants, in consultation with the Department of Homeland Security and the National Science Foundation, to nonprofit centers seeking to identify, expose, and explain malign foreign influence campaigns to the American public while putting those campaigns in context to avoid amplifying them. Such malign foreign influence campaigns can include covert foreign state and non-state propaganda, disinformation, or other inauthentic activity across online platforms, social networks, or other communities. These centers should analyze and monitor foreign influence operations, identify trends, put those trends into context, and create a robust, credible source of information for the American public. To ensure success, these centers should be well-resourced and coordinated with ongoing government efforts and international partners’ efforts.
    • It is not clear whether this program would be conducted through an existing DOJ program or a new one would be created. As with the DOJ’s Office of Justice Programs, funding may be an issue, and while the Armed Services Committees may be able to fold this into the FY 2021 (notwithstanding jurisdictional issues considering the DOJ is part of the Judiciary Committees’ purviews), but the Appropriations Committees would ultimately decide whether this would be funded.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.